Hoot maps your attack surface, finds vulnerabilities, validates them, and ships audit-ready reports — but instead of burning credits for hours unattended, it works in a conversation with you. Six actions, summary, two-or-three concrete next steps, wait for your direction.
Most companies cover security with three things: an annual third-party pentest, an automated scanner, and a security engineer pulled away from real work whenever something smells off. Each has a structural problem.
$30K to $100K per engagement. Two weeks of testing, then twelve months of nothing. By the time the report lands, half the findings are already irrelevant.
Pattern-matched. They catch known CVEs and miss everything that requires reasoning: auth flaws, business logic, multi-step exploits, IDOR. They bury your team in false positives.
Burns API credits for hours, dumps a 300-page wall of findings, no human checkpoint. Cost runs away. Findings go untriaged. Trust evaporates.
Six actions. Summary. Two-or-three concrete next steps. Wait for your direction. You stay in control of the methodology. You see every dollar spent.
No five-hour unattended sessions. No surprise bills. No findings buried in noise.


Every workspace builds up persistent knowledge: what you found last week, which tools work in this environment, which subdomains belong to you. New sessions pick up where old ones left off — no re-running discovery, no re-explaining context.
Memory is versioned, audit-logged, and revertable with a single click.
Six surfaces. Continuous coverage on each. Every finding is validated and mapped to a compliance control before it reaches your report.
Subdomain enumeration, port scanning, technology fingerprinting, WAF detection, DNS analysis, certificate transparency, OSINT. Six tools fire in parallel and report back in roughly sixty seconds.
Directory fuzzing, vulnerability scanning, SQL injection, XSS, CSRF, request smuggling, SSRF, business logic flaws, parameter tampering, security headers, CORS, TLS hygiene.
Prompt injection (direct and indirect), jailbreaks, system prompt extraction, model fingerprinting, rate-limit probing, IDOR on AI-generated routes, RAG leak detection. Purpose-built for vibe-coded Lovable / Bolt / Cursor apps.
Exposed .git folders, leaked tokens in JavaScript bundles, hardcoded credentials, exposed admin panels, leaked .env files, backup files, container image secret extraction.
Import Burp captures, attach API tokens, the agent uses them on subsequent runs. Hoot Interceptor (Chrome extension) pipes live browser traffic into the workspace.
Every finding lands with severity, CVSS score, evidence, reproduction steps, and a control mapping — HIPAA Security Rule, SOC 2 Common Criteria, PCI-DSS, OWASP Top 10.
Hoot is sold to companies whose security review process won't approve sending production data to a third-party cloud. Every design decision in the product reflects that.
Findings, sessions, evidence, and memory write to your local SQLite. Never our servers. Your pentest data never leaves the install.
No usage pings, no crash reports, no anonymised events, no analytics SDK. We don't know what you scan, what you find, or who you're testing.
The only outbound call is a daily heartbeat (192 bytes) confirming your seat is still active. Air-gapped mode disables even that.


A companion Chrome extension pipes HTTPS traffic from your live browser session straight to your workspace. Log into the customer app, click through the user journey, hit Send to Hoot, then ask the agent "check this flow for IDOR."
Captures live on the workspace and are reusable across every session on that target. Same local-only data guarantee.
Belt-and-suspenders defense. The agent refuses dangerous operations by reasoning; the runtime blocks them by pattern. The audit log captures everything for compliance and forensics.
Catastrophic shell operations (rm -rf /, fork bombs, raw-device writes, system file clobbering) are blocked before they fire. The agent also refuses these by reasoning — belt and suspenders.
Every tool execution checks the target against your declared scope. The agent cannot accidentally hit your provider's other customers.
Every credential reveal, every session start, every license event, every config change — recorded with the operator's email and a structured event tag. Defensible for compliance, debuggable for forensics.
AI agents have a reputation for runaway spend. Hoot solves it at the architecture level — not as a post-hoc dashboard.
A single cap covers every session and every background AI call. Every dollar is broken down — agent turns, memory updates, auto-titling — so you can spot what's expensive.
The agent self-paces and stops every ~6 actions to summarize and ask which way to go. No five-hour unattended sessions burning credits.
When the budget hits zero, running sessions pause cleanly. New sessions refuse until you raise the cap or enable Unlimited.
You pay your AI provider directly. No middleman, no markup, no opaque billing. The model relationship is yours.
Everything you need to know about Hoot.
No. Hoot stops every ~6 actions to summarize what it found and ask which way to go next. You see every dollar spent, broken down by agent turn, memory write, and background call. Workspace budgets enforce a hard cap; when it hits zero, running sessions pause cleanly. There's an Unlimited mode for power users — opt-in, audit-logged, with optional 24h auto-revert.
No. Findings, evidence, sessions, memory — all of it lives in a local SQLite on your install. The only outbound call is a daily license heartbeat: license key, product version, host OS string. 192 bytes per day, no scan content. Air-gapped mode disables even that. We don't see what you scan, what you find, or who you're testing.
Scanners pattern-match against known CVEs and miss anything that requires reasoning — auth flaws, business logic, multi-step exploits, IDOR. Hoot reasons through attack chains the way a senior pentester does: enumerates, hypothesizes, validates with working HTTP proof, and only reports what it could actually reproduce. False positives don't reach your report.
One command: docker compose up. Open localhost:7337, sign in with your assigned seat, add a target, start a session. Most operators have their first real finding in under twenty minutes. Supports self-hosted, on-prem, and air-gapped environments.
Yes. Every finding maps to specific compliance controls — SOC 2 Common Criteria, HIPAA Security Rule sections, PCI-DSS requirements, OWASP Top 10, OWASP API Top 10. Export as HackerOne-ready Markdown, a company assessment PDF, or your custom template. Custom frameworks are supported on Enterprise plans.
Custom pricing based on number of seats and targets. Annual contracts, billed by invoice. You bring your own AI provider key — no middleman, no markup. Comparable to one boutique pentest engagement per year, but you get twelve months of continuous coverage instead of two weeks.
Demos are typically a 30-minute call. We'll walk through what Hoot finds against a target you control, and you'll leave with enough information to know whether it fits your stack.
CUSTOM PRICING · ANNUAL CONTRACTS · BRING YOUR OWN AI KEY