HOOT

[ ENTRY ]
YOU ARE NOW ENTERING ENGAGEMENT MODE
[ TIME TO FIRST FINDING ]
< 20 MIN FROM DOCKER COMPOSE UP
[ THE PLATFORM ]
AI PENTESTER · SELF-HOSTED · OPERATOR-PACED
[ © 2026 ]
WATCH OWL LABS LLC · EST. 2024
[ 00 ] · SELF-HOSTED AI PENTESTER

Finds like an attacker.
Asks like a professional.

Hoot maps your attack surface, finds vulnerabilities, validates them, and ships audit-ready reports — but instead of burning credits for hours unattended, it works in a conversation with you. Six actions, summary, two-or-three concrete next steps, wait for your direction.

COMPLIANCE FRAMES /HIPAASOC 2PCI-DSSOWASP TOP 10OWASP API TOP 10NIST CSF
[ 01 ] MISSION

The status quo is broken.

Most companies cover security with three things: an annual third-party pentest, an automated scanner, and a security engineer pulled away from real work whenever something smells off. Each has a structural problem.

ANNUAL PENTEST

$30K to $100K per engagement. Two weeks of testing, then twelve months of nothing. By the time the report lands, half the findings are already irrelevant.

AUTOMATED SCANNERS

Pattern-matched. They catch known CVEs and miss everything that requires reasoning: auth flaws, business logic, multi-step exploits, IDOR. They bury your team in false positives.

UNATTENDED AI AGENT

Burns API credits for hours, dumps a 300-page wall of findings, no human checkpoint. Cost runs away. Findings go untriaged. Trust evaporates.

[ 02 ] OPERATOR LOOP

The agent stops to check in.

Six actions. Summary. Two-or-three concrete next steps. Wait for your direction. You stay in control of the methodology. You see every dollar spent.

No five-hour unattended sessions. No surprise bills. No findings buried in noise.

FIG.01AGENT INTERFACE · CHECKPOINT VIEW
Hoot agent conversation view. The operator has issued a recon command; the agent shows tools firing in parallel, then summarizes findings and presents 2–3 concrete next steps as labeled choices (A, B, C). The agent waits for the operator's input before proceeding.
FIG.02WORKSPACE HQ · OPERATOR DASHBOARD
Hoot workspace dashboard. Shows total findings count, critical and high severity counts, active sessions, target count, a 7-day findings trend bar chart by severity, and compliance scores for HIPAA and SOC 2.
[ 03 ] PLATFORM

One workspace per target.
Memory compounds.

Every workspace builds up persistent knowledge: what you found last week, which tools work in this environment, which subdomains belong to you. New sessions pick up where old ones left off — no re-running discovery, no re-explaining context.

Memory is versioned, audit-logged, and revertable with a single click.

[ 04 ] CAPABILITIES

What Hoot tests.

Six surfaces. Continuous coverage on each. Every finding is validated and mapped to a compliance control before it reaches your report.

RECONNAISSANCE

Subdomain enumeration, port scanning, technology fingerprinting, WAF detection, DNS analysis, certificate transparency, OSINT. Six tools fire in parallel and report back in roughly sixty seconds.

WEB APPLICATION

Directory fuzzing, vulnerability scanning, SQL injection, XSS, CSRF, request smuggling, SSRF, business logic flaws, parameter tampering, security headers, CORS, TLS hygiene.

AI + LLM SYSTEMS

Prompt injection (direct and indirect), jailbreaks, system prompt extraction, model fingerprinting, rate-limit probing, IDOR on AI-generated routes, RAG leak detection. Purpose-built for vibe-coded Lovable / Bolt / Cursor apps.

SECRETS + EXPOSURE

Exposed .git folders, leaked tokens in JavaScript bundles, hardcoded credentials, exposed admin panels, leaked .env files, backup files, container image secret extraction.

AUTHENTICATED TESTING

Import Burp captures, attach API tokens, the agent uses them on subsequent runs. Hoot Interceptor (Chrome extension) pipes live browser traffic into the workspace.

COMPLIANCE FRAMES

Every finding lands with severity, CVSS score, evidence, reproduction steps, and a control mapping — HIPAA Security Rule, SOC 2 Common Criteria, PCI-DSS, OWASP Top 10.

[ 05 ] DATA POSTURE

Your data stays on your machine.

Hoot is sold to companies whose security review process won't approve sending production data to a third-party cloud. Every design decision in the product reflects that.

LOCAL-ONLY DATA

Findings, sessions, evidence, and memory write to your local SQLite. Never our servers. Your pentest data never leaves the install.

ZERO TELEMETRY

No usage pings, no crash reports, no anonymised events, no analytics SDK. We don't know what you scan, what you find, or who you're testing.

AUTH + LICENSE ONLY

The only outbound call is a daily heartbeat (192 bytes) confirming your seat is still active. Air-gapped mode disables even that.

FIG.03SETUP · DATA POSTURE DISCLOSURE
Hoot onboarding modal explaining data posture. Three pillars: LOCAL-ONLY DATA — findings, sessions, evidence and memory write to local SQLite. ZERO TELEMETRY — no usage pings, no crash reports, no anonymized events. AUTH + LICENSE ONLY — the only Watch Owl call is a daily heartbeat to confirm the seat is active.
FIG.04HOOT INTERCEPTOR · CHROME DEVTOOLS
Hoot Interceptor running as a Chrome DevTools panel. Toolbar shows status, workspace selector, and Capturing / Send to Hoot / Clear controls. A request table lists Method, URL, Status, Type, Size, Time.
[ 06 ] INTERCEPTOR

Live browser traffic.
Skip the copy-paste.

A companion Chrome extension pipes HTTPS traffic from your live browser session straight to your workspace. Log into the customer app, click through the user journey, hit Send to Hoot, then ask the agent "check this flow for IDOR."

Captures live on the workspace and are reusable across every session on that target. Same local-only data guarantee.

[ 07 ] SAFETY

Guardrails. Scope. Audit.

Belt-and-suspenders defense. The agent refuses dangerous operations by reasoning; the runtime blocks them by pattern. The audit log captures everything for compliance and forensics.

140+ GUARDRAILS

Catastrophic shell operations (rm -rf /, fork bombs, raw-device writes, system file clobbering) are blocked before they fire. The agent also refuses these by reasoning — belt and suspenders.

SCOPE ENFORCEMENT

Every tool execution checks the target against your declared scope. The agent cannot accidentally hit your provider's other customers.

AUDIT LOG ON EVERYTHING

Every credential reveal, every session start, every license event, every config change — recorded with the operator's email and a structured event tag. Defensible for compliance, debuggable for forensics.

[ 08 ] COST CONTROL

No runaway AI bills.

AI agents have a reputation for runaway spend. Hoot solves it at the architecture level — not as a post-hoc dashboard.

ONE WORKSPACE BUDGET

A single cap covers every session and every background AI call. Every dollar is broken down — agent turns, memory updates, auto-titling — so you can spot what's expensive.

ACTION CHECKPOINTS

The agent self-paces and stops every ~6 actions to summarize and ask which way to go. No five-hour unattended sessions burning credits.

HARD STOPS, GRACE

When the budget hits zero, running sessions pause cleanly. New sessions refuse until you raise the cap or enable Unlimited.

BRING YOUR OWN AI KEY

You pay your AI provider directly. No middleman, no markup, no opaque billing. The model relationship is yours.

Frequently asked questions

Everything you need to know about Hoot.

01Will the agent run for hours unattended and rack up an unexpected AI bill?+

No. Hoot stops every ~6 actions to summarize what it found and ask which way to go next. You see every dollar spent, broken down by agent turn, memory write, and background call. Workspace budgets enforce a hard cap; when it hits zero, running sessions pause cleanly. There's an Unlimited mode for power users — opt-in, audit-logged, with optional 24h auto-revert.

02Is any of my data ever sent outside my network?+

No. Findings, evidence, sessions, memory — all of it lives in a local SQLite on your install. The only outbound call is a daily license heartbeat: license key, product version, host OS string. 192 bytes per day, no scan content. Air-gapped mode disables even that. We don't see what you scan, what you find, or who you're testing.

03How is Hoot different from an automated scanner that runs in the cloud?+

Scanners pattern-match against known CVEs and miss anything that requires reasoning — auth flaws, business logic, multi-step exploits, IDOR. Hoot reasons through attack chains the way a senior pentester does: enumerates, hypothesizes, validates with working HTTP proof, and only reports what it could actually reproduce. False positives don't reach your report.

04How does deployment work?+

One command: docker compose up. Open localhost:7337, sign in with your assigned seat, add a target, start a session. Most operators have their first real finding in under twenty minutes. Supports self-hosted, on-prem, and air-gapped environments.

05Can Hoot's findings be used for SOC 2, HIPAA, or PCI-DSS audits?+

Yes. Every finding maps to specific compliance controls — SOC 2 Common Criteria, HIPAA Security Rule sections, PCI-DSS requirements, OWASP Top 10, OWASP API Top 10. Export as HackerOne-ready Markdown, a company assessment PDF, or your custom template. Custom frameworks are supported on Enterprise plans.

06What does pricing look like?+

Custom pricing based on number of seats and targets. Annual contracts, billed by invoice. You bring your own AI provider key — no middleman, no markup. Comparable to one boutique pentest engagement per year, but you get twelve months of continuous coverage instead of two weeks.

[ 12 ] ENGAGE

See Hoot in your environment.

Demos are typically a 30-minute call. We'll walk through what Hoot finds against a target you control, and you'll leave with enough information to know whether it fits your stack.

CUSTOM PRICING · ANNUAL CONTRACTS · BRING YOUR OWN AI KEY