Launch full-scope assessments in minutes from the Hacktron platform. Get an audit-ready pentest report for SOC 2 or ISO 27001 in hours, not weeks.
“The Hacktron team helped us uncover and remediate sophisticated vulnerabilities across our most critical systems incredibly quickly.
Their expertise brought immediate, measurable value to our security program, and I could not be more impressed with the results.
”
“Hacktron’s coordinated disclosure of their AI-augmented security research and rapid validation helped us quickly identify and close a subtle but serious vulnerability chain.
Their approach represents the cutting edge of modern security research.
”
“We were genuinely impressed by Hacktron's speed and the results.
This is how the future of security testing looks like.
”
From$100
For teams building simple applications with limited cross-service dependencies.
Start PentestDeep security analysis across the full application in scope
Taint flow tracing through business logic, auth, and payment paths
Threat modelling, architecture analysis, and exploit-driven validation
Every finding validated for accuracy
SOC 2 and ISO 27001 compliance-grade pentest reports
From$2,000
For teams maintaining complex applications with multiple services and integrations.
Start PentestLarger attack surfaces across more features, services, and user flows
More complex business logic with higher operational and architectural complexity
Multi-service applications with integrations, supporting systems, and multiple repos
The same exploit-driven methodology applied to a broader and more complex scope
24/7 access to OSCP, OSWE and CREST-certified security researchers
On-premise deployments for organisations with sensitive data
All pentests receive the same assessment depth and quality. Get an instant quote based on codebase size and number of repositories.
Cambridge CS dropout. Ex-TikTok and ex-military. DEF CON CTF runner-up (Blue Water) 2023-24. Credited for 15 CVEs. Topped Singapore's government and military bug bounties.
Ex-Cure53 Senior Security Researcher. Featured on PortSwigger & Vice. BlackHat & DEF CON speaker. Previously founded €1.5M revenue security auditing company.
Ex-ProjectDiscovery. Top-ranked bug bounty hunter. Featured in Forbes for hacking Apple. Ekoparty & BSides speaker.
Security educator with 1M+ YouTube followers. Cure53 Senior Auditor. Previously founded leading cybersecurity education platform.
Ex-Millennium, ex-Binance. Full-stack engineer across government, fintech, and leading startups in Asia. Graduate of Asia's #1 computer science university.
Ex-ProjectDiscovery. Expert in web security, patch analysis, and automation. Speaker at multiple security conferences such as Ekoparty, Hacktivity and NoNamecon.
We’re looking for world-class engineers and researchers. Please apply if you think you fit the bill.
APPLY
I pointed Claude Opus at Discord's bundled Chrome (version 138, nine major versions behind upstream) and asked it to build a full V8 exploit chain. The V8 OOB we used was from Chrome 146, the same version Anthropic's own Claude Desktop is running. A week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about ~20 hours of me unsticking it from dead ends. It popped calc.
Hacktron AI discovers a critical pre-authentication RCE in OpenAM through a forgotten deserialization parameter that the original CVE-2021-35464 fix missed.
Cloudflare built a Next.js replacement in a week with AI for $1100. We pointed Hacktron at it to find what the tests missed.
How we found a vulnerability in Cluely's Electron app that let any website silently capture screenshots, record audio, and exfiltrate everything - all because of a missing will-navigate handler.
