Hadrian Releases OpenHack, Democratizing AI Vulnerability Discovery

GlobeNewswire | Hadrian
Today at 4:10pm UTC

AMSTERDAM, May 20, 2026 (GLOBE NEWSWIRE) -- Hadrian today released OpenHack, a tool for AI-powered source code review that delivers high-quality results at a fraction of the cost of a human reviewer. Released under the MIT License, OpenHack works directly within Claude Code, Codex, and Cursor. Hadrian researchers used a methodology similar to OpenHack's to discover hundreds of vulnerabilities, including critical-severity flaws, in open-source software used by Dutch government agencies. By open-sourcing the tool, Hadrian is now making those capabilities freely available to the global security community, without requiring deep expertise or complex tooling.

"In today's offensive security landscape, AI-powered vulnerability discovery must transition from being a research curiosity to a commodity capability," said Rogier Fischer, co-founder and CEO of Hadrian. "We've been working on this for some time, but our discovery of critical vulnerabilities made it concrete. OpenHack's effectiveness proves that security teams don't need Mythos to find critical vulnerabilities."

Introducing OpenHack

The temptation when you give a strong LLM a codebase is to let it improvise. "Read this repo and tell me what's vulnerable." It will produce something. The output will be a mixture of plausible bugs, hallucinated bugs, real bugs explained wrongly, and the occasional sharp insight. Triage takes longer than just reading the code yourself.

We've found two failure modes drive most of that noise:

  1. Unscoped prompts: The agent doesn't know what question it's answering, so it answers all of them at low confidence.
  2. Self-graded findings: The same agent that proposed the bug decides whether the bug is real. There's no independent check.

OpenHack's workflow is designed around fixing those two things. Reviews are scenario-first: every unit of agent work is exactly one routing unit, one expert, and one proof question, and the agent that proposes a finding is not the agent that admits it into the record.

How OpenHack works:

  • Scenario-based scoping: Every unit of work is one routing unit, one expert, and one specific proof question. No unscoped prompts asking the model to find anything wrong.
  • Independent triage: The agent that proposes a finding is not the agent that admits it. A separate triage agent reviews each candidate against the original evidence before it becomes a recorded finding.
  • Inspectable artifact trail: Recon output, scenario backlogs, expert results, triage decisions, and findings all live as plain files on disk. The full review is auditable end to end.
  • Harness-agnostic, model-agnostic: Runs inside Claude Code, Codex, or Cursor, with any model the harness supports.
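To make the proposer/triage split and the on-disk artifact trail concrete, the following is an added illustration written for this article. It is not OpenHack's code: two small deterministic functions stand in for the LLM agents, so the shape of the pipeline is visible without a model. The scenario fields, the directory layout (scenarios/, candidates/, triage/, findings/) and the sample Flask handler are all constructed assumptions, not the project's real schema.

```python
import ast
import json
import re
import tempfile
from pathlib import Path

# Constructed sample target (not real project code). Line 7 interpolates a
# request parameter into cursor.execute(); line 8 is an f-string that is NOT
# a SQL sink, so triage has something to reject.
SAMPLE_SOURCE = """\
from flask import request

def lookup(conn):
    name = request.args.get("name")
    cur = conn.cursor()
    limit = 10
    cur.execute(f"SELECT * FROM users WHERE name = '{name}' LIMIT {limit}")
    logged = f"lookup for {name}"  # interpolation, but no SQL sink here
    return cur.fetchall()
"""

# Assumed scenario schema: one routing unit, one expert, one proof question.
SCENARIO = {
    "id": "sqli-01",
    "routing_unit": "app.py",
    "expert": "sql-injection",
    "proof_question": "Does request-controlled data reach cursor.execute() "
                      "via string interpolation?",
}

# Assignments of the form `x = request.<args|form|values|json>...` are
# treated as the only sources of attacker-controlled data in this toy.
SOURCE_PATTERN = re.compile(r"^\s*(\w+)\s*=\s*request\.(args|form|values|json)\b")


def propose(source: str, scenario: dict) -> list[dict]:
    """Proposer stand-in: flag every f-string passed to .execute() and record
    the line plus interpolated names as evidence for the triage stage."""
    out = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and isinstance(node.args[0], ast.JoinedStr)):
            names = [v.value.id for v in node.args[0].values
                     if isinstance(v, ast.FormattedValue)
                     and isinstance(v.value, ast.Name)]
            out.append({"scenario": scenario["id"], "line": node.lineno,
                        "interpolated": names})
    return out


def triage(source: str, candidate: dict) -> dict:
    """Triage stand-in: re-derive the answer from the source itself, never from
    the proposer's description. Rejects a candidate whose cited line has no
    sink (a hallucinated location) and one whose interpolated names are never
    request-derived (a real sink, but not the bug claimed)."""
    lines = source.splitlines()
    n = candidate["line"]
    cited = lines[n - 1] if 0 < n <= len(lines) else ""
    if ".execute(f" not in cited:
        return {**candidate, "verdict": "rejected",
                "reason": "cited line is not an execute() sink with an f-string"}
    tainted = {m.group(1) for m in map(SOURCE_PATTERN.match, lines[:n]) if m}
    hits = [v for v in candidate["interpolated"] if v in tainted]
    if not hits:
        return {**candidate, "verdict": "rejected",
                "reason": "no interpolated name is request-controlled"}
    return {**candidate, "verdict": "confirmed", "tainted_names": hits}


def run_review(root: Path, source: str, scenario: dict, extra_candidates=()) -> list[dict]:
    """Drive one scenario end to end, writing every stage to disk as JSON so
    the review can be audited afterwards. Returns only the admitted findings."""
    for d in ("scenarios", "candidates", "triage", "findings"):
        (root / d).mkdir(parents=True, exist_ok=True)
    sid = scenario["id"]
    (root / "scenarios" / f"{sid}.json").write_text(json.dumps(scenario, indent=2))
    candidates = propose(source, scenario) + list(extra_candidates)
    (root / "candidates" / f"{sid}.json").write_text(json.dumps(candidates, indent=2))
    decisions = [triage(source, c) for c in candidates]
    (root / "triage" / f"{sid}.json").write_text(json.dumps(decisions, indent=2))
    findings = [d for d in decisions if d["verdict"] == "confirmed"]
    (root / "findings" / f"{sid}.json").write_text(json.dumps(findings, indent=2))
    return findings


def demo() -> tuple[list[dict], list[dict]]:
    """Run the sample plus two bogus candidates: a sink claimed on line 8 (only a
    log message lives there) and a line-7 claim naming the constant `limit`."""
    bogus = [
        {"scenario": SCENARIO["id"], "line": 8, "interpolated": ["name"]},
        {"scenario": SCENARIO["id"], "line": 7, "interpolated": ["limit"]},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        findings = run_review(root, SAMPLE_SOURCE, SCENARIO, bogus)
        decisions = json.loads((root / "triage" / "sqli-01.json").read_text())
    return findings, decisions


if __name__ == "__main__":
    found, decided = demo()
    for d in decided:
        print(d["line"], d["verdict"], d.get("reason") or d.get("tainted_names"))
    print(f"{len(found)} finding(s) admitted out of {len(decided)} candidate(s)")
```

The point of the example is the separation: `triage()` never trusts the proposer's claim text, only the cited line and the source above it, which is what lets it throw out the two constructed false positives while the real line-7 candidate survives. In OpenHack the two roles are LLM agents rather than regex and `ast`, but the property that matters, that nothing reaches findings/ without an independent re-check against the original evidence, is the same.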

Hadrian's research team used an advanced version of the OpenHack methodology in a custom harness to review a dozen open-source applications used by government agencies. The analysis surfaced hundreds of vulnerabilities in a matter of hours. The most serious, a critical-severity vulnerability, exposed server credentials and provided access to the underlying Azure database. The methodology has also been used internally to find and disclose critical vulnerabilities in large open-source projects, with further disclosures expected in the coming months.

"Attackers have workflows like this already, in one form or another," continued Fischer. "We'd rather hand defenders the same scaffolding we use internally than watch them re-derive it under pressure. Releasing OpenHack gives security teams a fighting chance to run the same kind of review against their own code before someone else does."

Availability

OpenHack is available immediately at github.com/hadriansecurity/openhack under the MIT License. The repository includes the CLI, agent prompts, expert manifests, file schemas, and full documentation. Python 3.9 or later is required. Responsible disclosure guidance is included in SECURITY.md. A technical walkthrough of the methodology is available at hadrian.io/blog.

About Hadrian

Hadrian makes an offensive security platform that helps enterprise security teams see what attackers see, and act before they do. Its agentic engine offers frictionless, always-on discovery, validation, and mobilization of an organization's most critical cyber risks. Trained by elite hackers with top offensive knowledge, Hadrian adapts to the organization's unique environment to continuously probe, discover, and validate the risks that attackers can actually exploit. Global customers including Fortune 500 leaders rely on Hadrian to prevent the most sophisticated cyber-attacks, fortify defenses, increase efficiency, and maximize cyber resilience. To learn more, visit www.hadrian.io.


Media Contact:
Elizabeth Safran
e.liz@lookingglasspr.com
408-348-1214
