See What an Attacker Can Find.
Hound attacks your live web app like a hacker would.
How Hound Tests Your App
- Uses a Real Browser
- Logs In and Completes MFA
- Tests Across Multiple Accounts
- Reasons About Business Logic
- Chains Multi-Step Attacks
Covers OWASP Top 10, known CVEs, and beyond.
Reports You Can Trust
Executive Summary
We tested the security of cyberhound.dev and its backend API (api.cyberhound.dev). The website is a marketing page protected by a password gate, and the API handles pentest request submissions.
Critical Issues
1. API crashes on unexpected input, bypassing bot protection.
Sending non-text values to the pentest request API causes the server to crash with a 500 error. These crashes happen before the bot-detection check runs.
2. Password gate can be brute-forced without rate limiting.
The HTTP Basic Auth gate has no lockout or rate limiting. We performed 1,155 login attempts without being blocked.
Business Impact
Unauthorized access: The default password grants access to the full website and reveals backend API details, expanding the attack surface.
Guardrails Protect Your App
Your Findings Are Secure
- Every engagement runs in its own dedicated cloud
- Infrastructure is destroyed when testing completes
- Your findings are stored in encrypted storage unique to your app
How Hound Compares
Most teams choose between traditional pentests, noisy scanners, or other security agents. Hound is a different approach.
Traditional Pentests
- × Weeks to schedule
- × Point-in-time snapshot
- × Hard to rerun after changes
With Hound: Results by the next business day. Easy to rerun whenever your app changes.
Scanners
- × Noisy results, hard to trust
- × Weak on auth and business logic
- × No independent verification
With Hound: Real browser, logs in with MFA, every finding verified before delivery.
Other Security Agents
- × Limited to one login
- × Weak on cross-account workflows
With Hound: Multiple approved accounts and guardrails let Hound test real user boundaries safely.
Want proof? See Hound chain a real attack.
See What Hound Can Find
Submit your domain → Verify ownership → We review and test → Reports delivered over email
Want to know exactly what's included?
See the full assessment details
FAQ
After you submit your domain, we'll send you a DNS verification key. Add it to your DNS records to confirm you own the site.
Hound logs in, navigates your app, and tests pages behind authentication. It also tests across multiple accounts to find access control flaws. If your app has open registration, we'll create accounts manually. Otherwise, we'll work with you to set up test accounts before your first run.
Absolutely. Every command and script is reviewed in real time by an independent safety layer. Dangerous operations are blocked before they run. Hound proves vulnerabilities exist without causing damage.
Hound detects and works around WAFs automatically. If you'd prefer to whitelist us, reach out and we'll provide an IP you can add to your allowlist.
Still have questions? Reach out at support@cyberhound.ai