Hugin Cyber is live. One binary: an intercepting proxy, a vulnerability scanner, a repeater, an intruder, a race-condition engine, and an OOB server — all in one Rust binary. No account required. No telemetry. Everything stays in a local file on your machine.
What it is
One Rust binary that bundles the toolkit a pentester needs: intercepting proxy, active and passive scanner, repeater, intruder, HTTP smuggling and race engines, an OOB server, and an AI agent driven over MCP. GUI and CLI ship in the same file. No plugins to install before you can start testing.
Why it is different
- 55 active checks, 48 passive. SQLi, XSS, SSRF, race conditions, GraphQL authz, request smuggling, JWT, deserialization — compiled in and ready. No template downloads, no plugin marketplace.
- 169 MCP tools. Wire Hugin to opencode, Cursor, or any MCP client. The AI reads the captured traffic, finds the injectable parameters, and writes the payloads. You set the budget; it drives the engagement.
- Synaps modules. Community scanner modules compile to WebAssembly and run sandboxed. Install one, run it — untrusted code stays isolated.
- Capture everything. Every request and response is a flow you can replay, fuzz, or scan. Parameters worth attacking are flagged automatically.
- Oastify built in. 8 OOB protocols (DNS, HTTP, HTTPS, SMTP, LDAP, FTP, SMB, TCP) — no external callback server to set up.
Privacy by construction
No email. No account required to use the Community tier. When you make a Pro account, it is a random ID — no name, no email, no recovery link. The tool does the work and sends nothing home.
Available now
Community is free: the full proxy, scanner, intruder, repeater, and the base MCP tools. Pro is EUR 7/month (launch price through July 31), prepaid with no auto-renewal. Every new account gets a 7-day Pro trial, no card needed.
Download it, point it at a target you are authorized to test, and FUZZ the flows.
