// download

Get
Hugin.

One binary: proxy, scanner, GUI. No dependencies, no JVM, no account. Community is free.

curl -fsSL https://hugin.nu/install | sh

all builds + checksums on the releases page

// quick start

Three
steps.

From download to intercepting traffic in under a minute.

01

start the proxy

Run hugin — the MITM proxy comes up on 127.0.0.1:8080 and the desktop GUI opens.

02

trust the CA

Point your browser at 127.0.0.1:8080 and install the CA cert from http://hugin.local/cert (generated on first run).

03

browse & test

All traffic flows through Hugin. Drive the scanner, repeater and intruder.

Scanner
55+active
Passive
48checks
MCP tools
169+
Pro adds
35offensive

Full coverage matrix →

// agents

MCP
setup.

Drive Hugin from any MCP client — opencode, Cursor, Codex — one JSON block.

{
  "mcpServers": {
    "hugin": { "command": "hugin", "args": ["mcp"] }
  }
}

add it to opencode.json or .mcp.json.

Want it warm from the first message? Point your agent at https://hugin.nu/llms.txt or read the skill →. Your local MCP server also serves it as hugin://skill.

// integrity

Verify,
don't trust.

Every release binary is Ed25519-signed.

hugin verify hugin-cli-linux-x86_64.tar.gz

Prefer not to trust the binary? Manual verification →