See What an Attacker Can Find.
Hound attacks your live web app like a hacker would. Results in hours.
How Hound Tests Your App
- Uses a Real Browser
- Logs In and Completes MFA
- Tests Across Multiple Accounts
- Reasons About Business Logic
- OWASP Top 10 and CVE Coverage
- Chains Multi-Step Attacks
Reports You Can Trust
Security Assessment — cyberhound.dev
Executive Summary
We tested the security of cyberhound.dev and its backend API (api.cyberhound.dev). The website is a marketing page protected by a password gate, and the API handles pentest request submissions.
Critical Issues
1. API crashes on unexpected input, bypassing bot protection.
Sending non-text values to the pentest request API causes the server to crash with a 500 error. These crashes happen before the bot-detection check runs.
2. Password gate can be brute-forced without rate limiting.
The HTTP Basic Auth gate has no lockout or rate limiting. We performed 1,155 login attempts without being blocked.
Business Impact
Unauthorized access: The default password grants access to the full website and reveals backend API details, expanding the attack surface.
Guardrails Protect Your App
Your Findings Are Secure
- Every engagement runs in its own dedicated cloud
- Infrastructure is destroyed when testing completes
- Your findings are stored in encrypted storage unique to your app
How Hound Compares
Most teams choose between expensive pentests, noisy scanners, or broader security platforms. Hound is a different approach.
Traditional Pentests
- × Weeks to schedule
- × Expensive, one-time snapshot
- × Hard to rerun after changes
With Hound: Results in hours. Easy to rerun whenever your app changes.
Scanners & Automated Tools
- × Noisy results, hard to trust
- × Weak on auth and business logic
- × No independent verification
With Hound: Real browser, logs in with MFA, every finding verified before delivery.
Security Platforms
- × Requires broader platform buy-in
- × Pentest is one module among many
- × More setup before first test
With Hound: Submit a domain. No platform, no repo access, no setup beyond DNS verification.
See What Hound Can Find
Submit your domain → Verify ownership → We review and test → Report delivered over email
FAQ
After you submit your domain, we'll send you a DNS verification key. Add it to your DNS records to confirm you own the site.
Hound logs in, navigates your app, and tests pages behind authentication. It also tests across multiple accounts to find access control flaws. If your app has open registration, we'll create accounts manually. Otherwise, we'll work with you to set up test accounts before your first run.
Absolutely. Every command and script is reviewed in real time by an independent safety layer. Dangerous operations are blocked before they run. Hound proves vulnerabilities exist without causing damage.
Hound detects and works around WAFs automatically. If you'd prefer to whitelist us, reach out and we'll provide an IP you can add to your allowlist.
Still have questions? Reach out at support@cyberhound.ai