Claude-BugHunter: A Self-Contained Claude Skill Bundle for Bug Hunting and External Red-Team Work
Introduction
In the rapidly evolving world of bug hunting and external red-team operations, Claude-BugHunter stands as a purpose-built, self-contained skill bundle engineered to transform Claude Code from a chat assistant into a senior, battle-tested bug-hunting operator. This collection of 51 interlinked skills, reinforced by 15 slash commands and more than 574 disclosed-report patterns across 24 vulnerability classes, is designed to guide researchers through a rigorous, repeatable workflow. It brings enterprise attack knowledge, forensic hygiene, and client-facing reporting into a single, coherent toolkit. Built by Sachin Sharma for bug hunting and security research, the bundle has been validated across authorized red-team engagements and public training platforms such as DVWA, OWASP Juice Shop, Hacker101, and testphp.vulnweb.com.
What is Claude-BugHunter?
Claude-BugHunter is a drop-in skill bundle for the Claude Code skills system. Install once, and Claude Code transitions from a generic chatbot into a senior bug-hunting researcher or red-team operator. It carries techniques, chain templates, vulnerability pattern mappings (VRT), platform CVE chains, and the hygiene required for real-world engagements, while staying tightly scoped to external-facing challenges.
The architecture unfolds across four integral layers:
- Bug Bounty Mindset and Methodology: The core thinking framework, a five-phase, non-linear hunting workflow, critical-thinking scaffolds, developer-psychology heuristics, anomaly detection patterns, and corrections applicable to “external red team” scope.
- Hunt Skills and Security Arsenal: A catalog of 24 hunt-oriented abilities plus a broad security payload library, providing per-class detection patterns, bypass tables, and chain templates drawn from 574+ disclosed HackerOne reports.
- Enterprise Platform Attack Chains: Perimeter-focused sequences targeting identity, cloud, application, and device ecosystems—complete with current 2024–2026 CVE chains, error references, version fingerprints, and escalation paths.
- Triage, Reporting, and Hygiene: A disciplined, end-to-end process for triage validation, evidence hygiene, red-team reporting templates, and client-facing deliverables.
All elements are triggered automatically by topic, so you can describe what you’re testing in plain English and Claude loads the relevant skills without needing to invoke them by name.
For quick orientation, the bundle highlights:
- 51 skills, 15 commands, and a curated set of 574+ disclosed reports
- A 6-phase engagement workflow that aligns with typical bug bounty and red-team cycles
- A dual-interface experience: slash commands within Claude Code and a terminal-native CLI (cbh)
- Public training platform coverage and live engagement calibration against real-world targets
- An emphasis on evidence hygiene, reporting templates, and scalable engagement delivery
Scope — what this bundle covers (and what it doesn’t)
The Claude-BugHunter bundle is designed to address the external attack surface—everything reachable from the internet without first compromising an internal endpoint. It is built around the practical realities of bug bounty hunting, web app pentesting, and external red-team engagements.
In scope
- Bug bounty hunting across web apps, APIs, SaaS, GraphQL, OAuth, JWT, file upload mechanisms, IDOR, SSRF, RCE chains
- Web application pentesting with comprehensive hunt coverage mapped to OWASP classes
- External red-team engagements including initial access against internet-facing enterprise assets (M365/Entra ID, Okta as IdP, SharePoint on-prem, VMware vCenter/Workspace ONE, SSL VPN appliances, Android APK red-team work, supply-chain reconnaissance)
- Cloud misconfig evaluation and post-credential escalation scenarios (public S3, IMDS, STS AssumeRole, cross-account patterns)
- Recon and OSINT activities (subdomain enumeration, identity-fabric mapping, certificate transparency, JS analysis, secret scanning)
- Reporting for Bugcrowd (VRT-aware), Intigriti, Immunefi, and client-facing red-team deliverables
Out of scope (deliberate design choices)
- Internal Active Directory attacks (BloodHound, Kerberoasting, DCSync, Pass-the-Hash, etc.)
- C2 frameworks (Cobalt Strike, Sliver, Mythic, Havoc, etc.)
- Post-exploit/persistence and lateral movement (Mimikatz, golden tickets, registry tasks, WMI persistence, token theft)
- Evasion tactics (AMSI bypass, ETW patching, AV/EDR bypass)
- iOS pentesting, hardware/RF/ICS
- Binary exploitation and kernel pwn
If you’re performing internal domain takeover or lateral movement, this bundle is not the right fit, and we openly acknowledge that boundary.
Capability Map: 51 skills across 7 domains
The 51 skills are organized into seven capability domains, with a structured map that guides you from reconnaissance through to reporting. Each skill on disk loads automatically when its keyword appears in your description to Claude. A compact Mermaid diagram inside the original doc illustrates the relationships, but here is a concise tour of the domains and sample skills:
Recon & OSINT
- bb-local-toolkit: Full local bug-bounty pipeline router
- offensive-osint: A curated arsenal of reference probes
- osint-methodology: Five-stage recon pipeline and asset graph
- web2-recon: Subdomain enumeration, host discovery, URL crawling
Hunt — Web App
- hunt-aspnet: ASP.NET ViewState, machineKey, WebForms
- hunt-sqli: SQL injection patterns across classic and NoSQL contexts
- hunt-xss: Reflected, stored, and DOM-based XSS with CSP considerations
- hunt-idor: IDOR and broken object-level authorization
- hunt-ssti: Server-side template injection across major template ecosystems
- hunt-file-upload: File upload bypass techniques and payloads
- hunt-graphql: GraphQL misconfig and abuse patterns
- hunt-xxe: XML External Entity exploitation vectors
Authentication & Identity
- hunt-ato: Account takeover taxonomy with multiple paths
- hunt-auth-bypass: Broken authentication and access control patterns
- hunt-mfa-bypass: MFA/2FA bypass patterns
- hunt-oauth: OAuth 2.0 / OIDC flaws and abuse chains
- hunt-saml: SAML/SSO attacks, including signature wrapping
API & Infrastructure
- hunt-api-misconfig: API misconfig patterns (mass assignment, JWT risks, CORS)
- hunt-cloud-misconfig: Cloud and Kubernetes misconfig patterns (public endpoints, tokens)
- hunt-graphql: GraphQL exposure patterns
- hunt-rce: Remote code execution chains and deserialization pitfalls
- hunt-ssrf: SSRF techniques and cloud metadata exfiltration
- hunt-subdomain: Subdomain takeover fingerprints and chains
Advanced & Concurrency
- hunt-business-logic: Business logic flaws and abuse scenarios
- hunt-cache-poison: Web cache poisoning and CDN exploitation
- hunt-http-smuggling: HTTP request smuggling techniques
- hunt-llm-ai: Prompt injection and AI-adjacent threats
- hunt-misc: Catch-all for less common classes
- hunt-race-condition: Race conditions and TOCTOU patterns
Enterprise Identity & Cloud Attack
- cloud-iam-deep: Cloud IAM privilege escalation patterns
- m365-entra-attack: M365/Entra ID attack vectors
- okta-attack: Okta IdP enumeration and abuse patterns
Infrastructure & Appliance Attack
- enterprise-vpn-attack: Enterprise SSL VPN and analogous VPN appliances
- hunt-ntlm-info: NTLM leakage and topology information
- hunt-sharepoint: SharePoint on-prem attack patterns
- vmware-vcenter-attack: vCenter and Workspace ONE chains
Red Team Tradecraft
- apk-redteam-pipeline: Android APK red-team workflow
- mid-engagement-ir-detection: SOC patches and attacker activity detection
- redteam-mindset: Discipline and DO NOT STOP directive
- supply-chain-attack-recon: Supply-chain reconnaissance patterns
Workflow & Validation
- bb-methodology: The five-phase workflow
- bug-bounty: Master orchestrator that pulls in other skills
- hunt-dispatch: The /hunt router for mode and talent detection
- security-arsenal: Payloads, bypass tables, wordlists
- triage-validation: The seven-question gate and four validation gates
Reporting & Hygiene
- bugcrowd-reporting: VRT-friendly reporting templates and rebuttals
- evidence-hygiene: Redaction and sanitization discipline
- redteam-report-template: Client-facing red-team deliverable structure
- report-writing: Templates for H1, Bugcrowd, Intigriti, Immunefi
Specialized
- meme-coin-audit: Token rug-pull detection and related patterns
- web3-audit: Smart-contract and DeFi bug class coverage
Slash Commands (15)
- /autopilot, /chain, /hunt, /intel, /memory-gc, /pickup, /recon, /remember, /report, /scope, /surface, /token-scan, /triage, /validate, /web3-audit
- Each slash command routes to the relevant skill sets automatically, enabling a conversational or scripted workflow.
Two Interfaces — pick what fits your engagement
Claude-BugHunter supports two interfaces that share the same content but differ in execution model:
Slash Commands (PRIMARY)
- Runs inside a Claude Code conversation
- LLM-driven, capable of chaining skills, applying nuanced judgment
- Suitable for exploring new targets, building a narrative chain, and handling complex decision trees
cbh CLI (SECONDARY)
- Runs in any terminal with Python 3.9+
- Deterministic execution using standard Python, regex, and real network I/O
- Ideal for CI/CD workflows, scheduled recon, or scripting where reproducibility matters
Choosing by use-case
- If you’re exploring a new target: Claude Code with natural-language prompts yields the best judgment and adaptable flow
- If you’re running automated checks or want scriptable, reproducible results: use cbh CLI
- You can also read the skills’ Markdown content locally to understand the coverage: the skills fall back to vendored or original sources as appropriate
Structure and Architecture
Claude-BugHunter is organized as a modular repository with 51 SKILL.md bundles under skills/. Each folder corresponds to a skill with its own content, payloads, and patterns. The architecture also weaves in a 7-skill enterprise-platform layer and an integration layer with Burp MCP compatibility. An architecture overview SVG is included to visually convey the stacked design. For deeper reference, review the docs/architecture.md page, which describes the three-layer stack and the engagement pipeline with the four potential outcomes from the Validate gate.
[architecture image here]
The 7-Question Gate and Engagement Flow
Two critical gating mechanisms shape Claude-BugHunter’s discipline:
The 7-Question Gate (triage-validation)
- Q1: Can an attacker exploit this right now with a real HTTP request?
- Q2: Is the impact within the program’s accepted-impact list?
- Q3: Is the asset in scope?
- Q4: Does it require privileged access or something the attacker can’t obtain?
- Q5: Is this not already known or documented behavior?
- Q6: Can impact be demonstrated beyond theoretical possibility?
- Q7: Is this not on the never-submit list?
A single NO at any step triggers KILL, compelling you to move on. This gate is central to maintaining a high signal-to-noise ratio and preventing wasted reporting effort.
Engagement Flow: The six-phase loop
1) Scope: Define who and what you’re testing (target, mode, and boundary conditions)
2) Recon: Gather intelligence and identify assets to map the attack surface
3) Hunt: Apply hypotheses and test vulnerabilities against the target surface
4) Validate: Run the seven-question gate and determine if findings warrant reporting
5) Capture: Redact sensitive information, sanitize evidence, and order findings for readability
6) Report: Draft the submission using platform templates or client-facing formats
At every turn, the right skill loads based on the task. The “red-team mindset” overlays the Hunt phase, ensuring consistent operator discipline while acknowledging the difference between external bug bounty work and authorized red-team testing.
Quick Start: Getting up to first hunt in minutes
Time to first hunt is typically within minutes for seasoned users, and around 25 minutes for newcomers who are installing from scratch.
Step 1 — Prerequisites (one-time)
- macOS or Linux: The shell scaffolding relies on POSIX compatibility
- Claude Code CLI: You need a Claude Code license or API access
- Python 3.9+: Required for the cbh CLI runner
- Git: For cloning the repository
- Optional: Burp Suite Pro/Community for HTTP-history capture
Step 2 — Install the bundle (two minutes)
- Create a workspace, clone the repo, and execute the installer
- The installer copies skills to ~/.claude/skills/ and commands to ~/.claude/commands/
- Adds a hunt.sh scaffold to your shell, enabling quick hunts
Step 3 — Verify install (30 seconds)
- Run hunt to verify it loads and prints usage
- Confirm 51 skills are installed (ls ~/.claude/skills/ | wc -l)
- Spot-check a few skills (e.g., hunt-xss, hunt-rce, m365-entra-attack, triage-validation)
Step 4 — Your first hunt
- Choose a target, such as HackerOne’s own vulnerability disclosure program
- Create an engagement folder (e.g., h1-vdp)
- Inside Claude Code, prompt Claude to walk through recon and establish scope
- Claude loads bb-methodology, triage-validation, offensive-osint, web2-recon, and related skills
- Confirm the engagement mode (bug-bounty vs red-team vs pentest) before mapping out commands
Step 5 — If you think you found something
- Use /triage to route the finding through the 7-Question Gate
- Provide plain-English context (e.g., “password-reset reveals user email for valid ID”)
- Claude returns a gate verdict: PASS, DOWNGRADE, KILL, or CHAIN REQUIRED
Step 6 — Submit when ready
- Use /report to trigger a template-driven write-up
- Claude generates a platform-ready report with the appropriate template (Bugcrowd, Intigriti, Immunefi, etc.)
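A shell check for Step 3, added here as an example and not part of the project's own installer or hunt.sh: it counts SKILL.md bundles under the skills directory, spot-checks the four skills named above, and counts command files. It assumes each slash command is one Markdown file under ~/.claude/commands/ (an assumption about the layout); both directories are passed as arguments so the check runs against any tree.

```shell
#!/usr/bin/env sh
# Added example: verify the install layout described in the Quick Start.
# Assumed layout: <skills_dir>/<skill-name>/SKILL.md for each skill and
# one Markdown file per slash command under <commands_dir>.

EXPECTED_SKILLS=51
EXPECTED_COMMANDS=15
# Skills the Quick Start suggests spot-checking after install
REQUIRED_SKILLS="hunt-xss hunt-rce m365-entra-attack triage-validation"

# count_skills DIR: number of skill folders that actually contain a SKILL.md
count_skills() {
    n=0
    for d in "$1"/*/; do
        [ -f "${d}SKILL.md" ] && n=$((n + 1))
    done
    echo "$n"
}

# count_commands DIR: number of command files (assumed: one .md per command)
count_commands() {
    n=0
    for f in "$1"/*.md; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# verify_install SKILLS_DIR COMMANDS_DIR: returns 0 when the layout is
# complete, 1 otherwise, printing every problem it finds.
verify_install() {
    skills_dir=$1; commands_dir=$2; status=0
    got=$(count_skills "$skills_dir")
    if [ "$got" -ne "$EXPECTED_SKILLS" ]; then
        echo "skills: expected $EXPECTED_SKILLS SKILL.md bundles, found $got"
        status=1
    fi
    for s in $REQUIRED_SKILLS; do
        if [ ! -f "$skills_dir/$s/SKILL.md" ]; then
            echo "missing skill: $s"
            status=1
        fi
    done
    got=$(count_commands "$commands_dir")
    if [ "$got" -ne "$EXPECTED_COMMANDS" ]; then
        echo "commands: expected $EXPECTED_COMMANDS command files, found $got"
        status=1
    fi
    return "$status"
}

# Stand-alone use against the default install location:
# verify_install "$HOME/.claude/skills" "$HOME/.claude/commands" && echo "install OK"
```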
Authorization and Posture
The bundle is designed for assets you own or for which you have written authorization to test. It uses triage-validation to explicitly confirm in-scope status and accepted-impact prior to submission. The Bugcrowd reporting templates include hygiene signals (Bugcrowd ninja alias, account-state restoration) to signal legitimate testing. The project explicitly excludes weaponizing 0-days against unauthorized targets, post-exploitation tooling, malware development, and mass-targeting of infrastructure, aligning with responsible disclosure practices.
Documentation and Resources
The Claude-BugHunter project ships with comprehensive docs to guide installation, workflow, and advanced usage:
- README.md: Overview and quick-start guidance
- INSTALL.md: Full setup, including Burp MCP integration and optional skill regeneration
- USAGE.md: Workflow walkthrough, decision tree, and worked engagement example
- docs/architecture.md: Six-phase architecture, skill-to-phase mapping, and engagement composition
- docs/cbh-cli.md: The cbh CLI reference and usage
- docs/cve-coverage.md: CISA KEV coverage snapshot
- docs/credits.md: Full attribution for original and vendored skills
- CONTRIBUTING.md: Contribution guidelines
- SECURITY.md: Authorized-use posture and boundaries
- LICENSE: MIT license
Why Claude-BugHunter exists
Bug-hunting toolchains often suffer from being too generic or too fragmented. Claude-BugHunter was born from real-world needs observed in authorized engagements that revealed several gaps in typical toolchains:
- Lack of hypothesis discipline leading to wasted effort
- Absence of per-program reporting tactics and inconsistent evidence hygiene
- Fragmented engagement coordination across folders, findings, and submission IDs
- A missing mid-engagement situational awareness mechanism for SOC patches and attacker activity
- The need for enterprise-platform attack chains to reflect current 2024–2026 CVE knowledge and platform-specific tradecraft
The solution is a cohesive, end-to-end operator framework that codifies patterns from 574+ disclosed HackerOne reports into 24 per-class skill forests, anchored by a robust 6-phase workflow and a disciplined gating system. The enterprise-platform and red-team layers address the realities of external red-team engagements against monitored enterprise environments, delivering a practical, scalable approach to testing and reporting.
Roadmap and Future Enhancements
Claude-BugHunter is an active project with a forward-looking plan:
- HackerOne MCP integration (current Burp MCP wiring)
- Per-engagement memory layer for pattern recall across targets
- Industry-specific hunt skills (e.g., fintech, healthcare, government)
- Program-rules-parser to auto-generate structured scope
- Refresh of hunt skills with newer disclosed reports via public-skills-builder
- Additional enterprise-platform skills (Citrix NetScaler, F5 BIG-IP, AD CS)
- Quarterly refresh of enterprise VPN CVE matrices for 2026 advisories
- Architecture SVG update to reflect the 7-skill enterprise-platform layer
- Documentation updates (CHANGELOG, CODEOFCONDUCT) aligned with Claude-OSINT layout
About the Author and Related Projects
Author: ElementalSoul (GenAI Security Research)
Sister project: Claude-OSINT (Recon-focused extension)
Vendored foundation: shuvonsec/claude-bug-bounty (core methodology, validation, reporting, payload library)
Generator tool: shuvonsec/public-skills-builder (scaffolding per-class skills from public disclosures)
Inspirations include top hunters and industry pattern libraries, such as Archangel, Trail of Bits, SecSkills, and related open-source efforts.
Images and Visuals
- Banner: The banner image introduces Claude-BugHunter and sets the visual tone for this engaging, combat-tested toolkit.
- Architecture: The architecture overview provides a three-layer stack view and an engagement pipeline. This image helps readers grasp how the skill modules, platform integrations, and engagement workflows fit together in practice.
Note on Visuals
In this narrative, two visuals are essential for comprehension:
- The banner to anchor the article’s theme
- The architecture overview to illustrate the system’s layering and integration
If you’re reading a rendered blog post, you’ll see these images in their respective places to reinforce the textual descriptions.
Closing: A Practical Provocation
“Give Claude the right skill and it stops being a chatbot. It becomes an operator.” Claude-BugHunter embodies this idea by combining a disciplined, data-driven workflow with the flexibility of a modern conversational AI. It mediates between human judgment and machine-assisted exploration, enabling bug hunters and red-team operators to work efficiently, ethically, and at scale. Whether you’re mapping external attack surfaces, validating vulnerability chains, or producing client-facing deliverables, this bundle aims to be the backbone of your external security engagements.
Key takeaways
- A cohesive set of 51 skills across six structured phases (Scope → Recon → Hunt → Validate → Capture → Report) with a dedicated Red Team overlay
- 24 per-class hunt patterns plus 574+ disclosed-report templates and chain templates
- Two interfaces: conversational slash commands (primary) and a deterministic CLI (secondary)
- Clear in-scope and out-of-scope definitions, with explicit authorization guidelines
- Rich documentation, ongoing roadmap, and a commitment to process hygiene and professional reporting
If you’re embarking on external testing or bug-bounty programs, Claude-BugHunter offers a robust, scalable, and pragmatic framework that aligns with real-world engagement practices. It provides the discipline and the practical rigor needed to transform a tool into an operator—without surrendering your control over scope, safety, and reporting quality.
Repository: https://github.com/elementalsouls/Claude-BugHunter