DISCLAIMER: Many thanks to the Hacktron team for providing their hacker guide to us. Much of the material in this HackPack is adapted from that document.
Hacktron is a cutting-edge AI-powered security platform that brings continuous security scanning and vulnerability detection to both enterprises and individual developers. With the rise of AI-assisted coding, ensuring code security has become more critical than ever.
Hacktron offers two distinct products:
- Enterprise Platform: Continuous security scanning for organisations that need automated, ongoing security monitoring
- Hacktron CLI: A powerful command-line tool designed for security researchers and developers - think of it as "Claude Code for hackers"
The Hacktron CLI is particularly relevant in the era of AI-generated code. As more developers rely on AI coding assistants ("vibe coding"), the importance of verifying that deployed code is free from vulnerabilities has never been greater.
Hacktron is offering IC Hack 2026 participants 1 month of Hacktron Pro for free!
-
Create your Hacktron account at https://hacktron.ai
-
Follow the Quickstart Guide to set up the CLI
-
At checkout, redeem this coupon code:
ICHACK26-easiest-utmost-perjurer
-
Enjoy Hacktron Pro with higher usage limits throughout the hackathon!
The Pro account provides significantly higher usage limits, giving you plenty of capacity to build and test your skills throughout IC Hack 2026.
Hacktron CLI is an AI-powered security testing tool that helps you identify vulnerabilities in your codebase. Here are some powerful use cases:
Run Hacktron on any codebase - whether you're actively developing it or inheriting legacy code - to identify common security issues:
- SQL injection vulnerabilities
- Cross-Site Scripting (XSS) weaknesses
- Insecure Direct Object References (IDOR)
- Authentication and authorisation flaws
- Cryptographic vulnerabilities
- API security issues
Examples:
- Building a web app with user authentication? Hacktron automatically detects if your session management has weaknesses or if sensitive data is being exposed.
- Inherited a Node.js API from another team? Use Hacktron to scan for vulnerabilities and generate a prioritised fix list based on severity.
Before committing code or creating a pull request, use Hacktron to:
- Verify that your AI-generated code doesn't contain security flaws
- Check third-party dependencies for known vulnerabilities
- Ensure secure coding practices are followed
Example: After using Copilot to generate database queries, run Hacktron to ensure they're properly parameterised and safe from SQL injection.
Hacktron is an educational tool that helps you:
- Understand why certain code patterns are vulnerable
- Learn secure alternatives to risky implementations
- Build security awareness as you develop
Example: Write intentionally vulnerable code as a learning exercise, then use Hacktron to identify the issues and understand the proper fixes.
Perfect for Capture The Flag competitions:
- Identify potential attack vectors in challenge applications
- Analyse web applications for exploitable vulnerabilities
- Practice penetration testing skills in a controlled environment
Example: Competing in a web security CTF? Use Hacktron to enumerate vulnerabilities and find the path to capture flags.
For this IC Hack challenge, you'll work on Hacktron Skills - modular, open-source extensions that enhance Hacktron's capabilities.
Hacktron Skills are specialised extensions that provide:
- Domain-specific security instructions
- Custom scripts and tools
- Reference materials for complex security tasks
- Integration with security testing workflows
Each skill follows the Agent Skills specification, making them portable and standardised.
Hacktron Skills work best with environments - containerised applications that can be tested for vulnerabilities. If you're unfamiliar with containerisation, check out our HackPack on Docker!
Once you are, setting up an environment is fairly straightforward:
- Dockerise your application so it can be spun up with
docker-compose up -d - Define an objective through a hidden flag (a piece of text that can only be accessed when the objective is met)
Example Objectives:
- Hide a flag in a user's account to test for IDOR issues
- Hide a flag in the database to test for SQL injection
- Hide a flag in the filesystem to test for remote code execution
Check out this example environment for reference.
Skills must be located in the ~/.hacktron/skills/ directory on your machine for security reasons (skills can execute arbitrary commands).
Verify Hacktron detects your skill:
hacktron skills listHere are some project ideas to get you started:
- Skill: Makes obfuscated or compiled code readable for security analysis
- Fetches and beautifies minified JavaScript from URLs (webpack, React bundles, etc.)
- Decompiles Electron applications or Android APKs
- Performs source-to-sink analysis to identify vulnerabilities
- Use cases:
- Analysing production web apps where source code isn't available
- Security auditing of mobile and desktop applications
- Client-side XSS vulnerability detection
- Skill: Parses JSON or SARIF output from security scanners (like Semgrep)
- Validates findings through static analysis and dynamic testing
- Use case: Reducing false positives from automated security tools
- Skill: Generates framework-specific exploit payloads (Django, Express, Flask, etc.)
- Use case: Testing web applications built with specific frameworks
...or anything else you think would be valuable to the security community!
- Hacktron Documentation
- Hacktron CLI Quickstart
- Agent Skills Specification
- Hacktron Skills Repository
- Trail of Bits Skills (compatible with Hacktron)
- Hacktron Dynamic Agent Discovery
Once you've built your skill, contribute it back to the community:
- Test your skill thoroughly with Hacktron
- Document your skill with clear usage instructions
- Raise a pull request to the Hacktron skills repository
Your contribution could help security researchers and developers worldwide!
- Check the Hacktron documentation
- Review existing skills in the skills repository for examples
- Ask the Hacktron team at the hackathon
Good luck, and happy hacking! 🔒