About Hugin
An intercepting proxy and vulnerability scanner for web application penetration testing.
What Hugin is
Hugin is a single Rust binary that runs locally on macOS or Linux. It ships an MITM proxy, an active and passive vulnerability scanner, an intruder, a repeater, a sequencer, a decoder, and an MCP server for AI-driven workflows. The Community tier is free; Pro adds the offensive module bundle, the race-condition engine, WASM modules, Lua extensions, and team collaboration.
Design principles
Local-first
All intercepted traffic, scan results, findings, repeater history, and project files are stored in a local SQLite database. That database holds everything the proxy saw, including any session cookies and credentials captured from the target, so protect it the way you would any other engagement evidence (file permissions, disk encryption, deletion at the end of the engagement). The Community tier runs fully offline; the Pro tier contacts the license server once every 24 hours and otherwise stays local. There is no telemetry, no analytics, and no crash reporting.
Anonymous by default
Community needs no account. Pro accounts are random IDs in the format HGN-XXXXXXXX-XXXXXXXX-XXXXXXXX. The ID is the only credential: no email, no password, and no recovery flow, so an ID that is lost cannot be restored. Server-side we store only a SHA-256 hash of the account ID, never the ID itself; because the ID is long and random, the hash cannot be inverted, and a leaked account table yields no usable IDs.
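The following is an added illustration of the hash-only account storage described above; it is not Hugin's code (the page does not publish the license server), and it assumes an ID alphabet of upper-case letters and digits, which the page does not state. It shows why an unsalted hash is enough here, and that the raw ID never needs to be kept server-side:

```python
import hashlib
import re
import secrets
import string

# Assumed alphabet: the page only shows the shape HGN-XXXXXXXX-XXXXXXXX-XXXXXXXX.
# Three groups of 8 symbols over 36 symbols is about 124 bits of entropy, which
# is why a plain SHA-256 (no salt, no password KDF) is sufficient: nobody can
# enumerate the preimage space the way they can with human-chosen passwords.
ALPHABET = string.ascii_uppercase + string.digits
ID_RE = re.compile(r"^HGN-[A-Z0-9]{8}-[A-Z0-9]{8}-[A-Z0-9]{8}$")


def new_account_id() -> str:
    """Generate a fresh account ID from the OS CSPRNG (hypothetical helper)."""
    groups = ["".join(secrets.choice(ALPHABET) for _ in range(8)) for _ in range(3)]
    return "HGN-" + "-".join(groups)


def id_digest(account_id: str) -> str:
    """The only thing the server ever stores for an account."""
    return hashlib.sha256(account_id.encode("ascii")).hexdigest()


class LicenseServer:
    """Hypothetical server-side table keyed by digest, never by raw ID."""

    def __init__(self) -> None:
        self._expiry_by_digest: dict[str, int] = {}

    def register(self, account_id: str, expires: int) -> None:
        # Store the digest and the prepaid expiry (Unix time); discard the ID.
        self._expiry_by_digest[id_digest(account_id)] = expires

    def check(self, account_id: str, now: int) -> bool:
        """The periodic license check: look up by digest, compare expiry."""
        if not ID_RE.match(account_id):
            return False
        expiry = self._expiry_by_digest.get(id_digest(account_id))
        return expiry is not None and now < expiry

    def stored_records(self) -> list[str]:
        """What an attacker would get from a dump of this table: digests only."""
        return list(self._expiry_by_digest)


if __name__ == "__main__":
    server = LicenseServer()
    acct = new_account_id()
    server.register(acct, expires=2_000_000_000)
    print(acct, server.check(acct, now=1_700_000_000))
    print(server.stored_records())
```

Two points the snippet makes concrete. First, verification is a dictionary lookup by digest rather than a comparison against a stored secret, so there is no timing side channel to worry about. Second, the hash only protects the record at rest: the raw ID still travels to the license server on every check, so the transport has to protect it, and the client must keep it as carefully as a password.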
Native runtime
Hugin is a native Rust binary. No JVM, no Electron, no Docker. It starts in under a second and runs on hardware that would struggle with a JVM-based proxy. Burp Suite Professional, the closest comparable tool, starts at $499/year per seat.
AI as a first-class client
Hugin exposes its full surface — proxy, scanner, intruder, decoder, crawler, OOB — through 134 Model Context Protocol tools. Claude Code, Cursor, Windsurf, and any other MCP-compatible agent can drive the tool natively. This is built into the binary, not a separate process or plugin.
Pricing model
Community is free and has no time limit. Pro is a flat 5 EUR per month, prepaid; there is no auto-renewal and no per-seat or per-user-class pricing. Verified students with a GitHub Student Developer Pack get 12 months of Pro at no cost — see the students page.
Who builds Hugin
Hugin is built by working bug bounty researchers and penetration testers. We use the tool ourselves on HackerOne, YesWeHack, Bugcrowd, and private engagements. The Pro tier funds continued development; the Community tier remains free.