hugin / teams

● anonymous by default · end-to-end encrypted

One tool your whole team can share — without giving up control.

Live, end-to-end-encrypted collaboration on proxy flows, findings and scope. The relay only ever sees ciphertext. Capabilities are default-deny and revocable live — you grant exactly what each peer sees. A governed org layer (SSO, signed audit, central revocation) is on the roadmap.

E2E ChaCha20-Poly1305 · 0 content the relay sees · caps default-deny, per peer · Ed25519 signed envelopes

// 01

Built for teams

shared, not leaky

Live collaboration

Share flows, findings, scope and Repeater tabs in real time. End-to-end encrypted — the relay routes ciphertext, never plaintext.

Capability sharing

Grant exactly what each peer sees — Flows, Findings, Scope, Chat, Repeater — per session. Default-deny, revocable live.

Anonymous by default

No email, no seats database. Identity is a numbered account — we store a one-way hash, never the number.

Org-governed mode · roadmap

Planned: flip a workspace into governed mode and add SSO identity, named participants, a signed audit trail, central revocation and DLP policy — without the relay ever reading content. Anonymous mode stays exactly as it is today.

Signed audit trail · roadmap

Planned for governed clients: a hash-chained, signed log — who joined, what class of data moved — exported to your sink or SIEM. Metadata, not payloads: compliance without breaking E2E.

One binary

Same single Rust binary, no Electron, no runtime. MDM-push it and go.

// 02

The shared session

real UI · real capabilities

This is the actual interface — the same design system that ships in the binary. A live session: named participants, the exact capabilities each peer holds on your data, and the event feed. Switch the theme; it re-resolves through tokens.

HUGIN · shared session
🔒 E2E · acme-redteam · Pro · 4 participants · 9 findings shared

Session · acme-redteam · E2E

Session event feed
You shared 3 Findings to the session · findings
M. Okafor joined the session · join
ext-pentest joined · chat only · caps
R. Singh annotated /auth/login · note
You revoked Flows from R. Singh · cap
invite revealed · one-time · 10m TTL · invite

Shared flows · HTTP history · Live
#   Method   Path                      Host                Status   Size
1   POST     /auth/login               auth.acme.io        302      0 B
2   GET      /api/v2/users?sort=id     api.acme.internal   200      18 KB
3   DEL      /sessions/4f9c            auth.acme.io        403      311 B
4   GET      /api/v2/scope             api.acme.internal   429      88 B
5   POST     /graphql                  api.acme.internal   200      6.1 KB

every participant, capability and event above is the real component set · capabilities are default-deny and revocable live; the relay only ever sees ciphertext

// 03

Governance

on the roadmap · designed, not yet shipped

This is the planned opt-in org layer — none of it is shipped yet. Every control below is designed to sit on top of end-to-end encryption, so the relay still never reads your content. Anonymous, E2E collaboration is what ships today; turn governance on later and the anonymous product stays unchanged.

planned

SSO identity

Enrol members through your IdP (OIDC) and MDM. Each client gets an org-signed member certificate binding a real identity to its signing key.

planned

Named participants

Sessions resolve to real people, not anonymous tags. Optional knock-to-join: the owner approves each member before the session key is handed out.

planned

Signed audit log

A hash-chained, client-signed log of governance events exported to your sink or SIEM. Metadata only — who did what with which class of data — so E2E holds.

planned

Central revocation

A signed CRL ejects a revoked member from live sessions and blocks new joins. SCIM de-provision flows straight through to a kill-switch.

planned

DLP policy

Org-pushed hard caps: members may never grant Scope or Findings to an external peer. Effective caps = peer-negotiated ∩ org policy, enforced at the edge.

planned

Retention & escrow

Need payloads for compliance? Add an explicit org escrow key as an additional AEAD recipient — visible to participants, off by default.
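
The capability model described above, as an added example that is not hugin's own code: per-peer grants that are default-deny and revocable, with the planned DLP rule applied as effective caps = peer-negotiated ∩ org policy. The names `Caps`, `OrgPolicy`, `Session` and `dlp_policy`, the bit layout and the peer names are assumptions made for illustration.

```rust
// Added illustration: every name here is hypothetical, not hugin's API.
use std::collections::HashMap;
/// The five capability classes named on this page, as bit flags.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Caps(u8);
impl Caps {
    pub const NONE: Caps = Caps(0);
    pub const FLOWS: Caps = Caps(1);
    pub const FINDINGS: Caps = Caps(1 << 1);
    pub const SCOPE: Caps = Caps(1 << 2);
    pub const CHAT: Caps = Caps(1 << 3);
    pub const REPEATER: Caps = Caps(1 << 4);
    pub const ALL: Caps = Caps(0b1_1111);
    pub fn union(self, o: Caps) -> Caps { Caps(self.0 | o.0) }
    pub fn intersect(self, o: Caps) -> Caps { Caps(self.0 & o.0) }
    pub fn without(self, o: Caps) -> Caps { Caps(self.0 & !o.0) }
}
/// Assumed policy shape: a hard ceiling per peer kind.
pub struct OrgPolicy { pub member_max: Caps, pub external_max: Caps }
/// The page's DLP rule: external peers may never hold Scope or Findings.
pub fn dlp_policy() -> OrgPolicy {
    let banned = Caps::SCOPE.union(Caps::FINDINGS);
    OrgPolicy { member_max: Caps::ALL, external_max: Caps::ALL.without(banned) }
}
/// Per-session grant table: peer -> (granted caps, is_external).
#[derive(Default)]
pub struct Session { grants: HashMap<String, (Caps, bool)> }
impl Session {
    pub fn grant(&mut self, peer: &str, external: bool, caps: Caps) {
        let e = self.grants.entry(peer.to_string()).or_insert((Caps::NONE, external));
        e.0 = e.0.union(caps);
        e.1 |= external; // fail closed: once marked external, stays external
    }
    pub fn revoke(&mut self, peer: &str, caps: Caps) {
        if let Some(e) = self.grants.get_mut(peer) { e.0 = e.0.without(caps); }
    }
    /// Effective caps = peer-negotiated ∩ org policy; unknown peers get NONE.
    pub fn effective(&self, peer: &str, policy: &OrgPolicy) -> Caps {
        match self.grants.get(peer) {
            None => Caps::NONE, // default-deny
            Some(&(g, ext)) => g.intersect(if ext { policy.external_max } else { policy.member_max }),
        }
    }
}
fn main() {
    let (mut s, p) = (Session::default(), dlp_policy());
    s.grant("ext-pentest", true, Caps::CHAT.union(Caps::FINDINGS)); // constructed peer, over-granted
    println!("{:?}", s.effective("ext-pentest", &p)); // Findings is capped away by policy
}
```

Because the policy ceiling is applied at read time rather than at grant time, an over-broad grant to an external peer never becomes effective, and tightening the policy later takes effect without touching the grant table.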

// 04

Security model

measured, not vibes

transport: ChaCha20-Poly1305 E2E
relay sees: ciphertext only
envelopes: Ed25519-signed
identity: one-way hash, ~75-bit
capabilities: default-deny
rekey: every 100k msgs
licence: Ed25519, pro-gated
session key: out-of-band
caps: revocable live

the account number is base-32 with a check symbol; the server stores only its SHA-256 — your identity is never brute-forceable from what we keep

// 05

Team pricing

no seats math · no "contact sales"

€7 / month

flat — collaboration is in Pro · no per-seat, no "contact sales" · prepaid, no auto-renewal · cancel anytime


End-to-end encrypted by default. Capabilities you control. Same single Rust binary.