The story behind the world's most advanced bug bounty pipeline.
Bug bounty hunting has exploded in complexity. Modern web applications span dozens of microservices, third-party identity providers, GraphQL APIs, cloud infrastructure, and CI/CD pipelines. A single bug bounty program can present hundreds of thousands of attack surface points.
Hunters face a fundamental asymmetry: the defender only needs to miss one vulnerability once, but the attacker must find every possible entry point. Manual testing at scale is unsustainable. Automated scanners produce noise, not findings. Most tools operate in isolation — they can't chain vulnerabilities, reason about business logic, or adapt to novel attack patterns.
Dristi was built to close this gap.
Dristi is built on three principles:
Specialization over generalization. A single agent that deeply understands XSS — with patterns curated from BugBoard's disclosed H1 database (10K+ reports) — will always outperform a one-size-fits-all approach. Each agent has domain-specific knowledge, payload libraries, and exploit techniques curated for its class.
Pipeline over point solutions. Vulnerability discovery isn't a single step. It's reconnaissance, surface analysis, targeted hunting, exploitation, validation, and reporting — each feeding into the next. Dristi's 12-phase pipeline ensures no finding is orphaned and no attack chain goes undiscovered.
Security-first architecture. Every agent definition, every prompt, every exploit technique is built on real-world hunting experience. No vendor lock-in. No telemetry. Your data stays yours.
No API lock-in. Dristi works with free models out of the box. Need more power? Bring your own API key — Anthropic, OpenAI, Google, GitHub Copilot — or run fully local with Ollama. You choose the model, you control the cost.
The OWASP Web Security Testing Guide is the industry standard for web application security testing. It covers 12 categories with 96+ individual test cases — from information gathering through client-side testing. Dristi maps every agent to specific WSTG tests, ensuring methodologically complete coverage.
This isn't about ticking boxes. WSTG provides the structure; Dristi provides the automation and reasoning. Tests that require human intuition — business logic flaws, chained attacks, context-aware exploitation — are now automatable through autonomous agents.
Dristi is built on four integrated layers:
Knowledge layer — WSTG v4.2 (96 tests, 12 categories), PortSwigger technique guides, payload libraries, WAF fingerprints, and exploit references curated from BugBoard's disclosed H1 database (10K+ reports).
Engagement layer — SQLite-backed findings database, scope registration, test tracking, phase gates, QA review checkpoints, and automated report generation. Every finding, test, and tool run is tracked.
Agent layer — 87 AI-assisted OpenCode agents: 15 pipeline agents, 54 @hunt-* agents per vulnerability class, 8 specialty agents, and 10 supporting agents. Each agent auto-loads when you describe what you're testing.
Execution layer — Burp Suite MCP for HTTP request execution and recording, Playwright for browser automation, and a WSTG MCP server providing 86 structured methodology tools.
Every engagement follows a structured pipeline with automated phase gates:
| Phase | Name | Agent | Key Activities |
|---|---|---|---|
| 1 | Scope | @scope | Engagement config, scope registration, auth setup, task tree creation |
| 2 | Auth | @auth | Authenticate to target, capture tokens/cookies, detect WAF vendor |
| 3 | Intel | @pintel / @osint | Passive OSINT, WHOIS, M365/Azure check, cloud bucket enumeration, SPF/DMARC spoof check |
| 4 | Recon | @recon | Subdomain enumeration, DNS, crawling, parameter extraction, nuclei scanning, secret hunting |
| 5 | Surface | @surface | Attack surface analysis, endpoint classification (T0/T1/T2), risk-scored queue |
| 6 | Hunt | @hunt | Test all 25 vulnerability classes via 54 @hunt-* sub-agents dispatched per surface analysis |
| 7 | DeepThink | @deepthink | (conditional) First-principles gap analysis when hunt yields zero findings |
| 8 | Exploit | @exploit | 5-tier exploitation: confirm → impact → OOB → WAF bypass → attack chains |
| 9 | Search | @search | (conditional) Research current CVEs, bypass techniques, disclosed reports via 13 resources |
| 10 | Capture | @capture | Evidence collection, screenshots, HAR sanitization, cookie/PII redaction |
| 11 | Validate | @validate | Re-validate PoCs, 7-Question Gate, PASS/KILL/DOWNGRADE/CHAIN verdicts |
| 12 | Report | @report | Coverage check, phase gate validation, platform-specific report generation |
Phase gates ensure quality at every transition. Each gate checks test coverage, tool coverage, and finding integrity before allowing the next phase to proceed. In autopilot mode, gates are automatic; in consult mode, gates pause for human approval.
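One way a gate of the kind described above could be evaluated against a SQLite engagement database, as an added example that is not Dristi's own code. The schema, the status values, the `crawler` tool name and the `check_gate` function are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema: the page only says findings, tests and tool runs are tracked.
SCHEMA = """
CREATE TABLE tests (phase TEXT, test_id TEXT, status TEXT);
CREATE TABLE tool_runs (phase TEXT, tool TEXT, exit_ok INTEGER);
CREATE TABLE findings (id INTEGER PRIMARY KEY, phase TEXT, title TEXT, evidence TEXT);
"""

def check_gate(db, phase, required_tools, mode="autopilot", approve=None):
    """Return (allowed, reasons) for leaving `phase`."""
    reasons = []
    # Test coverage: every planned test is done or explicitly marked not applicable.
    pending = db.execute(
        "SELECT test_id FROM tests WHERE phase=? AND status NOT IN ('done','n/a') "
        "ORDER BY test_id", (phase,)).fetchall()
    if pending:
        reasons.append("untested: " + ", ".join(r[0] for r in pending))
    # Tool coverage: every required tool has at least one successful run.
    ran = {r[0] for r in db.execute(
        "SELECT tool FROM tool_runs WHERE phase=? AND exit_ok=1", (phase,))}
    missing = sorted(set(required_tools) - ran)
    if missing:
        reasons.append("tools not run: " + ", ".join(missing))
    # Finding integrity: a finding with no recorded evidence blocks the gate.
    bare = db.execute(
        "SELECT id FROM findings WHERE phase=? AND COALESCE(evidence,'')='' "
        "ORDER BY id", (phase,)).fetchall()
    if bare:
        reasons.append("findings without evidence: " + ", ".join(str(r[0]) for r in bare))
    if reasons:
        return False, reasons
    # Consult mode: a clean gate still waits for a human decision.
    if mode == "consult" and not (approve and approve(phase)):
        return False, ["awaiting human approval"]
    return True, []

def demo_db():
    """Constructed sample engagement data for the recon phase."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO tests VALUES ('recon', ?, ?)",
                   [("WSTG-INFO-01", "done"), ("WSTG-INFO-02", "pending")])
    db.execute("INSERT INTO tool_runs VALUES ('recon', 'nuclei', 1)")
    db.execute("INSERT INTO findings (phase, title, evidence) "
               "VALUES ('recon', 'Exposed .git directory', '')")
    return db
```

The gate returns every failing reason at once, so an operator in consult mode sees the full list of gaps before deciding whether to approve.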
Pipeline agents (16) — Orchestrate the full engagement lifecycle. From scope intake and authentication through recon, hunting, exploitation, validation, and report generation. Includes browser-auth for automated Playwright-based login.
Hunt agents (54) — One agent per vulnerability class. XSS, SQLi, SSRF, RCE, IDOR, ATO, SSTI, CSRF, CORS, JWT, GraphQL, XXE, race conditions, HTTP smuggling, deserialization, subdomain takeover, prototype pollution, and more. Each has deep domain expertise, payload libraries, and bypass techniques.
Specialty agents (8) — Enterprise-grade attack chains for cloud IAM (AWS/Azure/GCP), M365/Entra ID, Okta, enterprise VPNs, Android APK assessment, supply chain security, OSINT, and meme coin audits.
Supporting agents (10) — Methodology guides, report writers, red-team ops, evidence hygiene, triage validation, bug bounty strategy, and reconnaissance specialists.
validate_poc() catches false positives before they enter the database.
find_chains() runs after each finding to build attack paths.
Dristi was built by @manojxshrestha — Penetration Tester & Bug Bounty Hunter.