Launch pricing — Pro is $9 one-time. Price goes up when v1.1 ships. Grab it now →
v1.0 available now — free for Windows

The recon tool that
writes your HackerOne reports

Stop copy-pasting curl commands between Notepad and a terminal window.
Trapline runs them, flags the juicy output in real time, and generates the
full HackerOne report — CVSS vector, OWASP ref, impact statement — when you're done.

///  No account. No subscription. One price.  ///

TRAPLINE — recon deck (running)
$ subfinder -d target.com -silent | httpx -silent -sc -title -td -server
[200] admin.target.com [Admin Panel] [nginx/1.18.0]
[200] api.target.com [API Gateway] [Kong/3.4.0]
[301] staging.target.com https://staging.target.com
[200] dev.target.com [Dev Environment] [Apache/2.4.51]
● Kong version exposed
● Server banner: nginx/1.18.0
● Staging subdomain found
215 commands · 94 detection rules · 30 categories · 100% local — no cloud

Four steps from recon to report

No config files. No API keys. Open the app, pick your target, start hunting.

01
Pick a command

Browse 215 commands across 30 categories or search by keyword. Start with Quickfire for the highest-ROI tests on any new target.

02
Run it

Hit run. Output streams live in the terminal panel. Every line is checked against 94 detection rules as it arrives — no waiting for the command to finish.

03
Flags fire

Interesting output gets flagged automatically — ATO tokens, secrets, private IPs, CORS misconfigs — color-coded by severity before you finish reading.

04
Generate the report

Click the bug icon, fill in the program name, hit Generate. Complete HackerOne-ready report with CVSS vector, OWASP reference, and impact statement. Copy and paste.

Built from real findings, not tutorials

Every command in this playbook was added because it found something on a live program. No CTF fluff, no outdated OWASP demos — just the workflows that actually pay.

215 Battle-Tested Commands

Every command came from a real engagement. Quickfire fires the highest-ROI tests first — config.json sweep, CORS origin reflection, Kong portal UUID leak, idToken field scan. One of those four has paid out on every program I've tested seriously. 30 categories, live search, no fumbling through bookmarks.

Categories: Quickfire · IDOR · CORS · GraphQL · JWT · SSRF · AI/LLM · +23 more
Real-Time Flag Detection

94 patterns scan every output line as it prints. Not generic keyword matching — ATO token fields (idToken, access_token, oauth_token, auth_data), Stripe/Twilio/SendGrid keys, private IPs, MongoDB/Postgres connection strings, AWS ARNs. The kind of output most hunters scroll past gets lit up in red before you've finished reading the response.

Rule families: ATO tokens · Stripe keys · Private IPs · Private keys · GitHub secrets · Slack tokens
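How line-by-line flagging of this kind can work, as an added example: this is my code, not Trapline's, and its regexes, severities and sample output are assumptions constructed for illustration. It covers both the recon deck at the top of the page (banner versions and the staging host get flagged) and the secret, token and private-IP families listed in this section. Two details matter in practice: private IPs are validated with the ipaddress module rather than a bare regex, so public addresses and malformed octets are not flagged, and CORS origin reflection needs state across two headers of one response, so the scanner keeps it instead of matching keywords.

```python
"""Real-time output flagging. Added example, not Trapline's code; regexes are
my approximations of the rule families the page names, and SAMPLE_OUTPUT is
constructed, not captured from any real target."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flag:
    rule: str
    severity: str   # critical | high | medium | low
    match: str
    line: str


# (rule name, severity, pattern): single-line rules, one regex, one hit per line.
REGEX_RULES = [
    ("ATO token field", "critical",
     re.compile(r'"(?:idToken|access_token|oauth_token|auth_data)"\s*:\s*"[^"]{8,}"', re.I)),
    ("Stripe secret key", "critical", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b")),
    ("GitHub token", "critical", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b")),
    ("Private key block", "critical", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Slack token", "high", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b")),
    ("DB connection string", "high",
     re.compile(r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?)://[^\s\"']+", re.I)),
    ("AWS ARN", "medium", re.compile(r"\barn:aws:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:[^\s\"']+")),
    # httpx -server prints the banner in brackets, e.g. [nginx/1.18.0]
    ("Server banner with version", "low", re.compile(r"\[(?:nginx|apache|kong|iis)/[\d.]+\]", re.I)),
    ("Staging/dev host", "low", re.compile(r"\b(?:staging|dev|uat)\.[a-z0-9.-]+\.[a-z]{2,}\b", re.I)),
]
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HTTP_HEADER = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*):\s*(.+?)\s*$")
ANSI = {"critical": "\x1b[1;31m", "high": "\x1b[31m", "medium": "\x1b[33m", "low": "\x1b[36m"}


class LineScanner:
    """Feed each output line as it arrives; flags come back at once, so nothing
    waits for the command to finish."""

    def __init__(self, probe_origin: Optional[str] = None):
        self.probe_origin = probe_origin   # Origin header sent in the curl PoC (assumed input)
        self._acao_reflected = False       # state for the two-header CORS rule
        self._acac_true = False
        self._cors_reported = False

    def scan(self, line: str) -> List[Flag]:
        flags: List[Flag] = []
        for name, sev, pat in REGEX_RULES:
            m = pat.search(line)
            if m:
                flags.append(Flag(name, sev, m.group(0), line))
        # The regex only proposes candidates; ipaddress decides, so 1.1.1.1 is
        # ignored and 999.1.2.3 is rejected as malformed.
        for cand in IPV4_CANDIDATE.findall(line):
            try:
                if ipaddress.ip_address(cand).is_private:
                    flags.append(Flag("Private IP", "medium", cand, line))
            except ValueError:
                pass
        # CORS: reflected attacker origin is high; with credentials allowed it is critical.
        h = HTTP_HEADER.match(line)
        if h and self.probe_origin:
            hname, hval = h.group(1).lower(), h.group(2)
            if hname == "access-control-allow-origin" and hval == self.probe_origin:
                self._acao_reflected = True
                flags.append(Flag("CORS origin reflection", "high", hval, line))
            elif hname == "access-control-allow-credentials" and hval.lower() == "true":
                self._acac_true = True
            if self._acao_reflected and self._acac_true and not self._cors_reported:
                self._cors_reported = True
                flags.append(Flag("CORS reflection with credentials", "critical", self.probe_origin, line))
        return flags


def colorize(flag: Flag) -> str:
    """Colour-code a flag by severity for the terminal panel."""
    return f"{ANSI[flag.severity]}[{flag.severity.upper()}] {flag.rule}: {flag.match}\x1b[0m"


# Constructed sample: httpx output, then a curl -i response, then two JSON bodies.
SAMPLE_OUTPUT = [
    "[200] admin.target.com [Admin Panel] [nginx/1.18.0]",
    "[200] api.target.com [API Gateway] [Kong/3.4.0]",
    "[301] staging.target.com https://staging.target.com",
    "HTTP/1.1 200 OK",
    "Access-Control-Allow-Origin: https://evil.example",
    "Access-Control-Allow-Credentials: true",
    '{"user":"a","idToken":"eyJhbGciOiJSUzI1NiJ9.constructed-sample-token"}',
    '{"db":"mongodb://app:hunter2@10.0.3.14:27017/prod"}',
    "resolved 1.1.1.1 and 192.168.1.10",
    "nothing interesting here",
]


def scan_sample(probe_origin: str = "https://evil.example") -> List[Flag]:
    scanner = LineScanner(probe_origin)
    return [f for line in SAMPLE_OUTPUT for f in scanner.scan(line)]


if __name__ == "__main__":
    for f in scan_sample():
        print(colorize(f))
```

Running it prints nine flags for the ten sample lines; the two critical ones are the CORS reflection-with-credentials pair and the idToken field, and the 1.1.1.1 address on the ninth line is correctly left alone.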
Never Lose a Finding

Every hunter has lost a finding to a closed browser tab. Click 🐛 on any output card — title, severity, program, endpoint, PoC curl, impact, remediation. Everything persists to a local JSON file between sessions. No cloud sync, no account, no third party touching your draft reports. Your loot stays yours.

Local JSON · Session persistence · CVSS scoring · Status tracking
One-Click HackerOne Reports

Hit Generate Report on any tracked finding. You get the exact HackerOne template: CVSS:3.1 vector + numeric score auto-calculated from your severity, OWASP reference matched from the title keywords, impact statement with the business-risk formula triagers actually reward. Copy to clipboard and paste. The part that takes most hunters 30 minutes takes 10 seconds.

Auto CVSS · OWASP ref · HackerOne template · Bugcrowd template

From finding to report in seconds

Capture the output, fill a few fields, hit generate. The hard part is already done.

Finding Editor
Fields: Title · Severity (🟠 High) · Status · Program · Evidence (PoC)

Generated Report
TITLE: IDOR in /api/v1/users/{id} allows horizontal privilege escalation
SEVERITY: High
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Score: 6.5
SUMMARY: The /api/v1/users endpoint fails to enforce object-level authorization. Authenticated users can access any user record by incrementing the user ID parameter.
STEPS TO REPRODUCE:
1. Log in as user A (id: 123)
2. Send GET /api/v1/users/124
3. Response returns victim's PII...
IMPACT: An authenticated attacker can exfiltrate PII (SSN, account balance) for any user by iterating IDs, exposing LPL to GDPR/FINRA liability...

Start hunting today

Free gets you the full tool on Windows. Pro unlocks every platform and every future update — for less than a coffee.

Free
$0 · Windows .exe · direct download
  • All 215 commands
  • 94 real-time detection rules
  • Finding tracker
  • Report generator
  • Discord webhook
  • Session persistence
  • Windows .exe
  • macOS & Linux: Pro only
  • Future updates: Pro only
Download Free
Pro
$9
one-time · all platforms
  • Everything in Free
  • Windows MSI installer
  • macOS (.dmg)
  • Linux (.AppImage / .deb)
  • Future updates included
  • Priority support
Get Pro — $9 →

One-time payment. No subscription. No account required.

Common questions

Is this legal to use?
Yes. Trapline runs standard recon tools (subfinder, httpx, curl) that every bug bounty hunter uses. The app itself doesn't exploit anything; it runs the commands you pick, organizes your workflow, and flags interesting output. As with any other tool, you're responsible for staying inside the scope and rules of the programs you test.
What tools do I need installed?
The app has a built-in tool checker that shows exactly what's installed and what's missing, with the install command for each one. curl ships with Windows 10 (version 1803 and later) and Windows 11. Everything else — subfinder, httpx, nuclei, ffuf — installs with a single go install command each.
Does my data leave my machine?
No. Your findings, reports, and session data are stored in a local JSON file on your machine, and nothing is sent to any server. The only outbound connections are the recon commands you choose to run against your targets, plus the Discord webhook if you enable it.
Does it work on Mac and Linux?
The free version is Windows only. Pro ($9 one-time) includes the macOS and Linux builds. Both are available immediately after purchase — no waiting list.
I'm a beginner — is this for me?
Yes. The Quickfire category gives you the 11 highest-ROI tests to run on any new target, in order. You don't need to know what command to run next — the playbook tells you. Every command has a description explaining what it finds and why it matters.
What's the difference between Free and Pro?
Free is the full tool — every command, every detection rule, the finding tracker, the report generator — on Windows. Pro is $9 one-time and adds the macOS build, Linux build, Windows MSI installer, and every future update. No subscription, ever.
"I've submitted findings on LPL Financial, Priceline, Dyson, Inspectorio, and a handful of others. The grind is always the same — you find something real, then spend the next 45 minutes formatting the same report template for the fifth time that week. CVSS vector. OWASP reference. Impact statement worded so the triager actually understands the blast radius. The Quickfire category alone has surfaced idToken leaks and IDOR leads on three separate programs just from the config.json sweep. I stopped building Trapline as a tool and started building it as the workflow I actually follow on every engagement. If you've ever closed a browser tab and lost a finding — you already know why this exists."