v1.0 — free for Windows · Pro adds Watch

The recon tool that writes your HackerOne reports

Stop copy-pasting curl commands between Notepad and a terminal window. Trapline runs them, flags juicy output in real time, and generates the full HackerOne report when you're done — CVSS vector, OWASP ref, impact statement.

///   No account. No subscription. One price.   ///

[Recon deck screenshot: live terminal (exit 0 in 0.8s); animated counters for commands, detection rules and categories; 100% local, no cloud]
How It Works

Four steps from recon to report

No config files. No API keys. Open the app, pick your target, start hunting.

01
Pick a command

Browse 215 commands across 30 categories or search by keyword. Start with Quickfire for the highest-ROI tests on any new target.

02
Run it

Hit run. Output streams live. Every line scans against 94 detection rules as it arrives — no waiting for the command to finish.

03
Flags fire

ATO tokens, secrets, private IPs, CORS misconfigs — color-coded by severity and flagged in real time before you finish reading.

04
Generate the report

Click the bug icon, fill in the program name, hit Generate. Complete HackerOne-ready report with CVSS vector, OWASP reference, and impact statement.

Quickfire — highest ROI tests
$ subfinder -d target.com -silent | httpx -silent -sc -title -td -server
$ curl -s https://target.com/config.json | jq .
$ curl -s -I -H "Origin: https://evil.com" https://api.target.com/v1/user
$ curl -s https://api.target.com/api/v3/portal
$ waybackurls target.com | grep -E "api_key|token|secret|password"

Five of the eleven Quickfire tests — the config.json sweep alone has surfaced findings on three separate programs.

Features

Built from real findings, not tutorials

Every command was added because it found something on a live program. No CTF fluff — just the workflows that actually pay.

215 Battle-Tested Commands

Every command came from a real engagement. Quickfire fires the highest-ROI tests first — config.json sweep, CORS origin reflection, Kong portal UUID leak, idToken field scan. One of those four has paid out on every program I've tested seriously. 30 categories, live search.

Quickfire · IDOR · CORS · GraphQL · JWT · SSRF · AI/LLM · +23 more
Real-Time Flag Detection

94 patterns scan every output line as it prints — not generic keyword matching. ATO token fields (idToken, access_token, oauth_token), Stripe/Twilio/SendGrid keys, private IPs, MongoDB connection strings, AWS ARNs. The output most hunters scroll past gets lit up in red before you've finished reading.

ATO tokens · API secrets · Private IPs · AWS keys · CORS · Stack traces
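How a rule set like the one described above runs over output as it streams, as an added example that is not Trapline's own rules (the page does not publish them): a handful of illustrative regexes for the categories listed, plus one stateful check for CORS reflection, applied line by line to constructed sample output. Every key, host and token in the sample is made up, and the sent Origin value is an assumption.

```javascript
// Added example, not Trapline's rule set: a line-by-line flag scanner in the
// spirit of the real-time detection the page describes. Patterns, severities
// and the sample output are illustrative and constructed.

// Stateless rules: one regex per output line is enough for these.
const RULES = [
  { name: "ATO token field", severity: "high",
    re: /\b(idToken|id_token|access_token|oauth_token|refresh_token)\b"?\s*[:=]\s*"?[A-Za-z0-9._-]{16,}/ },
  { name: "Stripe secret key", severity: "critical", re: /\bsk_(live|test)_[A-Za-z0-9]{16,}\b/ },
  { name: "Twilio account SID", severity: "high", re: /\bAC[0-9a-fA-F]{32}\b/ },
  { name: "SendGrid API key", severity: "critical",
    re: /\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}\b/ },
  { name: "AWS access key ID", severity: "critical", re: /\b(AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { name: "AWS ARN", severity: "medium",
    re: /\barn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:[^\s"']+/ },
  { name: "MongoDB connection string", severity: "critical",
    re: /\bmongodb(\+srv)?:\/\/[^\s"']+/ },
  { name: "Private IPv4 (RFC 1918)", severity: "low",
    re: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/ },
];

// Scan one line. `ctx` carries state across lines for the one rule that needs
// it: an echoed Access-Control-Allow-Origin is only exploitable when the origin
// we actually sent comes back together with Allow-Credentials: true.
function scanLine(line, ctx) {
  const flags = [];
  for (const rule of RULES) {
    const m = rule.re.exec(line);
    if (m) flags.push({ rule: rule.name, severity: rule.severity, match: m[0] });
  }
  const acao = /^access-control-allow-origin:\s*(\S+)/i.exec(line);
  if (acao) ctx.acao = acao[1];
  if (/^access-control-allow-credentials:\s*true\b/i.test(line)) ctx.acac = true;
  if (!ctx.corsFlagged && ctx.acac && ctx.acao && ctx.acao === ctx.sentOrigin) {
    ctx.corsFlagged = true;
    flags.push({ rule: "CORS: sent origin reflected with credentials",
                 severity: "high", match: ctx.acao });
  }
  return flags;
}

// Scan a whole command output the way it streams in: one line at a time,
// flags reported with the 1-based line they fired on.
function scanOutput(lines, sentOrigin = "https://evil.com") {
  const ctx = { sentOrigin };
  const hits = [];
  lines.forEach((line, i) => {
    for (const f of scanLine(line, ctx)) hits.push({ line: i + 1, ...f });
  });
  return hits;
}

// Constructed sample: roughly what `curl -s -i -H "Origin: https://evil.com"`
// against a leaky config endpoint might print. Every secret here is fake.
const SAMPLE_OUTPUT = [
  "HTTP/1.1 200 OK",
  "access-control-allow-origin: https://evil.com",
  "access-control-allow-credentials: true",
  "content-type: application/json",
  '{"idToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl","env":"prod"}',
  '"mongo": "mongodb+srv://svc:hunter2@cluster0.example.mongodb.net/app"',
  '"stripe": "sk_test_EXAMPLEKEY0123456789"',
  '"upstream": "http://10.12.0.7:8080/health"',
  '"deployRole": "arn:aws:iam::123456789012:role/deploy-prod"',
  '"version": "4.2.1"',
];

const HITS = scanOutput(SAMPLE_OUTPUT);
for (const h of HITS) console.log(`L${h.line} [${h.severity}] ${h.rule}: ${h.match}`);
```

The stateful CORS check is the caveat worth noting: a per-line regex on Access-Control-Allow-Origin alone over-reports, because a reflected origin without Access-Control-Allow-Credentials: true gives an attacker nothing they could not already fetch anonymously. The scanner therefore needs the Origin value the command sent and a little cross-line state. Header lines only exist in the output when curl is run with -i or -I.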
Never Lose a Finding

Every hunter has lost a finding to a closed browser tab. Click the bug icon on any output card — title, severity, program, endpoint, PoC curl, impact, remediation. Everything persists to a local JSON file between sessions. No cloud sync, no account, no third party touching your draft reports.

Local JSON · Session persist · CVSS scoring · Status tracking
One-Click HackerOne Reports

Hit Generate Report on any tracked finding. You get the exact HackerOne template: CVSS:3.1 vector + score auto-calculated, OWASP reference matched from title keywords, impact statement with the business-risk formula triagers actually reward. Copy and paste. Thirty minutes down to ten seconds.

Auto CVSS · OWASP ref · HackerOne · Bugcrowd
Demo

From finding to report in seconds

Capture the output, fill a few fields, hit generate. The hard part is done for you.

Finding Editor
Title
Severity
Medium
Status
Program
Evidence (PoC)
Generated Report
TITLE: IDOR in /api/v1/users/{id} allows horizontal privilege escalation
SEVERITY: Medium
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Score: 6.5
SUMMARY: The /api/v1/users endpoint fails to enforce object-level authorization. Authenticated users can access any user record by incrementing the user ID parameter.
STEPS TO REPRODUCE:
1. Log in as user A (id: 123)
2. Send GET /api/v1/users/124
3. Response returns victim PII...
IMPACT: An authenticated attacker can exfiltrate PII (SSN, balance) for any user, exposing LPL to GDPR/FINRA liability...
Meet Watch

The diff is the alpha.

New surface is unhardened surface — whoever sees the change first gets the bug. Watch runs your recon on a schedule and watches a target’s JavaScript. When a bundle changes, it rebuilds the original source from exposed source maps and diffs it per source-file, so bundle-hash churn is zero noise. Free runs when you do. Pro runs while you sleep.

It’s 3am. Somewhere, a deploy ships a new /admin route and a forgotten API key into a rebuilt JS bundle. By the time you run recon at noon, three other hunters already diffed it — and one already filed. Watch is the one that pinged at 3:02am.

An always-on sensor pointed at the part of the app that keeps moving.

bundle.4f9c2a.js — minified diff
What the hash sees
@@ 1 file changed · 1 chunk @@
- a={t:e=>n.p(e,"v2"),f:!0,r:[...4831]}
- O=(s,c)=>fetch(c+"/u",{h:s}).then(d=>d.j())
+ a={t:e=>n.p(e,"v2"),f:!0,r:[...4877]}
+ O=(s,c)=>fetch(c+"/u",{h:s}).then(d=>d.j())
+ w=(i)=>fetch("/i/v3/p/"+i+"/x",P)

// 12,904 tokens of churn.
// hash differs. signal: none.
webpack chunk · renamed vars · unreadable
src/api/billing.ts — reconstructed
What Watch sees
// rebuilt from /bundle.4f9c2a.js.map
  flags: { invoicesV2: true },
  getUser = (h) => fetch(API + "/u", { h }),
+ NEW endpoint
  payoutFor = (id) =>
    fetch(`/internal/v3/payouts/${id}/release`, P)
// real file names. real route.
// /internal/v3/* — shipped 4m ago.
new endpoint · internal route · payout flow

Same change, both panels. Left is what a hash compare gives you. Right is what Watch actually does — it reconstructs the source and diffs the set of routes, endpoints, secrets and flags per source-file, so churn is silent and real surface is loud.

01
Schedule

One command installs a Windows Scheduled Task. Watch reruns your recon on its own — on your box, no cloud, no account, nothing leaves your machine. Per-target in-scope host gating and a global rate limit keep it from ever wandering off target or hammering a program.

02
Diff

Every run it pulls the target’s JavaScript and compares it to last time. Bundle hash churned but nothing real moved? Zero noise. It only fires when the underlying source actually changes.

03
Reconstruct

When a bundle changes, Watch rebuilds the original source files from exposed source maps — real file names, readable code — and diffs them per source-file. New endpoints, routes, secrets, and feature flags surface the moment they ship.

04
Alert & Sync

It pings your Discord the instant something new appears — then writes a native draft finding straight into Trapline, ready for the one-click HackerOne report generator. Zero-click from new surface to drafted report.

Discord — #watch-alerts · just now
● NEW SURFACE acme.com · 02:14 local

+ endpoint  POST /internal/v3/payouts/{id}/release
+ source    src/api/billing.ts (reconstructed)
+ flag      invoicesV2: true

draft finding written to Trapline → ready to report
JS + source-map diff · Discord ping · native draft · subdomains — soon · new ports — soon · 403→200 flips — soon
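What "reconstruct from exposed source maps and diff per source-file" looks like in code, as an added example that is not Watch's implementation: rebuild files from a map's `sources`/`sourcesContent`, extract each file's routes, feature flags and obvious secrets, and compare two snapshots so a rebuilt bundle with identical source produces nothing while a real change does. It covers both the two-panel comparison above and steps 02 through 04. The maps, file contents, path normalisation, surface regexes and alert format are all constructed assumptions.

```javascript
// Added example, not Watch's code: source-map reconstruction and per-file
// surface diff. Sample maps and sources are constructed; the regexes that
// define "surface" are illustrative assumptions.

// Source map -> { "src/api/billing.ts": "<source>" }. Webpack prefixes
// sources with "webpack:///./"; entries without embedded content would have
// to be fetched from the listed path, so they are skipped here rather than
// guessed. Vendored code is not the target's surface and is dropped too.
function reconstruct(map) {
  const files = {};
  const contents = map.sourcesContent || [];
  map.sources.forEach((src, i) => {
    if (typeof contents[i] !== "string") return;
    if (/(^|\/)node_modules\//.test(src)) return;
    const path = src.replace(/^webpack:\/\/\/?/, "").replace(/^\.\//, "");
    files[path] = contents[i];
  });
  return files;
}

// Surface of one file: route-looking string literals, boolean flags, and a
// couple of well-known key shapes.
function surface(code) {
  const endpoints = new Set();
  for (const m of code.matchAll(/(["'`])(\/[A-Za-z0-9_\-.\/${}:]+)\1/g)) {
    endpoints.add(m[2].replace(/\$\{([^}]+)\}/g, "{$1}")); // `${id}` -> `{id}`
  }
  const flags = new Map();
  for (const m of code.matchAll(/\b([A-Za-z_]\w*)\s*:\s*(true|false)\b/g)) flags.set(m[1], m[2]);
  const secrets = new Set();
  for (const m of code.matchAll(/\b(?:AKIA[0-9A-Z]{16}|sk_live_[A-Za-z0-9]{16,})\b/g)) secrets.add(m[0]);
  return { endpoints, flags, secrets };
}

// Compare two reconstructed snapshots file by file. Renamed minifier
// variables never reach this point, so churn cannot show up as a change.
function diffSurface(oldFiles, newFiles) {
  const changes = [];
  const paths = [...new Set([...Object.keys(oldFiles), ...Object.keys(newFiles)])].sort();
  for (const file of paths) {
    const a = surface(oldFiles[file] || "");
    const b = surface(newFiles[file] || "");
    for (const e of b.endpoints) if (!a.endpoints.has(e)) changes.push({ file, kind: "endpoint", change: "+", value: e });
    for (const e of a.endpoints) if (!b.endpoints.has(e)) changes.push({ file, kind: "endpoint", change: "-", value: e });
    for (const [k, v] of b.flags) {
      if (a.flags.get(k) === v) continue;
      const had = a.flags.has(k);
      changes.push({ file, kind: "flag", change: had ? "~" : "+", value: `${k}: ${had ? a.flags.get(k) + " -> " : ""}${v}` });
    }
    for (const s of b.secrets) if (!a.secrets.has(s)) changes.push({ file, kind: "secret", change: "+", value: s });
  }
  return changes;
}

// Alert text in a Discord-message shape (format is an assumption). Empty when
// nothing moved, so the caller has nothing to post.
function formatAlert(target, changes) {
  if (changes.length === 0) return [];
  const lines = [`NEW SURFACE ${target}`];
  for (const c of changes) lines.push(`${c.change} ${c.kind.padEnd(9)}${c.value}  (${c.file})`);
  return lines;
}

// Constructed sources: billing.ts before and after a deploy, one unchanged file.
const BILLING_OLD = [
  'import { API, P } from "./http";',
  'export const flags = { invoicesV2: false };',
  'export const getUser = (h) => fetch(API + "/u", { h });',
].join("\n");
const BILLING_NEW = [
  'import { API, P } from "./http";',
  'export const flags = { invoicesV2: true };',
  'export const getUser = (h) => fetch(API + "/u", { h });',
  'export const payoutFor = (id) =>',
  '  fetch(`/internal/v3/payouts/${id}/release`, P);',
].join("\n");
const FORMAT_TS = "export const money = (n) => n.toFixed(2);\n";

// A source map as a bundler would emit it; `mappings` (the VLQ data) is never
// needed to recover sources, so a placeholder is enough here.
function makeMap(file, billing) {
  return {
    version: 3, file,
    sources: ["webpack:///./src/api/billing.ts", "webpack:///./src/utils/format.ts",
              "webpack:///./node_modules/lib/index.js"],
    sourcesContent: [billing, FORMAT_TS, "/* vendored */"],
    mappings: "AAAA",
  };
}
const MAP_A = makeMap("bundle.4f9c2a.js", BILLING_OLD);
const MAP_A_REBUILT = makeMap("bundle.9a12ff.js", BILLING_OLD); // same source, new hash
const MAP_B = makeMap("bundle.c7e013.js", BILLING_NEW);         // real change

const CHURN_ONLY = diffSurface(reconstruct(MAP_A), reconstruct(MAP_A_REBUILT));
const REAL_CHANGE = diffSurface(reconstruct(MAP_A), reconstruct(MAP_B));
console.log(formatAlert("acme.com", REAL_CHANGE).join("\n"));
```

Two practical details. The bundle ends with a `//# sourceMappingURL=` comment naming the map, and fetching that map is a request to the target like any other recon step, so it belongs behind the same in-scope gate and rate limit. Maps published without `sourcesContent` only list paths, in which case the sources themselves have to be fetched from the target. Keep the previous snapshot's reconstructed files on disk so each diff is against source you actually saw, not against a bundle hash.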

Watch is a separate single binary, included with Trapline Pro. JS + source-map diffing is the working hero today — more surface coming.

Run while you sleep — get Pro →

Built by a working hunter — findings on LPL Financial, Priceline, Dyson & Inspectorio. Watch ships inside Trapline Pro — $9 one-time ↓

Pricing

Start hunting today

Free is the full manual tool on Windows. Pro is $9 one-time and adds Trapline Watch — the always-on sensor that reconstructs a target’s changed JS from its source maps and pings you the moment new surface ships — plus every platform and every future update. For less than a coffee.

Free
Free
Windows .exe · direct download
  • All 215 commands
  • 94 real-time detection rules
  • Finding tracker
  • Report generator
  • Discord webhook
  • Session persistence
  • Windows .exe
  • macOS & Linux (Pro only)
  • Future updates (Pro only)
Download Free
INCLUDES WATCH
Pro · the always-on sensor
$9
one-time · Watch + all platforms
  • Trapline Watch — runs recon while you sleep
  • Source-map reconstruction & per-file JS diff
  • New endpoints, secrets & flags → Discord
  • Auto-drafts findings into Trapline — scope-gated & rate-limited
  • Everything in Free
  • Windows MSI · macOS (.dmg) & Linux (.AppImage / .deb) — v1.1
  • All future updates included · priority support
Get Pro & Watch — $9 →

One-time payment. No subscription. No account required.

FAQ

Common questions

Yes. Trapline runs standard recon tools (subfinder, httpx, curl) that every bug bounty hunter uses. It doesn't exploit anything — it organizes your workflow and flags interesting output. You're responsible for only targeting in-scope programs, same as any other tool.
The app has a built-in tool checker that shows you exactly what's installed and what's missing with the install command for each one. Curl comes pre-installed on Windows. Everything else — subfinder, httpx, nuclei, ffuf — installs with one Go command.
No. Your findings, reports, and session data are stored in a local JSON file on your machine. Nothing is sent to any server. The only outbound connections are the recon commands you choose to run against your targets.
The free version is Windows only. Pro ($9 one-time) includes the macOS and Linux builds coming in v1.1. Both are available immediately after purchase — no waiting list.
Yes. The Quickfire category gives you the 11 highest-ROI tests to run on any new target, in order. You don't need to know what command to run next — the playbook tells you. Every command has a description explaining what it finds and why it matters.
Watch is the always-on sensor included with Trapline Pro — a separate single binary that runs your recon on a schedule. It watches a target’s JavaScript, and when a bundle changes it reconstructs the original source files from exposed source maps (real file names, readable code — not minified soup) and diffs them per source-file, so routine bundle-hash churn produces zero noise. The moment a new endpoint, route, secret, or feature flag appears, Watch pings your Discord and writes a native draft finding into Trapline, ready for the one-click report generator. It runs entirely on your own machine — no cloud, no account — and it’s safe by default: per-target scope gating plus a global rate limit keep it from ever wandering out of scope. JS and source-map diffing is the working hero today; new subdomains, ports, and 403→200 flips are on the roadmap. The diff is the alpha — whoever sees new surface first gets the bug.
Free is the full manual tool — every command, every detection rule, the finding tracker, the report generator — on Windows. Pro is $9 one-time and, most importantly, adds Trapline Watch: the always-on sensor that runs your recon on a schedule, reconstructs a target’s source from its own source maps, and pings your Discord the moment a new endpoint, route, or leaked key ships — then writes the finding straight into Trapline. Pro also unlocks the Windows MSI, the macOS and Linux builds (v1.1), and every future update. Free runs when you do; Pro runs while you sleep. No subscription, ever.
"I've submitted findings on LPL Financial, Priceline, Dyson, Inspectorio, and a handful of others. The grind is always the same — you find something real, then spend the next 45 minutes formatting the same report template for the fifth time that week. The Quickfire category alone has surfaced idToken leaks and IDOR leads on three separate programs just from the config.json sweep. I stopped building Trapline as a tool and started building it as the workflow I actually follow on every engagement. If you've ever closed a browser tab and lost a finding — you already know why this exists."