Quickstart
Clone, install, pick a harness, run your first scan. About 60 seconds.
1. Install
```bash
git clone https://github.com/deonmenezes/bountyhunter.git mantis
cd mantis
./install.sh /absolute/path/to/your/project
```
The installer drops the right files into your target project depending on which harness you pick. It will ask you interactively:
```text
Pick a harness. Mantis runs on any AI model; the harness is just the runner.

  [c] Claude Code   Anthropic only; deepest integration (parallel waves, hooks)
  [o] OpenCode      any model (Anthropic / OpenAI / Google / OpenRouter / Ollama)
  [a] Both          install side-by-side, switch between them per run

›
```
One keypress. No Enter needed.
If you want anything other than Claude, pick o (OpenCode) or a (both). The Claude Code harness has the deepest integration, but the OpenCode harness gives you access to every model on every major provider.
2. Set an API key
Mantis needs one provider key to run. Set whichever you have:
```bash
export ANTHROPIC_API_KEY=sk-ant-...
# or
export OPENAI_API_KEY=sk-...
# or
export GOOGLE_API_KEY=...
# or (proxies basically everything)
export OPENROUTER_API_KEY=...
```
For Claude Code, only ANTHROPIC_API_KEY is supported. For OpenCode, any of the above works. Export the key in your shell (or load it from a secrets manager) rather than writing it into a file inside the target project, where it can end up committed or visible to the agents that read that tree. See Use any AI model for the per-agent model picker.
3. Run your first scan
From your target project, open the harness and invoke Mantis:
If you picked Claude Code
```bash
cd /path/to/your/project
claude
# inside Claude Code:
/mantis target.com
```
If you picked OpenCode
```bash
cd /path/to/your/project
opencode
# inside OpenCode:
@mantis-orchestrator target.com
```
The orchestrator initializes a session at ~/mantis-sessions/<domain>/, runs recon, asks you about auth, then dispatches hunter waves. You'll see status updates in the terminal as each phase transitions.
4. What happens next
The 7-phase FSM runs end-to-end:
- RECON: subdomain enum, live hosts, JS extraction, nuclei. Produces attack_surface.json.
- AUTH (optional): captures attacker + victim profiles via temp-email signup or manual token paste.
- HUNT: 2-6 parallel waves of specialist hunters, each testing one surface.
- CHAIN: chain-builder spots A→B exploit paths across findings.
- VERIFY: three adversarial rounds (brutalist → balanced → final) re-prove every finding.
- GRADE: 5-axis scoring, issues SUBMIT / HOLD / SKIP.
- REPORT: writes a submission-ready report in ~/mantis-sessions/<domain>/report.md.
State is persisted every step. If you Ctrl-C or hit a context limit, just re-run and Mantis picks up where it left off.
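To make the resume behaviour concrete, here is a small checkpointed phase runner written for this quickstart. It is an added illustration, not Mantis's own code: the seven phase names come from the list above, but the checkpoint file (`state.json` under the session directory), its layout, the `Interrupted` exception and the stub handlers are all assumptions. The first invocation is interrupted mid-HUNT; the second skips the phases that were already checkpointed and finishes the rest.

```python
"""Checkpointed phase runner: a toy model of resume-after-interrupt.

Added example for the quickstart, not Mantis's own code. Phase names come from
the quickstart; state.json, its layout and the handlers are assumptions.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

PHASES = ["RECON", "AUTH", "HUNT", "CHAIN", "VERIFY", "GRADE", "REPORT"]


class Interrupted(Exception):
    """Stands in for Ctrl-C or a context-window limit hit mid-phase."""


def load_state(session_dir: Path) -> dict:
    path = session_dir / "state.json"
    if path.exists():
        return json.loads(path.read_text())
    return {"completed": [], "artifacts": {}}


def save_state(session_dir: Path, state: dict) -> None:
    # Write to a temp file, then rename: a crash mid-write never leaves a
    # half-written checkpoint behind (os.replace is atomic on POSIX).
    session_dir.mkdir(parents=True, exist_ok=True)
    tmp = session_dir / "state.json.tmp"
    tmp.write_text(json.dumps(state, indent=2))
    os.replace(tmp, session_dir / "state.json")


def run(session_dir: Path, handlers: Dict[str, Callable[[dict], dict]],
        fail_in: Optional[str] = None) -> List[str]:
    """Run phases in order, skipping any already checkpointed.

    handlers maps phase name -> callable(state) returning that phase's artifact.
    fail_in simulates an interruption at the start of that phase.
    Returns the phases actually executed in this invocation.
    """
    state = load_state(session_dir)
    executed: List[str] = []
    for phase in PHASES:
        if phase in state["completed"]:
            continue  # done in an earlier invocation; don't redo it
        if phase == fail_in:
            raise Interrupted(phase)
        state["artifacts"][phase] = handlers[phase](state)
        state["completed"].append(phase)
        save_state(session_dir, state)  # checkpoint after every phase
        executed.append(phase)
    return executed


def demo_handlers() -> Dict[str, Callable[[dict], dict]]:
    # Constructed stand-ins for the real phases; each returns a tiny artifact.
    return {
        "RECON": lambda s: {"hosts": ["app.example.com"]},
        "AUTH": lambda s: {"profiles": ["attacker", "victim"]},
        "HUNT": lambda s: {"findings": 2},
        "CHAIN": lambda s: {"chains": 1},
        "VERIFY": lambda s: {"confirmed": 2},
        "GRADE": lambda s: {"verdict": "SUBMIT"},
        "REPORT": lambda s: {"path": "report.md"},
    }


def simulate_interrupt_and_resume() -> Tuple[List[str], List[str], List[str]]:
    """First run dies in HUNT; second run resumes from HUNT; third has nothing left.

    Returns (phases checkpointed by run 1, phases executed by run 2,
    phases executed by run 3).
    """
    session = Path(tempfile.mkdtemp()) / "target.example"
    handlers = demo_handlers()
    try:
        run(session, handlers, fail_in="HUNT")
    except Interrupted:
        pass
    first = load_state(session)["completed"]
    second = run(session, handlers)
    third = run(session, handlers)
    return first, second, third


if __name__ == "__main__":
    print(simulate_interrupt_and_resume())
```

The property that makes "just re-run" safe is that the checkpoint is written only after a phase completes and is written atomically, so an interrupted phase is re-executed from its start rather than from a half-finished state; a real runner would also need each phase to be idempotent for that to be harmless.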
5. Resuming a run
```bash
# Claude Code
/mantis resume target.com
# OpenCode
@mantis-orchestrator resume target.com
```
Where to next
- Use any AI model: per-agent model overrides across providers.
- System architecture: how the FSM, MCP server, and agents fit together.
- Speed modes: /mantis-fast for triage, /mantis-ultra for wide parallel runs.
- Safety rails: how scope-guard keeps you in bounds.