NETRA is a local-first security orchestration platform for vulnerability assessment, reporting, and bug bounty operations.
Version 1.0.0 marks the first release where the core platform and the NETRA-BB bug bounty workflow can be run end to end on a self-hosted stack.
- Scan orchestration across recon, enumeration, and validation phases
- Local database for scans, findings, evidence, and reports
- AI-assisted analysis with multi-persona reasoning
- Report generation for operational and review workflows
- Docker-based local deployment
- Program registry with scope-sync for supported platforms
- Hard scope-gate enforcement before external actions
- Agentic hunt planning, routing, and execution
- PoC drafting with verifier allowlists and replay controls
- Submission draft workflow with verdict tracking
- Audit trails for scope blocks and UI actions
- Learning corpus ingestion from public prior art
- Graphify-backed repo memory for lower-token reasoning
- HackerOne hacktivity ingestion
- GHSA / NVD advisory ingestion
- Public RSS/writeup ingestion
- Redact -> embed -> upsert corpus pipeline
- Local retrieval for planning, scoring, and drafting
pgvectoracceleration on PostgreSQL with safe local fallback
flowchart TD
UI["CLI + GUI + API"] --> ORCH["Scan / Hunt Orchestrator"]
ORCH --> TOOLS["Tool Wrappers"]
ORCH --> AGENT["Agentic Planner / Router / Executor"]
ORCH --> BRAIN["AI Brain + BountyHunter"]
AGENT --> SCOPE["ScopeValidator"]
TOOLS --> FINDINGS["Findings / Evidence / Submissions"]
BRAIN --> FINDINGS
GRAPH["Graphify Repo Memory"] --> AGENT
CORPUS["Learning Corpus + Retrieval"] --> AGENT
CORPUS --> BRAIN
FINDINGS --> REPORTS["Drafts / Reports / Verdicts"]
git clone https://github.com/yashwarrdhangautam/Netra.git
cd Netra
cp .env.example .envFill in the credentials you want to use. For bug bounty workflows, the important ones are:
H1_API_USERNAMEH1_API_TOKENOLLAMA_BASE_URLNETRA_DATABASE_URLif you are using PostgreSQL outside Docker
docker compose up --buildpoetry run netra-bb doctor- BB console: http://localhost:5173/bb
- API health: http://localhost:8000/api/v1/health
# Register a program
poetry run netra-bb add-program --platform hackerone --handle shopify
# Preview an agentic plan
poetry run netra-bb plan --program shopify --asset api.shopify.com
# Run a passive hunt
poetry run netra-bb hunt --program shopify --profile passive --agentic
# Explain what happened
poetry run netra-bb hunt-explain <scan_id>
# Review trends from the local learning corpus
poetry run netra-bb trendNETRA-BB is intentionally conservative.
- Scope decisions are enforced in code, not delegated to the model
- Verifiers are allowlisted and read-only by default
- The operator remains the only path to state-mutating actions
- Public prior art is used for reasoning, but guarded against verbatim leakage into submission drafts
- Learning sources respect robots policies, rate limits, and source toggles
NETRA does not fine-tune a model. It stores structured public prior art locally and retrieves only the relevant context when needed.
Storage layers:
- Graphify graph for repo and architecture memory
- Learning corpus tables for reports, writeups, advisories, and trends
- Local embeddings with version tracking
pgvectorcolumns on PostgreSQL for faster similarity search
Useful commands:
poetry run netra-bb trend
poetry run netra-bb corpus forget --author <handle> --confirm FORGET
poetry run netra-bb corpus reembed --confirm REEMBEDsrc/netra/ Python application code
frontend/ React GUI
alembic/ Database migrations
docs/ Product and operator documentation
docker/ Container assets
tests/ Automated tests
verifier_allowlist.yaml Allowed replay/verification policies
poetry install
$env:PYTHONPATH="src"
pytestcd frontend
npm install
npm.cmd run build$env:PYTHONPATH="src"
alembic upgrade head- Bug bounty operator guide
- API reference
- Installation
- Configuration
- NETRA-BB PRD
- NETRA-BB GUI PRD
- NETRA-BB Learning PRD
- NETRA-BB Capability PRD
This repository is being prepared as the v1.0.0 release line.
The platform is ready for:
- local deployment
- real bug bounty workflow trials
- learning-corpus ingestion
- agentic passive hunts
The next work after v1 is expected to come from real operator feedback rather than more broad scaffolding.
Licensed under the AGPL-3.0.