You've seen Claude Code everywhere. Developers shipping features. Engineers fixing bugs. Entire codebases built from a single prompt. But every conversation about it stays on the development side.

Nobody's talking about using it for hacking.

And that's the problem. While developers automate their workflows, you're still manually crafting every request, copy-pasting headers, tabbing between your proxy and your terminal. Doing it all by hand. But Claude Code isn't just a coding assistant. It's a terminal-native AI agent. It reads your files. Runs commands. Controls your tools. Remembers what you teach it. And it doesn't stop when you close your laptop.

This article walks through the full setup. From installation to a system where Claude connects to your proxy, runs your methodology as a skill, tests for vulnerabilities, logs findings, and pings you on Discord when it finds something. Seven steps. Everything you need to build it yourself.

What Makes Claude Code Different

Most AI tools live in a browser. You paste code in. You paste output back. It's slow, disconnected, and it breaks the flow every time you switch tabs. That's not a workflow. That's a workaround.

Claude Code lives where you live: in the terminal. It reads your files. It runs shell commands. It understands your project structure. And it remembers what you teach it across sessions. Built by Anthropic, it's not a browser plugin or a web chat. It's an agent with direct access to your environment.

That distinction matters. A chatbot takes your input and gives you output. Claude Code reads files, runs tools, and writes output. With the right setup, it works alongside your entire hacking workflow. Not as an extra tab. As a member of the team.

The system you're about to build has seven parts: installation, project setup, context, permissions, skills, headless mode, and remote control with hooks. Each one is useful on its own. Together, they're a complete hunting assistant.

Installation

One command.

curl -fsSL https://claude.ai/install.sh | bash

Once installed, run claude in your terminal. It walks you through logging in or setting up your API key. Follow the prompts and you're through in a minute.

Project Setup and Init

Open your target's project folder. Inside, create a file called program-details.txt and paste everything the program gives you. Scope, rules, out-of-scope domains, policy details. All of it goes in that one file.

Now run /init.

Claude reads every file in the directory and generates a CLAUDE.md file. This file is your playbook. Claude reads it at the start of every session. It knows your scope. It knows the rules. It knows what's in this project. You don't re-explain anything.

And you can edit it anytime. Add your methodology. Add notes about what you've tested. Add rules like "always check for IDOR on user endpoints" or "this program doesn't accept self-XSS." Whatever you write here, Claude follows.

/init

Claude Code also has auto-memory. When you correct it or tell it something important, it stores that information. Across sessions. Tell it "always use Caido, never Burp" once, and it remembers. Run /memory to see what it has stored, and edit or remove entries as needed.

The more you work with it, the smarter it gets. You don't repeat yourself.

Context

You're deep in a session. You need Claude to analyze a specific file right now. Maybe it's source code. Maybe it's the scope document.

Type @ followed by the filename. Tab autocomplete works. Claude pulls the full content into context instantly. This is how you feed it source code, policy documents, scope files. Anything in your project directory. Just @ the file.

@program-details.txt

If you're working in VS Code or Cursor, you can also select specific lines of code and ask Claude about them directly. But for web hacking from the terminal, the @ reference is what you'll use most.

Now, thinking levels. By default, Claude gives you a standard answer. But when you need deeper analysis, you control the effort.

Type "think" in your prompt. Claude reasons more carefully. "Think hard" goes deeper. "Ultrathink" is maximum effort. Every edge case considered.

ultrathink: analyze @target-source.js for authentication bypasses

For complex logic bugs and authentication flows, you want ultrathink. It takes longer. But the analysis quality jumps significantly.

One more thing. Keep your context clean. Your context window is finite. After a long session with lots of files and back-and-forth, it fills up. Quality drops.

/compact compresses your session. Keeps the important information. Drops the noise. /clear wipes everything for a fresh start. Double-tap Escape rewinds to a previous point in the conversation, which is useful when you go down a wrong path. And /exit closes the session entirely.

Permissions

By default, Claude asks before running any shell command. Safe mode. But if you're running the same commands repeatedly, you can pre-approve them.

Open .claude/settings.local.json and add commands you trust to the allow list:

{
  "permissions": {
    "allow": [
      "Bash(node ~/.claude/skills/caido-mode/caido-client.ts *)",
      "Bash(cat *)",
      "Bash(ls *)"
    ]
  }
}

Claude runs those commands without asking every time. Simple but important when you're in a flow and don't want to approve the same operation over and over.

Skills

This is where Claude Code becomes a real hacking tool.

Skills are instruction files you drop into Claude Code. They teach it how to do something specific. Think of them as plugins, but instead of compiled code, they're structured instructions and commands.

Every skill lives in its own folder inside ~/.claude/skills/. Inside the folder, you need one file: SKILL.md.

---
name: my-skill
description: What this skill does and when Claude should use it
---
# Instructions
Your instructions go here.
What Claude should do.
What tools to use.
What output to produce.

The frontmatter at the top has two key fields. name is what you'll use to call the skill. description tells Claude what this skill does and when to activate it. Below that, you write the actual instructions. Once saved, you invoke it with a slash command. /my-skill. That's it.

A simple skill: scope checker. Create the folder and the file:

mkdir -p ~/.claude/skills/scope-checker

Inside SKILL.md:

---
name: scope-checker
description: Checks if a domain or endpoint is in scope for the current bug bounty program
---
# Scope Checker
When asked to check scope:
1. Read program-details.txt or CLAUDE.md for scope information
2. Compare the target against in-scope and out-of-scope lists
3. Return a clear yes or no with the reason
4. If it's a subdomain, check if wildcard scope applies

One folder. One file. Done. Now whenever you type /scope-checker or ask "is api.target.com in scope?", Claude checks the program files and gives you a clear answer.

That's a basic skill. Skills can get much more powerful.

The Caido skill. Caido published a skill that gives Claude full control over your Caido instance through the official SDK. HTTP history, replay, edit requests, scopes, findings, intercept. Everything.

Install it:

pnpx skills add caido/skills --skill='*'
cd .claude/skills/caido-mode && npm install

Set up authentication with a Personal Access Token from your Caido dashboard:

export CAIDO_PAT="<YOUR-TOKEN>"
npx tsx caido-client.ts setup $CAIDO_PAT

Now ask Claude to search your HTTP history for all POST requests to API endpoints. It runs the query through Caido's SDK and pulls back every matching request with IDs, paths, and status codes. No Caido UI needed. No HTTPQL query written by hand. Claude handles it.

Tell Claude to take a specific request and change the user ID in the path to 999. It runs the edit command, keeps all cookies and auth headers intact, and sends the modified request. IDOR test in one sentence. You don't copy tokens. You don't paste headers. Claude uses the original authenticated request and changes only what you specify.

Create a finding in Caido. Export the request as a curl command for your report. All from the terminal. All through Claude.

That's one skill. One installation. And Claude went from a general-purpose AI to something that controls your proxy, tests endpoints, logs findings, and exports PoCs. Skills scale from simple to powerful. You can build them for anything.

bugSkills. Worth mentioning: BehiSecc built a tool called bugSkills that takes your resolved HackerOne reports, anonymizes the data, and converts them into Claude Code skills. Your past findings become reusable methodology. Every IDOR you've reported. Every auth bypass. Every SSRF. The patterns, detection signals, and techniques you used get packaged into skills Claude can follow on future targets. Your experience, teaching your AI.

Headless Mode

Everything so far has been interactive. You type, Claude responds, you type again. But what if you want Claude to work without you sitting there?

The -p flag. That's all it takes. Claude runs headless. No interactive session.

echo "function getUser(id) { return db.query('SELECT * FROM users WHERE id = ' + id); }" | claude -p "Is this code vulnerable?"

Pipe a file. Get the analysis. Done.

cat source.py | claude -p "find security vulnerabilities in this code"

Feed it a list of endpoints. Get back the ones worth testing for IDOR.

cat endpoints.txt | claude -p "which of these look interesting for IDOR testing?"

One command each time. This is what makes automation possible. Every script you write, every pipeline you build, every cron job you schedule. They all start with -p.

Remote Control and Hooks

Right now, you're tied to your machine. Claude runs in your terminal. If you walk away, nothing happens.

Type /rc in an active session. Claude Code generates a link. Open it on your phone, your tablet, any browser. You now control the terminal session from anywhere.

Your Claude session is running on your machine. You're out. Pull up the link on your phone. Check what it found. Give it new instructions. All remote.

Now, hooks. This is the real power.

Hooks are commands that fire automatically when specific events happen inside Claude Code. Configure them in .claude/settings.json:

{
  "hooks": {
    "Notification": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "curl -s -X POST -H 'Content-Type: application/json' -d '{\"content\": \"Claude Code found something.\"}' $DISCORD_WEBHOOK_URL"
          }
        ]
      }
    ]
  }
}

This is a Notification hook. When Claude needs your attention, this command fires. It sends a POST to a Discord webhook. You get a ping on your server.

The full setup looks like this: Claude Code running on a VPS with specific skills loaded. What to look for. How to test. How to generate a report when it finds something. A Notification hook that pings Discord. You get a notification on your phone. You open remote control. You check what Claude found. You validate. If it's a real bug, it gets reported.

Every piece covered in this article, the skills, headless mode, hooks, and remote control, those are the building blocks. You have everything you need to build your own system.

You're the Hacker, Not Claude

Claude Code can find vulnerabilities. It can spot an IDOR, a broken access control, a misconfiguration. Sometimes in under 30 minutes. It can also write reports, structure them, and even submit them.

Do not let it do that last part.

The moment you let Claude submit a report you haven't validated, you're not a hacker anymore. You're a copy-paster. You don't understand what was found. You don't know if it's real. You don't know if it's a duplicate, a false positive, or something the program already knows about.

And when the triager asks a follow-up question, you won't have an answer. When they ask you to reproduce it in a different context, you'll be stuck. When they push back on severity, you won't know how to argue. Because you never understood the bug. Claude did. And Claude isn't on the call with the triager. You are.

Here's how you do it right. Claude finds something. Good. Now you validate it. Open the app. Reproduce the vulnerability yourself. Confirm it's real. Confirm it's in scope. Understand what's happening and why.

Once you've validated it, you write the report. Your report. In your words. With your understanding. If you've built a skill that writes reports in your style, with your structure and your formatting, then yes, Claude can draft it. But you still read every word before it goes out.

Claude Code saves you time. It doesn't replace your judgment. It handles the repetitive work so you can focus on validation, creativity, and decisions.

You're the hacker. Claude is the assistant. Not the other way around.

Conclusion

Seven steps. One system. Installation gives you the tool. Init gives it context. Skills give it capability. Headless gives it independence. Hooks give it a voice.

But this is the foundation. Custom skills that encode your full hunting methodology. Automation pipelines that handle recon, testing, and reporting on their own. Agent workflows where Claude hits multiple parts of a target at the same time. All of that builds on top of what you just read.

The building blocks are here. What you build with them is up to you.