Getting Started
This guide walks you through installing Hadrian, configuring your first scan, and understanding the results. By the end, you'll have tested an API for OWASP API Security Top 10 authorization vulnerabilities such as BOLA (API1:2023).

Before you start, you need:
- Go 1.24+ (for source install) or download a pre-built binary
- An API to test (your own, or use one of the vulnerable test apps)
- Authentication credentials for at least two roles (e.g., admin and regular user)
Install with go install:

```sh
go install github.com/praetorian-inc/hadrian/cmd/hadrian@latest
```

Or download the latest binary for your platform from the Releases page.

Or build from source:

```sh
git clone https://github.com/praetorian-inc/hadrian.git
cd hadrian
make build
```

Check that the binary is on your PATH:

```sh
hadrian --version
```

Hadrian needs three files to run a security scan: an API specification, an authentication config, and a roles config (the commands below call them api.yaml, auth.yaml and roles.yaml). You can auto-generate these with Claude Code or write them by hand.
API specification (api.yaml): your OpenAPI/Swagger spec describing the API endpoints. Hadrian supports:
- OpenAPI 3.0/3.1 (YAML or JSON)
- Swagger 2.0 (YAML or JSON)
- Postman Collection v2.1
Authentication config (auth.yaml): defines how to authenticate as each role. The guest role's empty token exercises the endpoints as an unauthenticated caller:

```yaml
method: bearer
roles:
  admin:
    token: "eyJhbGciOiJIUzI1NiIs..."
  user:
    token: "eyJhbGciOiJIUzI1NiIs..."
  guest:
    token: ""
```

Supported auth methods: bearer, basic, api_key, cookie. See Configuration for all options. This file holds live credentials, so keep it out of version control.
Roles config (roles.yaml): defines your application's objects, roles and their permissions, and which endpoints operate on which object. Permissions are written as action:object:scope (own vs. all), level orders the roles, and owner_field names the path parameter that identifies the resource owner:

```yaml
objects:
  - users
  - posts

roles:
  - name: admin
    level: 100
    permissions:
      - "read:users:all"
      - "write:users:all"
      - "delete:users:all"
  - name: user
    level: 10
    permissions:
      - "read:users:own"
      - "read:posts:all"
      - "write:posts:own"

endpoints:
  - path: "/api/users/{id}"
    object: users
    owner_field: id
```

See Configuration for the complete permission format.
Always start with a dry run:

```sh
hadrian test rest --api api.yaml --roles roles.yaml --auth auth.yaml --category all --dry-run
```

This shows which endpoints, templates, and role combinations will be tested, without sending any requests.

Then run the scan for real:

```sh
hadrian test rest --api api.yaml --roles roles.yaml --auth auth.yaml --category all --verbose
```

Hadrian outputs findings with severity, endpoint, attacker/victim roles, and evidence:
```text
[FINDING] API1:2023 - BOLA - Cross-User Resource Access
  Severity: HIGH
  Endpoint: GET /api/users/{id}
  Attacker: user -> Victim: admin
  Evidence: Status 200, body contains user data
```

Read this as: a request sent with the user role's credentials for a resource owned by the admin role came back 200 with that resource's data, so the endpoint does not check ownership of {id}.
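To make that finding concrete, here is an added example in Go (not Hadrian's own code) that performs the same cross-user check by hand. It takes the role levels from the roles.yaml above, substitutes the victim's id into /api/users/{id}, sends the request with the attacker's token, and records a finding when the response is 200. The target server, the tokens (tok-admin, tok-user), the user ids and the Role/Finding types are all constructed for this example; the vulnerable variant only validates the token, the hardened variant also enforces ownership. Hadrian's real request engine, templates and output differ from this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role carries what a scanner reads from roles.yaml (name, level) and
// auth.yaml (bearer token) for one role. Constructed for this example.
type Role struct {
	Name  string
	Level int
	Token string
}

// Finding mirrors the fields printed for a BOLA result.
type Finding struct {
	Endpoint string
	Attacker string
	Victim   string
	Evidence string
}

// checkBOLA is the core of a cross-user resource-access test: for every
// (attacker, victim) pair where the attacker's level is below the victim's,
// put the victim's id into the path template and send the request with the
// attacker's token. A 200 means the attacker read a resource owned by someone else.
func checkBOLA(baseURL, pathTmpl string, roles []Role, ownedID map[string]string) ([]Finding, error) {
	var findings []Finding
	for _, victim := range roles {
		for _, attacker := range roles {
			if attacker.Level >= victim.Level {
				continue // only test a lower role reaching a higher role's data
			}
			path := strings.Replace(pathTmpl, "{id}", ownedID[victim.Name], 1)
			req, err := http.NewRequest(http.MethodGet, baseURL+path, nil)
			if err != nil {
				return nil, err
			}
			req.Header.Set("Authorization", "Bearer "+attacker.Token)
			resp, err := http.DefaultClient.Do(req)
			if err != nil {
				return nil, err
			}
			resp.Body.Close()
			if resp.StatusCode == http.StatusOK {
				findings = append(findings, Finding{
					Endpoint: "GET " + pathTmpl,
					Attacker: attacker.Name,
					Victim:   victim.Name,
					Evidence: fmt.Sprintf("Status %d, body contains user data", resp.StatusCode),
				})
			}
		}
	}
	return findings, nil
}

// newTarget is a constructed stand-in for the API under test, serving
// GET /api/users/{id} behind bearer auth. With enforceOwnership=false it only
// checks that the token is valid (the BOLA bug); with enforceOwnership=true it
// also requires that {id} belongs to the caller, except for admin (read:users:all).
func newTarget(enforceOwnership bool, tokenToRole, ownedID map[string]string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/users/", func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		caller, ok := tokenToRole[tok]
		if !ok {
			w.WriteHeader(http.StatusUnauthorized) // empty/unknown token, e.g. guest
			return
		}
		id := strings.TrimPrefix(r.URL.Path, "/api/users/")
		if enforceOwnership && caller != "admin" && ownedID[caller] != id {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, `{"id":%q}`, id)
	})
	return httptest.NewServer(mux)
}

// RunDemo wires constructed roles (levels as in roles.yaml, placeholder tokens)
// to a target and returns the findings the check produces.
func RunDemo(enforceOwnership bool) ([]Finding, error) {
	roles := []Role{
		{Name: "admin", Level: 100, Token: "tok-admin"},
		{Name: "user", Level: 10, Token: "tok-user"},
		{Name: "guest", Level: 0, Token: ""},
	}
	tokenToRole := map[string]string{"tok-admin": "admin", "tok-user": "user"}
	ownedID := map[string]string{"admin": "1", "user": "2"}
	srv := newTarget(enforceOwnership, tokenToRole, ownedID)
	defer srv.Close()
	return checkBOLA(srv.URL, "/api/users/{id}", roles, ownedID)
}

func main() {
	for _, enforce := range []bool{false, true} {
		findings, err := RunDemo(enforce)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ownership enforced=%v: %d finding(s)\n", enforce, len(findings))
		for _, f := range findings {
			fmt.Printf("  [FINDING] BOLA %s  Attacker: %s -> Victim: %s  Evidence: %s\n",
				f.Endpoint, f.Attacker, f.Victim, f.Evidence)
		}
	}
}
```

Against the vulnerable target the only pair that fires is user -> admin: guest carries no valid token and gets 401 on every request, and admin is never an attacker because no role outranks it. Once the ownership check is in place the same request returns 403 and the finding disappears, which is exactly the before/after you want to see when re-running a Hadrian scan after a fix.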
Reports can also be written to a file for CI/CD or review:

```sh
# JSON for CI/CD integration
hadrian test rest --api api.yaml --roles roles.yaml --auth auth.yaml --category all \
  --output json --output-file report.json

# Markdown for human review
hadrian test rest --api api.yaml --roles roles.yaml --auth auth.yaml --category all \
  --output markdown --output-file report.md
```

Next steps:

- Try a tutorial with a vulnerable test application
- Learn about templates to write custom security checks
- Configure advanced options like rate limiting, proxy, and LLM triage
- Explore the architecture to understand how Hadrian works internally