Projects

A Project is Hugin’s unit of workspace isolation. Each project has its own scope, flows, findings, intercept rules, repeater queue, organizer entries, and per-project settings. Switch the active project and the entire UI re-scopes — you see only that project’s data.

Use one project per engagement, per bug bounty target, or per CTF box. They keep findings clean and exports clean.

🔗Project Lifecycle

[New] → [Active] → [Archived]
                ↘ [Deleted]
  • Active — the current working project. Flows captured by the proxy are tagged with this project’s ID. Only one project is active at a time.
  • Archived — read-only snapshot. Flows are still queryable, scope is preserved, but new captures don’t land here.
  • Deleted — soft-deleted; data retained until you purge.

🔗Creating a Project

Click + New Project in the toolbar:

  • Name — required, must be unique
  • Platform — optional metadata (HackerOne, Bugcrowd, YesWeHack, Intigriti, CTF, Internal)
  • Scope hosts — initial in-scope patterns (you can edit anytime in Scopes)
  • User-Agent — per-project UA override (for fingerprint-sensitive targets)
  • Tags — free-form labels for filtering

The project becomes active immediately. Flows captured from this point forward belong to it.

🔗Templates

The Templates menu prefills new-project fields with engagement-specific defaults. Built-in templates:

  • single-domain — single domain target with wildcard coverage
  • multi-subdomain — multi-subdomain target with broad wildcard
  • api-only — API-only target, InScopeOnly mode, JSON-focused testing
  • mobile-backend — mobile app backend with API host patterns
  • saas-multi-tenant — multi-tenant SaaS, auth-heavy focus

Each template ships scope patterns, a scope mode, CDN/analytics exclusions, and tags. Replace TARGET placeholders in the patterns with your actual target host on creation.

🔗Switching Projects

The active-project pill in the top toolbar opens a dropdown of all projects sorted by recent use. Click any project to switch. The flow list, findings, and scopes refresh to reflect the new active project.

🔗Deactivate

Click Deactivate on the active project to drop into “no project” mode. Captures still happen but aren’t tagged. Useful for quick one-off testing you don’t want polluting an engagement.

🔗Per-Project Scope

Each project owns its own scope configuration. When you switch projects, the proxy automatically applies the new scope. The scope can also include scope snapshots — point-in-time backups taken before risky changes.

Snapshot actions on the Scope tab:

  • Take Snapshot — saves current scope with a timestamp and optional note
  • Restore — replaces current scope with a snapshot
  • Diff — compares current scope to a snapshot

🔗Assigning Flows

By default, flows are assigned to the project that was active at capture time. To re-tag flows from another project (e.g., you forgot to switch before testing):

  • Multi-select flows in the Logger
  • Right-click → Assign to Project → choose target

The flows move; their finding associations follow.

🔗Statistics

Each project tracks: total flows, unique hosts, request volume per day, finding count by severity, scanner runs, intruder attacks, scope coverage percentage. Available in the project detail slide-over (click any project row).

🔗Export & Import

🔗.huginproject Bundle

Click Export on a project to produce a .huginproject archive (zstd-compressed JSON). Contains:

  • Scope configuration + snapshots
  • All flows (request + response + metadata) up to a configurable size cap
  • Findings + evidence flows
  • Repeater history, intruder attack configs, organizer entries
  • Project-level settings (UA, intercept rules, session rules)

Import on another machine: Import button → select the .huginproject file. Flows, findings, and scope are restored under a new project ID.

🔗Use Cases

  • Hand off work to a teammate — no shared server needed
  • Archive a completed engagement to cold storage
  • Move from laptop to desktop while preserving in-progress state
  • CI integration — export from a scheduled headless scan, ship to artifact storage

🔗Tags

Project-level tags (set at creation or edited later) help organise large project lists. Filter the project table by tag to find related engagements.

Common patterns: bb-program-name, q1-2026, private, pentest-client-acme.

🔗CLI / API / MCP

The project surface is fully exposed:

  • CLI: project switching not currently in CLI — use the GUI or MCP.
  • REST: GET/POST/PUT/DELETE /api/projects, POST /api/projects/{id}/activate, GET /api/projects/{id}/export, POST /api/projects/import
  • MCP: project tool with actions create, list, get, update, delete, activate, deactivate, archive, scope, stats, assign_flows, export, templates, create_from_template, fingerprint, import_scope, policy_get, policy_set, policy_search

🔗Pro vs Community

Multi-project is a Pro feature. Community edition supports a single default project. Upgrade with hugin account set <ID> to unlock.