SRV, TXT, NAPTR, CNAME, MX — full DNS interrogation across 20+ UC vendors. Microsoft Teams, Cisco Webex, Zoom, RingCentral, Avaya, and more. Passive discovery + optional active SIP probing.
Subdomain enumeration, certificate transparency, email provider detection, SPF/DMARC/DKIM analysis, and cloud stack fingerprinting — all from a single domain.
| Subdomain | IPs | CNAME Target | Cloud | Source | Cert Expiry |
|---|---|---|---|---|---|
Query Certificate Transparency logs to see every TLS cert ever issued for this domain — issuer migrations, SAN changes, and cert lifecycle history.
Queries the crt.sh aggregator which indexes all major Certificate Transparency logs — Let's Encrypt, DigiCert, Sectigo, and more.
Shows when certs were issued, who issued them, and when they expired. Reveals issuer migrations (e.g., old DigiCert → Let's Encrypt).
Tracks Subject Alternative Names across cert generations to see new subdomains added over time and infrastructure expansion patterns.
Probe discovered subdomains for Server headers, X-Powered-By, cookies, JS libraries, meta tags. Map the full technology stack per host.
Tip: Run a Domain Intelligence scan first to discover subdomains for deeper coverage.
WordPress, Drupal, Joomla, Squarespace, Ghost, Shopify, Magento, WooCommerce — identified via headers and HTML patterns.
Laravel, Django, Rails, ASP.NET, Next.js, Nuxt.js, Gatsby — detected via cookies, headers, and JS bundle names.
Cloudflare (CF-Ray), Fastly (X-Served-By), AWS CloudFront (X-Amz-Cf-Id), Varnish (X-Varnish), Vercel, Netlify.
Check cipher suites, protocol versions, certificate chain, HSTS, and CT log status. Grade the TLS configuration for the domain and all discovered subdomains.
TLS 1.3, HSTS with max-age ≥ 1 year and includeSubDomains. No deprecated ciphers or expired certs.
TLS 1.2 but missing HSTS or max-age too short. Acceptable protocol version but room for improvement.
TLS 1.0 enabled (deprecated since 2020), expired certificate, self-signed cert, or RSA key under 2048 bits.
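The three tiers above can be applied to an observed configuration as follows. This is an added example, not the tool's own code: the tier names `top`, `middle` and `failing`, the function names and the sample headers are assumptions, and cipher-suite checks are left out.

```python
ONE_YEAR = 31536000  # seconds; the "max-age >= 1 year" threshold from the text


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')  # the value may be a quoted-string
            if value.isdigit():
                max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def grade(tls_versions, hsts_header, cert_expired=False, self_signed=False,
          rsa_bits=None):
    """Map an observed configuration onto the three tiers (names are assumed)."""
    # Failing tier: any single one of these conditions is enough.
    if ("TLSv1.0" in tls_versions or cert_expired or self_signed
            or (rsa_bits is not None and rsa_bits < 2048)):
        return "failing"
    max_age, include_sub = parse_hsts(hsts_header)
    strong_hsts = max_age is not None and max_age >= ONE_YEAR and include_sub
    # Top tier needs TLS 1.3 and HSTS of at least one year with includeSubDomains.
    if "TLSv1.3" in tls_versions and strong_hsts:
        return "top"
    # Assumption: everything else (missing or short-lived HSTS) is the middle tier.
    return "middle"


if __name__ == "__main__":
    # Constructed observations: (label, enabled protocol versions, HSTS header).
    samples = [
        ("www", {"TLSv1.3", "TLSv1.2"}, 'max-age="63072000"; includeSubDomains; preload'),
        ("shop", {"TLSv1.2"}, "max-age=300"),
        ("legacy", {"TLSv1.2", "TLSv1.0"}, None),
    ]
    for label, versions, header in samples:
        print(label, grade(versions, header))
```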
ASN lookup, geolocation, reverse DNS, hosting provider identification, and shared hosting detection for every IP tied to this organization.
Tip: Run Domain Intelligence first to discover subdomain IPs for full coverage.
Country, region, city, and coordinates. Timezone detection for operational planning.
Autonomous System Number identifies the network operator. ISP field shows the internet service provider. Critical for network attribution.
Identifies cloud hosts (AWS, Azure, GCP, Cloudflare, DigitalOcean) vs. on-premise or colocation. Flags shared hosting environments.
DNSSEC validation, dangling CNAME detection (subdomain takeover risk), zone transfer testing, SPF/DMARC misconfiguration checks.
Dangling CNAMEs pointing to unclaimed accounts on GitHub Pages, Heroku, Netlify, Vercel, Azure, S3, and 20+ other platforms.
Misconfigured nameservers that respond to AXFR queries expose the entire DNS zone — every subdomain, MX record, and internal hostname.
Missing or misconfigured SPF (+all policy), absent DMARC, or p=none enforcement — all enable impersonation attacks targeting the organization.
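The email-authentication checks named above (SPF ending in +all, absent DMARC, p=none) can be run against TXT records you have already retrieved for your own domain. This is an added example, not the tool's own code: the finding names and sample records are constructed, and it goes slightly beyond the text by also flagging a missing or duplicated SPF record and a neutral or absent `all` term.

```python
def check_spf(txt_records):
    """Return findings for the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["spf-missing"]
    if len(spf) > 1:
        return ["spf-multiple-records"]  # RFC 7208 treats this as a permerror
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    findings = []
    if not all_terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("spf-no-all")  # falls through to a neutral result
    for term in all_terms:
        if term in ("all", "+all"):  # a bare "all" defaults to the + qualifier
            findings.append("spf-pass-all")
        elif term == "?all":
            findings.append("spf-neutral-all")
    return findings


def check_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return ["dmarc-missing"]
    tags = {}
    for part in dmarc[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return ["dmarc-invalid-policy"]
    return ["dmarc-p-none"] if policy == "none" else []


def audit(domain_txt, dmarc_txt):
    """Combine both checks; an empty list means nothing was flagged."""
    return check_spf(domain_txt) + check_dmarc(dmarc_txt)


# Constructed sample records: (TXT at the domain, TXT at _dmarc.<domain>).
SAMPLES = {
    "weak": (["v=spf1 include:_spf.example.net +all"], ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]),
    "bare": (["site-verification=constructed"], []),
    "good": (["v=spf1 ip4:192.0.2.0/24 -all"], ["v=DMARC1; p=reject; pct=100"]),
}
```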
Historical DNS resolution data from HackerTarget and Certificate Transparency. See infrastructure changes, IPs rotated, and hosts discovered over time.
| Hostname | IP Address | Type | Source |
|---|---|---|---|
| Run a scan to see results | | | |
Provides hostsearch data aggregated from passive DNS sensors. Returns hostname:IP pairs seen on the internet.
Cross-references crt.sh SANs to discover hostnames that appear in TLS certificates — even if they no longer resolve in DNS.
IPs serving multiple hostnames indicate shared hosting — important for attribution and understanding blast radius of compromise.
Discover every subdomain via wordlist brute-force + Certificate Transparency, then run all OSINT modules against each one — TLS grading, tech stack, IP intelligence, and subdomain takeover detection.
Enter a domain and click Deep Scan to discover all subdomains and run full OSINT against each one.
Typical scan: 50–200 subdomains in 2–5 minutes.
Wordlist brute-force (80+ common patterns) + Certificate Transparency logs (crt.sh). Every discovered subdomain is resolved to IPs.
Connects to HTTPS on every live subdomain. Analyzes protocol version, cipher, HSTS, cert expiry. Grades A+ → F — finds forgotten subdomains with weak configs.
HTTP header analysis reveals server software, framework, CDN, and CMS for every subdomain — even ones you didn't know were live.
Maps each subdomain to ASN, hosting provider, and country. Shows which infrastructure providers your org uses across all subdomains.
Checks every CNAME for dangling pointers to GitHub Pages, Heroku, Netlify, Vercel, AWS S3, and 18 other vulnerable platforms.
Scans 8 subdomains concurrently with per-subdomain timeouts. No waiting — results appear as each batch completes.
Domain registration details via RDAP (Registration Data Access Protocol). Shows registrar, registration date, expiry, nameservers, and domain status.
Creation date, last updated, and expiry date. Critical for detecting domains near expiry that could be hijacked if not renewed.
EPP status codes: clientTransferProhibited, serverHold, pendingDelete — each has security implications for domain hijacking risk.
Current authoritative nameservers. Changes to nameservers can indicate domain hijacking or DNS provider migrations.
Discovers open ports, exposed services, and known CVEs via Shodan's InternetDB. No active probing — uses Shodan's prebuilt index for passive discovery.
All TCP/UDP ports Shodan has observed as open. Includes common dangerous services: RDP (3389), SMB (445), Redis (6379), Docker (2375), Elasticsearch (9200).
CVEs indexed by Shodan against the IP based on banner information. Identifies unpatched software before active exploitation occurs.
Shodan tags (cloud, self-signed, honeypot) and CPE identifiers for software/hardware running on the IP. Useful for vendor tracking.
Unified view across all scanner modules. Correlates findings from DNS Security, TLS, Port Intel, WHOIS, Deep Scan, and more to surface the highest-priority risks.
Links findings across DNS Security, TLS Analysis, Port Intel, WHOIS, and Deep Scan. A dangling CNAME + expired TLS = amplified risk.
Each correlated finding includes a CVSS-like severity score. Findings are sorted so the most critical issues surface first.
Instead of 8 separate result sets, get one prioritized list of what to fix. Start with Critical, then High — ignore the noise.