DOCUMENTATION · SELF-HOSTED · PRIVATE BETA

Every feature of h0SINT,
screen by screen.

h0SINT is a self-hosted external attack-surface & digital-footprint intelligence platform for due-diligence, third-party-risk and security teams. It maps your exposure, reasons over it like a senior analyst, and turns raw OSINT into defensible, audience-ready reports — with your data never leaving your perimeter. This page documents the whole platform. Every screenshot is from the live product, anonymized.

29product surfaces
pages from portfolio to a single finding
6-axis
QA gate before any export
7export formats
all reconciled to one dataset
100% self-hosted
your data stays in your perimeter
// 01 — feature

Portfolio & Threat Constellation

Every external attack surface you own, in one living view

The home screen is a live threat constellation — a WebGL star-map of every domain, host and cloud provider you track, wired together by shared infrastructure. Around it sit per-target orb cards and per-group risk rollups, each showing a live Red/Amber/Green verdict that tracks the latest triage.

Nothing you are responsible for goes dark: the constellation grows smoothly as scans land, cloud-provider sub-constellations can be toggled on to see who hosts what, and hovering any node highlights everything it connects to.

Live verdictseach target and group carries a post-triage Red/Amber/Green badge, never a stale one.
Provider constellationstoggle cloud/CDN groupings to see hosting concentration and blast radius.
Risk rollupportfolio-wide counts of criticals, highs and exposed assets at a glance.
Portfolio home — the live threat constellation with per-target orb cards.
Portfolio home — the live threat constellation with per-target orb cards.
Full portfolio scroll — group cards and risk rollups beneath the map.
Full portfolio scroll — group cards and risk rollups beneath the map.
Target groups — estates rolled up into a single grouped verdict.
Target groups — estates rolled up into a single grouped verdict.
// 02 — feature

Target Intelligence Overview

The whole external footprint of one target, at a glance

Open any target and it leads with the numbers that matter — DNS names, IPs, open ports, URLs, vulnerabilities and detected technologies — beside a vulnerability-severity breakdown and the Analyze → Triage → Verify → Build → QA → Export workflow rail that carries the target to a defensible report.

A dedicated Exposed Assets panel surfaces what raw scanners usually drop on the floor: cloud storage buckets, code repositories, mobile apps, Azure tenants and social profiles — each tagged with owned-vs-mention confidence so the report never claims a third-party asset is yours.

Owned vs. mentionevery asset is confidence-scored so attribution is defensible, not assumed.
Exposed surfacebuckets, repos, APKs and tenants that a plain port-scan never reports.
Workflow raila guided path from raw scan to board-ready output, always one click away.
Target overview — the stat spine and workflow rail.
Target overview — the stat spine and workflow rail.
Deeper overview — severity breakdown and infrastructure notes.
Deeper overview — severity breakdown and infrastructure notes.
Exposed Assets — buckets, repos and tenants with owned-vs-mention confidence.
Exposed Assets — buckets, repos and tenants with owned-vs-mention confidence.
// 03 — feature

Findings & Triage

Severity-tiered, CVE-mapped findings you can defend

Every finding is normalized to a canonical severity, mapped to CVEs where they exist, and scored with a contextual engine that weighs EPSS exploit-probability, CISA-KEV status, internet-exposure and false-positive risk — so an outdated client-side library never masquerades as a critical.

Triage is one click: confirm the real ones, teach the false positives, mark noise. Each decision feeds the target's memory and instantly re-computes the verdict. AI triage suggestions come pre-computed, and an evidence bundle behind every finding proves the call with the raw scanner output, the scoring math and the adversarial AI verdict.

Contextual scoringEPSS + KEV + exposure + FP-risk, per profile — not a raw CVSS label.
Teach-once triagefalse positives feed the brain and stop coming back.
Evidence bundleevery finding carries the proof an analyst would need in front of a board.
Findings tab — severity-tiered and filterable, ready to triage.
Findings tab — severity-tiered and filterable, ready to triage.
The full findings table with CVE badges and triage state.
The full findings table with CVE badges and triage state.
Vulnerabilities view — true severities after contextual scoring.
Vulnerabilities view — true severities after contextual scoring.
// 04 — feature

AI Analysis & Defensible Reports

A senior analyst's synthesis — grounded, hedged and audience-true

h0SINT synthesizes the scan, EPSS/KEV data, company profile and infrastructure into a written assessment with a deterministic Red/Amber/Green verdict, a per-category RAG table, an executive summary and tiered P1/P2/P3 recommendations. A grounding gate strips any CVE the scan didn't actually find and neutralizes unproven exploitation claims, so a weak model can't hallucinate a KEV.

A 6-axis QA gate then grades the report — accuracy, fact-checking, gap-vs-brain, truthfulness, visuals and audience value — and auto-corrects until it clears the bar. “Too green is worrying too”: the gate escalates a suspiciously clean verdict just as readily as it softens an overstated one.

Grounded synthesisclaims are checked against the scan; fabricated CVEs and KEV assertions are stripped.
Deterministic verdictthe RAG tracks the contextual scoring engine, not the model's mood.
Self-correcting QAa 6-axis judge iterates the report to a defensible score before any export.
AI analysis tab — synthesis, verdict and recommendations.
AI analysis tab — synthesis, verdict and recommendations.
Master analysis — the full narrative assessment, fact-checked.
Master analysis — the full narrative assessment, fact-checked.
Readiness checklist — the QA axes and what still needs attention.
Readiness checklist — the QA axes and what still needs attention.
// 05 — feature

OSINT Toolbox & Local Leaks

Pivot fast, and check breach exposure without leaving your perimeter

The OSINT tab bundles a Google-dork launcher and a curated grid of free OSINT tools, every one pre-filled for the current target — jump straight from the platform into the manual pivots that turn a hostname into a lead. Structured OSINT modules (corporate registries, Wikidata, tech fingerprinting, job signals) enrich the brain automatically.

Credential exposure is checked against offline breach corpora that live on your own hardware — billions of leaked records, searched locally, with passwords always redacted before anything is stored or shown. No third-party breach API ever sees your target.

Pre-filled pivotsdorks and tools open ready-to-run for the target — no copy-paste.
Offline breach searchlocal corpora, no external API, passwords redacted at the source.
Structured enrichmentregistries, Wikidata and tech signals feed the target brain.
OSINT tab — structured modules and enrichment for the target.
OSINT tab — structured modules and enrichment for the target.
The OSINT Toolbox — dorks and free tools, pre-filled.
The OSINT Toolbox — dorks and free tools, pre-filled.
Deeper OSINT — breach-exposure signals and pivots.
Deeper OSINT — breach-exposure signals and pivots.
// 06 — feature

Scan Orchestration & Monitor

Launch and watch reconnaissance from inside the platform

Kick off reconnaissance without touching a terminal. Pick a template — the kitchen-sink bbot profile, a custom builder, or an offline leak search — and it runs as a durable job that survives restarts, backed by a real detached session on disk rather than an in-memory task that dies with the worker.

A live monitor lists every scan across every target with an elapsed clock and a status dot; click one to tail its log in real time. API keys are passed by reference, never written into the command line, so nothing sensitive ever appears in a process list.

Durable jobsfilesystem-derived status survives gunicorn recycles and restarts.
Live log tailbyte-offset streaming of any running scan's output.
Secret-safekeys passed as ${env:...} references — never in argv or a ps listing.
Scan launcher — templates and the live monitor.
Scan launcher — templates and the live monitor.
Full launcher — the durable scan registry and history.
Full launcher — the durable scan registry and history.
Monitor detail — per-scan status across the whole portfolio.
Monitor detail — per-scan status across the whole portfolio.
// 07 — feature

Artifacts & Code Analysis

Everything a scan captured — and a code audit over what it pulled

bbot collects far more than a findings list: screenshots, downloaded files, cloned git repositories, docker images, mobile apps and Postman workspaces. The Artifacts tab surfaces all of it straight from disk, bypassing the size caps that hide data in a JSON dump.

Point the code-analysis arsenal at any repository a scan cloned and run secret-scanning (gitleaks, trufflehog), SAST (semgrep) and SCA/SBOM (syft + grype) over it. Results are promoted to first-class, triageable findings with stable IDs, and any secret is redacted before it is ever stored or displayed.

Full artifact browsescreenshots, repos, containers, APKs and files — nothing capped away.
SAST · secrets · SCAgitleaks, trufflehog, semgrep, syft and grype over cloned code.
Redacted by designdiscovered secrets are masked to prefix+length before storage.
Artifacts tab — screenshots, repos and downloaded files from the scan.
Artifacts tab — screenshots, repos and downloaded files from the scan.
Full artifact inventory with per-repo Analyze actions.
Full artifact inventory with per-repo Analyze actions.
Code-analysis results promoted into the findings pipeline.
Code-analysis results promoted into the findings pipeline.
// 08 — feature

Security Arsenal

19 recon binaries, run and harvested from one mission-control hub

The Arsenal is a hardened runner for a fleet of OSINT and reconnaissance tools. Toggle a tool on, run it against a validated target, and watch its output stream live in an SSE terminal; queue several at once and save any run's output straight into the target's evidence trail.

The runner is locked down: targets are validated to an argv (never a shell string), runs are killed on timeout by process-group, and every tool is identity-verified at install so a name-collision binary can't shadow the real one.

Live SSE terminalstream tool output as it runs; queue and monitor multiple at once.
Save-as-evidenceharvest any run straight into the target's evidence trail.
Hardened executionvalidated argv, shell=False, killpg timeout, install-verified tools.
Arsenal hub — the tool grid with per-tool toggles.
Arsenal hub — the tool grid with per-tool toggles.
Full arsenal — queued runs and evidence capture.
Full arsenal — queued runs and evidence capture.
Arsenal in-target — recon scoped to one footprint.
Arsenal in-target — recon scoped to one footprint.
// 09 — feature

Cross-Target Correlations

The hidden links a single-target scan can never show

Shared IPs, ASNs, technologies and vulnerabilities surface the connections between your targets — the shared-infrastructure blast radius that only appears when you look across the whole portfolio at once.

A unified correlation graph links domain to domain through the infrastructure they have in common, with shared-infrastructure KPIs and per-provider hover chips. Host attribution is per-finding, so a CDN edge is never mistaken for an origin exposure.

Shared-infra graphdomain↔domain links through common IPs, ASNs and tech.
Blast radiussee which exposure on one target implicates the others.
Per-finding attributionCDN/proxy edges resolved host-by-host, never blanket-applied.
Correlations — the cross-target shared-infrastructure graph.
Correlations — the cross-target shared-infrastructure graph.
Shared-infrastructure KPIs and the domains they link.
Shared-infrastructure KPIs and the domains they link.
Shared-IP cards connecting targets across the portfolio.
Shared-IP cards connecting targets across the portfolio.
// 10 — feature

Threat Intelligence Feed

Live exploit and advisory intel, matched to your stack

A continuously-updated threat feed tracks new advisories, KEV additions and exploited-in-the-wild activity, then matches them precisely against the technologies and versions detected on your targets — so a new product CVE lights up exactly the assets that run it, and nothing that doesn't.

Pins let you keep watch on the products that matter to a given engagement, and matches flow back into the report's synthesis as grounded, version-aware signals rather than blanket alarms.

Precise matchingadvisories matched to detected product + version, not a fuzzy keyword.
KEV-awareknown-exploited entries are never buried under backport noise.
Pinswatch the products that matter to the current engagement.
Threat feed — live advisories and KEV activity.
Threat feed — live advisories and KEV activity.
The full feed with product matches against your stack.
The full feed with product matches against your stack.
Matched entries feeding grounded, version-aware signals.
Matched entries feeding grounded, version-aware signals.
// 11 — feature

Dreaming Mode

An always-on analyst that works your whole portfolio overnight

While your team sleeps, a local model contemplates the entire dataset — building a living cross-domain knowledge graph, forming and testing theories, learning techniques, and feeding verified facts back into each target's brain. Everything it proposes passes a brain quality-check gate before it is trusted.

The result renders as an Obsidian-style dreamscape: a navigable cosmos of everything the platform knows and everything it inferred, with a journal of what it worked on and why. Continuous, autonomous reasoning over the whole estate — not a one-shot scan.

Overnight reasoninga local model works the full portfolio while you're away.
Quality-gated learninginferred facts are QC'd before they enter any brain.
Living knowledge grapha navigable cosmos of facts, entities and correlations.
Dreaming Mode — the Obsidian-style knowledge cosmos.
Dreaming Mode — the Obsidian-style knowledge cosmos.
The dreamscape with legend, filters and search.
The dreamscape with legend, filters and search.
The dream journal — what the analyst worked on overnight.
The dream journal — what the analyst worked on overnight.
// 12 — feature

Agentic Investigation & Universe

Scope-checked agents that dig, verify and explain

Approval-gated agents investigate findings, recon hosts, enrich OSINT and verify vulnerabilities — always scope-checked so an agent can never wander into a sibling domain it wasn't asked about. Every run leaves a narrative of its reasoning and the raw tool input/output behind each step.

The whole swarm is explorable as a live 3D Agent Universe, and you can talk to your galaxy: ask the knowledge graph anything and get a narrative answer with the exact evidence path it reasoned along — and the weaker paths it ruled out. No black box.

Scope-lockedagents are fenced to the target in hand — no cross-domain leakage.
Explainableanswers come with the evidence path taken and the ones rejected.
Approval-gatedevery outbound or state-changing action waits for a human yes.
The 3D Agent Universe — the live investigation swarm.
The 3D Agent Universe — the live investigation swarm.
Agents explorer — per-host agents and their runs.
Agents explorer — per-host agents and their runs.
An agent run — narrative reasoning with evidence paths.
An agent run — narrative reasoning with evidence paths.
// 13 — feature

Footprint Evolution

How a target's attack surface changed over time

Every scan is a snapshot; Evolution stitches them into a timeline so you can see how a target's footprint grew or shrank — new hosts appearing, ports opening and closing, technologies coming and going, findings resolved or introduced between engagements.

It is the difference between a point-in-time audit and continuous assurance: drift is visible, and a re-scan tells you exactly what moved since last time.

Snapshot timelineevery scan preserved and diffable, per target.
Drift detectionwhat opened, closed, appeared or was remediated between scans.
Per-domain historydrill into one target's full change history.
Evolution — the scan-footprint timeline.
Evolution — the scan-footprint timeline.
The full evolution view across snapshots.
The full evolution view across snapshots.
A single target's change history, scan over scan.
A single target's change history, scan over scan.
// 14 — feature

Reports, Slides & Export Center

One defensible dataset, every audience-ready format

A single source-of-truth data model feeds every surface, so the report, the deck, the charts and every export always agree. Preview and edit the slide deck before it leaves, then export from one Export Center to Markdown, self-contained interactive HTML, JSON, CSV, STIX 2.1, XLSX or PDF — or straight into Google Docs and Slides.

An export-consistency gate verifies that every format reports the same counts, the same verdict and no leaked suppressed findings before anything ships. The interactive slide builder turns the same data into a chart-rich, themeable deck.

SSOT exportsseven formats, all reconciled to one post-triage data model.
Consistency gatecounts, verdict and suppression checked to agree across every format.
Deck builderpreview, edit and theme the slides before export.
The interactive slide / deck builder.
The interactive slide / deck builder.
A generated report deck, chart-rich and themeable.
A generated report deck, chart-rich and themeable.
The Export Center — every format from one dataset.
The Export Center — every format from one dataset.
// 15 — feature

Agentic Workspace (Google)

Ask in plain language; an agent builds it in your Workspace

Say “make a report in Google Slides and send me the link” and an agent assembles it in your own Google Workspace — Docs, Slides, Sheets, Drive and Calendar — and hands you the link. A unified mission-control page gives every target its own workspace on disk and in Drive.

Every outbound action is approval-gated, and OAuth tokens are persisted safely so the connection survives restarts. The platform reaches out only when you tell it to.

Natural-language builddescribe the deliverable; the agent produces it in Workspace.
Your accountartifacts land in your Drive, not a third-party tenant.
Approval-gatedno document is created or sent without an explicit yes.
The Workspace mission-control page.
The Workspace mission-control page.
Per-target workspaces on disk and in Drive.
Per-target workspaces on disk and in Drive.
Agentic export — plain-language to a Google deliverable.
Agentic export — plain-language to a Google deliverable.
// 16 — feature

Private Dataroom & Local RAG

Bring your own documents — searched locally, behind a privacy wall

Upload the documents a diligence engagement actually runs on — policies, questionnaires, SOC 2 reports — and the dataroom parses them into brain facts and a local RAG index built with on-device embeddings. Ask questions and get cited answers, or cross-check the scan against what the documents claim.

A privacy wall keeps document content local by default: sensitive material is never sent to a cloud model without explicit consent, and evidence from the dataroom is what lets the report confirm or hedge an internal control an external scan can neither prove nor disprove.

Local RAGon-device embeddings + cited answers — documents never auto-leave the box.
Scan×doc cross-checkreconcile what the scan sees against what the paperwork claims.
Control evidencedataroom proof lets the report stop hedging a verified control.
The Dataroom — upload, parse and index your own documents.
The Dataroom — upload, parse and index your own documents.
Local RAG — ask questions and get cited answers.
Local RAG — ask questions and get cited answers.
Scan-vs-document cross-check, all behind the privacy wall.
Scan-vs-document cross-check, all behind the privacy wall.
// 17 — feature

Learn Mode — Cyber School

An agentic tutor that teaches the tradecraft

Learn Mode turns the platform into a guided cyber-security school: a living 3D tutor walks through OSINT and attack-surface tradecraft with personas, voice and lessons grounded in the same engine that powers the analysis — so the teaching matches how the product actually reasons.

It runs on the same local-or-cloud AI routing as the rest of the platform, so training stays inside your perimeter when you need it to.

Living tutora 3D, emoting guide with selectable personas and voice.
Grounded lessonstaught by the same reasoning engine that runs the analysis.
Local-firstruns on your own models when privacy requires it.
Learn Mode — the agentic cyber-school tutor.
Learn Mode — the agentic cyber-school tutor.
A full lesson flow with the living 3D guide.
A full lesson flow with the living 3D guide.
Personas and grounded lesson content.
Personas and grounded lesson content.
// 18 — feature

Settings & AI Routing

Every model, provider and connection under one panel

One settings panel controls the whole platform: provider enable/disable toggles, OSINT API keys, Neo4j and Workspace connections, and a central AI router that chooses between cloud and local models per task — with cross-provider fallback, health checks and a live activity badge.

The privacy invariant is intrinsic: a target pinned to a local model never falls back to the cloud, no matter which call site invokes it. What you host stays hosted.

Central AI routercloud/local/smart modes, cross-provider fallback and health checks.
Local-pin privacya locally-pinned model can never silently fall back to a cloud one.
One panelproviders, keys, connections and model stats in a single drawer.
Settings — providers, keys and connections.
Settings — providers, keys and connections.
The full settings surface with AI routing controls.
The full settings surface with AI routing controls.
AI router — cloud/local modes and live provider health.
AI router — cloud/local modes and live provider health.
// also in the platform

More capabilities

Groups & EstatesTreat a whole estate as one target: concurrent per-member analyst agents, a group-lead synthesis, a live 3D collaboration scene and an estate-wide verdict that a sibling's exposure can never green-wash.
Story ModeTarget intelligence as swipeable IG-style stories — like, share, comment and report on findings, for stakeholders who will never open a PDF.
Obsidian BrainExport everything the platform knows as a wiki-linked Obsidian vault (knowledge + a Claude-brain mirror), with an optional real-time push to Drive.
Telegram BridgeAn owner-locked Telegram bot to launch analyses and receive results from your phone, allowlist-gated.
Command Palette (⌘K)A global command palette and keyboard layer to jump to any target, tab or action instantly.
Mobile-readyA responsive layer down to 390px with pinch-zoom accessibility and a mobile-aware 3D pixel ratio — the whole console works on a phone.
Context SessionsGrounded “questions to ask” plus virtual CEO/CTO/SecEng persona rehearsals to prep a real diligence call, with a wrap-up debrief.
Vision & OCRImage recognition and OCR in the AI chat and analysis, so screenshots and scanned documents become searchable evidence.
Encrypted Secrets VaultAPI keys and tokens live in a gitignored .env or an encrypted vault — never committed, never in a process list.
Audit TrailGoogle-login gated access with a full audit trail of who ran what, for engagements that answer to compliance.

See it on your own data.

h0SINT is in a private, invite-only beta with due-diligence, TPRM and security teams. Tell us about your use case.

▸ request beta access