h0SINT maps your external attack surface and digital footprint, reasons over it like a senior analyst, and turns raw OSINT into defensible, audience-ready intelligence — built for due-diligence, third-party risk and security teams. Self-hosted: your data never leaves your perimeter.
Not another scanner. h0SINT turns raw attack-surface data into defensible, audience-ready intelligence — and gets smarter the more it works.
A local model contemplates your whole portfolio overnight, building a living cross-domain knowledge graph and feeding verified facts back into each target's brain — quality-checked before they're trusted. While your team sleeps, the analyst keeps working.
Every target accumulates a private memory of facts, false positives, entities and evidence — so the platform never forgets.
Scope-checked, approval-gated agents investigate findings, recon hosts, enrich OSINT and verify vulnerabilities — explorable as a live 3D Agent Universe.
Launch and monitor reconnaissance from inside the platform as durable jobs that survive restarts, then browse everything a scan captured — screenshots, files, repos and apps. Run secret-scanning, SAST and SCA over the code it pulled, and sweep offline breach corpora for credential exposure — all local, passwords always redacted.
A 6-axis judge grades the report — accuracy, fact-checking, gap-vs-brain, truthfulness, visuals, audience value — and auto-corrects until it's defensible. "Too green is worrying too."
Ask in plain language — "make a report in Google Slides and send me the link" — and an agent builds it in your own Google Workspace and hands you the link. Every outbound action stays approval-gated.
Ask the knowledge graph anything and get a narrative answer with the exact evidence path it reasoned along — and the weaker paths it ruled out. No black box.
Because it will. h0SINT is engineered for diligence, legal and defense buyers — where "trust me" isn't an answer.
From a whole portfolio down to a single finding — external attack-surface intelligence over bbot scans, triaged, correlated and made defensible.

Track dozens of external attack surfaces at a glance — a live threat constellation, per-group cards and risk rollups across your whole portfolio, so nothing you're responsible for goes dark.

Every target opens on the numbers that matter — DNS, IPs, ports, URLs, vulnerabilities and tech — beside a vuln-severity breakdown and the Analyze → Triage → Verify → Build → QA → Export workflow rail that carries it to a defensible report.

A Google-dork launcher and a curated grid of free OSINT tools, pre-filled for the target — jump straight from the platform into the manual pivots that turn a hostname into a lead.

Every finding is severity-tiered and CVE-mapped, filterable by severity, and ready to triage — confirm the real ones, teach the false positives, and feed the target's memory as you go.

Kick off reconnaissance from templates — kitchen-sink, custom bbot or leak search — and watch it run on a live monitor. Durable jobs that survive restarts, no terminal required.

Shared IPs, ASNs, technologies and vulnerabilities surface the hidden links between targets — the shared-infrastructure blast radius a single-target scan can never show you.
$ h0sint run --target acme.com --audience board
AI synthesizes scan, EPSS, company & infra into a draft.
Confirm findings, teach false positives — feeding the brain.
Adversarial fact-checking weeds out the noise.
Auto-corrects until the report is defensible.
PDF / HTML, or straight to Google Docs & Slides.
…and while you sleep, the dreaming engine works the whole portfolio — learning techniques, verifying theories, and getting better at the job every single night.
Runs on your hardware with local models. Sensitive client data never leaves your perimeter — a hard requirement for diligence, legal and defense buyers.
Every engagement makes the brains richer. The product's value grows with use — a data moat competitors can't copy.
The overnight dreaming engine is unique: continuous, autonomous reasoning over the whole portfolio — not a one-shot scan.
QA gate + evidence paths make every claim auditable — the difference between a scanner and an analyst you'd put in front of a board.
h0SINT is in closed beta with a small set of due-diligence, TPRM and security teams. Tell us about your use case and we'll be in touch about access.
Invite only · we reply to every serious request.