PRIVATE BETA · INVITE ONLY · SELF-HOSTED
External attack-surface & digital-footprint intelligence

See what attackers see — before the deal closes.

h0SINT maps your external attack surface and digital footprint, reasons over it like a senior analyst, and turns raw OSINT into defensible, audience-ready intelligence — built for due-diligence, third-party risk and security teams. Self-hosted: your data never leaves your perimeter.

EASM + OSINT, one platform Defensible evidence-backed reports Self-hosted · zero data egress Audience-ready · board to engineering
h0sint@mission-control: ~/portfolio LIVE
// 01 — capabilities

An entire security-diligence team,
in one platform.

Not another scanner. h0SINT turns raw attack-surface data into defensible, audience-ready intelligence — and gets smarter the more it works.

dream.engine● online
[ overnight ]

Dreaming Mode

A local model contemplates your whole portfolio overnight, building a living cross-domain knowledge graph and feeding verified facts back into each target's brain — quality-checked before they're trusted. While your team sleeps, the analyst keeps working.

brain.store● online
[ memory ]

Per-target brain

Every target accumulates a private memory of facts, false positives, entities and evidence — so the platform never forgets.

agent.swarm● online
[ autonomous ]

Agentic investigation

Scope-checked, approval-gated agents investigate findings, recon hosts, enrich OSINT and verify vulnerabilities — explorable as a live 3D Agent Universe.

scan.orchestrator● online
[ durable ]

Scan orchestration & artifacts

Launch and monitor reconnaissance from inside the platform as durable jobs that survive restarts, then browse everything a scan captured — screenshots, files, repos and apps. Run secret-scanning, SAST and SCA over the code it pulled, and sweep offline breach corpora for credential exposure — all local, passwords always redacted.

qa.gate● armed
[ ≥90 / 100 ]

Self-correcting QA gate

A 6-axis judge grades the report — accuracy, fact-checking, gap-vs-brain, truthfulness, visuals, audience value — and auto-corrects until it's defensible. "Too green is worrying too."

workspace.io● online
[ google ]

Agentic Workspace

Ask in plain language — "make a report in Google Slides and send me the link" — and an agent builds it in your own Google Workspace and hands you the link. Every outbound action stays approval-gated.

graph.query● online
[ explainable ]

Talk to your galaxy

Ask the knowledge graph anything and get a narrative answer with the exact evidence path it reasoned along — and the weaker paths it ruled out. No black box.

// 02 — proof

Built like the report has to survive an audit.

Because it will. h0SINT is engineered for diligence, legal and defense buyers — where "trust me" isn't an answer.

0
axis QA gate before any export
0%
self-hosted · data stays in perimeter
0/7
overnight dreaming & correlation
0-click
scan → board-ready report
// 03 — the product

See the platform, screen by screen.

From a whole portfolio down to a single finding — external attack-surface intelligence over bbot scans, triaged, correlated and made defensible.

h0sint://portfolio
Portfolio dashboard showing a fleet of attack surfaces, a threat constellation graph and target groups
// portfolio

Every attack surface, one view

Track dozens of external attack surfaces at a glance — a live threat constellation, per-group cards and risk rollups across your whole portfolio, so nothing you're responsible for goes dark.

h0sint://target/overview
Per-target overview with DNS, IP, ports, URLs, vulnerabilities and tech stat cards, an Analyze to Export workflow rail and a vulnerability-severity chart
// per-target

The whole footprint at a glance

Every target opens on the numbers that matter — DNS, IPs, ports, URLs, vulnerabilities and tech — beside a vuln-severity breakdown and the Analyze → Triage → Verify → Build → QA → Export workflow rail that carries it to a defensible report.

h0sint://target/osint
OSINT tab with a Google-dork launcher and a curated grid of free OSINT tools, pre-filled for the target
// osint toolbox

Pivot fast, from one place

A Google-dork launcher and a curated grid of free OSINT tools, pre-filled for the target — jump straight from the platform into the manual pivots that turn a hostname into a lead.

h0sint://target/findings
Security findings table, severity-tiered with CVE badges and a severity filter
// findings

Triage that maps to CVEs

Every finding is severity-tiered and CVE-mapped, filterable by severity, and ready to triage — confirm the real ones, teach the false positives, and feed the target's memory as you go.

h0sint://scans
Scan launcher showing scan templates and a live-monitor empty state
// scan orchestration

Launch recon from inside

Kick off reconnaissance from templates — kitchen-sink, custom bbot or leak search — and watch it run on a live monitor. Durable jobs that survive restarts, no terminal required.

h0sint://correlations
Cross-target correlations view with shared-infrastructure KPIs and shared-IP cards linking targets
// correlations

See what connects your targets

Shared IPs, ASNs, technologies and vulnerabilities surface the hidden links between targets — the shared-infrastructure blast radius a single-target scan can never show you.

// 04 — the whole platform

Nineteen features,
one defensible workflow.

From a live portfolio constellation to an overnight dreaming engine — every capability is documented, screen by screen. Read the full docs →

[ 01 ]

Portfolio & Constellation

Every external attack surface in one live WebGL threat-map with per-group risk rollups.

[ 02 ]

Target Intelligence

The whole footprint at a glance — plus exposed buckets, repos and tenants, owned-vs-mention scored.

[ 03 ]

Findings & Triage

Severity-tiered, CVE-mapped, contextually scored — teach-once triage with an evidence bundle.

[ 04 ]

AI Analysis & Reports

Grounded synthesis, deterministic verdict and a self-correcting 6-axis QA gate.

[ 05 ]

OSINT Toolbox & Leaks

Pre-filled dorks, free-tool grid and offline breach-corpus search — passwords always redacted.

[ 06 ]

Scan Orchestration

Launch and monitor recon as durable jobs that survive restarts. Keys never hit a process list.

[ 07 ]

Artifacts & Code Analysis

Browse everything a scan captured, then run secrets/SAST/SCA over the code it cloned.

[ 08 ]

Security Arsenal

19 recon binaries, streamed live and harvested to evidence from a hardened runner.

[ 09 ]

Cross-Target Correlations

Shared IPs, ASNs and tech reveal the blast radius a single-target scan can't see.

[ 10 ]

Threat Feed

Live advisories and KEV activity, matched precisely to your detected stack and versions.

[ 11 ]

Dreaming Mode

An always-on local analyst that works the whole portfolio overnight, quality-gated.

[ 12 ]

Agent Universe

Scope-locked agents that dig and verify — explorable in 3D, with explainable evidence paths.

[ 13 ]

Footprint Evolution

Every scan a snapshot; drift over time makes it continuous assurance, not a point-in-time audit.

[ 14 ]

Reports & Export Center

One dataset → seven reconciled formats and a themeable deck, consistency-gated before export.

[ 15 ]

Agentic Workspace

Ask in plain language; an agent builds it in your own Google Workspace, approval-gated.

[ 16 ]

Dataroom & Local RAG

Your documents, parsed and searched on-device behind a privacy wall, with cited answers.

[ 17 ]

Learn Mode

A living 3D tutor that teaches the tradecraft, grounded in the same reasoning engine.

[ 18 ]

Settings & AI Routing

Central cloud/local router with fallback and health — a locally-pinned model never leaks to cloud.

[ 19 ]

…and more

Groups & estates, Story Mode, Obsidian brain, Telegram bridge, ⌘K palette, mobile, vision/OCR.

// 05 — how it works

From scan to board report —
and smarter every night.

$ h0sint run --target acme.com --audience board

[01]
analyze

AI synthesizes scan, EPSS, company & infra into a draft.

[02]
triage

Confirm findings, teach false positives — feeding the brain.

[03]
verify

Adversarial fact-checking weeds out the noise.

[04]
qa ≥90

Auto-corrects until the report is defensible.

[05]
export

PDF / HTML, or straight to Google Docs & Slides.

…and while you sleep, the dreaming engine works the whole portfolio — learning techniques, verifying theories, and getting better at the job every single night.

// 06 — why h0sint

The moat: it remembers, reasons
and improves
.

perimeter.lock● sealed
[ self-hosted ]

Your data stays yours

Runs on your hardware with local models. Sensitive client data never leaves your perimeter — a hard requirement for diligence, legal and defense buyers.

memory.compound● growing
[ data moat ]

Compounding memory

Every engagement makes the brains richer. The product's value grows with use — a data moat competitors can't copy.

analyst.always-on● running
[ continuous ]

Always-on analyst

The overnight dreaming engine is unique: continuous, autonomous reasoning over the whole portfolio — not a one-shot scan.

output.auditable● signed
[ defensible ]

Auditable output

QA gate + evidence paths make every claim auditable — the difference between a scanner and an analyst you'd put in front of a board.

// private beta

Request a private beta invite.

h0SINT is in closed beta with a small set of due-diligence, TPRM and security teams. Tell us about your use case and we'll be in touch about access.

Invite only · we reply to every serious request.