h0SINT maps your external attack surface and digital footprint, reasons over it like a senior analyst, and turns raw OSINT into defensible, audience-ready intelligence — built for due-diligence, third-party risk and security teams. Self-hosted: your data never leaves your perimeter.
Not another scanner. h0SINT turns raw attack-surface data into defensible, audience-ready intelligence — and gets smarter the more it works.
A local model contemplates your whole portfolio overnight, building a living cross-domain knowledge graph and feeding verified facts back into each target's brain — quality-checked before they're trusted. While your team sleeps, the analyst keeps working.
Every target accumulates a private memory of facts, false positives, entities and evidence — so the platform never forgets.
Scope-checked, approval-gated agents investigate findings, recon hosts, enrich OSINT and verify vulnerabilities — explorable as a live 3D Agent Universe.
Launch and monitor reconnaissance from inside the platform as durable jobs that survive restarts, then browse everything a scan captured — screenshots, files, repos and apps. Run secret-scanning, SAST and SCA over the code it pulled, and sweep offline breach corpora for credential exposure — all local, passwords always redacted.
A 6-axis judge grades the report — accuracy, fact-checking, gap-vs-brain, truthfulness, visuals, audience value — and auto-corrects until it's defensible. "Too green is worrying too."
Ask in plain language — "make a report in Google Slides and send me the link" — and an agent builds it in your own Google Workspace and hands you the link. Every outbound action stays approval-gated.
Ask the knowledge graph anything and get a narrative answer with the exact evidence path it reasoned along — and the weaker paths it ruled out. No black box.
Because it will. h0SINT is engineered for diligence, legal and defense buyers — where "trust me" isn't an answer.
From a whole portfolio down to a single finding — external attack-surface intelligence over bbot scans, triaged, correlated and made defensible.

Track dozens of external attack surfaces at a glance — a live threat constellation, per-group cards and risk rollups across your whole portfolio, so nothing you're responsible for goes dark.

Every target opens on the numbers that matter — DNS, IPs, ports, URLs, vulnerabilities and tech — beside a vuln-severity breakdown and the Analyze → Triage → Verify → Build → QA → Export workflow rail that carries it to a defensible report.

A Google-dork launcher and a curated grid of free OSINT tools, pre-filled for the target — jump straight from the platform into the manual pivots that turn a hostname into a lead.

Every finding is severity-tiered and CVE-mapped, filterable by severity, and ready to triage — confirm the real ones, teach the false positives, and feed the target's memory as you go.

Kick off reconnaissance from templates — kitchen-sink, custom bbot or leak search — and watch it run on a live monitor. Durable jobs that survive restarts, no terminal required.

Shared IPs, ASNs, technologies and vulnerabilities surface the hidden links between targets — the shared-infrastructure blast radius a single-target scan can never show you.
From a live portfolio constellation to an overnight dreaming engine — every capability is documented, screen by screen. Read the full docs →
Every external attack surface in one live WebGL threat-map with per-group risk rollups.
The whole footprint at a glance — plus exposed buckets, repos and tenants, owned-vs-mention scored.
Severity-tiered, CVE-mapped, contextually scored — teach-once triage with an evidence bundle.
Grounded synthesis, deterministic verdict and a self-correcting 6-axis QA gate.
Pre-filled dorks, free-tool grid and offline breach-corpus search — passwords always redacted.
Launch and monitor recon as durable jobs that survive restarts. Keys never hit a process list.
Browse everything a scan captured, then run secrets/SAST/SCA over the code it cloned.
19 recon binaries, streamed live and harvested to evidence from a hardened runner.
Shared IPs, ASNs and tech reveal the blast radius a single-target scan can't see.
Live advisories and KEV activity, matched precisely to your detected stack and versions.
An always-on local analyst that works the whole portfolio overnight, quality-gated.
Scope-locked agents that dig and verify — explorable in 3D, with explainable evidence paths.
Every scan a snapshot; drift over time makes it continuous assurance, not a point-in-time audit.
One dataset → seven reconciled formats and a themeable deck, consistency-gated before export.
Ask in plain language; an agent builds it in your own Google Workspace, approval-gated.
Your documents, parsed and searched on-device behind a privacy wall, with cited answers.
A living 3D tutor that teaches the tradecraft, grounded in the same reasoning engine.
Central cloud/local router with fallback and health — a locally-pinned model never leaks to cloud.
Groups & estates, Story Mode, Obsidian brain, Telegram bridge, ⌘K palette, mobile, vision/OCR.
$ h0sint run --target acme.com --audience board
AI synthesizes scan, EPSS, company & infra into a draft.
Confirm findings, teach false positives — feeding the brain.
Adversarial fact-checking weeds out the noise.
Auto-corrects until the report is defensible.
PDF / HTML, or straight to Google Docs & Slides.
…and while you sleep, the dreaming engine works the whole portfolio — learning techniques, verifying theories, and getting better at the job every single night.
Runs on your hardware with local models. Sensitive client data never leaves your perimeter — a hard requirement for diligence, legal and defense buyers.
Every engagement makes the brains richer. The product's value grows with use — a data moat competitors can't copy.
The overnight dreaming engine is unique: continuous, autonomous reasoning over the whole portfolio — not a one-shot scan.
QA gate + evidence paths make every claim auditable — the difference between a scanner and an analyst you'd put in front of a board.
h0SINT is in closed beta with a small set of due-diligence, TPRM and security teams. Tell us about your use case and we'll be in touch about access.
Invite only · we reply to every serious request.