PRIVATE BETA · INVITE ONLY · SELF-HOSTED
External attack-surface & digital-footprint intelligence

See what attackers see — before the deal closes.

h0SINT maps your external attack surface and digital footprint, reasons over it like a senior analyst, and turns raw OSINT into defensible, audience-ready intelligence — built for due-diligence, third-party risk and security teams. Self-hosted: your data never leaves your perimeter.

EASM + OSINT, one platform Defensible evidence-backed reports Self-hosted · zero data egress Audience-ready · board to engineering
h0sint@mission-control: ~/portfolio LIVE
// 01 — capabilities

An entire security-diligence team,
in one platform.

Not another scanner. h0SINT turns raw attack-surface data into defensible, audience-ready intelligence — and gets smarter the more it works.

dream.engine● online
[ overnight ]

Dreaming Mode

A local model contemplates your whole portfolio overnight, building a living cross-domain knowledge graph and feeding verified facts back into each target's brain — quality-checked before they're trusted. While your team sleeps, the analyst keeps working.

brain.store● online
[ memory ]

Per-target brain

Every target accumulates a private memory of facts, false positives, entities and evidence — so the platform never forgets.

agent.swarm● online
[ autonomous ]

Agentic investigation

Scope-checked, approval-gated agents investigate findings, recon hosts, enrich OSINT and verify vulnerabilities — explorable as a live 3D Agent Universe.

scan.orchestrator● online
[ durable ]

Scan orchestration & artifacts

Launch and monitor reconnaissance from inside the platform as durable jobs that survive restarts, then browse everything a scan captured — screenshots, files, repos and apps. Run secret-scanning, SAST and SCA over the code it pulled, and sweep offline breach corpora for credential exposure — all local, passwords always redacted.

qa.gate● armed
[ ≥90 / 100 ]

Self-correcting QA gate

A 6-axis judge grades the report — accuracy, fact-checking, gap-vs-brain, truthfulness, visuals, audience value — and auto-corrects until it's defensible. "Too green is worrying too."

workspace.io● online
[ google ]

Agentic Workspace

Ask in plain language — "make a report in Google Slides and send me the link" — and an agent builds it in your own Google Workspace and hands you the link. Every outbound action stays approval-gated.

graph.query● online
[ explainable ]

Talk to your galaxy

Ask the knowledge graph anything and get a narrative answer with the exact evidence path it reasoned along — and the weaker paths it ruled out. No black box.

// 02 — proof

Built like the report has to survive an audit.

Because it will. h0SINT is engineered for diligence, legal and defense buyers — where "trust me" isn't an answer.

0
axis QA gate before any export
0%
self-hosted · data stays in perimeter
0/7
overnight dreaming & correlation
0-click
scan → board-ready report
// 03 — the product

See the platform, screen by screen.

From a whole portfolio down to a single finding — external attack-surface intelligence over bbot scans, triaged, correlated and made defensible.

h0sint://portfolio
Portfolio dashboard showing 32 attack surfaces, a threat constellation graph and target groups
// portfolio

Every attack surface, one view

Track dozens of external attack surfaces at a glance — a live threat constellation, per-group cards and risk rollups across your whole portfolio, so nothing you're responsible for goes dark.

h0sint://target/overview
Per-target overview with DNS, IP, ports, URLs, vulnerabilities and tech stat cards, an Analyze to Export workflow rail and a vulnerability-severity chart
// per-target

The whole footprint at a glance

Every target opens on the numbers that matter — DNS, IPs, ports, URLs, vulnerabilities and tech — beside a vuln-severity breakdown and the Analyze → Triage → Verify → Build → QA → Export workflow rail that carries it to a defensible report.

h0sint://target/osint
OSINT tab with a Google-dork launcher and a curated grid of free OSINT tools, pre-filled for the target
// osint toolbox

Pivot fast, from one place

A Google-dork launcher and a curated grid of free OSINT tools, pre-filled for the target — jump straight from the platform into the manual pivots that turn a hostname into a lead.

h0sint://target/findings
Security findings table, severity-tiered with CVE badges and a severity filter
// findings

Triage that maps to CVEs

Every finding is severity-tiered and CVE-mapped, filterable by severity, and ready to triage — confirm the real ones, teach the false positives, and feed the target's memory as you go.

h0sint://scans
Scan launcher showing scan templates and a live-monitor empty state
// scan orchestration

Launch recon from inside

Kick off reconnaissance from templates — kitchen-sink, custom bbot or leak search — and watch it run on a live monitor. Durable jobs that survive restarts, no terminal required.

h0sint://correlations
Cross-target correlations view with shared-infrastructure KPIs and shared-IP cards linking targets
// correlations

See what connects your targets

Shared IPs, ASNs, technologies and vulnerabilities surface the hidden links between targets — the shared-infrastructure blast radius a single-target scan can never show you.

// 04 — how it works

From scan to board report —
and smarter every night.

$ h0sint run --target acme.com --audience board

[01]
analyze

AI synthesizes scan, EPSS, company & infra into a draft.

[02]
triage

Confirm findings, teach false positives — feeding the brain.

[03]
verify

Adversarial fact-checking weeds out the noise.

[04]
qa ≥90

Auto-corrects until the report is defensible.

[05]
export

PDF / HTML, or straight to Google Docs & Slides.

…and while you sleep, the dreaming engine works the whole portfolio — learning techniques, verifying theories, and getting better at the job every single night.

// 05 — why h0sint

The moat: it remembers, reasons
and improves
.

perimeter.lock● sealed
[ self-hosted ]

Your data stays yours

Runs on your hardware with local models. Sensitive client data never leaves your perimeter — a hard requirement for diligence, legal and defense buyers.

memory.compound● growing
[ data moat ]

Compounding memory

Every engagement makes the brains richer. The product's value grows with use — a data moat competitors can't copy.

analyst.always-on● running
[ continuous ]

Always-on analyst

The overnight dreaming engine is unique: continuous, autonomous reasoning over the whole portfolio — not a one-shot scan.

output.auditable● signed
[ defensible ]

Auditable output

QA gate + evidence paths make every claim auditable — the difference between a scanner and an analyst you'd put in front of a board.

// private beta

Request a private beta invite.

h0SINT is in closed beta with a small set of due-diligence, TPRM and security teams. Tell us about your use case and we'll be in touch about access.

Invite only · we reply to every serious request.