SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.
SpiderFoot has an embedded web-server for providing a clean and intuitive web-based interface but can also be used completely via the command-line. It's written in Python 3 and GPL-licensed.

Need more from SpiderFoot? Check out SpiderFoot HX for: - 100% Cloud-based and managed for you - Attack Surface Monitoring with change notifications by email, REST and Slack - Multiple targets per scan - Multi-user collaboration - Authenticated and 2FA - Investigations - Customer support - Third party tools pre-installed & configured - Drive it with a fully RESTful API - TOR integration built-in - Screenshotting - Bring your own Python SpiderFoot modules - Feed scan data to Splunk, ElasticSearch and REST endpoints
See the full set of differences between SpiderFoot HX and the open source version here.
SpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet.
You can target the following entities in a SpiderFoot scan:
SpiderFoot's 200+ modules feed each other in a publisher/subscriber model to ensure maximum data extraction to do things like:
To install and run SpiderFoot, you need at least Python 3.7 and a number of Python libraries which you can install with pip. We recommend you install a packaged release since master will often have bleeding edge features and modules that aren't fully tested.
$ wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz
$ tar zxvf v4.0.tar.gz
$ cd spiderfoot-4.0
$ pip3 install -r requirements.txt
$ python3 ./sf.py -l 127.0.0.1:5001
$ git clone https://github.com/smicallef/spiderfoot.git
$ cd spiderfoot
$ pip3 install -r requirements.txt
$ python3 ./sf.py -l 127.0.0.1:5001
Check out the documentation and our asciinema videos for more tutorials.
Whether you're a contributor, user or just curious about SpiderFoot and OSINT in general, we'd love to have you join our community! SpiderFoot now has a Discord server for seeking help from the community, requesting features or just general OSINT chit-chat.
We have a comprehensive write-up and reference of the correlation rule-set introduced in SpiderFoot 4.0 here.
Also take a look at the template.yaml file for a walk through. The existing 37 rules are also quite readable and good as starting points for additional rules.
SpiderFoot has over 200 modules, most of which don't require API keys, and many of those that do require API keys have a free tier.
| Name | Description | Type |
|---|---|---|
| AbstractAPI | Look up domain, phone and IP address information from AbstractAPI. | Tiered API |
| abuse.ch | Check if a host/domain, IP address or netblock is malicious according to Abuse.ch. | Free API |
| AbuseIPDB | Check if an IP address is malicious according to AbuseIPDB.com blacklist. | Tiered API |
| Abusix Mail Intelligence | Check if a netblock or IP address is in the Abusix Mail Intelligence blacklist. | Tiered API |
| Account Finder | Look for possible associated accounts on nearly 200 websites like Ebay, Slashdot, reddit, etc. | Internal |
| AdBlock Check | Check if linked pages would be blocked by AdBlock Plus. | Tiered API |
| AdGuard DNS | Check if a host would be blocked by AdGuard DNS. | Free API |
| Ahmia | Search Tor 'Ahmia' search engine for mentions of the target. | Free API |
| AlienVault IP Reputation | Check if an IP or netblock is malicious according to the AlienVault IP Reputation database. | Free API |
| AlienVault OTX | Obtain information from AlienVault Open Threat Exchange (OTX) | Tiered API |
| Amazon S3 Bucket Finder | Search for potential Amazon S3 buckets associated with the target and attempt to list their contents. | Free API |
| Apple iTunes | Search Apple iTunes for mobile apps. | Free API |
| Archive.org | Identifies historic versions of interesting files/pages from the Wayback Machine. | Free API |
| ARIN | Queries ARIN registry for contact information. | Free API |
| Azure Blob Finder | Search for potential Azure blobs associated with the target and attempt to list their contents. | Free API |
| Bad Packets | Obtain information about any malicious activities involving IP addresses found | Commercial API |
| Base64 Decoder | Identify Base64-encoded strings in URLs, often revealing interesting hidden information. | Internal |
| BGPView | Obtain network information from BGPView API. | Free API |
| Binary String Extractor | Attempt to identify strings in binary content. | Internal |
| BinaryEdge | Obtain information from BinaryEdge.io Internet scanning systems, including breaches, vulnerabilities, torrents and passive DNS. | Tiered API |
| Bing (Shared IPs) | Search Bing for hosts sharing the same IP. | Tiered API |
| Bing | Obtain information from bing to identify sub-domains and links. | Tiered API |
| Bitcoin Finder | Identify bitcoin addresses in scraped webpages. | Internal |
| Bitcoin Who's Who | Check for Bitcoin addresses against the Bitcoin Who's Who database of suspect/malicious addresses. | Tiered API |
| BitcoinAbuse | Check Bitcoin addresses against the bitcoinabuse.com database of suspect/malicious addresses. | Free API |
| Blockchain | Queries blockchain.info to find the balance of identified bitcoin wallet addresses. | Free API |
| blocklist.de | Check if a netblock or IP is malicious according to blocklist.de. | Free API |
| BotScout | Searches BotScout.com's database of spam-bot IP addresses and e-mail addresses. | Tiered API |
| botvrij.eu | Check if a domain is malicious according to botvrij.eu. | Free API |
| BuiltWith | Query BuiltWith.com's Domain API for information about your target's web technology stack, e-mail addresses and more. | Tiered API |
| C99 | Queries the C99 API which offers various data (geo location, proxy detection, phone lookup, etc). | Commercial API |
| CallerName | Lookup US phone number location and reputation information. | Free API |
| Censys | Obtain host information from Censys.io. | Tiered API |
| Certificate Transparency | Gather hostnames from historical certificates in crt.sh. | Free API |
| CertSpotter | Gather information about SSL certificates from SSLMate CertSpotter API. | Tiered API |
| CINS Army List | Check if a netblock or IP address is malicious according to Collective Intelligence Network Security (CINS) Army list. | Free API |
| CIRCL.LU | Obtain information from CIRCL.LU's Passive DNS and Passive SSL databases. | Free API |
| CleanBrowsing.org | Check if a host would be blocked by CleanBrowsing.org DNS content filters. | Free API |
| CleanTalk Spam List | Check if a netblock or IP address is on CleanTalk.org's spam IP list. | Free API |
| Clearbit | Check for names, addresses, domains and more based on lookups of e-mail addresses on clearbit.com. | Tiered API |
| CloudFlare DNS | Check if a host would be blocked by CloudFlare DNS. | Free API |
| CoinBlocker Lists | Check if a domain appears on CoinBlocker lists. | Free API |
| CommonCrawl | Searches for URLs found through CommonCrawl.org. | Free API |
| Comodo Secure DNS | Check if a host would be blocked by Comodo Secure DNS. | Tiered API |
| Company Name Extractor | Identify company names in any obtained data. | Internal |
| Cookie Extractor | Extract Cookies from HTTP headers. | Internal |
| Country Name Extractor | Identify country names in any obtained data. | Internal |
| Credit Card Number Extractor | Identify Credit Card Numbers in any data | Internal |
| Crobat API | Search Crobat API for subdomains. | Free API |
| Cross-Referencer | Identify whether other domains are associated ('Affiliates') of the target by looking for links back to the target site(s). | Internal |
| CRXcavator | Search CRXcavator for Chrome extensions. | Free API |
| Custom Threat Feed | Check if a host/domain, netblock, ASN or IP is malicious according to your custom feed. | Internal |
| CyberCrime-Tracker.net | Check if a host/domain or IP address is malicious according to CyberCrime-Tracker.net. | Free API |
| Darksearch | Search the Darksearch.io Tor search engine for mentions of the target domain. | Free API |
| Debounce | Check whether an email is disposable | Free API |
| Dehashed | Gather breach data from Dehashed API. | Commercial API |
| Digital Ocean Space Finder | Search for potential Digital Ocean Spaces associated with the target and attempt to list their contents. | Free API |
| DNS Brute-forcer | Attempts to identify hostnames through brute-forcing common names and iterations. | Internal |
| DNS Common SRV | Attempts to identify hostnames through brute-forcing common DNS SRV records. | Internal |
| DNS for Family | Check if a host would be blocked by DNS for Family. | Free API |
| DNS Look-aside | Attempt to reverse-resolve the IP addresses next to your target to see if they are related. | Internal |
| DNS Raw Records | Retrieves raw DNS records such as MX, TXT and others. | Internal |
| DNS Resolver | Resolves hosts and IP addresses identified, also extracted from raw content. | Internal |
| DNS Zone Transfer | Attempts to perform a full DNS zone transfer. | Internal |
| DNSDB | Query FarSight's DNSDB fo |
$ claude mcp add spiderfoot \
-- python -m otcore.mcp_server <graph>