All-in-one passive reconnaissance framework with a real-time web dashboard, AI-powered analysis, and 20+ OSINT modules.
Scan any domain, IP, email, phone, or username — get WHOIS, DNS, threat intel, breach data, username search, OPSEC score, entity graphs, and a full HTML report in seconds.
Live Demo: getprism.su | Docs: CONTRIBUTING.md
- 20+ modules — WHOIS, DNS, crt.sh, Wayback Machine, Shodan, VirusTotal, AbuseIPDB, email reputation, SMTP verify, breach lookup, Blackbird (50+ sites), Maigret (3000+ sites), Telegram, phone HLR, email headers, file metadata, and more
- AI-powered analysis — automated executive summary, risk assessment, and interactive Q&A chat via LLM (OpenRouter / Nvidia Nemotron)
- Real-time dashboard — WebSocket-driven scan progress, interactive entity relationship graph, GeoIP map with coordinates
- OPSEC Score — aggregated 0–100 exposure risk score based on all collected data
- Self-contained reports — export full scan results as a styled HTML report
- Zero mandatory API keys — 12 out of 20 modules work without any keys at all
- One-command deploy — `docker compose up --build` and you're running
- Fully open source — MIT license, extensible module architecture, contributor-friendly
PRISM aggregates data from 20+ external intelligence sources to build a comprehensive profile of any target — domain, IP address, email, phone number, or social username. All data is presented in a real-time dashboard with relationship graphs, a GeoIP map, exportable HTML reports, and an automated OPSEC exposure score.
Stack:
- Backend — Python, FastAPI, asyncio, WebSocket, Pydantic
- Frontend — Next.js 14 (App Router), React, TypeScript, Tailwind CSS
- AI — OpenRouter API (Nvidia Nemotron) for summary and chat
- Infrastructure — Docker, docker-compose, GitHub Actions CI/CD
- Tests — pytest, 30+ test cases with monkeypatching
| Module | Description | API Key |
|---|---|---|
| WHOIS | Domain registration, registrar, dates | — |
| DNS | A, MX, NS, TXT, CNAME, SOA records | — |
| Certificate Transparency | Subdomain discovery via crt.sh | — |
| Wayback Machine | Historical snapshots, sensitive URL patterns | — |
| GeoIP | IP geolocation, ASN, timezone | ipinfo.io |
| Shodan | Open ports, services, known CVEs | Shodan |
| VirusTotal | Domain/IP reputation, malware detections | VirusTotal |
| AbuseIPDB | IP abuse confidence score | AbuseIPDB |
| Website Analyzer | Tech stack, emails, social links, metadata | — |
| Email Reputation | DNS-based email rep (MX, SPF, DMARC, disposable check) | — |
| SMTP Verify | Mailbox existence check via SMTP handshake | — |
| Breach Check | Email breach / credential leak lookup | Leak-Lookup |
| Blackbird | Username presence across 50+ platforms (async) | — |
| Maigret | Deep username search across 3000+ sites | — |
| Telegram Lookup | Username/ID lookup via Bot API + scraping | Telegram |
| Phone / HLR | Number validation, carrier, country, reverse lookup | Numverify |
| Email Headers | SPF/DKIM/DMARC analysis, routing hops, spoofing detection | — |
| File Metadata | EXIF, GPS coordinates, PDF/DOCX properties | — |
| OPSEC Score | Aggregated 0–100 exposure risk score | — |
| Entity Graph | Interactive node-relationship visualization | — |
| HTML Report | Self-contained PDF-ready scan report | — |
| AI Summary | Natural-language findings summary via LLM | OpenRouter |
WHOIS registration, DNS records, OPSEC findings, VirusTotal threats, Wayback Machine snapshots, GeoIP map, and entity graph — all in one scan.
VirusTotal + AbuseIPDB threat intel, GeoIP map with coordinates, and entity graph.
DNS-based reputation (MX, SPF, DMARC), SMTP mailbox verification, and breach check.
Number validation, carrier detection, country/region, timezone, and reverse lookup.
Blackbird async search across 50+ platforms with response times.
LLM-powered OSINT summary with risk assessment and recommended next investigation steps. Interactive chat for follow-up questions.
File Metadata (EXIF/GPS), Email Header Analyzer, Crypto Address Lookup, and QR Code Decoder.
```bash
cp .env.example .env   # add your API keys
docker compose up --build
```
Open http://localhost:3000 (frontend) and http://localhost:8080 (API).
```bash
# Backend
pip install -r requirements.txt
cp .env.example .env
python -m uvicorn web.app:app --host 0.0.0.0 --port 8080 --reload

# Frontend (separate terminal)
cd frontend
npm install
npm run dev
```
Copy `.env.example` → `.env`. All keys are optional — modules gracefully skip if a key is missing.
| Variable | Service | Free Tier |
|---|---|---|
| `NUMVERIFY_API_KEY` | Phone validation & carrier | 100 req/mo |
| `IPINFO_API_KEY` | GeoIP location | 50k req/mo |
| `VIRUSTOTAL_API_KEY` | Threat intelligence | 500 req/day |
| `ABUSEIPDB_API_KEY` | IP abuse score | 1000 req/day |
| `SHODAN_API_KEY` | Port scan + CVE lookup | Free tier |
| `OPENROUTER_API_KEY` | AI summary (Nvidia Nemotron) | Free tier |
| `TELEGRAM_BOT_TOKEN` | Telegram user lookup | Free |
| `LEAK_LOOKUP_API_KEY` | Breach database | Limited free |
Certificate Transparency, Wayback Machine, DNS, WHOIS, Website Analyzer, Email Reputation, SMTP Verify, Blackbird, Maigret, Email Headers, and File Metadata all work with zero API keys.
```
prism/
├── config.py                       # Environment + API key loader
├── requirements.txt
├── Dockerfile
├── docker-compose.yml
│
├── modules/
│   ├── extra_tools.py              # WHOIS, GeoIP, DNS, Website Analyzer
│   ├── cert_transparency.py        # Subdomain discovery via crt.sh
│   ├── threat_intel.py             # VirusTotal + AbuseIPDB
│   ├── shodan_lookup.py            # Shodan host intelligence
│   ├── wayback.py                  # Wayback Machine snapshots
│   ├── blackbird.py                # Username search (async, 50+ platforms)
│   ├── maigret_wrapper.py          # Deep username search (3000+ sites)
│   ├── hlr_lookup.py               # Phone validation + reverse lookup
│   ├── hunter.py                   # DNS-based email reputation check
│   ├── telegram_lookup.py          # Telegram username/ID lookup
│   ├── email_header_analyzer.py    # SPF/DKIM/DMARC + hop analysis
│   ├── metadata_extractor.py       # EXIF/PDF/DOCX + GPS extraction
│   ├── opsec_score.py              # Exposure risk scoring (0–100)
│   ├── report_generator.py         # Jinja2 HTML report
│   └── graph_builder.py            # Entity relationship graph data
│
├── web/
│   └── app.py                      # FastAPI + WebSocket scan engine
│
├── frontend/                       # Next.js 14 + TypeScript + Tailwind
│   └── src/
│       ├── app/                    # App Router pages
│       ├── components/             # UI components (Topbar, Sidebar, views)
│       └── lib/                    # API client, types
│
└── tests/
    └── test_modules.py             # pytest suite, 30+ tests
```
```bash
pip install pytest pytest-cov
pytest tests/ -v --cov=modules --cov-report=term-missing
```
GitHub Actions pipeline (`.github/workflows/ci.yml`):
- Lint — flake8
- Test — pytest with coverage
- Build — Docker image
This tool is intended exclusively for lawful use:
- Authorized security assessments and penetration testing
- Research on infrastructure you own or have explicit permission to test
- Academic and educational purposes
Do not use PRISM for unauthorized data collection, surveillance, or any activity that violates applicable law. The author assumes no liability for misuse.
Contributions are welcome! Please read CONTRIBUTING.md before submitting a pull request.
MIT
























