Self-hosted OSINT platform with 22+ modules, OPSEC scoring, AI summary, and a real-time web dashboard. Scan any domain, IP, email, phone, or username — get WHOIS, DNS, threat intel, breach data, username search, dark-web mirrors, OPSEC score, entity graphs, and HTML/PDF reports in seconds.
If you find PRISM useful, please consider giving it a star — it helps others discover the project and motivates further development.
- 22+ modules — WHOIS, DNS, crt.sh, Wayback Machine, Shodan, VirusTotal, AbuseIPDB, Censys, Dark Web (Ahmia + DarkSearch), email reputation, SMTP verify, breach lookup, Blackbird (50+ sites), Maigret (3000+ sites), Telegram, phone HLR, email headers, file metadata, and more
- AI-powered analysis — automated executive summary, risk assessment, and interactive Q&A chat via LLM (OpenRouter / Nvidia Nemotron)
- Real-time dashboard — WebSocket-driven scan progress with module-level progress bar (5/8 · 62%), interactive entity relationship graph, multi-marker Leaflet GeoIP map
- OPSEC Score — aggregated 0–100 exposure risk score across data exposure, identity, infrastructure and web security
- HTML & PDF reports — export full scan results as a styled, self-contained HTML or print-ready PDF (locale-aware EN/RU/DE)
- Multi-language UI — English, Russian, German out of the box (i18n + auto-detect)
- Webhook callbacks — get notified on scan completion with HMAC-signed payloads (SSRF-protected)
- Hardened auth — header-only API keys (`X-API-Key`/Bearer), no query-string secrets, strict CORS, per-principal scan isolation
- Zero mandatory API keys — 14 out of 22 modules work without any keys at all
- One-command deploy — `docker compose up --build` and you're running
- Fully open source — MIT license, extensible module architecture, contributor-friendly
PRISM aggregates data from 20+ external intelligence sources to build a comprehensive profile of any target — domain, IP address, email, phone number, or social username. All data is presented in a real-time dashboard with relationship graphs, a GeoIP map, exportable HTML/PDF reports, and an automated OPSEC exposure score.
Stack:
- Backend — Python 3.10+, FastAPI, asyncio, WebSocket, Pydantic, slowapi (rate limiting), xhtml2pdf (PDF)
- Frontend — Next.js 14 (App Router), React, TypeScript, Tailwind CSS, Leaflet (maps)
- AI — OpenRouter (Nvidia Nemotron) or Groq (Llama-3) for summary and chat
- Infrastructure — Docker, docker-compose, GitHub Actions CI/CD
- Tests — pytest, 102 test cases with monkeypatching, network mocking, SSRF/auth coverage

```mermaid
flowchart LR
    U[User / Browser] -->|HTTPS + X-API-Key| FE[Next.js 14 Dashboard]
    FE -->|REST + WebSocket| API[FastAPI Backend]
    API --> SCH[Scan Orchestrator<br/>asyncio + queues]
    SCH --> MOD[22+ OSINT Modules]
    MOD --> EXT[(External APIs<br/>Shodan / VT / Censys<br/>crt.sh / Wayback / etc.)]
    SCH --> CACHE[(Module Cache<br/>TTL JSON)]
    SCH --> STORE[(Scan Storage<br/>per-principal)]
    SCH --> WH[Webhook Dispatcher<br/>HMAC + SSRF guard]
    API --> AI[AI Summary / Chat<br/>OpenRouter / Groq]
    API --> RPT[Report Generator<br/>HTML + xhtml2pdf]
```

| Capability | PRISM | SpiderFoot CE | theHarvester | Recon-ng | Maltego CE |
|---|---|---|---|---|---|
| Modern web dashboard | ✅ Next.js 14 | ❌ CLI only | ❌ CLI only | ✅ desktop | |
| Real-time scan progress (WS) | ✅ | ❌ | ❌ | ❌ | ❌ |
| AI-powered summary + chat | ✅ LLM | ❌ | ❌ | ❌ | ❌ |
| OPSEC score (0–100) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Entity graph (interactive) | ✅ | ✅ | ❌ | ❌ | ✅ |
| GeoIP map (multi-marker) | ✅ Leaflet | ❌ | ❌ | ||
| HTML + PDF report export | ✅ EN/RU/DE | ❌ | |||
| Multi-language UI | ✅ EN/RU/DE | ❌ | ❌ | ❌ | ❌ |
| Zero-key out of the box | ✅ 14/22 modules | ❌ | |||
| Webhook callbacks (signed) | ✅ | ❌ | ❌ | ❌ | ❌ |
| One-command Docker deploy | ✅ | ❌ | ❌ | ||
| MIT license | ✅ | ❌ GPLv2 | ✅ | ✅ GPLv3 | ❌ |
- Bug bounty recon — kick off a single scan and get subdomains (crt.sh + Censys), open ports (Shodan), wayback sensitive paths, and AI-prioritized findings.
- Phishing investigation — pivot from a suspicious domain or email to threat intel, breach exposure, mail auth (SPF/DKIM/DMARC), and historical snapshots.
- Brand & impersonation monitoring — webhook-driven scans to detect new lookalike subdomains, dark-web mentions, and exposed credentials.
- Security awareness training — give employees their own OPSEC score across email, phone, and username so they see exposure on a 0–100 scale.
- Academic / educational OSINT — a self-hosted, MIT-licensed reference for teaching passive reconnaissance, geolocation, and threat intel pipelines.
| Module | Description | API Key |
|---|---|---|
| WHOIS | Domain registration, registrar, dates | — |
| DNS | A, MX, NS, TXT, CNAME, SOA records | — |
| Certificate Transparency | Subdomain discovery via crt.sh | — |
| Wayback Machine | Historical snapshots, sensitive URL patterns | — |
| GeoIP | IP geolocation, ASN, timezone | ipinfo.io |
| Shodan | Open ports, services, known CVEs | Shodan |
| Censys | Host services, ASN, certificate → subdomain discovery | Censys |
| VirusTotal | Domain/IP reputation, malware detections | VirusTotal |
| AbuseIPDB | IP abuse confidence score | AbuseIPDB |
| Dark Web Checker | .onion mirrors via Ahmia + DarkSearch | — |
| Website Analyzer | Tech stack, emails, social links, metadata | — |
| Email Reputation | DNS-based email rep (MX, SPF, DMARC, disposable check) | — |
| SMTP Verify | Mailbox existence check via SMTP handshake | — |
| Breach Check | Email breach / credential leak lookup | Leak-Lookup |
| Blackbird | Username presence across 50+ platforms (async) | — |
| Maigret | Deep username search across 3000+ sites | — |
| Telegram Lookup | Username/ID lookup via Bot API + scraping | Telegram |
| Phone / HLR | Number validation, carrier, country, reverse lookup | Numverify |
| Email Headers | SPF/DKIM/DMARC analysis, routing hops, spoofing detection | — |
| File Metadata | EXIF, GPS coordinates, PDF/DOCX properties | — |
| OPSEC Score | Aggregated 0–100 exposure risk score | — |
| Entity Graph | Interactive node-relationship visualization | — |
| HTML / PDF Report | Self-contained styled report (HTML + xhtml2pdf), localized EN/RU/DE | — |
| AI Summary | Natural-language findings summary via LLM | OpenRouter / Groq |
| Webhook Callbacks | HMAC-signed POST on scan completion (SSRF-guarded) | — |
More screenshots (domain / IP / email / phone / username / standalone tools)
WHOIS, DNS, threats, Wayback, GeoIP map, entity graph.
VirusTotal + AbuseIPDB threat intel, GeoIP map, entity graph.
DNS-based reputation, SMTP mailbox verification, breach check.
Number validation, carrier detection, country/region, timezone, reverse lookup.
Blackbird async search across 50+ platforms.
LLM-powered OSINT summary + interactive chat.
File Metadata (EXIF/GPS), Email Header Analyzer, Crypto Address Lookup, QR Code Decoder.

```bash
git clone https://github.com/NovaCode37/Prism-platform.git
cd Prism-platform
cp .env.example .env   # edit and set API_KEYS, optionally provider keys
docker compose up --build
```

Open http://localhost:3000 (frontend) and http://localhost:8080 (API).


```bash
# 1. Backend
git clone https://github.com/NovaCode37/Prism-platform.git
cd Prism-platform
pip install -r requirements.txt
cp .env.example .env
python -m uvicorn web.app:app --host 0.0.0.0 --port 8080 --reload

# 2. Frontend (in a separate terminal, from repo root)
cd frontend
npm install
# create .env.local with the same key you put into API_KEYS / API_KEY:
#   NEXT_PUBLIC_API_URL=http://localhost:8080
#   NEXT_PUBLIC_API_KEY=<your-api-key>
npm run dev
```

Open http://localhost:3000.

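Since v2.2 the backend rejects requests without a valid `X-API-Key` header by default. To run a fully open instance for local experimentation, set `ALLOW_ANON_API=true` in `.env`. Next.js compiles `NEXT_PUBLIC_*` variables into the browser bundle, so the key in `NEXT_PUBLIC_API_KEY` is readable by anyone who can load the dashboard.
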
PRISM is configured via environment variables (.env). All API keys are optional — modules that need a missing key gracefully skip.

| Variable | Purpose |
|---|---|
| `API_KEYS` | Comma-separated list of accepted API keys (preferred, multi-tenant) |
| `API_KEY` | Single API key (legacy, also accepted) |
| `ALLOW_ANON_API` | `true` to allow unauthenticated API access (off by default) |
| `ALLOWED_ORIGINS` | Comma-separated CORS origins; empty/unset = no cross-origin |
| `MAX_UPLOAD_MB` | Max upload size for file-based tools (default 20) |
| `MAX_STORED_SCANS` | In-memory scan cap before disk-only mode (default 200) |
| `CACHE_TTL_HOURS` | Per-module cache TTL (default 24) |
| `WEBHOOK_SECRET` | If set, signs webhook callbacks with `X-Prism-Secret` |
| `DISABLE_DOCS` | `true` to disable `/docs`, `/redoc`, `/openapi.json` in production |

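
A webhook dispatcher that accepts user-supplied callback URLs has to refuse destinations that resolve to internal addresses and sign the body so the receiver can authenticate it. The sketch below is an added example, not PRISM's own code: the function names, the HMAC-SHA256-over-raw-body scheme and the hex encoding are assumptions, and only the `WEBHOOK_SECRET` and `X-Prism-Secret` names come from this page.

```python
import hashlib
import hmac
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host, port):
    """Default resolver: every address (A and AAAA) the host maps to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public_ip(addr):
    ip = ipaddress.ip_address(addr)
    # Classify IPv4-mapped IPv6 (::ffff:127.0.0.1) by its embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_webhook_url(url, resolver=resolve_host):
    """Return the vetted addresses for a webhook URL; raise ValueError if unsafe."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("webhook URL must be http(s) with a host")
    if parts.username or parts.password:
        raise ValueError("credentials in webhook URL are not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError("webhook host resolves to a non-public address")
    return addrs  # connect to these, so a second DNS lookup cannot differ


def sign_body(secret, body):
    """Hex HMAC-SHA256 of the raw body (assumed scheme, see lead-in)."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header_value):
    """Receiver side: constant-time comparison against the header value."""
    expected = sign_body(secret, body).encode()
    return hmac.compare_digest(expected, (header_value or "").encode())


if __name__ == "__main__":
    body = b'{"scan_id": "demo", "status": "done"}'  # constructed payload
    print(verify_signature("demo-secret", body, sign_body("demo-secret", body)))
```

The receiver must verify against the exact bytes it received, before any JSON parsing or re-serialization.
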

| Variable | Service | Free Tier |
|---|---|---|
| `NUMVERIFY_API_KEY` | Phone validation & carrier | 100 req/mo |
| `IPINFO_API_KEY` | GeoIP location | 50k req/mo |
| `VIRUSTOTAL_API_KEY` | Threat intelligence | 500 req/day |
| `ABUSEIPDB_API_KEY` | IP abuse score | 1000 req/day |
| `SHODAN_API_KEY` | Port scan + CVE lookup | Free tier |
| `CENSYS_API_ID` + `CENSYS_API_SECRET` | Host & certificate search | 250 req/mo |
| `OPENROUTER_API_KEY` | AI summary (Nvidia Nemotron) | Free tier |
| `GROQ_API_KEY` | AI fallback (Llama-3 instant) | Free tier |
| `TELEGRAM_BOT_TOKEN` | Telegram user lookup | Free |
| `LEAK_LOOKUP_API_KEY` | Breach database | Limited free |

Certificate Transparency, Wayback Machine, DNS, WHOIS, Website Analyzer, Email Reputation, SMTP Verify, Blackbird, Maigret, Email Headers, File Metadata, and Dark Web Checker all work with zero API keys.

```text
prism/
├── config.py                      # Environment + API key loader
├── requirements.txt
├── Dockerfile
├── docker-compose.yml
│
├── modules/
│   ├── extra_tools.py             # WHOIS, GeoIP, DNS, Website Analyzer
│   ├── cert_transparency.py       # Subdomain discovery via crt.sh
│   ├── threat_intel.py            # VirusTotal + AbuseIPDB
│   ├── shodan_lookup.py           # Shodan host intelligence
│   ├── censys_lookup.py           # Censys host + certificate search
│   ├── wayback.py                 # Wayback Machine snapshots + sensitive URLs
│   ├── onion_checker.py           # .onion mirror checker (Ahmia + DarkSearch)
│   ├── darkweb_search.py          # Dark-web mentions search
│   ├── blackbird.py               # Username search (async, 50+ platforms)
│   ├── maigret_wrapper.py         # Deep username search (3000+ sites)
│   ├── hlr_lookup.py              # Phone validation + reverse lookup
│   ├── hunter.py                  # DNS-based email reputation check
│   ├── smtp_verify.py             # SMTP mailbox existence verification
│   ├── leak_lookup.py             # Email breach / credential leak lookup
│   ├── telegram_lookup.py         # Telegram username/ID lookup
│   ├── email_header_analyzer.py   # SPF/DKIM/DMARC + hop analysis
│   ├── metadata_extractor.py      # EXIF/PDF/DOCX + GPS extraction
│   ├── crypto_lookup.py           # Crypto address heuristics
│   ├── qr_decoder.py              # QR image decoder
│   ├── url_scanner.py             # Standalone URL scanner
│   ├── opsec_score.py             # Exposure risk scoring (0–100)
│   ├── graph_builder.py           # Entity relationship graph data
│   ├── report_generator.py        # Jinja2 HTML report + xhtml2pdf PDF
│   └── report_i18n.py             # Report translations EN / RU / DE
│
├── web/
│   ├── app.py                     # FastAPI + WebSocket scan engine
│   └── security.py                # Auth, CORS, rate limiting, SSRF guard
│
├── frontend/                      # Next.js 14 + TypeScript + Tailwind
│   └── src/
│       ├── app/                   # App Router pages
│       ├── components/            # UI (Topbar, Sidebar, Map, Graph, ...)
│       └── lib/                   # API client, i18n, types
│
└── tests/                         # 102 pytest tests
    ├── test_modules.py
    ├── test_modules_extended.py
    ├── test_v2_1_modules.py
    └── test_webhook.py
```


```bash
pip install pytest pytest-cov pytest-asyncio
pytest -q
# or with coverage:
pytest tests/ -v --cov=modules --cov=web --cov-report=term-missing
```

Frontend type check:

```bash
cd frontend
npx tsc --noEmit -p tsconfig.json
```

GitHub Actions pipeline (`.github/workflows/ci.yml`):

- Lint — flake8
- Test — pytest with coverage
- Build — Docker image
- Multilingual report rendering (EN / RU / DE) via `report_i18n`
- Webhook callbacks with HMAC signing + SSRF guard
- Multi-marker Leaflet GeoIP map (replaces single-iframe map)
- Hardened auth: header-only API keys, no query-string secrets
- Strict CORS by default; `ALLOW_ANON_API` opt-in for anonymous mode
- Phone map: removed coordinate fabrication, only explicit lat/lng
- Authenticated HTML/PDF report download via blob fetch
- Test suite expanded to 102 cases
- Scheduled scans + diff alerting via webhooks
- Slack / Discord notification adapters
- Scan history & comparison view
- More languages (FR, ES, ZH)
- Browser extension for one-click scans
- Standalone CLI (`prism scan example.com --json`)
- Per-API-key quotas and usage stats endpoint

Want to contribute? Pick an open issue tagged `good first issue` or open a new one.

This tool is intended exclusively for lawful use:
- Authorized security assessments and penetration testing
- Research on infrastructure you own or have explicit permission to test
- Academic and educational purposes
Do not use PRISM for unauthorized data collection, surveillance, or any activity that violates applicable law. The author assumes no liability for misuse.
Contributions are welcome! Please read CONTRIBUTING.md before submitting a pull request. For security issues, see SECURITY.md.
MIT
























