loading
loading
Recon
OSINT automation for threat intelligence and attack surface mapping.
overview
spiderfoot automates open-source intelligence gathering. Give it a target such as a domain, IP, hostname, email, or name with -s, and it runs a large library of modules that query passive data sources and correlate the results into a connected picture of the target's footprint.
Because the work is split into modules, you choose breadth versus stealth. Pick modules with -m, restrict by use case with -u, select by event types with -t, or enable strict mode with -x so only modules that consume your target type directly fire.
In a Trickest workflow spiderfoot takes a target and writes a file and a folder of findings. Emit CSV or JSON with -o for structured output, then route the events into the same triage and enrichment path your active recon results take.
use cases
Run a broad module set against a domain to collect subdomains, IPs, related hosts, leaked data, and infrastructure into one correlated dataset.
Use -x strict mode so only modules that consume your target type directly fire, keeping the run quiet and the results focused.
Select the event types you care about with -t and let spiderfoot enable the modules that produce them, instead of running everything.
Emit JSON or CSV with -o and route spiderfoot events into a downstream pipeline that dedupes, enriches, and reports on the surface it found.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -s | Target for the scan, such as a domain, IP, host, or email. |
| modules | STRING | -m | Modules to enable (mod1,mod2,...). |
| use-case | STRING | -u | Select modules automatically by use case. |
| event-types | STRING | -t | Event types to collect; modules are selected automatically (type1,type2,...). |
| output-format | STRING | -o | Output format: tab (default), csv, or json. |
| strict-mode | BOOLEAN | -x | Only enable modules that can directly consume your target. Overrides -t and -m. |
| config | FILE | --config | API config file for module credentials. |
| max-threads | STRING | -max-threads | Max number of modules to run concurrently. |
Showing key inputs. spiderfoot exposes 17 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| debug | BOOLEAN | --debug | Enable debug output. |
| config | FILE | --config | API config file |
| filter | BOOLEAN | -f | Filter out other event types that weren't requested. |
| target | STRING | -s | Target for the scan. |
| modules | STRING | -m | Modules to enable (mod1,mod2,...). |
| use-case | STRING | -u | Select modules automatically by use case |
| delimiter | STRING | -D | Delimiter to use for CSV output. Default is ,. |
| max-length | STRING | -S | Maximum data length to display. By default, all data is shown. |
| no-headers | BOOLEAN | -H | Don't print field headers, just data. |
| event-types | STRING | -t | Event types to collect; modules selected automatically (type1,type2,...). |
| max-threads | STRING | -max-threads | Max number of modules to run concurrently. |
| strict-mode | BOOLEAN | -x | Only enable modules that can directly consume your target, and if -t was specified only those events will be consumed by modules. This overrides -t and -m |
| output-format | STRING | -o | Output format. Tab is default. (tab,csv,json) |
| include-source | BOOLEAN | -r | Include the source data field in tab/csv output. |
| strip-newlines | BOOLEAN | -n | Strip newlines from data. |
| disable-logging | BOOLEAN | -q | Disable logging. This will also hide errors! |
| show-event-types | STRING | -F | Show only a set of event types, comma-separated. |
example
# spiderfoot: footprint use-case against example.com, JSON outspiderfoot -s example.com -u footprint -o json -x -max-threads 8example.comwww.example.comapi.example.commail.example.comstaging.example.comdev.example.com198.51.100.10203.0.113.25guidance
Use spiderfoot when you want broad, automated OSINT across many sources from a single seed, not one narrow lookup. For passive subdomain names only, subfinder is faster. Many spiderfoot modules need API keys in the config file to reach their full reach.
Passive subdomain enumeration only. spiderfoot covers far more event types but is heavier to run.
Deep DNS and infrastructure mapping. spiderfoot spreads wider across non-DNS OSINT sources.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A target feeds spiderfoot, which runs its OSINT modules and writes the correlated findings as a queryable output.
Facts on this page come from the live Trickest tool library.