Security search engines are most powerful when used systematically — not in isolation, but as a layered, ordered workflow where each step informs the next. This page walks through proven operational sequences for the most common security disciplines: penetration testing, bug bounty hunting, OSINT investigations, and threat intelligence. Each workflow maps directly to categories in this reference so you can jump to the right tool at every phase.
Always ensure you have written authorization before running active reconnaissance against any target. Unauthorized use of these tools against systems you do not own or have explicit permission to test may violate the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, or equivalent computer crime laws in your jurisdiction. When in doubt, consult legal counsel before proceeding.

Penetration Testing Workflow

A methodical recon-to-exploitation workflow dramatically improves coverage and reduces noise. Start with the widest passive data sources, then progressively narrow focus toward actionable findings.
1. Discover Servers & Infrastructure

Begin with internet-wide scan databases to identify all hosts associated with the target organization. Search by organization name, ASN, IP range, or known domain.

Recommended tools: Shodan, Censys Search, FOFA, ZoomEye, Netlas.io

Look for: open ports, service banners, running software versions, TLS certificate subjects, and geolocation. Cross-reference multiple engines — each has different scanning cadence and IPv4/IPv6 coverage.
2. Map the Attack Surface

Expand your infrastructure picture using dedicated attack-surface management platforms that correlate IPs, domains, certificates, and ASN data into a unified external inventory.

Recommended tools: FullHunt.io, BinaryEdge, SecurityTrails, Censys ASM, RedHunt Labs

Look for: shadow IT assets, forgotten staging environments, cloud storage buckets, and any hosts outside the expected IP range that still resolve to the target’s domains.
3. Enumerate Domains & Subdomains

Expand horizontally by enumerating every domain and subdomain tied to the organization. Subdomains often host less-hardened internal tools, dev environments, or legacy applications.

Recommended tools: DNSDumpster, Crt.sh, Omnisint, RapidDNS, Chaos, subdomainfinder.c99.nl

Look for: certificate transparency logs (crt.sh is particularly valuable here), passive DNS history, and wildcard DNS entries that may hide additional hosts.
4. Search for Known Vulnerabilities

With the target technology stack identified in steps 1–2, pivot to vulnerability databases to find known CVEs, PoCs, and vendor advisories applicable to the software versions in scope.

Recommended tools: NIST NVD, MITRE CVE, Exploit-DB, Sploitus, Vulners.com

Look for: CVEs with public PoC code, recent advisories for the target’s specific software versions, and any active exploitation flags in sources like InTheWild.io.
5. Find Exposed Credentials & Leaks

Before crafting any active exploit, check whether valid credentials are already available in public breach data. A single reused password can make the entire exploit chain unnecessary.

Recommended tools: Have I Been Pwned, Dehashed, LeakCheck.io, WhiteIntel, Hudson Rock

Look for: email/password pairs from previous breaches, infostealer logs tied to target employees, and NTLM hash leaks that can be passed directly without cracking.

Bug Bounty Workflow

Bug bounty programs reward breadth and precision. The goal is to identify a unique, high-impact finding within scope faster than other researchers — which means efficient recon is a competitive advantage.
1. Scope & Initial Reconnaissance

Define scope from the program brief, then immediately begin passive reconnaissance to build a comprehensive asset inventory. Use multiple tools in parallel — different engines index different data.

Recommended tools: Shodan, Censys Search, SecurityTrails, FullHunt.io, URLScan

Focus on: assets that appear to be in scope but may not be explicitly listed, recently added infrastructure (new subdomains often ship with fewer protections), and cloud-hosted assets.
2. Subdomain Enumeration

Go deep on subdomain discovery — many high-value findings live on forgotten subdomains that the security team doesn’t actively monitor.

Recommended tools: Crt.sh, Omnisint, DNSDumpster, SubDomainRadar.io, AnubisDB, PhoneBook

Combine passive certificate transparency data (no active probing) with historical DNS records to find subdomains that have been created and abandoned over time.
3. Search for Secrets in Code

Developers frequently commit API keys, tokens, and credentials to public repositories. Code search engines let you find these exposures before an attacker does.

Recommended tools: GitHub Code Search, grep.app, publicwww.com, SearchCode

Search for: the target’s domain name, internal hostnames, API endpoint patterns, and known key prefixes (e.g., AKIA for AWS access keys). Also check Postman Public Collections for accidentally public API workspaces.
4. Check Credentials & Breach Data

Confirm whether any employee email addresses from the target organization appear in breach databases. Even if credentials are hashed, knowing which accounts are compromised guides your testing priorities.

Recommended tools: Have I Been Pwned, Dehashed, breachdirectory.org, LeakCheck.io

Cross-reference discovered email patterns (from Hunter.io or email-format.com) against breach data to find valid credential pairs for in-scope test accounts.

OSINT Investigation Workflow

OSINT investigations are iterative: each data point unlocks new pivots. The key discipline is documenting every step and source so your findings are reproducible and legally defensible.
1. Email Address Lookup

Start with any known email address. Validate that it’s real, check its breach history, and use it to pivot to associated identities, domains, and accounts.

Recommended tools: IntelligenceX, Hunter.io, EmailRep.io, PhoneBook, Have I Been Pwned

An email lookup may reveal: associated domains (useful for corporate investigations), breached passwords, linked social accounts, and public records. IntelligenceX in particular archives Pastebin and darknet sources.
2. Phone Number Lookup

Phone numbers are high-value pivot points that connect online identities to real-world individuals. Reverse lookups can reveal carrier, location, and associated names.

Recommended tools: NumLookup, SpyDialer, ThatsThem, Truepeoplesearch, SynapsInt

Combine multiple sources — no single service has complete coverage. Tellows and thisnumber.com add crowd-sourced report history that can indicate fraud or scam use.
3. Social Network Search

Map the subject’s presence across social platforms. Look for username consistency across networks, publicly shared media, connections, and historical posts.

Recommended tools: Whatsmyname.app, Username Search, direct searches on LinkedIn, Twitter/X, Instagram, Reddit

Username enumeration tools like Whatsmyname automate checking a single handle across hundreds of platforms simultaneously, revealing accounts the subject may not have publicized.
4. People Search & Records Aggregation

People-search aggregators consolidate public records, voter rolls, property records, and other civil data into searchable profiles.

Recommended tools: Pipl, BeenVerified, TruePeopleSearch, Intelius, PeekYou, Radaris

Use these to verify that online identities match real-world individuals and to confirm addresses, associates, and employment history. Always respect applicable privacy laws (GDPR, CCPA, etc.) when using these sources.
5. Reverse Image Search

Reverse image searches can link a profile photo to other online accounts, confirm or disprove claimed identities, and surface stolen images.

Recommended tools: Google Image Search, Yandex Image, TinEye, FaceCheck.id, PimEyes

Yandex often finds matches that Google misses, particularly for Eastern European sources. FaceCheck.id and PimEyes specialize in facial recognition across public web imagery. FotoForensics can also analyze image metadata and detect manipulation.

Threat Intelligence Workflow

Threat intelligence work centers on enriching indicators of compromise (IOCs), understanding adversary infrastructure, and building context around observed malicious activity.
1. Indicator Lookup & Enrichment

Start with any raw IOC — IP address, domain, file hash, or URL — and run it through multi-engine analysis to determine reputation, historical behavior, and associated threat campaigns.

Recommended tools: VirusTotal, AbuseIPDB, PulseDive, Cisco Talos, IBM X-Force Exchange

VirusTotal aggregates 70+ antivirus engines and sandbox results. Cross-referencing with AbuseIPDB (crowd-reported abuse) and Talos (commercial threat intel) gives both technical and contextual signal in a single workflow step.
2. Malware Sample Analysis

If you’ve identified a suspicious file hash, expand your analysis by retrieving the sample, reviewing sandbox detonation reports, and checking YARA rule matches.

Recommended tools: bazaar.abuse.ch, tria.ge, Hybrid Analysis, AnyRun, MalShare, Filescan.io

bazaar.abuse.ch (MalwareBazaar) is the go-to community malware repository. tria.ge and Hybrid Analysis provide automated sandbox detonation with behavioral analysis. yaraify.abuse.ch matches samples against community YARA rules.
3. Threat Actor Research

Move from individual IOCs to campaign-level and actor-level context. Understand the TTPs, tooling, and targets associated with the adversary responsible for what you’re investigating.

Recommended tools: MITRE ATT&CK, ThreatMiner, ORKL, CyberCampaigns, ShadowServer, Team Cymru

MITRE ATT&CK is the authoritative framework for mapping adversary behavior to techniques and sub-techniques. ORKL aggregates community-published threat intelligence reports. CyberCampaigns maintains write-ups on specific threat actors and their tooling.
4. Infrastructure Pivoting

Use identified adversary infrastructure (C2 domains, IPs, TLS certificates) to discover related malicious assets through passive DNS, certificate transparency, and scan data.

Recommended tools: SecurityTrails, Censys Search, feodotracker.abuse.ch, threatfox.abuse.ch, PassiveTotal / RiskIQ

Pivot on shared TLS certificate subjects, ASNs, registrar patterns, and hosting providers to find the full extent of an adversary’s infrastructure — even if individual components are burned and rotated.
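
Before an indicator goes into any of the lookups above, it has to be refanged and typed so it is sent to an engine that accepts that kind of IOC. The following is an added example, not code from this project; the function names, the defanging patterns handled and the sample indicators are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(value):
    """Undo common defanging (hxxp, [.], (.), [dot], [:]) found in reports."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", v, flags=re.I)
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    return v.replace("[://]", "://").replace("[:]", ":")


def classify_ioc(value):
    """Return (type, normalized_value); type is one of
    md5, sha1, sha256, ip, url, domain, unknown."""
    v = refang(value)
    # Hashes first: a bare hex string of a known digest length.
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))  # IPv4 or IPv6
    except ValueError:
        pass
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            return "url", v
        return "unknown", v
    host = v.lower().rstrip(".")  # case-fold and drop the root dot
    if DOMAIN_RE.match(host):
        return "domain", host
    return "unknown", v


# Constructed indicators (documentation IP space, example.com, a zero-filled hash).
SAMPLES = ["203.0.113[.]7", "hxxps://bad.example[.]com/a.php", "Bad.Example.COM.",
           "0" * 64, "2001:db8::1", "not an indicator"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify_ioc(s))
```

Anything that comes back as `unknown` should be reviewed by hand rather than submitted to a lookup service as-is.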

Tips for Effective Use

No single search engine indexes the entire internet, and each has unique data sources, crawl schedules, and coverage gaps. Shodan, Censys, and FOFA all scan the internet — but they return different results for the same query. Running the same search across three engines typically surfaces 30–50% more unique results than relying on any one alone.

For domains, combine certificate transparency logs (crt.sh), passive DNS (DNSDumpster, RapidDNS), and attack-surface platforms (FullHunt, SecurityTrails) to build the most complete subdomain inventory possible.

Passive tools query pre-collected data — they never send a packet to your target. This means you can build a rich picture of an organization’s infrastructure without triggering IDS/IPS alerts, firewall logs, or blue team tripwires.

Begin every engagement with fully passive sources: Shodan’s cached scan data, certificate transparency logs, historical DNS, and breach databases. Only move to active scanning after you have explicit permission and have exhausted passive sources. In a red team context, passive-first also helps avoid tipping off defenders during the early reconnaissance phase.

A single data point from one source is a lead — confirmed by two or more independent sources, it becomes a finding you can act on or report with confidence. This is especially important for:
  • Breach data: Confirm credential pairs appear in multiple sources before reporting or testing.
  • Open ports / services: Shodan’s cached data may be weeks or months old; verify with a second engine or a careful active check before assuming a service is still exposed.
  • OSINT identities: People-search aggregators regularly contain stale or incorrect data. Cross-reference names, addresses, and phone numbers across at least two independent sources before drawing conclusions.
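
The lead-versus-finding rule above, together with the warning about cached scan data, can be applied mechanically to merged results. This is an added example, not code from this project; the 30-day freshness window, the status names and the sample observations are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: engine names come from this page; the assets use
# documentation IP space and the dates are invented for the example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OBSERVATIONS = [
    ("shodan", "203.0.113.10:443", NOW - timedelta(days=70)),
    ("censys", "203.0.113.10:443", NOW - timedelta(days=3)),
    ("shodan", "203.0.113.11:22", NOW - timedelta(days=5)),
    ("shodan", "203.0.113.11:22", NOW - timedelta(days=1)),   # same source again
    ("fofa", "203.0.113.12:8080", NOW - timedelta(days=90)),
    ("zoomeye", "203.0.113.12:8080", NOW - timedelta(days=80)),
]


def classify(observations, now, max_age=timedelta(days=30), min_sources=2):
    """Group observations by asset and grade each one.

    lead    -> seen by fewer than min_sources independent sources
    stale   -> corroborated, but every observation is older than max_age
    finding -> corroborated and at least one observation is recent
    """
    by_asset = {}
    for source, asset, seen in observations:
        entry = by_asset.setdefault(asset, {"sources": set(), "newest": seen})
        entry["sources"].add(source)          # a set, so repeats do not count twice
        entry["newest"] = max(entry["newest"], seen)

    graded = {}
    for asset, entry in by_asset.items():
        if len(entry["sources"]) < min_sources:
            status = "lead"
        elif now - entry["newest"] > max_age:
            status = "stale"
        else:
            status = "finding"
        graded[asset] = {"status": status, "sources": sorted(entry["sources"]),
                         "age_days": (now - entry["newest"]).days}
    return graded


if __name__ == "__main__":
    for asset, info in classify(OBSERVATIONS, NOW).items():
        print(asset, info)
```

An asset graded `stale` is corroborated but old, which is the case the page says to re-verify before assuming the service is still exposed.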
Most security search engines offer free tiers with rate limits and paid plans for higher-volume access. Exceeding rate limits can get your IP temporarily blocked and interrupt an active engagement.

Before relying on a tool in a time-sensitive workflow:
  • Check whether the free tier provides enough queries for your use case.
  • Review the terms of service — some tools explicitly prohibit use against systems you don’t own, or require attribution.
  • Consider API access for automated pipelines to avoid hitting web-UI rate limits.
  • Cache results locally so you’re not re-querying the same data repeatedly.
In professional engagements, every finding must be reproducible. Record which tool you used, the exact query, the timestamp, and the raw output for every piece of evidence you plan to include in a report. This protects you legally, helps clients validate findings, and makes retesting straightforward.

For OSINT investigations in particular, chain-of-custody documentation is essential. Use a structured notes format (Obsidian, CherryTree, or similar) that captures: source → query → result → pivot → next source.
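
One way to make the source → query → result → pivot record tamper-evident is to hash each entry together with the hash of the entry before it. This is an added example, not code from this project; the field names, the hash-chain design and the sample entries are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(record):
    # Canonical JSON so the same record always produces the same hash.
    blob = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def append_entry(log, tool, query, raw_output, pivot=None, when=None):
    """Append one evidence record: source -> query -> result -> pivot."""
    when = when or datetime.now(timezone.utc)
    record = {
        "seq": len(log),
        "timestamp": when.isoformat(),
        "tool": tool,
        "query": query,
        "raw_sha256": hashlib.sha256(raw_output).hexdigest(),  # fingerprint of saved output
        "pivot": pivot,
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    record["entry_hash"] = _digest(record)
    log.append(record)
    return record


def verify(log):
    """Return the index of the first altered or missing entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None


def sample_log():
    # Constructed entries; the queries and outputs are placeholders.
    t = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    append_entry(log, "crt.sh", "%.example.com", b'[{"constructed": "output"}]', "api.example.com", t)
    append_entry(log, "SecurityTrails", "api.example.com", b"constructed output", None, t)
    return log
```

Store the raw output itself alongside the log; `raw_sha256` only proves that the saved file is the one that was recorded at the time.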
The security tooling landscape moves quickly. Services go offline, rebrand, or change their data model without notice. The upstream repository maintains a dedicated “Not Working / Paused” section for tools that have gone dark, but the best practice is to verify that a tool is still operational before building a workflow dependency on it.

Bookmark this site and subscribe to the GitHub repository to be notified of updates when new tools are added or existing ones change.

Bookmark this site and use Ctrl+F (or Cmd+F on macOS) on any category page — or use the sidebar search — to instantly locate the right tool for your current task. The sidebar is organized by discipline, so you can navigate directly to the category relevant to your current phase of work.

Quick-Reference Tool Cards

The most commonly reached-for tools across all workflows:

Shodan

Internet-wide host and service enumeration. The starting point for infrastructure recon.

Censys Search

Comprehensive internet scan data with strong certificate and protocol coverage.

VirusTotal

Multi-engine file, URL, domain, and IP analysis. Essential for IOC enrichment.

Have I Been Pwned

The authoritative source for checking email and phone exposure in data breaches.

Crt.sh

Certificate transparency log search — the fastest way to enumerate subdomains passively.

MITRE ATT&CK

The definitive framework for mapping adversary TTPs to real-world techniques.

Miscellaneous & Utility Tools

A handful of tools from the project are broadly useful across many security workflows but don’t fit neatly into a single category:

DorkSearch

Speed up your Google Dorking with pre-built dork templates for common security research queries.

Wappalyzer

Instant access to website technology stacks, company details, social profiles, and email verification.

usersearch.org

Find someone by username or email across social networks, dating sites, forums, and crypto communities.

Awakari

Real-time search from unlimited sources including RSS, Fediverse, and Telegram with keyword and numeric filters.

CanIUse.com

Browser support tables for modern web technologies — useful for fingerprinting client browser environments.

Known Agents

Track and control artificial agents crawling your website — identify bot and AI crawler activity.

Not Human Search

Search engine for AI agent tools and infrastructure, indexing 1,750+ sites ranked by agentic readiness score.
