Self-hosted OSINT platform with 22+ modules, OPSEC scoring, AI summary, and a real-time web dashboard.
Scan any domain, IP, email, phone, or username — get WHOIS, DNS, threat intel, breach data, username search, dark-web mirrors, OPSEC score, entity graphs, and HTML/PDF reports in seconds.
If you find PRISM useful, please consider giving it a ⭐ — it helps others discover the project and motivates further development.
- 22+ modules — WHOIS, DNS, crt.sh, Wayback Machine, Shodan, VirusTotal, AbuseIPDB, Censys, Dark Web (Ahmia + DarkSearch), email reputation, SMTP verify, breach lookup, Blackbird (50+ sites), Maigret (3000+ sites), Telegram, phone HLR, email headers, file metadata, and more
- AI-powered analysis — automated executive summary, risk assessment, and interactive Q&A chat via LLM (OpenRouter / Nvidia Nemotron)
- Real-time dashboard — WebSocket-driven scan progress with module-level progress bar (5/8 · 62%), interactive entity relationship graph, multi-marker Leaflet GeoIP map
- OPSEC Score — aggregated 0–100 exposure risk score across data exposure, identity, infrastructure and web security
- HTML, PDF, CSV & Markdown reports — export full scan results as HTML, PDF, CSV, or Markdown (locale-aware EN/RU/DE/FR/ES)
- Multi-language UI — English, Russian, German, French, Spanish out of the box (i18n + auto-detect)
- Standalone CLI — run scans headlessly via `python cli.py scan example.com --json`
- Scan history & comparison — browse past scans, load results, compare two scans side-by-side
- Webhook callbacks — get notified on scan completion with HMAC-signed payloads (SSRF-protected), Slack/Discord formatters
- Hardened auth — header-only API keys (`X-API-Key` / `Bearer`), no query-string secrets, strict CORS, per-principal scan isolation
- Zero mandatory API keys — 14 out of 22 modules work without any keys at all
- One-command deploy — `docker compose up --build` and you're running
- Fully open source — MIT license, extensible module architecture, contributor-friendly
PRISM aggregates data from 20+ external intelligence sources to build a comprehensive profile of any target — domain, IP address, email, phone number, or social username. All data is presented in a real-time dashboard with relationship graphs, a GeoIP map, exportable HTML/PDF reports, and an automated OPSEC exposure score.
Stack:
- Backend — Python 3.10+, FastAPI, asyncio, WebSocket, Pydantic, slowapi (rate limiting), xhtml2pdf (PDF)
- Frontend — Next.js 14 (App Router), React, TypeScript, Tailwind CSS, Leaflet (maps)
- AI — OpenRouter (Nvidia Nemotron) or Groq (Llama-3) for summary and chat
- Infrastructure — Docker, docker-compose, GitHub Actions CI/CD
- Tests — pytest, 137 test cases with monkeypatching, network mocking, SSRF/auth coverage
```mermaid
flowchart LR
    U[User / Browser] -->|HTTPS + X-API-Key| FE[Next.js 14 Dashboard]
    FE -->|REST + WebSocket| API[FastAPI Backend]
    API --> SCH[Scan Orchestrator<br/>asyncio + queues]
    SCH --> MOD[22+ OSINT Modules]
    MOD --> EXT[(External APIs<br/>Shodan / VT / Censys<br/>crt.sh / Wayback / etc.)]
    SCH --> CACHE[(Module Cache<br/>TTL JSON)]
    SCH --> STORE[(Scan Storage<br/>per-principal)]
    SCH --> WH[Webhook Dispatcher<br/>HMAC + SSRF guard]
    API --> AI[AI Summary / Chat<br/>OpenRouter / Groq]
    API --> RPT[Report Generator<br/>HTML + xhtml2pdf]
```
| Capability | PRISM | SpiderFoot CE | theHarvester | Recon-ng | Maltego CE |
|---|---|---|---|---|---|
| Modern web dashboard | ✅ Next.js 14 | ❌ CLI only | ❌ CLI only | ✅ desktop | |
| Real-time scan progress | ✅ | ❌ | ❌ | ❌ | |
| AI-powered summary + chat | ✅ LLM | ❌ | ❌ | ❌ | ❌ |
| OPSEC score (0–100) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Entity graph (interactive) | ✅ | ✅ | ❌ | ❌ | ✅ |
| GeoIP map (multi-marker) | ✅ Leaflet | ❌ | ❌ | | |
| HTML + PDF report export | ✅ EN/RU/DE/FR/ES | | | | |
| Multi-language UI | ✅ EN/RU/DE/FR/ES | ❌ | ❌ | ❌ | ❌ |
| Zero-key out of the box | ✅ 14/22 modules | ❌ | | | |
| Webhook callbacks (signed) | ✅ | ❌ | ❌ | ❌ | ❌ |
| One-command Docker deploy | ✅ | ❌ | | | |
- Bug bounty recon — kick off a single scan and get subdomains (crt.sh + Censys), open ports (Shodan), wayback sensitive paths, and AI-prioritized findings.
- Phishing investigation — pivot from a suspicious domain or email to threat intel, breach exposure, mail auth (SPF/DKIM/DMARC), and historical snapshots.
- Brand & impersonation monitoring — webhook-driven scans to detect new lookalike subdomains, dark-web mentions, and exposed credentials.
- Security awareness training — give employees their own OPSEC score across email, phone, and username so they see exposure on a 0–100 scale.
- Academic / educational OSINT — a self-hosted, MIT-licensed reference for teaching passive reconnaissance, geolocation, and threat intel pipelines.
| Module | Description | API Key |
|---|---|---|
| WHOIS | Domain registration, registrar, dates | — |
| DNS | A, MX, NS, TXT, CNAME, SOA records | — |
| Certificate Transparency | Subdomain discovery via crt.sh | — |
| Wayback Machine | Historical snapshots, sensitive URL patterns | — |
| GeoIP | IP geolocation, ASN, timezone | ipinfo.io |
| Shodan | Open ports, services, known CVEs | Shodan |
| Censys | Host services, ASN, certificate → subdomain discovery | Censys |
| VirusTotal | Domain/IP reputation, malware detections | VirusTotal |
| AbuseIPDB | IP abuse confidence score | AbuseIPDB |
| Dark Web Checker | .onion mirrors via Ahmia + DarkSearch | — |
| Website Analyzer | Tech stack, emails, social links, metadata | — |
| Email Reputation | DNS-based email rep (MX, SPF, DMARC, disposable check) | — |
| SMTP Verify | Mailbox existence check via SMTP handshake | — |
| Breach Check | Email breach / credential leak lookup | Leak-Lookup |
| Blackbird | Username presence across 50+ platforms (async) | — |
| Maigret | Deep username search across 3000+ sites | — |
| Telegram Lookup | Username/ID lookup via Bot API + scraping | Telegram |
| Phone / HLR | Number validation, carrier, country, reverse lookup | Numverify |
| Email Headers | SPF/DKIM/DMARC analysis, routing hops, spoofing detection | — |
| File Metadata | EXIF, GPS coordinates, PDF/DOCX properties | — |
| OPSEC Score | Aggregated 0–100 exposure risk score | — |
| Entity Graph | Interactive node-relationship visualization | — |
| HTML / PDF Report | Self-contained styled report (HTML + xhtml2pdf), localized EN/RU/DE/FR/ES | — |
| AI Summary | Natural-language findings summary via LLM | OpenRouter / Groq |
| Webhook Callbacks | HMAC-signed POST on scan completion (SSRF-guarded) | — |
More screenshots (domain / IP / email / phone / username / standalone tools):

- Domain scan — WHOIS, DNS, threats, Wayback, GeoIP map, entity graph.
- IP scan — VirusTotal + AbuseIPDB threat intel, GeoIP map, entity graph.
- Email scan — DNS-based reputation, SMTP mailbox verification, breach check.
- Phone scan — number validation, carrier detection, country/region, timezone, reverse lookup.
- Username scan — Blackbird async search across 50+ platforms.
- AI summary — LLM-powered OSINT summary + interactive chat.
- Standalone tools — File Metadata (EXIF/GPS), Email Header Analyzer, Crypto Address Lookup, QR Code Decoder.
Spin up a self-contained demo preloaded with example scans — no API keys, no external lookups required:

```bash
git clone https://github.com/NovaCode37/Prism-platform.git
cd Prism-platform
docker compose -f docker-compose.demo.yml up --build
```

Open http://localhost:8080 — the Next.js UI and FastAPI backend are served by the same container. Three sample scans (a domain, an IP, and a username) are already under Recent Scans, showing the dashboard, OPSEC score, entity graph, map, and HTML/PDF report.

The demo runs anonymously (`ALLOW_ANON_API=true`) on `:8080`. For an authenticated, production-style setup, use the Docker / Manual setups below.
```bash
git clone https://github.com/NovaCode37/Prism-platform.git
cd Prism-platform
cp .env.example .env   # local/demo defaults to anonymous access; edit for production keys
docker compose up --build
```

Open http://localhost:8080. Docker builds the Next.js static export and serves it from FastAPI together with `/api/*`, `/ws/*`, and `/healthz`.

The example `.env` is intentionally easy to run: `ALLOW_ANON_API=true` and no API key is required. Before exposing PRISM beyond your machine, switch to API-key mode as shown in API keys and anonymous mode.
```bash
# 1. Backend
git clone https://github.com/NovaCode37/Prism-platform.git
cd Prism-platform
pip install -r requirements.txt
cp .env.example .env
python -m uvicorn web.app:app --host 0.0.0.0 --port 8080 --reload --no-proxy-headers

# 2. Frontend (in a separate terminal, from repo root)
cd frontend
npm install
# create .env.local for the separate dev server:
# NEXT_PUBLIC_API_URL=http://localhost:8080
# NEXT_PUBLIC_BASE_PATH=
# NEXT_PUBLIC_API_KEY=<only when ALLOW_ANON_API=false>
npm run dev
```

Open http://localhost:3000.

When you run only uvicorn from source, FastAPI serves `/api/*`, `/ws/*`, and `/healthz`. The root page `/` needs a built Next.js export in `frontend/out`; on a fresh checkout without that build it returns `{"detail":"Frontend build not found"}`. Use `npm run dev` as shown above, or run `npm run build` before serving the single-container style UI from FastAPI.

For local experimentation, `.env.example` uses `ALLOW_ANON_API=true`. For any shared or public deployment, set `ALLOW_ANON_API=false`, configure `API_KEYS`, and give the UI one accepted key.
PRISM is configured via environment variables (.env). External provider keys are optional — modules that need a missing provider key gracefully skip.
PRISM has two API access modes. The /healthz endpoint is always unauthenticated for container and reverse-proxy health checks; application endpoints under /api/* and /ws/* follow the mode below.
Anonymous local/demo mode is meant for a laptop, a private test VM, or the demo compose file. Anyone who can reach the HTTP server can start scans and use tools.
```env
ALLOW_ANON_API=true
API_KEYS=
API_KEY=
PRISM_UI_API_KEY=
```

API-key mode is the recommended mode for shared, reverse-proxied, or internet-facing deployments. `API_KEYS` is preferred because it supports multiple accepted keys; `API_KEY` is kept as a legacy single-key option. Each accepted key maps to its own principal, so scan history is isolated per key.

```env
ALLOW_ANON_API=false
API_KEYS=replace-with-a-long-random-ui-key
API_KEY=
PRISM_UI_API_KEY=replace-with-the-same-long-random-ui-key
```

Clients authenticate with either `X-API-Key: <key>` or `Authorization: Bearer <key>`. When Docker serves the Next.js UI from FastAPI, set `PRISM_UI_API_KEY` to one key that is also present in `API_KEYS` so the browser can call the API. This value is injected into public frontend config, so treat it as a browser-visible UI key, not as a private server secret. For extra users or automation, add more comma-separated entries to `API_KEYS`. If you run `npm run dev` separately, put the same kind of UI key into `frontend/.env.local` as `NEXT_PUBLIC_API_KEY`.
Common auth errors:

| Error | Meaning | Fix |
|---|---|---|
| HTTP 503: API auth is not configured on server. | No `API_KEYS`/`API_KEY` were loaded and `ALLOW_ANON_API` is not `true`. | Set `ALLOW_ANON_API=true` for local anonymous mode, or configure `API_KEYS` and restart. |
| HTTP 401: Invalid or missing API key. | The backend has keys configured, but the request did not send a matching key. | Set `PRISM_UI_API_KEY` / `NEXT_PUBLIC_API_KEY`, or send `X-API-Key` / `Authorization: Bearer`. |
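The two modes, the 503/401 outcomes above, header-only key extraction and the per-key principal are easy to model in a few lines. This is an added illustration written for this page, not PRISM's own `web/security.py`; the principal derivation (a truncated SHA-256 of the key) and the rule that `ALLOW_ANON_API=true` wins when keys are also set are assumptions.

```python
"""Illustration of the documented PRISM auth modes (added example, not project code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    status: int                 # 200 ok, 401 bad/missing key, 503 auth not configured
    principal: Optional[str]    # "anonymous" or an opaque per-key id
    detail: str = ""


def load_accepted_keys(env: dict) -> list:
    """API_KEYS (comma-separated) is preferred; API_KEY is the legacy single key."""
    keys = [k.strip() for k in env.get("API_KEYS", "").split(",") if k.strip()]
    legacy = env.get("API_KEY", "").strip()
    if legacy:
        keys.append(legacy)
    return keys


def anonymous_allowed(env: dict) -> bool:
    return env.get("ALLOW_ANON_API", "").strip().lower() == "true"


def extract_key(headers: dict) -> Optional[str]:
    """Header-only: X-API-Key or Authorization: Bearer. Query strings are never read,
    so a key can't leak into access logs, proxies or browser history."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-api-key", "").strip():
        return h["x-api-key"].strip()
    auth = h.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip() or None
    return None


def principal_for(key: str) -> str:
    """Opaque, stable id used to partition scan history per key without storing the
    key itself (constructed scheme; an assumption, not PRISM's)."""
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def authenticate(env: dict, headers: dict, query: Optional[dict] = None) -> AuthResult:
    """Apply the documented modes. `query` is accepted only to make the point that
    it is ignored. Assumption: ALLOW_ANON_API=true wins even if keys are set."""
    if anonymous_allowed(env):
        return AuthResult(200, "anonymous")
    accepted = load_accepted_keys(env)
    if not accepted:
        return AuthResult(503, None, "API auth is not configured on server.")
    presented = extract_key(headers)
    if presented is None:
        return AuthResult(401, None, "Invalid or missing API key.")
    for k in accepted:
        # constant-time comparison so timing doesn't reveal matching prefixes
        if hmac.compare_digest(presented.encode(), k.encode()):
            return AuthResult(200, principal_for(k))
    return AuthResult(401, None, "Invalid or missing API key.")
```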
After changing `.env` for Docker, recreate the container so the backend and runtime UI config see the new values:

```bash
docker compose up -d --force-recreate
```

| Variable | Purpose |
|---|---|
| `API_KEYS` | Comma-separated accepted API keys; preferred for API-key mode |
| `API_KEY` | Single accepted API key; legacy option |
| `ALLOW_ANON_API` | `true` to allow unauthenticated API access; local/demo only |
| `PRISM_DEMO_MODE` | `true` to show the public demo notice in the UI |
| `ALLOWED_ORIGINS` | Comma-separated CORS origins; empty/unset = no cross-origin |
| `PRISM_BASE_PATH` | Public API/WS path prefix when mounted under a subpath, e.g. `/prism` |
| `PRISM_UI_API_KEY` | Public browser UI key injected into the Docker-served UI |
| `PRISM_FRONTEND_DIR` | Optional static Next.js export path (default `frontend/out`) |
| `NEXT_PUBLIC_API_URL` | Optional external API origin for frontend builds/runtime config |
| `NEXT_PUBLIC_BASE_PATH` | Next.js build-time asset prefix for subpath deployments |
| `TRUST_PROXY_HEADERS` | `true` to trust forwarded headers from configured reverse proxies |
| `FORWARDED_ALLOW_IPS` | Comma-separated proxy IPs allowed to set `X-Forwarded-*` headers |
| `TRUSTED_HOSTS` | Optional comma-separated allowed `Host` values for the backend |
| `HEALTHCHECK_HOST` | Optional `Host` header override for Docker health checks |
| `MAX_UPLOAD_MB` | Max upload size for file-based tools (default 20) |
| `MAX_STORED_SCANS` | In-memory scan cap before disk-only mode (default 200) |
| `CACHE_TTL_HOURS` | Per-module cache TTL (default 24) |
| `WEBHOOK_SECRET` | If set, signs webhook callbacks with `X-Prism-Secret` |
| `DISABLE_DOCS` | `true` to disable `/docs`, `/redoc`, `/openapi.json` in production |
The supported Docker topology is a single container: FastAPI serves the exported Next.js UI plus /api/*, /ws/*, and /healthz on the same public origin. Keep NEXT_PUBLIC_API_URL empty for same-origin deployments. For subpath deployments, set PRISM_BASE_PATH at runtime and build the image with the same NEXT_PUBLIC_BASE_PATH.
Root deployment (https://prism.example.com):

```env
PRISM_BASE_PATH=
TRUST_PROXY_HEADERS=true
FORWARDED_ALLOW_IPS=172.18.0.1
TRUSTED_HOSTS=prism.example.com
NEXT_PUBLIC_API_URL=
NEXT_PUBLIC_BASE_PATH=
```

Subpath deployment (https://example.com/prism), with the proxy stripping `/prism` before forwarding to the backend:

```env
PRISM_BASE_PATH=/prism
TRUST_PROXY_HEADERS=true
FORWARDED_ALLOW_IPS=172.18.0.1
TRUSTED_HOSTS=example.com
NEXT_PUBLIC_API_URL=
NEXT_PUBLIC_BASE_PATH=/prism
```

After changing `NEXT_PUBLIC_BASE_PATH`, rebuild the image because Next.js asset paths are fixed at build time:

```bash
NEXT_PUBLIC_BASE_PATH=/prism docker compose build
docker compose up
```

Minimal nginx proxy for the single container:

```nginx
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/ {
    proxy_pass http://127.0.0.1:8080/api/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location /ws/ {
    proxy_pass http://127.0.0.1:8080/ws/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

For `/prism`, proxy `/prism/`, `/prism/api/`, and `/prism/ws/` to the container while stripping the prefix. The legacy FastAPI HTML dashboard has been removed.
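Why `TRUST_PROXY_HEADERS` and `FORWARDED_ALLOW_IPS` belong together: a client can send its own `X-Forwarded-For`, so forwarded headers are only meaningful when the TCP peer is the proxy you configured. The following is an added illustration of that trust decision plus the `TRUSTED_HOSTS` check, not PRISM's own middleware; treating `*` as "trust any peer" and accepting CIDR entries in the allow-list are assumptions.

```python
"""Client-IP / scheme / Host decisions behind a reverse proxy (added example)."""
import ipaddress


def parse_allow_list(value: str):
    """FORWARDED_ALLOW_IPS: '*' trusts any peer (assumption); otherwise comma-separated
    IPs, with CIDR blocks accepted as an extension of the documented format."""
    value = value.strip()
    if value == "*":
        return "*"
    return [ipaddress.ip_network(i.strip(), strict=False)
            for i in value.split(",") if i.strip()]


def peer_is_trusted(peer_ip: str, allow) -> bool:
    if allow == "*":
        return True
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in allow)


def client_info(env: dict, peer_ip: str, headers: dict) -> dict:
    """The address and scheme that rate limiting, logging and redirects should use.
    Forwarded headers are honoured only when TRUST_PROXY_HEADERS=true AND the socket
    peer is in FORWARDED_ALLOW_IPS; otherwise the socket address wins."""
    h = {k.lower(): v for k, v in headers.items()}
    trusted = (env.get("TRUST_PROXY_HEADERS", "").strip().lower() == "true"
               and peer_is_trusted(peer_ip, parse_allow_list(env.get("FORWARDED_ALLOW_IPS", ""))))
    if not trusted:
        return {"client_ip": peer_ip, "scheme": "http", "forwarded_trusted": False}
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    # nginx's $proxy_add_x_forwarded_for appends the address it saw, so with one
    # trusted proxy the rightmost entry is the real client; earlier entries are
    # client-supplied and untrusted.
    client = hops[-1] if hops else peer_ip
    scheme = h.get("x-forwarded-proto", "http").strip().lower() or "http"
    return {"client_ip": client, "scheme": scheme, "forwarded_trusted": True}


def host_allowed(env: dict, host_header: str) -> bool:
    """TRUSTED_HOSTS check with the port stripped; empty/unset accepts any Host,
    since the variable is optional."""
    allowed = [x.strip().lower() for x in env.get("TRUSTED_HOSTS", "").split(",") if x.strip()]
    if not allowed:
        return True
    host = host_header.strip().lower()
    if host.startswith("["):                 # [ipv6]:port
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in allowed
```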
Minimal Caddy example:

```caddyfile
prism.example.com {
    reverse_proxy 127.0.0.1:8080
}
```

| Variable | Service | Free Tier |
|---|---|---|
| `NUMVERIFY_API_KEY` | Phone validation & carrier | 100 req/mo |
| `IPINFO_API_KEY` | GeoIP location | 50k req/mo |
| `VIRUSTOTAL_API_KEY` | Threat intelligence | 500 req/day |
| `ABUSEIPDB_API_KEY` | IP abuse score | 1000 req/day |
| `SHODAN_API_KEY` | Port scan + CVE lookup | Free tier |
| `CENSYS_API_ID` + `CENSYS_API_SECRET` | Host & certificate search | 250 req/mo |
| `OPENROUTER_API_KEY` | AI summary (Nvidia Nemotron) | Free tier |
| `GROQ_API_KEY` | AI fallback (Llama-3 instant) | Free tier |
| `TELEGRAM_BOT_TOKEN` | Telegram user lookup | Free |
| `LEAK_LOOKUP_API_KEY` | Breach database | Limited free |
| Variable | What it enables | Required? | Where to get |
|---|---|---|---|
| `API_KEYS` | Preferred comma-separated accepted API keys for API-key mode | Auth mode only | Generate long random strings |
| `API_KEY` | Legacy single accepted API key for API-key mode | Auth mode only | Generate a long random string |
| `ALLOW_ANON_API` | Allows unauthenticated local/demo API requests without a key | No | `true` for local/demo, `false` for production |
| `PRISM_DEMO_MODE` | Shows the public demo notice in the UI | No | `true` only for the demo compose setup |
| `NUMVERIFY_API_KEY` | Validates phone numbers | No | Numverify dashboard |
| `LEAK_LOOKUP_API_KEY` | Searches data breaches for leaked credentials | No | LeakLookup API dashboard |
| `HIBP_API_KEY` | Checks whether emails/passwords have been compromised | No | HIBP Developer Portal |
| `IPINFO_API_KEY` | Fetches geolocation and ASN details for IP addresses | No | IPInfo.io dashboard |
| `VIRUSTOTAL_API_KEY` | Scans file hashes and URLs for malware | No | VirusTotal API dashboard |
| `ABUSEIPDB_API_KEY` | Checks whether an IP address has been reported for malicious activity | No | AbuseIPDB dashboard |
| `SHODAN_API_KEY` | Searches for internet-connected devices and open ports | No | Shodan developer dashboard |
| `TELEGRAM_BOT_TOKEN` | Sends automated scan alerts and reports directly to a Telegram channel | No | Telegram BotFather |
| `CENSYS_API_ID` | Authenticates attack surface and internet-wide scanning queries | No | Censys Search Console |
| `CENSYS_API_SECRET` | Paired with `CENSYS_API_ID` for Censys data access | No | Censys Search Console |
| `ALLOWED_ORIGINS` | Configures CORS to restrict which frontend domains can talk to your backend | No | Set to a comma-separated list of domains |
| `PRISM_BASE_PATH` | Public backend path prefix for reverse-proxy subpath deployments | No | Set to `/prism` or leave empty |
| `PRISM_UI_API_KEY` | Public browser UI key injected into the Docker-served UI | No | Use an accepted UI-scoped value from `API_KEYS` |
| `PRISM_FRONTEND_DIR` | Static Next.js export directory served by FastAPI | No | Defaults to `frontend/out` |
| `NEXT_PUBLIC_API_URL` | External API origin for frontend builds/runtime config | No | Leave empty for same-origin Docker |
| `NEXT_PUBLIC_BASE_PATH` | Build-time Next.js base path for subpath deployments | No | Match `PRISM_BASE_PATH`, then rebuild |
| `TRUST_PROXY_HEADERS` | Enables trusted `X-Forwarded-*` handling behind a reverse proxy | No | Set to `true` only behind a trusted proxy |
| `FORWARDED_ALLOW_IPS` | Proxy source IPs allowed to set forwarded headers | No | Comma-separated IPs, or `*` for trusted private networks |
| `TRUSTED_HOSTS` | Restricts accepted backend `Host` headers | No | Comma-separated public hostnames |
| `HEALTHCHECK_HOST` | `Host` header sent by Docker health checks | No | Defaults to the first `TRUSTED_HOSTS` entry or `localhost` |
| `OPENROUTER_API_KEY` | AI summary & chat via OpenRouter (preferred LLM provider) | No | OpenRouter dashboard |
| `GROQ_API_KEY` | AI summary & chat via Groq (fallback LLM provider) | No | Groq Console |
| `MAX_STORED_SCANS` | Max scans kept in memory before old ones are evicted (default 200) | No | Set an integer value |
| `DISABLE_DOCS` | Disables the `/docs` and `/redoc` API documentation pages | No | Set to `true`/`false` |
| `WEBHOOK_SECRET` | Adds an `X-Prism-Secret` header to webhook callbacks for verification | No | Generate a long random string |
| `MAX_UPLOAD_MB` | Maximum file size for uploads (default 20 MB if unset) | No | Set an integer value |
| `WEBHOOK_FORMAT` | Format of webhook data payloads | No | Set to `raw`, `slack`, or `discord` |
| `CACHE_TTL_HOURS` | Module cache TTL in hours | No | Set an integer value |
Certificate Transparency, Wayback Machine, DNS, WHOIS, Website Analyzer, Email Reputation, SMTP Verify, Blackbird, Maigret, Email Headers, File Metadata, and Dark Web Checker all work with zero API keys.
The backend exposes a REST + WebSocket API. Application requests require an X-API-Key or Authorization: Bearer header in API-key mode; in anonymous mode (ALLOW_ANON_API=true) the header can be omitted. /healthz stays unauthenticated. Interactive docs are served at /docs (Swagger) and /redoc when running locally (unless DISABLE_DOCS=true).
| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/scan` | Start a scan (`{ target, scan_type, modules }`) → returns `scan_id` |
| GET | `/api/scan/{id}` | Scan status and results |
| GET | `/api/scan/{id}/graph` | Entity relationship graph |
| GET | `/api/scan/{id}/map` | GeoIP map markers |
| GET | `/api/scan/{id}/report` | HTML report |
| GET | `/api/scan/{id}/report/pdf` | PDF report |
| GET | `/api/scans` | List past scans (per-principal) |
| GET | `/healthz` | Unauthenticated health check |
| GET | `/api/health` | Unauthenticated health check for uptime monitors and load balancers |
| WS | `/ws/{scan_id}` | Live scan progress stream |
| POST | `/api/ai/summary`, `/api/ai/chat` | AI summary and Q&A |
| POST | `/api/url-scan`, `/api/mac-lookup`, `/api/crypto`, `/api/darkweb`, `/api/qr-decode`, `/api/email-headers`, `/api/metadata` | Standalone tools |
Authenticated example:

```bash
curl -X POST http://localhost:8080/api/scan \
  -H "X-API-Key: $API_KEY" -H "Content-Type: application/json" \
  -d '{"target":"example.com","scan_type":"domain"}'
```

```text
prism/
├── config.py                    # Environment + API key loader
├── requirements.txt
├── Dockerfile
├── docker-compose.yml
│
├── modules/
│   ├── extra_tools.py           # WHOIS, GeoIP, DNS, Website Analyzer
│   ├── cert_transparency.py     # Subdomain discovery via crt.sh
│   ├── threat_intel.py          # VirusTotal + AbuseIPDB
│   ├── shodan_lookup.py         # Shodan host intelligence
│   ├── censys_lookup.py         # Censys host + certificate search
│   ├── wayback.py               # Wayback Machine snapshots + sensitive URLs
│   ├── onion_checker.py         # .onion mirror checker (Ahmia + DarkSearch)
│   ├── darkweb_search.py        # Dark-web mentions search
│   ├── blackbird.py             # Username search (async, 50+ platforms)
│   ├── maigret_wrapper.py       # Deep username search (3000+ sites)
│   ├── hlr_lookup.py            # Phone validation + reverse lookup
│   ├── hunter.py                # DNS-based email reputation check
│   ├── smtp_verify.py           # SMTP mailbox existence verification
│   ├── leak_lookup.py           # Email breach / credential leak lookup
│   ├── telegram_lookup.py       # Telegram username/ID lookup
│   ├── email_header_analyzer.py # SPF/DKIM/DMARC + hop analysis
│   ├── metadata_extractor.py    # EXIF/PDF/DOCX + GPS extraction
│   ├── crypto_lookup.py         # Crypto address heuristics
│   ├── qr_decoder.py            # QR image decoder
│   ├── url_scanner.py           # Standalone URL scanner
│   ├── opsec_score.py           # Exposure risk scoring (0–100)
│   ├── graph_builder.py         # Entity relationship graph data
│   ├── report_generator.py      # Jinja2 HTML report + xhtml2pdf PDF
│   └── report_i18n.py           # Report translations EN / RU / DE
│
├── web/
│   ├── app.py                   # FastAPI + WebSocket scan engine
│   └── security.py              # Auth, CORS, rate limiting, SSRF guard
│
├── frontend/                    # Next.js 14 + TypeScript + Tailwind
│   └── src/
│       ├── app/                 # App Router pages
│       ├── components/          # UI (Topbar, Sidebar, Map, Graph, ...)
│       └── lib/                 # API client, i18n, types
│
└── tests/                       # 137 pytest tests
    ├── test_modules.py
    ├── test_modules_extended.py
    ├── test_v2_1_modules.py
    └── test_webhook.py
```
```bash
pip install pytest pytest-cov pytest-asyncio
pytest -q
# or with coverage:
pytest tests/ -v --cov=modules --cov=web --cov-report=term-missing
```

Frontend type check:

```bash
cd frontend
npx tsc --noEmit -p tsconfig.json
```

GitHub Actions pipeline (`.github/workflows/ci.yml`):
- Lint — flake8
- Test — pytest with coverage
- Build — Docker image
- Multilingual report rendering (EN / RU / DE) via `report_i18n`
- Webhook callbacks with HMAC signing + SSRF guard
- Multi-marker Leaflet GeoIP map (replaces single-iframe map)
- Hardened auth: header-only API keys, no query-string secrets
- Strict CORS by default; `ALLOW_ANON_API` opt-in for anonymous mode
- Phone map: removed coordinate fabrication, only explicit lat/lng
- Authenticated HTML/PDF report download via blob fetch
- Test suite expanded to 102 cases
- Scan history panel + side-by-side scan comparison (diff view)
- CSV & Markdown report export (alongside HTML/PDF)
- French (FR) & Spanish (ES) locales — UI now ships EN / RU / DE / FR / ES
- Standalone CLI (`python cli.py scan <target> --json|--html|--pdf`)
- Slack / Discord webhook formatters (`WEBHOOK_FORMAT=slack|discord`)
- Rate-limit response headers, keyboard shortcuts, scan duration, copy-all-emails
- Graceful module degradation — `skipped`/`rate_limited` statuses instead of hard errors
- IP / Subnet calculator standalone tool
- One-command demo (`docker compose -f docker-compose.demo.yml up`) with seeded scans
- Reliable Leaflet map rendering + Unicode (Cyrillic) fonts in PDF export
- GitHub user / organization recon module (profile, languages, repos, commit-metadata emails)
- Hash Identifier and Base64 / URL encoder standalone tools
- Per-module refresh — re-run a single module from its result card
- Approximate region-level GeoIP map for phone scans
- Scan history — sorted newest-first, auto-refresh, "Clear history", localized
- Friendly empty states (graph tab) and more rotating sidebar tips
- Hardening — Unicode (DejaVu) fonts in PDF, robust startup env parsing, apt-retry Docker builds
- Scheduled scans + continuous monitoring / watchlists with diff alerting
- Entity graph export to GEXF / GraphML (Gephi / Maltego)
- Per-API-key quotas and usage-stats endpoint
- Browser extension for one-click scans
- Additional locales (ZH) + dark / light theme toggle
- (exploring) AI OSINT agent — autonomous multi-module investigation
Want to contribute? Pick an open issue tagged `good first issue` or open a new one.
This tool is intended exclusively for lawful, authorized use:
- Security assessments and penetration testing you are authorized to perform
- Research on infrastructure, accounts, or data you own or have explicit permission to investigate
- Auditing your own digital footprint
- Academic and educational purposes
Every scan PRISM performs is passive and queries only publicly available data — but aggregating public data can still cause real harm. Do not use PRISM to:
- Stalk, harass, dox, or surveil any person without their consent
- Profile or track individuals you have no authorization to investigate
- Collect data in violation of applicable law or the terms of service of the platforms involved
You are responsible for how you use the results. The author assumes no liability for misuse.
If PRISM is useful to you, a ⭐ is the best free way to help. If you'd like to support development financially:

- SberTips (RUB)
- Crypto:
  - USDT (TRC20): TEdN41cTdAyNm7vrP4NYceT9sVhTB9BHho
  - TON: UQAkpcYb0hKgqEwGLs08syU_4Nh-_MhwaJT3HPWqFSidLThV
  - BTC: bc1qm8zvvh2ehv3m2su6u0exmcr903cf07gn0r66y6
  - ETH: 0x0639476A71255FD2C15dceD53e167952DcddEE8A
Do I need API keys? No — 14 of 22 modules work without any keys.
Is it free? Yes, MIT licensed and completely self-hosted.
Can I run it without installing anything? Try the live demo, or spin it up with the one-command Docker demo.
Which LLM does the AI summary use? Any OpenAI-compatible endpoint — OpenRouter, Groq, or local Ollama all work.
Contributions are welcome! Please read CONTRIBUTING.md before submitting a pull request! For security issues, see SECURITY.md.
PRISM is built solo, with AI coding assistance as part of the workflow. All code is reviewed and tested (137 passing tests covering module mocking, SSRF/auth, and reverse-proxy behavior), and the project is MIT-licensed and fully open to audit. Bug reports and contributions are very welcome.
PRISM stands on the shoulders of excellent open-source projects and public data sources.
Tools & techniques
- Maigret — username search across thousands of sites (run as a subprocess)
- Username heuristics inspired by Sherlock and Blackbird
Data sources & APIs
- crt.sh, Wayback Machine, Shodan, VirusTotal, AbuseIPDB, Censys, Ahmia, XposedOrNot, ipinfo.io, CoinGecko, BlockCypher, blockchain.info, Ethplorer, api.qrserver.com
Core libraries
- Backend: FastAPI, Uvicorn, Pydantic, SQLAlchemy, slowapi, phonenumbers, dnspython, python-whois, Pillow, xhtml2pdf
- Frontend: Next.js, React, Tailwind CSS, Leaflet
Each project is the property of its respective authors and used under its own license. PRISM itself is MIT-licensed.
MIT