When you enter a domain, CyberRecon fires a series of parallel, read-only lookups against public OSINT APIs and open data sources. Everything runs in your browser — no data transits through any server controlled by the author.
Resolves A, AAAA, MX, NS, TXT, and CAA records via Google DNS-over-HTTPS. Checks for SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI — the complete email authentication stack. DKIM is probed across 20 common selector names.
MX and primary A-record IPs are enriched through a four-source fallback chain (ipwho.is, ipinfo.io, rdap.arin.net, ipapi.co), all queried in parallel to produce hosting organisation, country, ASN, and CIDR network prefix for every resolved IP. Sources fire simultaneously so IP enrichment never blocks cert or threat intel lookups.
Queries URLScan.io for the last 20 scans with full verdict breakdown, and ThreatFox / abuse.ch for active malicious IOC matches. DNSBL status is checked against Spamhaus DBL and SURBL via DNS.
Fetches TLS certificates from crt.sh and a secondary Cert Spotter CT index fallback, then normalises the result set into a single certificate view. Wildcard and apex query paths are both checked, SAN lists are parsed on both newlines and commas, and genuine subdomains are extracted with a strict suffix match — passively revealing the domain's external attack surface without touching any target system.
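The SAN parsing and strict suffix match described above, as an added example that is not CyberRecon's own code. It assumes each CT entry carries its names in a `name_value` string, as crt.sh's JSON output does; the function name and the sample entries are constructed for illustration.

```javascript
// Added example: extract genuine subdomains of an apex from CT SAN strings.
function extractSubdomains(apex, ctEntries) {
  const root = apex.toLowerCase().replace(/\.$/, "");
  const suffix = "." + root; // leading dot is what makes the match strict
  const found = new Set();
  for (const entry of ctEntries) {
    // SAN lists arrive newline-separated or comma-separated depending on the index.
    for (const raw of String(entry.name_value || "").split(/[\n,]+/)) {
      let name = raw.trim().toLowerCase().replace(/\.$/, "");
      if (name.startsWith("*.")) name = name.slice(2); // wildcard: keep the parent name
      if (!name || name === root) continue;            // the apex itself is not a subdomain
      if (!name.endsWith(suffix)) continue;            // rejects "notexample.com" and
                                                       // "example.com.attacker.test"
      // Drop anything that is not a plain hostname (e-mail SANs, stray text).
      if (!/^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/.test(name)) continue;
      found.add(name);
    }
  }
  return [...found].sort();
}

// Constructed sample entries, not real CT log data.
const SAMPLE_CT = [
  { name_value: "example.com\n*.example.com\nwww.example.com" },
  { name_value: "API.example.com, mail.example.com" },
  { name_value: "notexample.com\nexample.com.attacker.test" },
  { name_value: "admin@example.com\n*.dev.example.com" },
];

console.log(extractSubdomains("example.com", SAMPLE_CT));
```

A plain `endsWith("example.com")` check would have accepted `notexample.com` as part of the attack surface; requiring the leading dot is what keeps unrelated registrations out of the subdomain list.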
A 0–100 composite score across 8 weighted components: SPF mechanism (20pts), DMARC policy level (25pts), DKIM selector count (20pts), MTA-STS (10pts), BIMI (5pts), TLS-RPT (5pts), DNSBL clean status (10pts), and gateway presence (5pts). Rendered as letter grade A+–F with per-component progress bars. All derived from scan data — no inference.
A 15-cell colour-coded summary grid covering all security domains (SPF, DMARC, DKIM, MTA-STS, Email GW, URLScan, ThreatFox, Spamhaus, SURBL, TLS Cert, CAA, WAF/CDN, Typosquats, BIMI, Deliverability). Every tile is clickable — navigates directly to the relevant tab. Colours: red=critical, orange=fail, yellow=warn, green=pass, blue=info.
Detects 40+ technologies from 9 passive signal sources: URLScan page URL/server/domain/tags, NS records, IP org, cloud footprint providers + CNAME targets, MX hostnames, TXT detectedTools, SPF includes, DKIM selectors, and CT subdomain names. No active HTTP requests — purely from data already collected in the scan.
Mines URLScan page URLs and active CT subdomains for 21 API path patterns: versioned REST, GraphQL, Swagger/OpenAPI docs, health/metrics/admin endpoints, WordPress REST API, XML-RPC, phpMyAdmin. Also detects API-pattern subdomains (api., graphql., admin., swagger., backend.) from CT log resolution.
Detects cloud providers (AWS, Azure, GCP, Cloudflare, Akamai, Fastly, DigitalOcean, Vercel, Netlify, and others) by matching IP organisation strings, ASN names, NS record patterns, and CNAME targets. Resolves up to 20 CT-discovered subdomains live via DNS for cloud attribution.
Generates 60+ lookalike domain variants using TLD swaps, homoglyphs, character insertion/deletion, and abuse prefix/suffix patterns. The top 18 by risk are checked live via DNS. Certificate Transparency logs and URLScan.io are also queried for brand-related domains on external infrastructure.
All findings feed a deterministic, rule-based scoring engine producing a 0–100 risk score with per-factor explanations. The score is fully transparent — no AI inference, no black box. The same domain scanned twice produces identical results.
CSV — 23 sections covering every scan finding in flat spreadsheet format. Excel (.xlsx) — 9 worksheets (Overview, Email Security, Threat Intel, Certificates, Risk Factors, Brand, Cloud, Web+Tech, Tools) using SheetJS — open directly in Excel or Google Sheets. Word (.doc) — 12 fully structured sections with tables, headers, and a legal disclaimer block. PDF — browser print-to-PDF with a clean stylesheet covering 13 numbered sections. Recommendations section is excluded from all exports.
A separate 0–100 composite score measuring email deliverability health across 8 weighted components: SPF mechanism (20pts), DMARC policy level (25pts), DKIM selector count and rotation (20pts), MTA-STS (10pts), BIMI (5pts), TLS-RPT (5pts), DNSBL clean status (10pts), and gateway presence (5pts). The score renders as a letter grade (A+ through F) with individual progress bars for each component — all derived from real scan data, no inference.
Detects 25+ technologies from passive signals already collected during the scan: URLScan.io page data (URLs, server strings, domain lists), cloud footprint provider attribution, and TXT record tool signatures. Identifies CMS platforms (WordPress, Drupal, Joomla, Wix, Squarespace, Shopify), hosting/CDN (Cloudflare, AWS, Netlify, Vercel, GitHub Pages), analytics (Google Analytics, GTM, Hotjar), bot protection (reCAPTCHA, hCaptcha, Turnstile), and JavaScript frameworks (React, Angular, Vue, Next.js, Nuxt.js, jQuery). No active HTTP requests are made — all detection is from existing scan signals.
Extracts registration date, expiry date, and last-updated date from RDAP responses. Calculates domain age in days and years with a risk classification — domains under 90 days are flagged HIGH risk (common in phishing infrastructure), under 1 year elevated risk. Expiry warnings trigger at 30 and 90 days. All data sourced directly from RDAP/Verisign/IANA registry responses.
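The age and expiry thresholds above applied to an RDAP response, as an added example that is not CyberRecon's own code. The `events` array with `eventAction` values `registration`, `expiration` and `last changed` is the standard RDAP shape (RFC 9083); the function names, the labels other than HIGH, the 365-day reading of "under 1 year", and the sample responses are assumptions made for illustration.

```javascript
// Added example: classify domain age and expiry from RDAP events.
const DAY_MS = 24 * 60 * 60 * 1000;

// Return the Date of the first event with the given eventAction, or null.
function eventDate(rdap, action) {
  const ev = (rdap.events || []).find((e) => e.eventAction === action);
  const t = ev ? Date.parse(ev.eventDate) : NaN;
  return Number.isNaN(t) ? null : new Date(t);
}

function classifyDomainAge(rdap, now = new Date()) {
  const registered = eventDate(rdap, "registration");
  const expires = eventDate(rdap, "expiration");
  const out = {
    ageDays: null, ageYears: null, ageRisk: "UNKNOWN", // no registration event: do not guess
    daysToExpiry: null, expiryWarning: null,
    lastUpdated: eventDate(rdap, "last changed"),
  };
  if (registered) {
    out.ageDays = Math.floor((now - registered) / DAY_MS);
    out.ageYears = Number((out.ageDays / 365.25).toFixed(1));
    // Page thresholds: under 90 days HIGH, under 1 year elevated.
    out.ageRisk = out.ageDays < 90 ? "HIGH" : out.ageDays < 365 ? "ELEVATED" : "NORMAL";
  }
  if (expires) {
    out.daysToExpiry = Math.floor((expires - now) / DAY_MS);
    // Page thresholds: warnings at 30 and 90 days before expiry.
    if (out.daysToExpiry < 0) out.expiryWarning = "EXPIRED";
    else if (out.daysToExpiry <= 30) out.expiryWarning = "WITHIN_30_DAYS";
    else if (out.daysToExpiry <= 90) out.expiryWarning = "WITHIN_90_DAYS";
  }
  return out;
}

// Constructed RDAP fragments, not real registry responses.
const SAMPLE_NEW = { events: [
  { eventAction: "registration", eventDate: "2025-03-01T00:00:00Z" },
  { eventAction: "expiration", eventDate: "2026-03-01T00:00:00Z" },
] };
const SAMPLE_OLD = { events: [
  { eventAction: "registration", eventDate: "2015-06-01T00:00:00Z" },
  { eventAction: "expiration", eventDate: "2025-05-05T00:00:00Z" },
  { eventAction: "last changed", eventDate: "2024-05-02T10:00:00Z" },
] };

console.log(classifyDomainAge(SAMPLE_NEW, new Date("2025-04-15T00:00:00Z")));
```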
Four security controls verified entirely from existing scan data — no external calls, no guesses: TLS Certificate (expiry status from crt.sh), CAA Records (certificate authority restriction from DNS), WAF/CDN Protection (inferred from cloud footprint provider list), and Threat Intelligence Standing (composite of DNSBL, URLScan, and ThreatFox results). Each returns a definitive PASS, WARN, or FAIL with the exact data behind the verdict.
Last updated: April 2025 · Operated by Jitendera Sarda · jitusarda@outlook.com
Because your browser calls external APIs directly, those third-party services (URLScan.io, ThreatFox, ipwho.is, crt.sh, Spamhaus, SURBL, etc.) may log the domain names and your IP address according to their own privacy policies. You should review those policies if scanning sensitive domains.
CyberRecon is a single HTML file that runs entirely in your browser. There is no backend, no database, no server-side processing. Export files (PDF, Word, CSV) are generated locally in your browser using Blob URLs and are never uploaded anywhere.
Exported reports contain domain intelligence data compiled from public sources. Reports are generated locally and not transmitted to any server. They carry a disclaimer stating data is sourced from public OSINT feeds and is provided for informational purposes only.
All data CyberRecon retrieves is publicly available by design:
Querying this data is legally analogous to looking up a company in a public directory. No packets are sent to the target domain's servers. No authentication is bypassed. No systems are probed.
CyberRecon is best positioned as:
"CyberRecon reads what the internet already makes public. It is for defenders, researchers, and domain owners — not for offensive use."