How to Use SpiderFoot for Automated OSINT Reconnaissance
Step-by-step guide to running SpiderFoot scans, configuring modules, and reading results without alerting your target.
SpiderFoot maps everything connected to a target, a domain, IP address, email, person's name, phone number, username, subnet, or ASN. It uses over 200 modules to tap into external sources, DNS records, WHOIS, Shodan, VirusTotal, HaveIBeenPwned, social platforms, leak databases. Each module feeds into others automatically, and you get a relationship graph showing how findings connect.
SpiderFoot is built on Python and runs a local web interface on port 5001. The product is fully open source on GitHub with over 13,000 stars. There is also a cloud-hosted commercial version, SpiderFoot HX.
SpiderFoot chains findings. A domain lookup leads to mail servers. Mail servers resolve to IPs. IPs get checked against threat intelligence feeds. WHOIS records yield email addresses. Email addresses get cross-checked against breach databases. The automated chain makes SpiderFoot useful. Operators love the workflow.
When to Use SpiderFoot
SpiderFoot excels in specific investigations. It's great for pre-engagement reconnaissance, mapping the full external attack surface without touching the target.
Use SpiderFoot for organizational footprint mapping to uncover subdomains, IP ranges, tech stacks, leaked staff emails, cloud infrastructure. It also helps with person investigations, linking an email address to social profiles, leaked credentials, linked domains, phone numbers.
SpiderFoot is useful for threat intelligence, pulling the history of a suspicious IP or domain, associated malware campaigns, related C2 infrastructure. It quickly assesses whether a target has a significant digital footprint, saving time on manual research.
However, SpiderFoot isn't suitable for real-time monitoring. It's not designed for continuous surveillance.
Additionally, SpiderFoot isn't ideal for social media content analysis; it finds accounts but doesn't analyze post content.
For deep dark web research, SpiderFoot has some dark web modules, though specialized tools may be needed.
Setting Up SpiderFoot
Setup
You can set up SpiderFoot in several ways. The quickest method is via pip. To do this, run the following commands: pip3 install spiderfoot, spiderfoot -l 127.0.0.1:5001.
You can access the web interface at http://127.0.0.1:5001.
Another option is to use Docker. You can run SpiderFoot with this command: docker run -p 5001:5001 spiderfoot/spiderfoot.
This method works well on macOS or Windows for a clean setup, with no Python dependencies to manage.
There is also SpiderFoot HX, which costs $25/month and offers team features and saved scans, making it suitable for teams doing regular recon.
Configuration
API keys are not required, but they are helpful. The services you can get API keys for are Shodan, VirusTotal, HaveIBeenPwned, Hunter.io, SecurityTrails, Censys. You can add them in Settings → API Keys. Your results will improve with these keys.
Running Your First Scan
To start, hit "New Scan" in the web UI and give it a name. Your target can be a domain. There are four scan types: All, Footprint, Investigate, and Passive. The Footprint scan is a good default, as it hits the useful sources. The Passive mode won't alert the target; it only queries third-party sources and doesn't send HTTP requests.
Understanding SpiderFoot Modules
SpiderFoot's modules are grouped by function, categorized as DNS, WHOIS, Email, Social Media, and more. Each targets a specific data source or lookup.
The modules are organized into categories such as DNS, WHOIS, Email, Social Media, Web Crawling, Threat Intel, Dark Web, Leak Data, and Infrastructure. You select which modules to run and can disable those you don't need, which reduces scan time. This is particularly useful for targeted investigations, where you can turn off entire categories you're not using, saving time.
Reading Scan Results
While a scan runs, results appear live under Browse. The scan finishes, and you have three views: Browse, Graph, and Summary.
The Browse tab shows every finding, with all results typed out. The Graph view draws connections between entities, but can be cluttered with large scans. The Summary gives you counts by data type, providing a quick overview of the scan.
When reviewing results, focus on IPs, which indicate infrastructure, and email addresses, which indicate staff, especially those marked as compromised. Domains and subdomains show the domain footprint. Look for immediate red flags, such as Malware or Blacklisted flags.
Each finding has a Risk Level, but automated ratings can miss context, so review them manually.
Practical Scan Strategies
Recon Strategies
Domain Footprinting
To map a domain, start with the root. Use the Footprint scan type. It digs up subdomains, infrastructure exposure, email addresses, and SSL certs.
Person Investigations
Investigate people with the Investigate scan. The scan looks for breach data, username connections, domains they own, and social profiles. For discreet searches, go Passive.
IP Reputation & Threat Intel
If you have a suspicious IP or domain, investigate it. Focus on malware hits, blacklist mentions, passive DNS data, and linked domains.
Organizational Footprint
Footprint the main domain. Then, filter by IP and domain to see the full external attack surface.
Limitations
SpiderFoot has limitations. Thousands of results from one scan, most are noise. Scans can be slow, noisy too. If all modules are running, expect several hours; your target domain gets probed.
API keys unlock better data; without them, you're missing out. Results go stale, sources do too.
Python version issues can pop up, but Docker helps.
The graph view can bog down; use the Browse table instead.
Verdict
SpiderFoot automates wide-area recon, crunching hours of busywork into one scan. You choose the scan type: Passive, Footprint, or All, trading off target interaction for data volume. API keys improve result quality; do not skip them. The scan runs fast, but triage takes time, so plan for that. Solo operators can use pip or Docker on a local machine. Teams should use SpiderFoot HX, which comes with persistent storage and access controls.
Related Guides
Best OSINT GitHub Repositories in 2026
The top GitHub repositories for OSINT — curated lists, automation frameworks, username lookup, email investigation, phone OSINT, and threat intelligence tools. Stars verified April 2026.
Domain and IP Investigation with OSINT: A Complete Guide
A practical guide to investigating domains and IP addresses using open source tools — covering WHOIS, DNS history, IP geolocation, ASN analysis, and infrastructure pivoting.
How to Use Shodan: A Beginner's Guide
A practical introduction to Shodan — what it is, how to search it, and how OSINT investigators and security practitioners use it to research internet-facing infrastructure.
Last updated 2026-04-02. Techniques and tools change — verify current capabilities with vendors directly.