Subterfuge
OSINT Intelligence Platform
by Cipher Cortex Technologies
Investigate any indicator in seconds. Subterfuge runs 50+ enrichment tools across 8 indicator types — IPs, domains, emails, URLs, phone numbers, usernames, file hashes, and crypto wallets — then scores risk, generates executive reports, and lets you compare, extract, and share intelligence.
How It Works
From indicator to intelligence in three steps
Paste Any Indicator
Enter an IP, domain, email, URL, phone number, username, file hash, or crypto wallet. Subterfuge auto-detects the type.
Automated Enrichment
Up to 30 tools run in parallel per search — DNS, WHOIS, threat feeds, carrier lookups, screenshots, and more. Results stream in live.
Risk Score & Report
Get a composite risk score, executive PDF report, and structured findings with actionable recommendations.
Eight Indicator Types
One search box, automatic detection
IP Addresses
Geolocation, reverse DNS, WHOIS, DNSBL checks, Tor exit detection, port scanning, and threat reputation.
Domains
WHOIS, DNS records, subdomains, SSL/TLS, tech stack, typosquatting, Wayback Machine, subdomain takeover, and screenshots.
Emails
Validation, SMTP deliverability, Gravatar, PGP keys, SPF/DKIM/DMARC, spam reputation, and disposable email detection.
URLs
Redirect chain analysis, full domain enrichment on the host, SSL/TLS, tech stack, Wayback Machine, and threat reputation.
Phone Numbers
Real-time carrier identification (post-porting), VoIP detection, line type, area code geo-mapping, and risk analysis.
Usernames
Multi-platform enumeration across 25+ sites, pattern analysis, GitHub/Reddit profiles, and Gravatar lookups.
File Hashes
MD5, SHA-1, and SHA-256 hash identification with algorithm detection and malware intelligence lookups.
Crypto Wallets
Bitcoin balance, transaction history, first/last seen dates, known address labels, and wallet risk analysis for fraud detection.
Analyst Toolkit
Purpose-built tools beyond basic enrichment
Compare
Compare two indicators of the same type side-by-side. Highlights shared infrastructure, overlapping DNS, common technologies, and more.
Indicator Extractor
Paste text, upload files (TXT, PDF, CSV, JSON, EML, YARA, and more), or provide a URL. Automatically extracts IPs, domains, emails, hashes, wallets, CVEs, and phone numbers.
Analytics Dashboard
Interactive charts tracking search activity, risk distribution, selector breakdowns, geographic trends, and technology intelligence across all investigations.
Platform Features
Enterprise-grade capabilities at every layer
Threat Reputation Scoring
Every search is checked against URLhaus, ThreatFox, Feodo Tracker, Spamhaus, PhishTank, Quad9, StopForumSpam, and more. Risk is scored and color-coded in real time.
Executive Reports
One-click PDF generation with a cover page, composite risk score, severity-ranked findings, prioritized recommendations, and a full evidence appendix.
Progressive Live Results
Results stream in as each enrichment completes. No waiting for everything to finish — start analyzing while tools are still running.
Re-run & Diff
Re-run any past search and see what changed. New ports opened, DNS records modified, SSL certificates rotated — highlighted automatically.
Shareable Results
Generate a read-only share link for any search result. Share with clients or teammates without requiring them to log in.
Export Anywhere
Export any search to PDF, CSV, or JSON. Executive reports include branded cover pages and structured evidence for handoff to stakeholders.
50+ Enrichment Tools
8 Indicator Types
18+ Threat Feeds
3 Analyst Tools
Ready to investigate?
Start turning raw indicators into actionable intelligence.