techstack identification

Skill

OSINT-based technology stack identification. Routes to 6 domain sub-skills (frontend, backend, infra, security, osint, correlation) to discover a target's stack from publicly available signals.

Files13
  • @skills/techstack-identification/SKILL.md
  • @skills/techstack-identification/backend/SKILL.md
  • @skills/techstack-identification/backend/reference/patterns.md
  • @skills/techstack-identification/correlation/SKILL.md
  • @skills/techstack-identification/correlation/reference/patterns.md
  • @skills/techstack-identification/frontend/SKILL.md
  • @skills/techstack-identification/frontend/reference/patterns.md
  • @skills/techstack-identification/infra/SKILL.md
  • @skills/techstack-identification/infra/reference/patterns.md
  • @skills/techstack-identification/osint/SKILL.md
  • @skills/techstack-identification/osint/reference/patterns.md
  • @skills/techstack-identification/security/SKILL.md
  • @skills/techstack-identification/security/reference/patterns.md

Tech Stack Identification

Passive OSINT reconnaissance to identify a target's technology stack. No credentials, no active scanning — only publicly available signals.

Quick Start

text
1. Provide company name (+ optional domain hint)
2. Run infra first (asset inventory) → frontend / backend / security / osint in parallel
3. Pass all signals into correlation → final report (JSON + Markdown)

Domain Sub-Skills

Sub-skillIdentifiesRead
frontendJS frameworks, meta-frameworks, CSS libraries, build tools, CMS via DOM/HTML/JSfrontend/SKILL.md [blocked]
backendWeb servers, runtimes, languages, frameworks, DB, APIs, CMSbackend/SKILL.md [blocked]
infraCloud, CDN/WAF, DNS, TLS/CT, DevOps, asset discovery (domains/subdomains/IPs)infra/SKILL.md [blocked]
securitySecurity headers, CSP, email auth, security.txt, third-party SaaSsecurity/SKILL.md [blocked]
osintPublic repos (GitHub/GitLab), job postings/ATS, Wayback Machineosint/SKILL.md [blocked]
correlationCross-validation, confidence scoring, conflict resolutioncorrelation/SKILL.md [blocked]

Routing by Objective

ObjectiveMount
Full stack discoveryinfra → (frontend, backend, security, osint) → correlation
CDN/WAF identification onlyinfra
API surface mappingbackend
Supply-chain / SaaS exposuresecurity + osint
CVE matching by versionbackend + frontend (then correlation)
Migration / historical contextosint (web archive) + correlation
CMS fingerprintfrontend (HTML generators) + backend (CMS paths/cookies)
Asset inventory onlyinfra (domain discovery, subdomain enum, IP attribution, CT)

Confidence Levels

  • High: 3+ independent sources OR explicit identifier (header/meta/global) + supporting evidence + version known
  • Medium: Single strong source OR multiple indirect signals (URL patterns, cookies, DOM attrs, job postings)
  • Low: Speculative — single weak signal, conflicting data, or archive-only evidence
Computed in correlation/. Target distribution: 50-70% High, 20-35% Medium, <15% Low.

Final Report Schema

json
{ "report_id": "uuid", "company": "string", "primary_domain": "string",
  "discovered_assets": {"domains", "subdomains", "ip_addresses", "certificates", "api_portals"},
  "technologies": {
    "frontend": [{"name", "version?", "confidence", "evidence": []}],
    "backend": [...], "infrastructure": [...], "security": [...],
    "devops": [...], "third_party": [...] },
  "confidence_summary": {"high_confidence", "medium_confidence", "low_confidence", "overall_score"} }

Rate Limits

crt.sh 10/min · GitHub (unauth) 60/h · HTTP 30/min/domain · DNS 30/min · Wayback CDX 15/min · WHOIS 5/min.

Ethics

Passive only. No active scanning, credentialed access, zone transfers, or brute force. Public sources only. Log every external request for audit.
techstack-identification — Kortix Marketplace | Kortix