SwarmHawk Platform Guide

Everything you need to know about SwarmHawk — from signing up and scanning your first domain to integrating the API into your workflow and managing enterprise attack surfaces.

Last updated: March 2026 · swarmhawk.com

Platform Overview

SwarmHawk is a continuous external attack surface management (EASM) platform. It automatically discovers, scans, and scores every internet-facing domain in your inventory — then maps exactly how an attacker would move through them using real MITRE ATT&CK techniques.

Instead of producing a 500-page vulnerability report once a quarter, SwarmHawk runs continuously and surfaces a short, prioritized action list: the 3–5 things that, if fixed today, would most reduce your real breach risk.

How it works at a glance

Quick Start

Sign up and add your first domain

Your Role

SwarmHawk serves four distinct user types. Your role determines which features are most relevant — but everyone uses the same unified platform.

Role-based access

Dashboard Guide

The SwarmHawk dashboard is a full-screen app that opens automatically after login. It has three tabs: Domains, Account, and Admin (admin users only).

Domains Tab

This is your main workspace. It shows every domain in your inventory with its current risk score and status.

Domain list

• Risk score (0–100) — colour-coded: green <30, amber 30–69, red 70+
• Status badge — clean, warning, critical, or pending (scan in progress)
• Last scanned — timestamp of most recent completed scan
• Findings count — how many open issues were detected

Filtering

Use the filter bar above the domain list to show only all, critical, warning, or clean domains. The filter selection persists across page refreshes.

Domain report

Click any domain row to open the full scan report. The report is divided into sections:

• Risk summary — overall score with breakdown by category
• Findings — each issue with severity, affected record, and a plain-English fix
• DNS records — live DNS output for all record types
• Scan history — score trend over time

Adding domains

Click + Add Domain (top-right of the domains tab). Enter a bare domain name (example.com) — do not include https:// or trailing slashes. SwarmHawk normalizes the input automatically.

Account Tab

The Account tab shows your plan details, billing history, API key, and profile settings.

• Plan — current tier, renewal date, domain usage
• API Key — your personal Bearer token for API access (click to reveal)
• Billing — manage subscription, download invoices (Stripe portal)
• Profile — update display name, email, and avatar
• Danger zone — delete account (irreversible)

Admin Tab

Visible only to users with the admin role. Contains four sections:

Pipeline stats

Live counts from the scan engine: total domains in queue, pending scans, completed today, error rate, and the timestamp of the last successful scan cycle.

Domain management

Search and manage any domain in the system. Force a re-scan, change priority tier, flag for review, or delete a domain from the database.

Batch upload

Upload a .txt file (one domain per line) or a .json array to ingest domains in bulk. Useful for onboarding a new customer portfolio or importing from another scanner.

Enterprise compute

Trigger the org graph clustering engine to re-cluster all domains into organizations and recompute breach paths and risk scores. This runs automatically on a schedule but can also be triggered manually here.

Scan Engine

SwarmHawk's scan engine uses a three-tier architecture to balance speed, depth, and cost.

When you add a new domain, a Tier 1 scan is dispatched immediately. Tier 1.5 and Tier 2 scans are queued and run on the next available cycle.

Security Checks

SwarmHawk runs 23 individual checks grouped into six categories:

DNS Health

SSL / TLS

Email Security

Web / HTTP

Infrastructure

Active Reconnaissance New

Risk Scoring

Every domain receives a risk score from 0 (fully clean) to 100 (critically exposed). The score is computed from a weighted sum of active findings:

The raw sum is capped at 100. Multiple critical findings push the score to 100 quickly — which is intentional. A domain with 4 critical issues is as urgent as one with 6.

REST API

The SwarmHawk REST API gives programmatic access to scan data, domain management, and reporting. It's the foundation for the MCP server and bulk feed integrations.

Base URL: https://swarmhawk.com/api

Authentication

All API requests require a Bearer token in the Authorization header. You can find your token in the Account tab of the dashboard under API Key.

# Example: fetch your domain list
curl -s https://swarmhawk.com/api/domains \
  -H "Authorization: Bearer YOUR_API_KEY"

Key Endpoints

Domain Management

Scanning & Reports

Bulk Feed (Team / Enterprise)

Enterprise

Example: scan a domain and read findings

# 1. Add domain
curl -sX POST https://swarmhawk.com/api/domains \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain":"example.com"}'

# 2. Poll until scan completes (status != "pending")
curl -s https://swarmhawk.com/api/scan-results/example.com \
  -H "Authorization: Bearer YOUR_API_KEY" | \
  jq '{score: .risk_score, findings: [.findings[] | {sev:.severity, msg:.message}]}'

MCP Integration

SwarmHawk exposes a Model Context Protocol (MCP) server so AI tools — Claude, Cursor, GitHub Copilot, and any MCP-compatible assistant — can query your security data and answer questions like "which of my domains are most at risk?" or "summarize the findings for api.example.com".

What is MCP?

MCP (Model Context Protocol) is an open standard that lets AI assistants call external tools and data sources in a structured, sandboxed way. When you connect SwarmHawk's MCP server to your AI tool, the assistant can read your live scan data — but cannot make changes without your explicit approval.

Connect to Claude Desktop

Add the following to your claude_desktop_config.json (found in your Claude Desktop settings):

{
  "mcpServers": {
    "swarmhawk": {
      "url": "https://swarmhawk.com/api/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Connect to Cursor / VS Code

# In your workspace .mcp.json
{
  "servers": {
    "swarmhawk": {
      "url": "https://swarmhawk.com/api/mcp",
      "apiKey": "YOUR_API_KEY"
    }
  }
}

MCP tools available

For full MCP setup instructions for Claude Desktop, Cursor, Windsurf, Cline, and self-hosting — including copy-paste config snippets, all 7 tool definitions, example prompts, and troubleshooting — see the → MCP Integration Guide.

Attack Surface Management

Enterprise accounts unlock SwarmHawk's EASM capabilities — designed for security teams who need a continuous, organization-wide view of their exposure, not just a domain list.

What EASM means in practice

• Every domain your organization owns is automatically grouped into a logical entity (the "org")
• SwarmHawk computes an org-level risk score — a weighted aggregate of all domain scores, amplified by how interconnected the attack surface is
• Entry points (publicly reachable, lower-trust domains) are distinguished from critical assets (internal tooling, authentication providers, core infrastructure)
• Choke points — domains that appear on the most attack paths — are highlighted so you can prioritize hardening them first

Org Graph

The org graph engine reads your full domain inventory and clusters domains by their registered parent domain (eTLD+1). Each cluster becomes an organization node.

Each domain in the cluster is classified as one of four node types:

Breach Path Analysis

Once the org graph is built, SwarmHawk's path engine enumerates directed attack paths from every entry node to every critical asset — up to depth 4 and 100 paths per organization.

Each path edge is labelled with a MITRE ATT&CK technique that represents the likely exploitation method:

Choke points are nodes that appear on the highest number of paths. Hardening a choke point — even moderately — breaks the most attack paths simultaneously. SwarmHawk ranks choke points by blast radius and surfaces them first in the remediation queue.

NIS2 / DORA / GDPR

SwarmHawk maps directly to the technical security measures required under current EU regulations. Your scan data can be exported as a compliance evidence package.

NIS2 Article 21 mapping

DORA (Digital Operational Resilience Act)

DORA requires financial entities to continuously monitor their ICT attack surface. SwarmHawk satisfies the threat-led penetration testing and vulnerability management pillars by providing continuous automated scanning as a documented, auditable process.

GDPR Article 32

Article 32 requires "appropriate technical measures" to ensure data security. SwarmHawk's TLS, header, and breach detection checks provide evidence of proactive security hygiene — suitable for inclusion in a GDPR technical measures register.

Plans & Limits

API rate limits are enforced per API key. Exceeding the limit returns HTTP 429 Too Many Requests. Limits reset at midnight UTC.

Domain limits are enforced at the account level. Attempting to add a domain beyond your plan limit returns HTTP 403 Forbidden with a domain_limit_reached error code.

XDR & SIEM Integration Guide

SwarmHawk pushes the full external attack surface picture — not just a risk number — directly into your existing security stack. Every integration sends platform-optimised, fully-enriched payloads: 22-check scan results, CVE list, software fingerprints, email security chain (SPF/DMARC/DKIM), threat classification, blacklist status, domain age, and per-check remediation steps.

What SwarmHawk sends to every integration

📊 Splunk SIEM

What you gain: SwarmHawk writes CIM-aligned events (sourcetype=swarmhawk:scan) into your Splunk index. Security analysts can immediately write SPL queries across your entire external domain footprint — no custom schema required.

Setup

1. In Splunk: Settings → Data Inputs → HTTP Event Collector → New Token
2. Note the HEC URL (https://your-splunk:8088) and token
3. In SwarmHawk: Account → Integrations → Splunk → Configure
4. Paste HEC URL, token, and target index

CIM fields sent

dest              = "example.cz"          -- domain (CIM: Network)
vendor_product    = "SwarmHawk EASM"
category          = "vulnerability"
severity          = "high"
risk_score        = 87
max_cvss          = 9.1
threat_types_csv  = "phishing_vector,unpatched_cve"
cve_ids           = "CVE-2024-1234, CVE-2023-5678"
software_names    = "Apache 2.4.51, OpenSSL 1.0.2"
failed_checks_csv = "ssl,headers,dmarc"
spf_status        = "missing"
dmarc_status      = "missing"
email_security_score = 0                   -- 0/3 = fully spoofable
phishing_risk     = 1
blacklisted       = 0
country           = "CZ"
domain_age_days   = 180

Example SPL queries

-- Find all phishing-ready domains
index=swarmhawk sourcetype=swarmhawk:scan phishing_risk=1
| table dest, country, domain_age_days, registrar
| sort -risk_score

-- Top exposed software stacks
index=swarmhawk sourcetype=swarmhawk:scan
| rex field=software_names "(?P<product>[^,]+)"
| stats count by product | sort -count

-- Domains with active CVEs by country
index=swarmhawk sourcetype=swarmhawk:scan cve_count>0
| stats avg(max_cvss) as avg_cvss, count by country
| sort -avg_cvss

-- Risk posture trend over time
index=swarmhawk sourcetype=swarmhawk:scan
| timechart avg(risk_score) by priority

🔵 Microsoft Sentinel

What you gain: SwarmHawk creates a custom SwarmHawk_CL log table in your Log Analytics workspace. Every field is KQL-queryable with typed suffixes (_s string, _d number, _b boolean). Use it in workbooks, analytic rules, and SOAR playbooks.

Setup

1. In Azure: Log Analytics workspace → Agents → Workspace ID + Primary Key
2. In SwarmHawk: Account → Integrations → Microsoft Sentinel → Configure
3. Paste Workspace ID and Shared Key (primary or secondary)

KQL fields in SwarmHawk_CL

Domain_s, Country_s, Registrar_s, DomainAgeDays_d
RiskScore_d, MaxCVSS_d, Priority_s, CriticalCount_d
ThreatCategory_s, ThreatTypes_s, AttackVectors_s
PhishingRisk_b, Blacklisted_b, WAFDetected_b
CVEList_s, CVECount_d, SoftwareStack_s
SPFStatus_s, DMARCStatus_s, DKIMStatus_s, EmailSecurityScore_d
ComplianceFlag_s  -- "NIS2-Art21" when risk >= 70
TimeGenerated

Example KQL queries

// Phishing-ready domains with email spoofing risk
SwarmHawk_CL
| where PhishingRisk_b == true
| project Domain_s, Country_s, EmailSecurityScore_d, DomainAgeDays_d, RiskScore_d
| order by RiskScore_d desc

// High-CVSS domains by country heatmap
SwarmHawk_CL
| where MaxCVSS_d >= 7.0
| summarize count(), avg(MaxCVSS_d) by Country_s
| order by count_ desc

// NIS2 compliance exposure
SwarmHawk_CL
| where ComplianceFlag_s == "NIS2-Art21"
| summarize count() by ThreatCategory_s

// Cross-source: user browsed blacklisted domain
SwarmHawk_CL
| where Blacklisted_b == true
| join kind=inner (
    SigninLogs | project UserPrincipalName, ResourceDisplayName
) on $left.Domain_s == $right.ResourceDisplayName
| project UserPrincipalName, Domain_s, RiskScore_d, ThreatTypes_s

🦅 CrowdStrike Falcon

What you gain: SwarmHawk pushes your high-risk domains as typed IOCs into Falcon's threat intelligence. Falcon then blocks or alerts when any endpoint — anywhere in your estate — attempts to connect to those domains.

IOC enrichment sent to Falcon

type:        "domain"
value:       "compromised-supplier.cz"
action:      "prevent"   -- for blacklisted/malware; "detect" for CVE/misconfiguration
severity:    "HIGH"      -- CRITICAL (CVSS≥9) / HIGH (7-9) / MEDIUM (4-7)
description: "SwarmHawk EASM | Risk: 91/100 | CVSS: 9.1
              Threats: phishing_vector, unpatched_cve
              CVEs: CVE-2024-1234, CVE-2023-5678
              Software: Apache 2.4.51, OpenSSL 1.0.2
              ⚠ Domain can be spoofed — SPF/DMARC missing"
tags:        ["swarmhawk","easm","phishing_vector","unpatched_cve"]
expiration:  90 days (auto-refreshed on rescan)

🛡️ Bitdefender GravityZone

What you gain: SwarmHawk creates named domain rules in GravityZone, classified by threat type. Endpoints covered by GravityZone are protected from domains your external scanner has flagged — without manual rule management.

Rule naming convention: [SwarmHawk CRITICAL] compromised-domain.cz — instantly visible in GravityZone policy console with priority embedded in the name.

Action is set to block for confirmed malware/blacklisted domains and report for CVE-exposure or misconfiguration findings.

🟠 Palo Alto Cortex XDR

What you gain: SwarmHawk inserts external alerts into Cortex XDR's investigation timeline, mapped to MITRE ATT&CK techniques. Your SOC analysts see domain-level exposure findings alongside endpoint detections — in the same pane of glass.

MITRE ATT&CK mapping

🎫 Jira

What you gain: SwarmHawk creates fully-structured Jira tickets in Atlassian Document Format (ADF) — with tables, bullet lists, and headings. Each ticket includes everything the assignee needs to remediate without ever opening SwarmHawk.

What's in each ticket

• Risk summary table — domain, score, CVSS, country, domain age, phishing risk, blacklist status, email security score
• Threat classification — bulleted list of identified threat types
• CVE table — CVE ID | CVSS | Severity for each vulnerability found
• Software stack table — detected product + version (what needs patching)
• Failed checks list — every check that returned critical or warning
• Per-check remediation steps — e.g. "dmarc: Add DMARC DNS record: v=DMARC1; p=quarantine; rua=..."
• NIS2 compliance note — added automatically when risk ≥ 70

Labels are auto-set: swarmhawk easm nis2 phishing-vector cz — enabling sprint filters and SLA tracking.

Only fires for domains with risk_score ≥ 70 or max_cvss ≥ 7.0 — no ticket noise for low-risk findings.

🔧 ServiceNow

What you gain: SwarmHawk creates ServiceNow incidents with business risk framing, NIS2 compliance references, urgency/impact auto-mapped from risk score, and per-check remediation steps with SLA guidance.

Urgency / Impact mapping

📡 Webhook / REST API

Configure a webhook URL in Account → Integrations → Webhook. SwarmHawk will POST a fully-enriched JSON payload to your endpoint each time a scan completes for a high-risk domain (risk ≥ 70). Use this to build Slack alerts, PagerDuty incidents, custom dashboards, or SOAR automations.

POST https://your-endpoint.com/swarmhawk-hook
Content-Type: application/json
X-SwarmHawk-Signature: sha256=<hmac>

{
  "event":               "scan.completed",
  "domain":              "target.cz",
  "risk_score":          87,
  "max_cvss":            9.1,
  "priority":            "CRITICAL",
  "critical_count":      4,
  "threat_types":        ["phishing_vector", "unpatched_cve"],
  "phishing_risk":       true,
  "blacklisted":         false,
  "cve_ids":             "CVE-2024-1234, CVE-2023-5678",
  "software_names":      "Apache 2.4.51, OpenSSL 1.0.2",
  "failed_checks":       ["ssl", "dmarc", "headers"],
  "email_security_score": 0,
  "country":             "CZ",
  "timestamp":           "2026-03-30T09:12:00Z"
}

Signature verification (Python)

import hmac, hashlib
from flask import Flask, request, abort

app    = Flask(__name__)
SECRET = b"your_webhook_secret"

@app.post("/swarmhawk-hook")
def handle():
    sig      = request.headers.get("X-SwarmHawk-Signature", "")
    expected = "sha256=" + hmac.new(SECRET, request.data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        abort(403)
    payload = request.json
    # Route by priority
    if payload["priority"] == "CRITICAL":
        page_oncall(payload)
    elif "phishing_vector" in payload["threat_types"]:
        alert_security_team(payload)
    return {"ok": True}

⚡ STIX / TAXII 2.1

What you gain: SwarmHawk serves your critical domain findings as a STIX 2.1 bundle via a TAXII 2.1-compliant endpoint. Any threat intel platform — MISP, OpenCTI, Anomali, Recorded Future — can ingest it natively.

TAXII endpoints

GET /taxii/collections/
Authorization: Bearer swh_YOUR_SESSION_TOKEN

GET /taxii/collections/swarmhawk/objects/?min_risk=70&limit=100
Authorization: Bearer swh_YOUR_SESSION_TOKEN

STIX object types generated

• domain-name — each monitored domain with scan timestamps
• vulnerability — each CVE found, with CVSS score and NVD reference
• relationship — domain-name has vulnerability edges

Full Field Mapping Reference

NIS2 Compliance Findings

Pull per-article NIS2 findings for a domain via GET /domains/{id}/nis2. Each finding includes the article reference, pass/fail, and remediation guidance — import directly into Sentinel workbooks or Splunk ES compliance dashboards.

Need Help?

For enterprise integration support or custom SIEM connectors, contact sales@swarmhawk.com or open a ticket from the Contact page.

Intelligence Feeds

SwarmHawk enriches every scan with multiple external threat intelligence sources — several of which are completely free with no API key required. This section documents each feed, its coverage, and how to enable it.

CISA KEV — Known Exploited Vulnerabilities

The CISA Known Exploited Vulnerabilities catalog is maintained by the US Cybersecurity and Infrastructure Security Agency. It lists every CVE that has been confirmed as actively exploited in the wild — not just theoretically dangerous, but actually used in real attacks right now.

What SwarmHawk does with it

• At startup and every 24 hours, SwarmHawk fetches the full KEV list (~1,200+ CVEs)
• During every Tier 1 and Tier 2 scan, all detected CVEs are checked against the KEV list
• Any domain running software with a KEV CVE is immediately boosted to risk_score = 95, priority = CRITICAL — regardless of CVSS score
• The daily run_kev_refresh_job() (06:00 Prague) re-scores all existing domains within minutes of CISA adding a new entry to the catalog

Why this matters

A CVE with CVSS 7.5 is "high severity." A CVE with CVSS 7.5 that is in the KEV catalog means attackers have automated exploit tools for it and are using them in active campaigns right now. SwarmHawk treats these categorically differently.

EPSS — Exploit Prediction Scoring System

EPSS (Exploit Prediction Scoring System) is published by FIRST.org and assigns every CVE a probability from 0.0 to 1.0 indicating how likely it is to be exploited in the wild within 30 days. Unlike CVSS (which measures severity), EPSS measures likelihood.

EPSS thresholds in SwarmHawk

EPSS scores are fetched in bulk (up to 100 CVEs per API call) and cached for 24 hours. The API is free with no key required.

OSV.dev — Open Source Vulnerability Database

OSV.dev is Google's open-source vulnerability database covering 17+ package ecosystems. NVD alone covers C/C++ and vendor software well but routinely lags 30–90 days behind for npm, PyPI, Go, Maven, and Rust packages. OSV.dev bridges that gap.

Ecosystems covered by SwarmHawk

During every scan, SwarmHawk takes the software fingerprint (e.g., WordPress 6.4.1) and queries OSV.dev for all known vulnerabilities in that version. CVEs found in OSV that are not yet in NVD are added to the result with "source": "osv".

Certstream — Real-Time CT Log Streaming

Certificate Transparency logs record every TLS certificate issued. Certstream streams these in real-time via a WebSocket feed. New domains appear in SwarmHawk's discovery queue within seconds of certificate issuance — vs the previous 24-hour batch via crt.sh.

How it works

• SwarmHawk connects to wss://certstream.calidog.io/ on startup
• Every new certificate → all domain names extracted → validated → inserted into domain_queue
• Domains are batched in groups of 100 to avoid database spam
• On reconnection after network failure, the worker automatically resumes

Practical impact

A threat actor registers a phishing domain (e.g., secure-yourbank-login.com) and gets a Let's Encrypt cert. SwarmHawk sees it within 10–30 seconds via Certstream and begins scanning. Previously this would take up to 24 hours.

Configuration

BGP / ASN Expansion

Given a root domain, SwarmHawk can discover every other FQDN in the same organisation's IP space by following the chain: domain → IP → ASN → all IP prefixes → reverse DNS → new FQDNs.

How it works (BGPView API, free, no key)

Prefixes wider than /20 (more than 4,096 IPs) are skipped to avoid spending excessive time on large CDN ranges. The function is capped at 300 new domains per root domain per run.

Use case

Enterprise customers can call run_asn_discovery_job(["yourcompany.com"]) to discover every IP your organisation routes — including cloud assets, legacy servers, and acquired company infrastructure that never appeared in CT logs.

Subdomain Enumeration — Free Multi-Source

SwarmHawk enumerates subdomains using three completely free sources in parallel. SecurityTrails was originally planned here but was acquired by Recorded Future and now costs $11k–$70k/year — so SwarmHawk uses better free alternatives instead.

Setup

crt.sh and HackerTarget work automatically with zero configuration.

VirusTotal (optional, adds coverage): Register free at virustotal.com → API Key → add to Render as VIRUSTOTAL_API_KEY=your_key

Example output

Discovered subdomains are ingested with source = "securitytrails" (legacy field name preserved) and scanned by the next Tier 1 batch run.

Censys — Internet-Wide Host Scan Data

Censys continuously scans the entire IPv4 internet and indexes the results. For any IP or organisation, you can retrieve open ports, service banners, TLS certificates, and autonomous system information — without touching the target.

Free community tier

• 250 Search queries/day — no credit card required
• Register at censys.io/register
• Go to Account → API Access → copy API ID and Secret
• Add to Render: CENSYS_API_ID=xxx and CENSYS_API_SECRET=yyy

What SwarmHawk uses it for

• censys_search_org("Company Name") — finds all hosts registered under an organisation's ASN
• censys_get_host("1.2.3.4") — enriches a scan result with full port/service/banner detail from Censys's passive scan data

Example host record

Nuclei — Active Vulnerability Validation

Nuclei is an open-source vulnerability scanner from ProjectDiscovery. The full template library has 11,000+ entries; SwarmHawk uses the ~3,000 templates applicable to unauthenticated external scanning — CVEs, exposed admin panels, misconfigurations, and default credentials. SwarmHawk uses it to actively confirm whether a vulnerability is exploitable, eliminating false positives from passive NVD version-range lookups.

How SwarmHawk uses Nuclei

• Every user domain scan runs nuclei as a standard check alongside the other 22 checks
• Tier 2 pipeline scans also run nuclei for all domains with risk_score ≥ 30
• Templates used: cve, exposure, misconfig, default-logins — intrusive and authenticated templates are excluded
• Each finding is an active proof: nuclei sends a real HTTP/TCP request and confirms the exploit path in the response — not a version inference
• Confirmed findings get "confirmed": true in the CVE list and a nuclei_findings array with matched URLs
• High/critical confirmed findings boost risk_score by up to +15 points
• If the nuclei binary is not installed, the check silently returns ok — all other checks continue normally

Installation

Configuration

If the nuclei binary is not in PATH, SwarmHawk silently skips active scanning — all other intelligence feeds continue to work normally.

Real-Time Alerts — Server-Sent Events

SwarmHawk's dashboard receives push notifications for new high-risk findings via Server-Sent Events (SSE) — a persistent HTTP connection over which the server can push data at any time without polling.

Endpoint

JavaScript client example

Event payload fields

OSINT Intelligence Checks

SwarmHawk now includes four open-source intelligence (OSINT) checks powered by public APIs and the Agent-Reach intelligence framework. These run automatically on every scan alongside the 23 standard checks — no extra configuration needed unless you want higher GitHub rate limits.

GitHub PoC Hunter (github_poc)

After fingerprinting the domain's tech stack (server header, X-Powered-By, WordPress/Drupal/Joomla signals, and meta generator tags), SwarmHawk searches GitHub's repository index for public proof-of-concept exploit code targeting those exact products and versions.

How it works

• Fingerprints up to 5 software components from live HTTP responses
• Queries github.com/search/repositories for each: {product} {version} exploit poc
• Filters results to repositories updated after January 2023 with exploit/PoC keywords in name or description
• Severity escalates to CRITICAL if any repo has more than 100 stars (weaponised, widely used exploit code)
• Severity is WARNING for newer, lower-star repos (emerging PoC, not yet widely weaponised)

What this means for you

Most vulnerability scanners tell you a CVE exists. SwarmHawk tells you whether there is public working exploit code for it on GitHub right now — the difference between a theoretical risk and something an attacker can deploy in minutes.

Rate limits & GitHub Token

Without a GitHub token, the GitHub Search API allows 10 requests/minute. Each github_poc check uses up to 3 requests (one per detected software component). For production deployments scanning many domains, add a GitHub personal access token:

Contact Discovery (contact_discovery)

This check determines whether the domain's owner has published a security contact — a critical prerequisite for responsible disclosure and fast incident response. It follows a two-step discovery process.

Step 1 — RFC 9116 security.txt

SwarmHawk checks both canonical locations for a security.txt file:

If found with a valid Contact: field, the check returns OK and extracts all contact methods (email, URL, phone). An additional warning is shown if the Expires: field is missing (required by RFC 9116).

Step 2 — Jina Reader web scan

If no security.txt is found, SwarmHawk uses Jina Reader (https://r.jina.ai/) to fetch a plain-text version of the domain's /contact, /about, /security, and homepage, then scans for email addresses using a regex pattern. Found emails are surfaced as a WARNING alongside a recommendation to publish a proper security.txt.

Why this is a security check

GDPR Article 33 requires organisations to report data breaches within 72 hours. NIS2 Article 23 mandates early warning within 24 hours of a significant incident. If researchers or threat intelligence teams cannot find a contact for your domain, they have no way to alert you — and attackers can stay undetected longer.

CISA KEV Direct Matching (threat_feeds)

While SwarmHawk already boosts risk scores for KEV CVEs found during vulnerability scanning, the threat_feeds check takes a different approach: it fingerprints the live software stack and directly looks up each detected product against all 1,200+ CISA KEV entries — without needing a prior CVE detection step.

Why this is different from the standard CVE check

Severity thresholds

• CRITICAL (+18): Any KEV match linked to active ransomware campaigns, or 3+ total matches
• WARNING (+10): 1–2 matches, no ransomware campaigns confirmed

Performance

The KEV catalog (~1.2 MB JSON) is fetched once and cached in-process for 6 hours. Each scan performs the matching locally with zero additional network requests.

GitHub Credential Leak Scan (github_leaks)

This check searches all publicly indexed GitHub code for files that mention your domain alongside credential-related keywords. It catches accidental commits of configuration files, .env files, database connection strings, and API credentials — often before the organisation itself is aware.

Search query

Severity thresholds

• CRITICAL (+20): 5 or more public files found — systematic exposure or a widely-forked repository containing credentials
• WARNING (+12): 1–4 files found — isolated exposure, likely an accidental commit or copied configuration file
• OK: No matches found

False positives

The check flags any file containing the domain name with credential keywords — it cannot read file contents via the Search API and cannot confirm whether the values are real credentials or placeholder examples. Always review each linked file before taking action. A finding here means "investigate urgently", not automatically "you are breached".

GitHub Token

The GitHub Code Search API requires authentication for production use. Without a token, searches may return HTTP 403 after 10 requests/minute, at which point the check returns an informational result rather than a false negative. Add GITHUB_TOKEN to your Render environment variables to enable reliable scanning.

FAQ

How long does the first scan take?

The Tier 1 scan (DNS, SSL, basic reachability) completes in under 60 seconds. The deeper Tier 2 scan (port scan, breach data, full TLS analysis) typically takes 3–8 minutes and runs automatically in the background.

Does SwarmHawk scan subdomains?

Yes. When you add a root domain like example.com, SwarmHawk queries certificate transparency logs to discover subdomains and adds them to the scan queue. You'll see them appear in your domain list automatically.

How do I prove domain ownership?

Currently SwarmHawk does not require ownership proof for individual domains on paid plans. For Enterprise accounts scanning large portfolios, a verification step may be required — contact us to discuss.

Is my scan data private?

Yes. Your domain list and scan results are private to your account. Scan results are never shared with other users or used to populate any public dataset. See our Privacy Policy for full details.

What happens if a scan fails?

If a domain is unreachable (e.g. DNS fails), SwarmHawk marks the scan as error and retries automatically on the next scan cycle. Persistent failures are flagged in your dashboard as a critical finding: "Domain unreachable."

Can I whitelist SwarmHawk's scanner IPs?

Yes. Contact support to receive the current list of scanner egress IPs. This is useful if your infrastructure blocks external scanners or if you want to ensure SwarmHawk's requests are never rate-limited by your firewall.

How do I cancel my subscription?

Go to Account → Billing → Manage Subscription. You can cancel at any time. Your plan remains active until the end of the current billing period, then drops to Free tier.

I'm a hosting provider. How does the Bulk Feed work?

Use GET /feed/domains with your admin API key to pull scan results for all domains in your account. Add ?since=2026-03-01T00:00:00Z to pull only results updated after a given timestamp — ideal for incremental sync into your own database or dashboard.

Where can I get support?

Email hello@swarmhawk.com, open a ticket from the Account tab, or check the Contact page. Enterprise accounts have a dedicated Slack channel and a named support engineer.

Last updated March 2026 · swarmhawk.com · Privacy · Terms