Cybersecurity Research Project

scanhawk

Passive internet survey — aggregate technology adoption & security posture of the public web.

What this is

scanhawk is a research-purpose internet scanner. Once per cycle we issue a single passive HTTP/HTTPS request to publicly listed web domains and record headers, server metadata, and small body snippets. The collected data feeds aggregate statistics about web technology adoption, software versions, known vulnerabilities (NVD/CVE), and email security posture.

It is comparable in posture to projects like Censys, Rapid7 Project Sonar, and Shodan — smaller in scale, identical in intent. Output is statistical, not per-customer, and informs public reporting and internal defensive research.

What we do

Single HTTP/HTTPS GET per domain, per cycle
Read response headers + first 128 KB of body
Identify ourselves via User-Agent + reverse DNS
Public scan policy + abuse contact
Honor opt-out requests within 24 hours
Hard-cap at 200 req/s globally, 5 req/s per /24

What we DON'T do

No authentication, no POST/PUT
No fuzzing, no exploitation, no payloads
No port scanning beyond 80/443
No subdomain brute-force
No long-lived connections
Never scan governmental or military zones

How to identify our traffic

Our scanner is transparent and fully traceable:

Source IP: 37.187.253.48 (Hetzner-OVH Strasbourg, FR)
Reverse DNS: currently the OVH default ns347344.ip-37-187-253.eu; will be reconfigured to scanner1.scanhawk.net once the domain is live
HTTP User-Agent: Mozilla/5.0 (compatible; scanhawk/0.1; +https://scanhawk.net/scanner)

For each domain, per cycle, scanhawk performs exactly these requests:

DNS queries against public resolvers (1.1.1.1, 8.8.8.8): A / AAAA / MX / NS / SOA / CAA, plus TXT records on example.com (SPF), _dmarc.example.com (DMARC), {15 known selectors}._domainkey.example.com (DKIM), _mta-sts.example.com, _smtp._tls.example.com, default._bimi.example.com
HTTP GET on port 80: single request to /, body capped at 128 KB, max 2 redirects, 8 second timeout. Plus 6 GETs to well-known paths to detect exposed configuration files publicly accessible: /.well-known/security.txt, /.git/HEAD, /.env, /server-status, /phpinfo.php, /wp-admin/
TLS handshake on port 443 (no application data sent — only ClientHello to capture certificate metadata: issuer, validity, key bits, signature algorithm, SAN list)
RDAP query to the TLD registry's RDAP server (per IANA bootstrap) for registrar / registration metadata

That's all. No POST, no authentication, no fuzzing, no other paths, no other ports. The scanner closes connections after each response.

Opt out

Domain opt-out (instant, automated): submit your domain at /optout. No email, no verification step, no manual review — the domain (and all subdomains) is added to the permanent skip list and any prior scan data is erased from our database immediately.

IP / CIDR opt-out: ranges cannot be self-served safely (no automatic ownership proof). Email admin@swarmhawk.com with the range and a quick line about your authority over it. Processed within 24 hours.

Permanent exclusions

The following zones are hardcoded skip patterns in our discovery aggregator and are never probed:

*.gov *.mil *.bund.de *.gv.at *.gov.uk *.gov.cz *.gouv.fr

Privacy & GDPR

scanhawk only records data that domains publish to the open Internet — DNS records, HTTP headers, certificate fingerprints, and short HTML snippets returned to anonymous clients. We do not collect personally identifying data beyond what registrars themselves publish via WHOIS / RDAP. Erasure requests for any indexed data are honored automatically via the /optout form (domains) or by writing to admin@swarmhawk.com (IP / CIDR ranges).

Contact

scanhawk is an independent passive-survey research project. The output is statistical and published periodically to inform defensive security decisions across the industry.

For operational and abuse questions: admin@swarmhawk.com