Shadowspotter documentation
Shadowspotter is a domain-intelligence platform: it indexes domains, DNS records, TLS certificates, WHOIS records and HTTP responses from across the public internet and exposes them through a fast, expressive search interface. You can save any query as a detection that runs in the background and triggers a notification (email, Slack, webhook, …) whenever a new match shows up.
Where to start
- Query language — the syntax used in both the search bar and detections, the available entities, and every searchable field.
- Detections — saving a query so it runs continuously and notifies you on new matches.
- Notifications — what to do when a detection fires (email, Slack, custom webhook).
- Profile — managing your account, avatar and API key.
- Internet-wide scanning — what we scan, why, and how to identify or block our traffic.
Core concepts
| Concept | Description |
|---|---|
| Entity | A category of records: domain, whois, dns, cert or http. Every query targets one or more entities. |
| Query | A ShadowLang expression that filters records, e.g. registrar:*NameCheap* creation_date:2024-01-01+. |
| Detection | A stored query that runs in the background and produces detection results when new matches appear. |
| Notification | An automation triggered by a detection — an email, a Slack message or any other configured template. |
| Tag | A label attached to a domain. Tags can be queried using the tag field and are useful for grouping known assets or known-bad infrastructure. |
| Subscription | Your plan. Determines which entities and fields you can query, the time range of historical data, and your detection / notification quotas. |
Subscriptions at a glance
The Free plan lets you explore single-entity queries and create one detection.
Paid plans (Researcher and Pro) unlock multi-entity queries,
advanced fields (fuzzy_domain, lexical features), the HTTP entity and longer
historical data windows. Enterprise adds API access and unlimited quotas.
See pricing for the current breakdown.