God's Eye

AI-powered attack-surface discovery & offensive security
in a single Go binary. Terminal-only. Zero cloud.

Interactive wizard walkthrough

Zero-flag launch → AI tier → model check → target → profile → live scan. Recorded live against scanme.nmap.org.



⚡ 30-second quickstart

git clone https://github.com/Vyntral/god-eye && cd god-eye
go build -o god-eye ./cmd/god-eye
./god-eye

That's it. Running ./god-eye with no flags launches an interactive wizard that:

  1. Asks which AI tier you want (lean / balanced / heavy / none)
  2. Checks Ollama, downloads missing models for you
  3. Asks for your target, validates it, applies a scan profile
  4. Streams colorized events live as the scan runs

Prefer one-liners? You're covered:

./god-eye -d target.com --pipeline --profile bugbounty --live
./god-eye -d target.com --pipeline --enable-ai --ai-profile heavy --nuclei --live
./god-eye -d target.com --pipeline --profile asm-continuous --monitor-interval 24h

🎯 What makes God's Eye different

Every OSS recon tool picks a lane: passive subdomain enum, or vuln scanning, or fingerprinting. You end up chaining four tools with Bash + jq and praying nothing breaks. God's Eye v2 is the whole pipeline in a single binary, with an AI layer that no other OSS scanner has.

Six things no competitor does in one command

  • 🧙 Interactive wizard: zero-flag launch that walks you through setup.
  • 🤖 Local LLM CVE correlation: the Ollama cascade maps detected tech → real CVEs, offline.
  • 🎚️ AI tier presets: lean / balanced / heavy picks models for your RAM.
  • 📥 Auto-managed Nuclei templates (13k): god-eye nuclei-update downloads and refreshes the cache.
  • 🛰️ Auto-pull of Ollama models: missing models are streamed from the registry.
  • 🔄 ASM continuous monitoring: scheduler + diff engine + webhooks built in.

A concrete example — what you get in one command

Running ./god-eye -d scanme.nmap.org --pipeline --profile bugbounty --ai-profile balanced --live surfaces in under 2½ minutes:

  • ✅ Full passive subdomain enumeration (26 sources, no API keys)
  • ✅ HTTP probe + technology fingerprint (Apache/2.4.7 (Ubuntu))
  • ✅ TLS analysis + appliance fingerprint (25+ vendors)
  • ✅ AI-assisted CVE correlation (Apache 2.4.7 → CVE-2026-34197 (CRITICAL/9.8) +4 more)
  • ✅ Security header audit (OWASP Secure Headers Project aligned)
  • ✅ JS secret extraction (regex + filter against noise)
  • ✅ Subdomain takeover check (110+ signatures)
  • ✅ Cloud asset discovery (S3, GCS, Azure, Firebase)

No subfinder | httpx | nuclei | tee | jq pipeline. No glue scripts. One binary.

See the live, reproducible benchmark: BENCHMARK-SCANME.md.


🧙 The wizard

═══════════════════════════════════════════════════════════
  God's Eye v2 — interactive setup
  Ctrl-C to abort at any time.
═══════════════════════════════════════════════════════════

? Select AI tier
  ▸ 1) Lean     — 16GB RAM · qwen3:1.7b + qwen2.5-coder:14b (default)
    2) Balanced — 32GB RAM · qwen3:4b + qwen3-coder:30b (MoE, 256K ctx)
    3) Heavy    — 64GB RAM · qwen3:8b + qwen3-coder:30b (max quality)
    4) No AI    — Pure recon without LLM analysis
  Choice [1]: 2

⚙ Checking Ollama at http://localhost:11434…
  ↓ Missing models: qwen3:4b, qwen3-coder:30b
? Download missing models now? [Y/n] y
↓ qwen3:4b            100%  2.5GB / 2.5GB  ✓ ready
↓ qwen3-coder:30b     100%  17GB / 17GB    ✓ ready

? Target domain
  > target.com

? Select scan profile
    1) Quick          — passive enum + HTTP probe, no brute
  ▸ 2) Bug bounty     — full recon, AI + all features (default)
    3) Pentest        — full recon + light stealth
    4) ASM continuous — recurring scans with diff + alerts
    5) Stealth max    — paranoid evasion

? Enable live event view? [Y/n] y
? Log every AI query to stderr? [y/N] y
? Save report to file (empty to skip)
  > report.json

─── Scan summary ───
  Target           target.com
  Scan profile     bugbounty
  AI tier          balanced
  AI auto-pull     yes
  AI verbose       yes
  Live view        yes (v=1)
  Output           report.json (format=json)

? Start scan? [Y/n]

Force the wizard even when -d is set:

./god-eye --wizard -d target.com

When stdin is not a TTY (CI, pipes), the wizard auto-skips — one binary, two modes.

Live event stream

Live colorized event stream — every finding appears as it's discovered.


🔍 What it finds

🛰️ Discovery — 11 module types, 26 passive sources

Full source list — all key-less / free

crt.sh · Certspotter · AlienVault · HackerTarget · URLScan · RapidDNS · Anubis · ThreatMiner · DNSRepo · SubdomainCenter · Wayback · CommonCrawl · Sitedossier · Riddler · Robtex · DNSHistory · ArchiveToday · JLDC · SynapsInt · CensysFree · BufferOver · DNSDumpster · Omnisint · HudsonRock · WebArchiveCDX · Digitorus

Active techniques:

  • DNS brute-force with opportunistic wildcard detection and per-host filtering
  • Recursive pattern learning — learns naming conventions from found hosts
  • DNS permutation (alterx-style, opt-in) — api → api-v2, stg-api, api.dev, etc.
  • AXFR zone-transfer attempted against every authoritative name-server
  • Reverse DNS ±16 sweep around every resolved IP (opt-in)
  • Virtual host discovery (opt-in)
  • ASN/CIDR expansion (opt-in)
  • Certificate Transparency live polling (opt-in)
  • GitHub code dorks (honors GITHUB_TOKEN env var for higher rate limits)
  • Supply-chain recon — npm + PyPI packages referencing target brand

🧬 Enrichment

  • HTTP/HTTPS probing — status, title, content length, server, response time
  • Technology fingerprinting (WordPress, React, Next.js, Angular, Laravel, Django, …)
  • TLS appliance fingerprinting for 25+ vendors — Fortinet FortiGate, Palo Alto PAN-OS, Cisco ASA, F5 BIG-IP, SonicWall, Check Point, pfSense, OPNsense, Juniper SRX, OpenVPN, Pulse Secure, GlobalProtect, Citrix NetScaler, …
  • Internal-hostname extraction from certificate SANs
  • TCP connect port scan on common ports

🛡️ Vulnerability detection

  • Header audit: HSTS · CSP · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy. OWASP-aligned with remediation text.
  • Surface misconfigs: open redirect · CORS wildcards · dangerous HTTP methods · Git/SVN exposure · backup-file discovery · admin/API-endpoint enumeration
  • Takeover: 110+ fingerprints: GitHub Pages, S3, CloudFront, Heroku, Netlify, Vercel, Azure Web Apps, Shopify, …
  • GraphQL: introspection-enabled detection + mutation-enabled flag (v2 native)
  • JWT: alg=none, excessive expiry, kid-injection, weak-HMAC crack (v2 native)
  • HTTP smuggling: CL.TE / TE.CL timing probe, non-destructive (v2 native, opt-in)
  • Cloud assets: S3 / GCS / Azure Blob / Firebase enumeration
  • Secret extraction: regex + entropy + validation. FP denylist for third-party APIs and UI strings.
  • Nuclei compat: ~13k community templates, HTTP subset, auto-scope-filtered (no off-host false positives)

🧠 AI layer

  • Local LLM via Ollama — fully private, no API keys, no cloud.
  • Six event-driven handlers — CVE correlation · JavaScript secret validation · HTTP response anomaly analysis · Secret filtering · Multi-agent vulnerability enrichment · End-of-scan anomaly detection + executive report
  • End-of-scan AI brief — a framed terminal summary with severity totals, top exploitable chains, AI agent contributions, executive prose, and recommended next actions
  • Content-hash cache so the same tech detected on 10 hosts fires one Ollama call, not ten
  • Three tuned profiles:
    Tier     | Triage model | Deep model            | RAM  | Context
    lean     | qwen3:1.7b   | qwen2.5-coder:14b     | 16GB | 32K
    balanced | qwen3:4b     | qwen3-coder:30b (MoE) | 32GB | 256K
    heavy    | qwen3:8b     | qwen3-coder:30b (MoE) | 64GB | 256K
  • Cascade architecture — fast triage filters ~70% of noise; deep model runs only on relevant findings. Cuts AI overhead to ~20-30% of total scan time.
  • 8 specialized agents (multi-agent mode): XSS, SQLi, Auth, API, Crypto, Secrets, Headers, General.
  • Automatic CVE correlation — offline CISA KEV (~1500 actively-exploited CVEs) + online NVD function-calling fallback.
  • Auto-pull of missing models — no manual ollama pull.
  • --ai-verbose streams every query to stderr for observability.
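The triage → deep cascade with a content-hash cache described above, as an added Go example that is not the project's own code. The triage and deep functions are stand-ins (assumed here: triage keeps anything that carries a version string, deep returns a fixed correlation note) where the real tool would call Ollama; the Finding type and the host names are constructed for the example:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// Finding is one "technology detected on host" event. Constructed shape for this
// example, not the project's own event type.
type Finding struct {
	Host string
	Tech string // e.g. "Apache/2.4.7"
}

// Cascade runs a cheap triage stage before an expensive deep stage and caches the
// deep result under a hash of the normalized content, so ten hosts reporting the
// same tech string cost one deep call.
type Cascade struct {
	mu          sync.Mutex
	cache       map[string]string // content hash -> deep result ("" = triage dropped it)
	triage      func(tech string) bool
	deep        func(tech string) string
	TriageCalls int
	DeepCalls   int
}

func NewCascade(triage func(string) bool, deep func(string) string) *Cascade {
	return &Cascade{cache: map[string]string{}, triage: triage, deep: deep}
}

// contentHash normalizes case and whitespace so "apache/2.4.7 " and "Apache/2.4.7"
// share one cache key.
func contentHash(tech string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(tech))))
	return hex.EncodeToString(sum[:])
}

// Analyze returns the deep-stage result for a finding, or "" when triage judged it
// irrelevant. The lock is held across the model calls on purpose: concurrent events
// for the same tech wait for the first result instead of each calling the model.
func (c *Cascade) Analyze(f Finding) string {
	key := contentHash(f.Tech)
	c.mu.Lock()
	defer c.mu.Unlock()
	if r, ok := c.cache[key]; ok {
		return r
	}
	c.TriageCalls++
	if !c.triage(f.Tech) {
		c.cache[key] = ""
		return ""
	}
	c.DeepCalls++
	r := c.deep(f.Tech)
	c.cache[key] = r
	return r
}

// CacheSize reports how many distinct content hashes have been seen.
func (c *Cascade) CacheSize() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.cache)
}

// sampleFindings is constructed input: ten hosts with the same Apache banner (in
// mixed case and spacing) and two with a versionless framework name.
func sampleFindings() []Finding {
	var fs []Finding
	for i := 1; i <= 10; i++ {
		tech := "Apache/2.4.7"
		if i%2 == 0 {
			tech = "apache/2.4.7 "
		}
		fs = append(fs, Finding{Host: fmt.Sprintf("host%02d.example.test", i), Tech: tech})
	}
	return append(fs,
		Finding{Host: "app.example.test", Tech: "React"},
		Finding{Host: "www.example.test", Tech: "react"},
	)
}

// Demo wires stand-in model functions (assumed): triage keeps anything carrying a
// version (has a "/"), deep "correlates" it. Replace both with real Ollama calls.
func Demo() *Cascade {
	c := NewCascade(
		func(tech string) bool { return strings.Contains(tech, "/") },
		func(tech string) string { return "correlate " + strings.TrimSpace(tech) + " against the CVE feed" },
	)
	for _, f := range sampleFindings() {
		c.Analyze(f)
	}
	return c
}

func main() {
	c := Demo()
	fmt.Printf("findings=%d triage calls=%d deep calls=%d distinct=%d\n",
		len(sampleFindings()), c.TriageCalls, c.DeepCalls, c.CacheSize())
}
```

With twelve findings the cascade makes two triage calls and one deep call: the ten Apache hosts collapse to one key, and the two React hosts collapse to one key that triage drops before the deep model is ever invoked.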

🔄 Continuous monitoring (ASM)

./god-eye -d target.com --pipeline --profile asm-continuous \
  --monitor-interval 24h --monitor-webhook https://hooks.slack.com/...

  • Interval-based re-scans with diff engine (9 change kinds: new_host, removed_host, new_ip, removed_ip, status_change, tech_change, new_vuln, cleared_vuln, cert_change, new_takeover)
  • Webhook (generic JSON POST) + stdout alerter. Slack/Discord/Linear adapters planned.

🥷 Stealth — 4 levels

  Mode       | Threads | Delay    | Rate  | Use case
  light      | 100     | 10-50ms  | 100/s | Avoid basic rate limits
  moderate   | 30      | 50-200ms | 30/s  | Evade WAF detection
  aggressive | 10      | 200ms-1s | 10/s  | Sensitive targets
  paranoid   | 3       | 1-5s     | 2/s   | Maximum evasion

All modes use: UA rotation (25+), request randomization, DNS query distribution, per-host throttling, 50-70% timing jitter (aggressive+), adaptive backoff on error-rate spikes.


🧠 AI integration

God's Eye v2 is the only open-source recon tool that ships LLM-assisted CVE correlation out of the box, running entirely on your machine.

One-shot setup

# 1. Install Ollama (one-time)
curl https://ollama.ai/install.sh | sh
ollama serve &

# 2. Let the wizard pull your tier's models automatically
./god-eye

Or manually:

# Lean (default, 16GB RAM) — tried and tested
ollama pull qwen3:1.7b && ollama pull qwen2.5-coder:14b

# Balanced (32GB RAM, MoE 30B — the sweet spot)
ollama pull qwen3:4b && ollama pull qwen3-coder:30b

# Heavy (64GB+ RAM, top quality)
ollama pull qwen3:8b && ollama pull qwen3-coder:30b

Why MoE matters

qwen3-coder:30b is a Mixture-of-Experts model: 30B total parameters, only 3.3B active per token. You get dense-30B quality at the inference speed of a dense-3B model, with a 256K context window — enough to ingest entire JS bundles + long HTTP bodies in a single prompt.

Complete AI guide: AI_SETUP.md


🎯 Nuclei integration

13,023 community templates auto-downloaded and executed through a compat layer:

# One-time: download + extract templates (~40MB, ~15 seconds)
./god-eye nuclei-update

# Or let the scan auto-download on first use
./god-eye -d target.com --pipeline --nuclei --live

Supported subset (≈ 65-70% of community templates):

  • http: / requests: protocols
  • Matchers: word · regex · status · size (with part: header/body/response, condition: and/or, negative matching)
  • Templating: {{BaseURL}} · {{Hostname}} · {{RootURL}}

Out of scope (templates auto-skipped):

  • DNS / SSL / network / headless / code / workflow protocols
  • Payloads, fuzzing, DSL matchers
  • Off-host templates (OSINT-style user lookups on third-party services)

🧩 The wizard walks you through everything. Power users get every knob.

Core flags:
  -d, --domain string        Target domain
  -c, --concurrency int      Workers (default 1000)
  -t, --timeout int          Per-request timeout (default 5s)
  -o, --output string        Output file
  -f, --format string        txt | json | csv
  -s, --silent               Suppress console output
  -v, --verbose              Verbose logs

Pipeline (v2):
      --pipeline             Use v2 event-driven pipeline
      --wizard               Force interactive setup (even with -d set)
      --profile string       bugbounty | pentest | asm-continuous | stealth-max | quick
      --config string        Path to YAML config (auto-discovers ~/.god-eye/config.yaml)
      --live                 Colorized live event stream
      --live-verbosity int   0 (findings) | 1 (normal) | 2 (noisy)

AI:
      --enable-ai            Turn on AI cascade
      --ai-profile string    lean | balanced | heavy
      --ai-url string        Ollama URL (default http://localhost:11434)
      --ai-fast-model str    Triage model tag
      --ai-deep-model str    Deep-analysis model tag
      --ai-cascade           Use triage→deep cascade (default true)
      --ai-deep              Skip triage, always run deep
      --multi-agent          Enable 8-agent orchestration
      --ai-verbose           Log every Ollama query to stderr
      --ai-auto-pull         Auto-download missing models (default true)

Nuclei:
      --nuclei               Run Nuclei-format templates
      --nuclei-templates str Template directory override
      --nuclei-auto-download Auto-fetch templates from GitHub (default true)

Stealth:
      --stealth string       light | moderate | aggressive | paranoid
      --proxy string         Outbound proxy URL. Supports http://, https://, socks5://, socks5h:// (Tor). Basic auth via http://user:pass@host.

Monitoring:
      --monitor-interval X   Re-scan every X (e.g. 24h, 6h)
      --monitor-webhook URL  POST diff reports to URL

Subcommands:
  update-db                  Refresh CISA KEV CVE cache
  db-info                    Show KEV cache status
  nuclei-update              Refresh nuclei-templates ZIP cache

Full list: ./god-eye --help • Full cookbook: EXAMPLES.md


📊 Competitive landscape

On scanme.nmap.org (Nmap's authorized test host) — see full methodology in BENCHMARK-SCANME.md.

Capability                  | God's Eye v2 | Subfinder | Amass | Assetfinder | Findomain | BBOT | Nuclei

Discovery
  Passive sources           | 26           | 30+       | 20+   | 8           | 15        | 40+  |
  DNS brute-force
  Permutation (alterx)
  AXFR / ASN

Enrichment
  HTTP probe + tech
  TLS appliance fingerprint

Vulnerability
  Headers / CORS / redirect
  Takeover (110+)
  GraphQL introspection
  JWT analyzer + crack
  HTTP smuggling probe
  Cloud assets (S3/GCS)
  Nuclei templates          | ✅ subset    |           |       |             |           |      | ✅ full

AI
  Local LLM analysis
  Multi-agent orchestration
  Auto-pull models
  AI CVE correlation

Ops
  Interactive wizard
  Continuous monitoring + diff
  Webhook alerts
  Event-driven plugin arch
  Stealth profiles (4 levels)

Honest positioning

Where God's Eye v2 wins:

  • AI-assisted CVE correlation — no other OSS scanner does Apache 2.4.7 → CVE-2026-34197 (CRITICAL/9.8) +4 more automatically.
  • Single-binary full-pipeline workflow — replaces subfinder | httpx | nuclei | katana + Bash glue.
  • Interactive wizard + auto-managed dependencies (Ollama models, Nuclei templates).
  • ASM continuous mode — scheduler + diff + webhooks out of the box.

Where competitors still beat us:

  • Pure passive speed — assetfinder and subfinder are 3-5 s on single-host targets. We're slower because we also probe + analyze.
  • Nuclei template breadth — full nuclei CLI runs DNS/SSL/network/headless templates too; our compat layer is HTTP-only (~70% coverage).
  • Amass ASN graph depth — unmatched for multi-asset infrastructure reconstruction.
  • BBOT module count — 100+ Python modules vs our 29.

Full methodology and scenario runs: BENCHMARK.md.


🔁 Continuous monitoring example

./god-eye -d target.com --pipeline --profile asm-continuous \
  --monitor-interval 24h \
  --monitor-webhook https://hooks.slack.com/services/T.../B.../XXX

Every 24h the scan reruns. When the diff contains meaningful changes, the webhook fires:

{
  "target": "target.com",
  "changes": [
    {
      "kind": "new_host",
      "host": "staging-v2.target.com",
      "detected_at": "2026-04-19T08:02:14Z"
    },
    {
      "kind": "new_vuln",
      "host": "admin.target.com",
      "after": "Git Repository Exposed",
      "severity": "critical",
      "detected_at": "2026-04-19T08:04:01Z"
    }
  ]
}

Supported kind values: new_host · removed_host · new_ip · removed_ip · status_change · tech_change · new_vuln · cleared_vuln · cert_change · new_takeover.
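A receiver for this webhook payload, as an added Go example that is not part of the project: it decodes the fields shown in the sample, validates `kind` against the documented set, and surfaces takeovers and critical/high new vulnerabilities as urgent so a defender can page on those and batch the rest. The X-Webhook-Secret header check is this example's assumption (the README only describes a generic JSON POST), the `after` field on a takeover change is likewise assumed, and the sample payload is a constructed copy of the one above plus one takeover change:

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sort"
	"time"
)

// Change mirrors one element of the webhook "changes" array. The field set is read
// off the sample payload above; after/severity are only present on some kinds.
type Change struct {
	Kind       string    `json:"kind"`
	Host       string    `json:"host"`
	After      string    `json:"after,omitempty"`
	Severity   string    `json:"severity,omitempty"`
	DetectedAt time.Time `json:"detected_at"`
}

// DiffReport is the webhook body.
type DiffReport struct {
	Target  string   `json:"target"`
	Changes []Change `json:"changes"`
}

// supportedKinds is the documented kind list. Anything else is reported as unknown
// rather than silently dropped, so a producer-side rename shows up at the receiver.
var supportedKinds = map[string]bool{
	"new_host": true, "removed_host": true, "new_ip": true, "removed_ip": true,
	"status_change": true, "tech_change": true, "new_vuln": true, "cleared_vuln": true,
	"cert_change": true, "new_takeover": true,
}

// Summary is what the receiver derives from one report.
type Summary struct {
	Target  string
	ByKind  map[string]int
	Urgent  []string // page-worthy: takeovers and critical/high new vulns
	Unknown []string // kinds outside the documented set
}

// ParseReport decodes the body and rejects reports that name no target.
func ParseReport(body []byte) (DiffReport, error) {
	var r DiffReport
	if err := json.Unmarshal(body, &r); err != nil {
		return r, fmt.Errorf("decode webhook body: %w", err)
	}
	if r.Target == "" {
		return r, fmt.Errorf("webhook body has no target")
	}
	return r, nil
}

// Summarize counts changes per kind and picks out the ones worth an immediate page.
func Summarize(r DiffReport) Summary {
	s := Summary{Target: r.Target, ByKind: map[string]int{}}
	for _, c := range r.Changes {
		if !supportedKinds[c.Kind] {
			s.Unknown = append(s.Unknown, c.Kind)
			continue
		}
		s.ByKind[c.Kind]++
		switch {
		case c.Kind == "new_takeover":
			s.Urgent = append(s.Urgent, fmt.Sprintf("TAKEOVER %s (%s)", c.Host, c.After))
		case c.Kind == "new_vuln" && (c.Severity == "critical" || c.Severity == "high"):
			s.Urgent = append(s.Urgent, fmt.Sprintf("%s %s: %s", c.Severity, c.Host, c.After))
		}
	}
	sort.Strings(s.Unknown)
	return s
}

// NewHandler returns an http.Handler for the webhook URL. The shared-secret header
// is an assumption of this example; use whatever your deployment actually verifies.
func NewHandler(secret string, sink func(Summary)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		got := []byte(req.Header.Get("X-Webhook-Secret"))
		if subtle.ConstantTimeCompare(got, []byte(secret)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		body, err := io.ReadAll(io.LimitReader(req.Body, 1<<20)) // cap at 1 MiB
		if err != nil {
			http.Error(w, "read error", http.StatusBadRequest)
			return
		}
		r, err := ParseReport(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		sink(Summarize(r))
		w.WriteHeader(http.StatusNoContent)
	})
}

// samplePayload is a constructed copy of the README's example plus one takeover change.
const samplePayload = `{
  "target": "target.com",
  "changes": [
    {"kind": "new_host", "host": "staging-v2.target.com", "detected_at": "2026-04-19T08:02:14Z"},
    {"kind": "new_vuln", "host": "admin.target.com", "after": "Git Repository Exposed",
     "severity": "critical", "detected_at": "2026-04-19T08:04:01Z"},
    {"kind": "new_takeover", "host": "dev.target.com", "after": "GitHub Pages",
     "detected_at": "2026-04-19T08:05:30Z"}
  ]
}`

func main() {
	r, err := ParseReport([]byte(samplePayload))
	if err != nil {
		panic(err)
	}
	s := Summarize(r)
	fmt.Printf("%s: %v urgent=%q unknown=%q\n", s.Target, s.ByKind, s.Urgent, s.Unknown)
	// To serve: http.ListenAndServe(":8080", NewHandler(secret, func(s Summary) { /* route */ }))
}
```

Pointing --monitor-webhook at this handler gives you a place to route by kind: cert_change and status_change can go to a ticket queue, while the Urgent lines go to whoever is on call. The request body is capped and the secret compared in constant time, since the endpoint is reachable by anyone who learns the URL.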


📐 Output formats

Colorized terminal (--live)

▶ phase discovery
↳ passive:crt.sh  api.target.com
↳ passive:crt.sh  admin.target.com
↳ brute           staging.target.com
↳ axfr:ns1.target.com  internal-gw.target.com
▣ phase discovery  42.3s
▶ phase resolution
⏚ api.target.com  [1.2.3.4]
● https://api.target.com [200] API Documentation
● https://admin.target.com [401]
[HIGH]  CORS Misconfiguration  https://api.target.com  cors-misconfig
[CRIT]  Git Repository Exposed  https://staging.target.com/.git/config  git-exposed
 TAKEOVER  dev.target.com  service=GitHub Pages
[HIGH]  CVE Apache@2.4.7 → CVE-2026-34197 (CRITICAL/9.8) +4 more
·  scan elapsed 2m47s, 847 events seen

JSON (-f json -o report.json)

{
  "subdomain": "api.target.com",
  "ips": ["1.2.3.4"],
  "status_code": 200,
  "technologies": ["nginx/1.18.0", "Node.js"],
  "cloud_provider": "AWS",
  "tls_fingerprint": {
    "vendor": "Fortinet",
    "product": "FortiGate",
    "appliance_type": "firewall",
    "internal_hosts": ["fw-internal.corp.local"]
  },
  "security_headers": ["HSTS"],
  "missing_headers": ["Content-Security-Policy", "X-Frame-Options"],
  "cors_misconfig": "wildcard with credentials",
  "ai_findings": ["Reflected XSS via user parameter"],
  "cve_findings": ["CVE-2021-23017"]
}
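Consuming this JSON record from the defender's side, as an added Go example that is not the project's code: it parses the fields shown above and turns them into a prioritized remediation list, with confirmed CVE matches and credentialed CORS wildcards first and AI-reported findings queued for manual verification. The priority ranking and the handling of a whole report as a JSON array of such records are this example's assumptions; the sample record is a constructed copy of the one above:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// HostRecord mirrors the JSON report record shown above (field names taken from it).
type HostRecord struct {
	Subdomain       string   `json:"subdomain"`
	IPs             []string `json:"ips"`
	StatusCode      int      `json:"status_code"`
	Technologies    []string `json:"technologies"`
	CloudProvider   string   `json:"cloud_provider"`
	SecurityHeaders []string `json:"security_headers"`
	MissingHeaders  []string `json:"missing_headers"`
	CORSMisconfig   string   `json:"cors_misconfig"`
	AIFindings      []string `json:"ai_findings"`
	CVEFindings     []string `json:"cve_findings"`
}

// Action is one remediation item; Priority 1 means fix first.
type Action struct {
	Priority int
	Host     string
	What     string
}

// headerPriority is this example's ranking of missing headers, not the project's.
var headerPriority = map[string]int{
	"Strict-Transport-Security": 2,
	"Content-Security-Policy":   2,
	"X-Frame-Options":           3,
	"X-Content-Type-Options":    3,
	"Referrer-Policy":           4,
	"Permissions-Policy":        4,
}

// Triage turns one record into a prioritized remediation list.
func Triage(r HostRecord) []Action {
	var out []Action
	for _, cve := range r.CVEFindings {
		out = append(out, Action{Priority: 1, Host: r.Subdomain,
			What: "patch: " + cve + " (host technologies: " + strings.Join(r.Technologies, ", ") + ")"})
	}
	if r.CORSMisconfig != "" {
		p := 2
		if strings.Contains(r.CORSMisconfig, "credentials") {
			p = 1 // reflected origin plus credentials lets a hostile origin read authenticated responses
		}
		out = append(out, Action{Priority: p, Host: r.Subdomain, What: "fix CORS policy: " + r.CORSMisconfig})
	}
	for _, h := range r.MissingHeaders {
		p, known := headerPriority[h]
		if !known {
			p = 4
		}
		out = append(out, Action{Priority: p, Host: r.Subdomain, What: "add header: " + h})
	}
	for _, f := range r.AIFindings {
		// LLM output is a lead, not a confirmed finding: verify before ticketing as a vuln.
		out = append(out, Action{Priority: 2, Host: r.Subdomain, What: "verify manually (AI-reported): " + f})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Priority < out[j].Priority })
	return out
}

// ParseRecords accepts a single record object or a JSON array of records (the
// array form is an assumption; the README shows one object).
func ParseRecords(data []byte) ([]HostRecord, error) {
	if strings.HasPrefix(strings.TrimSpace(string(data)), "[") {
		var rs []HostRecord
		err := json.Unmarshal(data, &rs)
		return rs, err
	}
	var r HostRecord
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	return []HostRecord{r}, nil
}

// sampleReport is a constructed copy of the README's JSON example.
const sampleReport = `{
  "subdomain": "api.target.com",
  "ips": ["1.2.3.4"],
  "status_code": 200,
  "technologies": ["nginx/1.18.0", "Node.js"],
  "cloud_provider": "AWS",
  "security_headers": ["HSTS"],
  "missing_headers": ["Content-Security-Policy", "X-Frame-Options"],
  "cors_misconfig": "wildcard with credentials",
  "ai_findings": ["Reflected XSS via user parameter"],
  "cve_findings": ["CVE-2021-23017"]
}`

func main() {
	recs, err := ParseRecords([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		for _, a := range Triage(r) {
			fmt.Printf("P%d %-20s %s\n", a.Priority, a.Host, a.What)
		}
	}
}
```

For the sample record this yields five actions: the CVE and the credentialed CORS wildcard at P1, the missing CSP and the AI-reported XSS at P2, and the missing X-Frame-Options at P3. Feeding `-f json` output through this kind of filter is how to keep a scan from turning into an undifferentiated finding dump.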

CSV

Flat columns suitable for spreadsheet / pivot table analysis.


💡 Typical use cases

Bug-bounty recon

./god-eye -d in-scope.com --pipeline --profile bugbounty --live \
  -o bounty-findings.json -f json

Authorized penetration test (with light stealth)

./god-eye -d client.com --pipeline --profile pentest \
  --stealth light --live -o pentest-report.json -f json

Fast triage on a fresh target

./god-eye -d target.com --pipeline --profile quick

ASM continuous monitoring (daily diff + Slack)

./god-eye -d company.com --pipeline --profile asm-continuous \
  --monitor-interval 12h \
  --monitor-webhook https://hooks.slack.com/...

Full cookbook of 13 recipes: EXAMPLES.md.


📋 Requirements & install

  • Go 1.21+ for building
  • Ollama (optional, for AI features) — installation guide
  • RAM: 16GB (lean tier), 32GB (balanced), 64GB+ (heavy)

git clone https://github.com/Vyntral/god-eye.git
cd god-eye
go build -o god-eye ./cmd/god-eye
./god-eye --help

Dependencies (pure Go, no cgo):

github.com/fatih/color
github.com/miekg/dns
github.com/spf13/cobra
github.com/mattn/go-isatty
gopkg.in/yaml.v3

Single static binary on every platform.


🏗️ Architecture

v2 is structured in three layers — see CLAUDE.md for the full reference.

Foundation (internal/)

  • eventbus — typed pub/sub, race-safe, per-subscriber goroutines, drop counter
  • module — interface + auto-registering registry, phase-based selection
  • store — thread-safe host store, per-host locks, deep-copy reads
  • pipeline — coordinator with phase barriers, panic recovery, error aggregation
  • config — 5 scan profiles + 3 AI tiers, YAML loader, CLI overrides

Modules (internal/modules/*)

29 auto-registered modules across 6 phases: discovery, resolution, enrichment, analysis, reporting. Adding one is ~60 lines of Go; new modules plug in without touching main.go.

Operational (internal/)

  • wizard — interactive setup (9 prompts, input validation, TTY detection)
  • tui — colorized live event printer, 3 verbosity levels
  • nucleitpl — Nuclei template parser + executor + auto-downloader
  • diff + scheduler — ASM continuous mode

Testing

go test ./... -race -timeout 120s

200+ tests across 14 packages, all race-detector clean.


🗺️ Roadmap

v2.0 is in active development. Current state:

  Phase | Theme                           | Status
  0     | Foundation refactor             | ✅ complete
  1     | Discovery Supremacy             | 🟡 core done
  2     | Vulnerability Engine            | 🟡 5/10 native
  3     | AI Agentic v2                   | 🔵 scaffolding
  4     | TUI + Reporting (terminal-only) | 🟡 wizard + live
  5     | Continuous & Distributed        | 🟡 single-node
  6     | Ecosystem & community           | 📋 planned

Full breakdown: FEATURE_ANALYSIS.md.


🧪 Contributing

  1. Fork
  2. Create a branch: git checkout -b feat/your-feature
  3. Ship with tests (-race mandatory)
  4. Open a PR

New modules should:

  • Live under internal/modules/<name>/
  • Implement module.Module
  • Register in internal/modules/all/all.go
  • Emit events via the bus; no direct cross-module calls
  • Drain the store at Run() start + subscribe for late events

See CLAUDE.md for the full conventions.


⚖️ Legal notice

For authorized security testing only. By using God's Eye you agree to:

  • ✅ Only scan domains you own or have written permission to test
  • ✅ Comply with local laws (CFAA, Computer Misuse Act, GDPR, NIS2, …)
  • ✅ Respect bug-bounty program scopes
  • ❌ Never use for unauthorized access, exploitation, or malicious activity

The author accepts NO liability for misuse. Full terms: SECURITY.md · LICENSE.

Unauthorized computer access is illegal. Always get written permission first.


📚 Documentation map

  Document            | What it covers
  README.md           | You're here. Everything, high level.
  CHANGELOG.md        | What changed in v2 vs v0.1. Read before upgrading.
  EXAMPLES.md         | 14 practical recipes — bug-bounty, pentest, ASM, stealth, CI, Tor.
  AI_SETUP.md         | Complete AI layer guide — profiles, Ollama, cascade, verbose.
  BENCHMARK.md        | Cross-tool benchmarks, methodology, honest caveats.
  BENCHMARK-SCANME.md | Live reproducible benchmark on scanme.nmap.org.
  FEATURE_ANALYSIS.md | Per-feature status across all 6 development phases.
  SECURITY.md         | Ethical guidelines, disclosure process, data protection.
  CLAUDE.md           | Architecture reference for contributors and AI agents.

👤 Author

Made by Vyntral (GitHub · X / Twitter).

Contributions welcome. Bug reports, feature requests, and PRs go on GitHub Issues.

Every number in this README is reproducible. No marketing fluff, no synthetic benchmarks, no vendor lock-in. Just a single Go binary, your local machine, and the targets you're authorized to test.