Strix Archer
Strix Archer is a free, open-source OSINT tool for Linux — built for CTF challenges and authorized lab targets — that performs passive domain and identity recon (DNS/RDAP/crt.sh, username and email lookup, GitHub OSINT, breach checks) plus a safe HIBP k-anonymity password check.
Strix Archer pairs a dependency-free, standard-library-only OSINT engine with wrappers for popular tools — using Sherlock, maigret, holehe, theHarvester and SpiderFoot when installed, and falling back to its own implementation when not. It does domain recon (DNS-over-HTTPS, RDAP/WHOIS, crt.sh subdomains, HTTP + security-header fingerprint), identity recon (rate-limited username scan, GitHub OSINT, Gravatar, breach lookup), and a safe HIBP k-anonymity password check. A one-time consent gate keeps it to authorized lab use; everything is passive and read-only, with a .txt and dark HTML report.
- Price
- Free — open-source (MIT)
- Platforms
- Linux
- Category
- OSINT
- Built with
- Python
- Open-source alternative to
- Sherlock, maigret, SpiderFoot, theHarvester
- Telemetry
- None — fully offline
- Updated
A look inside

What it does
- Built-in stdlib engine + auto-wraps Sherlock / maigret / holehe / theHarvester / SpiderFoot when present
- Domain: DNS-over-HTTPS, RDAP/WHOIS, crt.sh subdomains, HTTP + missing-security-header check
- Identity: rate-limited username scan, GitHub OSINT (commit-leaked emails), Gravatar, XposedOrNot breach lookup
- Safe password breach check via HIBP k-anonymity — the password never leaves your machine
- One-time consent gate, rate-limited by design; passive & read-only; .txt + dark HTML report
What Strix Archer deliberately does not do
- It is passive and read-only — it never exploits or actively attacks a target.
- It is for authorized use only — a one-time consent gate enforces acknowledgement.
- The password breach check never sends your password (HIBP k-anonymity).
Installation
🐧 Linux (Ubuntu / Debian)
git clone https://github.com/strix-tool/strix-archer
cd strix-archer
python3 strix_archer.py -u demo-user --i-am-authorized Frequently asked
Is this legal to use?
Only against CTF challenges / fictional characters or targets you own or are explicitly authorized to test. Profiling real people without consent can be harassment and may be illegal — a one-time consent gate enforces acknowledgement.
Do I need to install anything?
No — the built-in engine is pure Python standard library. Optional tools (Sherlock, holehe, …) are auto-wrapped if present, and `--setup` installs them into isolated pipx environments so your system Python is untouched.
Powered by open source
Strix Archer wraps these open-source tools and public services — it does not bundle or modify them. Thank you to every upstream project and service.