Tools reference

The server exposes nine tools. Your assistant calls them for you; you just describe what you want. Costs are charged server-side against your Profundis credits, the same as the equivalent API or web UI search.

| Tool | What it does | Cost |
| --- | --- | --- |
| list_available_fields | List the queryable fields for a source | Free |
| search_hosts | Search internet-wide HTTP/HTTPS services | 1 credit / page |
| search_dns | Search DNS records (A, AAAA, CNAME, MX, NS, TXT…) | 1 credit / page |
| search_vhosts | Search TLS certificates and SAN entries | 1 credit / page |
| search_whois | Search WHOIS registrations and contacts | 3 credits / page |
| enumerate_subdomains | List known subdomains of a domain | Per plan |
| domain_details | Resolved IPs, ports, hostnames, and ASN for a domain | 1 + 1 per resolved IP |
| asn_details | Resolve an IP, CIDR, name, or number to ASN details | 1 credit |
| favicon_search | Find favicons that look like a given one (Brand Clone Radar) | 5 credits |

A repeat of the same domain_details lookup inside the cache window is free.

The search tools

search_hosts, search_dns, search_vhosts, and search_whois share the same arguments:

  • query (required): a Profundis query-DSL string (see Query syntax below).
  • time_frame: one of last_24h, last_7d, last_30d, this_year, all_time (default all_time).
  • page: 1-based page number, 1 to 100 (default 1).
  • results_per_page: 10, 30, or 50 (default 50).
  • order_by and direction (asc or desc): optional sorting.

Each source has its own fields. Call list_available_fields (free) for the authoritative list, or use these common ones:

| Source | Key fields |
| --- | --- |
| hosts | host, title, protocol, technologies, port, status_code, content_length, favicon_hash, as_name, as_number, ip_country_code, cert_subj, cert_issuer_cn, cert_expired, cert_trusted |
| dns | host, value, type, date_first_seen, date_last_seen |
| vhosts | san, cert_common_name, cert_issuer_cn, cert_org, port, not_after, not_before |
| whois | domain, registrar_name, registrant_organization, registrant_email, nameservers, expiration_date |

The lookup tools

  • enumerate_subdomains takes a domain (for example example.com) and returns the known subdomains gathered from DNS records and certificates.
  • domain_details takes a domain and returns resolved IPs, open ports, associated hostnames, and AS information.
  • asn_details takes exactly one selector: ip, cidr, name, number, or partial_name. The selector type is inferred from the field you set, so ip=8.8.8.8 or number=15169 is enough.

favicon_search (Brand Clone Radar)

favicon_search finds favicons that are visually similar to a given one, not just byte-identical copies. It is how you spot phishing and clone sites that reuse a brand's icon with small pixel tweaks.

  • hash (required): an mmh3 favicon hash, either decimal 32-bit (for example 81586312) or 32-character hex. The engine indexes raster icons only (PNG, ICO, JPG); SVG and unindexed favicons are not supported.
  • limit: cap the number of matches returned.
  • hide_ubiquitous: drop generic icons shared by a huge number of hosts (stock nginx, Apache, or CMS defaults).

It returns the matches, each with a score (0 to 1 similarity), a band (rank tier, lower is more similar), and a host_count (how many hosts serve that favicon). For safety the host list itself is never returned here, only the count. To get the hosts behind a favicon, pivot with search_hosts on favicon_hash (see the recipe below).

Query syntax

The four search tools share one query DSL:

| Pattern | Meaning |
| --- | --- |
| field:value | exact match |
| field:val* | prefix match (wildcard) |
| field:*val* | substring / wildcard match |
| content_length>100 | range query (>, <, >=, <=) on numeric or date fields |
| a AND b, a OR b, NOT a | boolean operators (case-insensitive) |
| (a OR b) AND c | grouping with parentheses |
| field:"" | empty value (use NOT field:"" for non-empty) |

Use at most 3 wildcards per query. Examples:

host:*.example.com AND status_code:200
ip_country_code:FR AND port:443
value:8.8.8.8 AND type:A
cert_org:"Let's Encrypt" AND port:443
registrant_organization:Google
favicon_hash:81586312
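
A pre-flight check for the shared search arguments and the wildcard limit described above, so a malformed call is rejected before it costs credits. This is an added example, not Profundis code: the function names are hypothetical, and counting each unquoted * as one wildcard is an assumption, since the page does not say how wildcards are counted.

```python
# Added example: client-side validation of search tool arguments.
# Limits and costs are taken from this page; names below are hypothetical.
import re

TIME_FRAMES = {"last_24h", "last_7d", "last_30d", "this_year", "all_time"}
PAGE_SIZES = {10, 30, 50}
CREDITS_PER_PAGE = {"search_hosts": 1, "search_dns": 1, "search_vhosts": 1, "search_whois": 3}
MAX_WILDCARDS = 3


def _unquoted(query: str) -> str:
    """Drop double-quoted values so their contents are not parsed as syntax."""
    return re.sub(r'"[^"]*"', "", query)


def count_wildcards(query: str) -> int:
    """Count '*' outside quoted values (assumption: each '*' is one wildcard)."""
    return _unquoted(query).count("*")


def parens_balanced(query: str) -> bool:
    """True when grouping parentheses outside quotes are balanced."""
    depth = 0
    for ch in _unquoted(query):
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def build_search_args(tool, query, time_frame="all_time", page=1, results_per_page=50):
    """Return (arguments, credit cost of this one page) or raise ValueError."""
    if tool not in CREDITS_PER_PAGE:
        raise ValueError(f"not a search tool: {tool}")
    if not query.strip():
        raise ValueError("query is required")
    if count_wildcards(query) > MAX_WILDCARDS:
        raise ValueError("more than 3 wildcards in query")
    if not parens_balanced(query):
        raise ValueError("unbalanced parentheses in query")
    if time_frame not in TIME_FRAMES:
        raise ValueError(f"unknown time_frame: {time_frame}")
    if not isinstance(page, int) or not 1 <= page <= 100:
        raise ValueError("page must be an integer from 1 to 100")
    if results_per_page not in PAGE_SIZES:
        raise ValueError("results_per_page must be 10, 30, or 50")
    args = {"query": query, "time_frame": time_frame,
            "page": page, "results_per_page": results_per_page}
    return args, CREDITS_PER_PAGE[tool]
```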

Recipes

Find clones of a brand's site

  1. search_hosts with host:brand.com and read the target's favicon_hash.
  2. favicon_search with that hash to get the visually similar favicons (the lookalikes).
  3. search_hosts with favicon_hash:<a lookalike hash> to enumerate every host serving that clone icon.

Map a target's surface

  1. enumerate_subdomains with the apex domain to get the subdomain list.
  2. search_dns with host:*.example.com to see resolutions and record types.
  3. domain_details on the interesting names for IPs, ports, and ASN.

Trace an ASN footprint

Use asn_details with ip=8.8.8.8 or number=15169, then search_hosts with as_number:15169 to enumerate services in that AS.