// private beta · go 1.26 · react 18 · v1.4

The secret scanner that ships the next step.

keyhound finds leaked API keys across GitHub code search, JS bundles, and local source — then validates them live, writes a PoC, drafts a disclosure, and monitors for new leaks on a schedule. One binary, no SaaS, built for hunters.

request beta access see it in action free cheatsheet
147
regex patterns
40+
providers
14
exploit chains
25
cli subcommands

// what it does

Find, validate, exploit, disclose — in one binary.

Most scanners stop at "I found a regex match". keyhound assumes you also want to know whether the key is live, what it unlocks, and how to write the disclosure — because the regex match on its own doesn't close the loop.

// STAGE 1

Multi-surface find

GitHub code search with 90+ dorks, JS bundle + sourcemap walker, local filesystem scan, nested directory crawl. Anchored regex prefilter skips the 90% of files that can't possibly match.

// STAGE 2

Live validation

Every finding is tested against the real provider API with a read-only probe — whoami, list-models, get-account. Verdict is LIVE, DEAD, or ROTATED per key. No "potential match" noise to triage.

// STAGE 3

Ready-to-run PoC

Per-provider PoC templates in curl / python / httpie / js / raw / pdf. Multi-step exploit chains with variable capture — take a leaked token through whoami → scope → blast-radius in one command.

// STAGE 4

Disclosure drafting

Drafts an RFC-9116-aligned disclosure with CVSS, CWE, evidence block, fingerprint, and the matched security.txt contact already filled in. Five tones so you can pick what fits the vendor: humanized, formal, bug bounty, CVE-style, internal triage.

// STAGE 5

Recon on the side

Wraps the ProjectDiscovery / Tomnomnom stack: subfinder, httpx, katana, dnsx, urlfinder, waybackurls, gau, nuclei. Resolves attack surface before you even hit the regex layer.

// STAGE 6

Continuous monitor

Hourly GitHub Actions cron runs your watchlist, diffs vs previous snapshot via SHA256 fingerprint, emails only when a new LIVE key appears. No backend, no database, no SaaS lock-in.

// how it feels

One binary, twenty-five subcommands.

Copy-paste anything below, swap the target, ship.

scan — the one command you use every day

keyhound scan https://target.com --validate --poc

# crawl JS bundles + sourcemaps, match 147 patterns,
# validate every hit against the live provider API,
# write a ready-to-run PoC per finding.

gh — GitHub dork sweep

keyhound gh acmecorp --category AWS --limit 30

# 90+ dorks, scoped to the org, regex+keyword modes,
# backend auto-selects gh-cli > api-token > api-anon.
# --format=json for machine-readable NDJSON pipelines.

chain — one key, five-step exploit

keyhound chain "GitHub PAT" ghp_XXXXXXXX

# step 1: whoami → capture LOGIN
# step 2: orgs → capture ORG[]
# step 3: private-repos → list scope
# step 4: org-secrets → blast radius
# step 5: emails → attribution

aikey — AI-provider PoCs in any format

keyhound aikey sk-ant-api03-XXXX --style matrix --format python

# supports anthropic / openai / gemini / groq / openrouter /
# xai / cerebras / perplexity / hf / replicate / fireworks.
# styles: minimal | report | matrix.

recon — ProjectDiscovery arsenal wrapper

keyhound recon target.com

# subfinder → dnsx → httpx → katana → waybackurls → gau
# → nuclei → feed live URLs back into `keyhound scan`.

validate — confirm a lone key

keyhound validate "AWS Access Key" AKIAXXXXXXXXXXXXXXXX

# single read-only probe, LIVE/DEAD/ROTATED verdict,
# prints bill-and-scope metadata when available.

bot — Slack/Discord/Telegram/Teams notify

keyhound bot slack xoxb-XXXX --message "new LIVE key"

# post findings to a webhook or bot token; used by the
# monitor/ subsystem for instant Pro-tier alerts.

template — custom PoCs & chains

keyhound template add my-aws curl "aws sts get-caller-identity"
keyhound template chain run aws AKIAXXXX --proxychains
keyhound template export my-aws > shared-poc.json
full command reference (25 subcommands)
scanbatchjsfull ghbountyreconharvest validateaikeypatternsdorks pocchaintrufflehoggitleaks doctoolsdashboardbot template addtemplate listtemplate runtemplate chain run template import/exportversion--format=json on every command

// what it finds

Forty-plus providers, live-validated.

Not every pattern has a live validator — the ones below do. If your favourite isn't here, add a custom pattern + regex in the web UI.

AI · LLM
Anthropic
AI · LLM
OpenAI
AI · LLM
Google Gemini
AI · LLM
Groq
AI · LLM
OpenRouter
AI · LLM
xAI
AI · LLM
Cerebras
AI · LLM
Perplexity
AI · LLM
HuggingFace
AI · LLM
Replicate
AI · LLM
Fireworks
CLOUD
AWS
CLOUD
GCP
CLOUD
DigitalOcean
CLOUD
Heroku
CLOUD
Firebase
SOURCE
GitHub PAT
SOURCE
GitHub App
SOURCE
GitLab
SOURCE
NPM
PAY
Stripe
PAY
Stripe Restricted
PAY
Shopify
COMMS
Slack
COMMS
Slack Webhook
COMMS
Discord Bot
COMMS
Telegram Bot
COMMS
Twilio
COMMS
SendGrid
COMMS
Mailgun
COMMS
Mailchimp
OPS
New Relic
OPS
Sentry
OPS
PagerDuty
OPS
Zendesk
OPS
Airtable
OPS
Notion
OPS
Linear
OPS
MongoDB Atlas
OPS
Postgres URI
OPS
JWT
OPS
PKCS + private keys

// post-exploitation

Multi-step exploit chains with variable capture.

Every chain step can capture output into a named variable that later steps reference. Turns a lone key into a full blast-radius map.

AWS key → full recon

sts identity → iam list-policies → s3api list-buckets → route53 hosted-zones → lambda list-functions → read CI/CD secrets

GitHub PAT → blast radius

whoami → orgs[] → private-repos → org-secrets → emails[]

Anthropic key → org map

workspaces → members → usage → invoices → spend ceiling

OpenAI key → workspace probe

models → org-info → billing → usage → invite-list

Heroku → config-vars harvest

account → apps[] → config-vars per app → addons → collaborators

Slack bot → org graph

auth.test → team.info → users.list → conversations.list → files.list

Stripe → revenue surface

account → balance → customers → charges → webhooks

Active Directory creds → enum

silentHound wrapper — dumps AD without touching LSASS, flags admin paths.

Plus: Twilio, DigitalOcean, GCP service accounts, Firebase, PagerDuty, Discord, Telegram, Shopify. Every chain supports --proxychains + --dry-run.

// the SaaS alternative

Continuous monitoring without a backend.

GitHub Actions runs a cron against your watchlist every hour. SHA256 fingerprint dedup means you only get pinged on new leaks. Subscribers live in repo secrets. No database. No vendor.

# monitor/watchlist.yml
targets:
  - type: github_org
    value: your-org
    tier: pro
  - type: github_repo
    value: your-org/sensitive-service
    tier: pro
  - type: github_query
    value: 'org:your-org "sk-ant-api03-"'
    tier: watch

# every hour:
#   build keyhound → run against watchlist → diff via fingerprint →
#   email only NEW live keys → commit state to the repo

Tiers

SAMPLE
$0
  • 1 watchlist target
  • weekly digest
  • tester / demo
WATCH
$4/mo
  • 3 targets
  • daily digest
  • includes dead keys
PRO · most popular
$19/mo
  • 10 targets
  • instant on LIVE
  • PGP-encrypted mail
AGENCY
$79/mo
  • unlimited targets
  • private feed
  • quarterly report

All tiers optional — keyhound stays free to self-host. Paid tiers fund dev + run the hosted monitor.

// why keyhound

It ships the part nobody else does.

keyhound gitleaks trufflehog big-SaaS scanner
regex scan
live validation✓ 137 validatorspartialpartial
multi-step exploit chain✓ 14 chains
PoC templates✓ curl/py/js/pdf
disclosure draft✓ RFC-9116 + PGP
continuous monitor✓ GH ActionsCI onlyCI onlySaaS $$$
self-host✓ single binary
pricefree · optional $4–79freefree / paid$500+/mo

// private beta

Request access.

The codebase is private during beta. Ask for a build + API keys, or subscribe to the hosted monitor and never touch the CLI.

OPTION 1

Beta build

Email for a signed binary + eligibility. Free for hunters with a track record, or $0 for OSS maintainers scanning their own orgs.
OPTION 2

Hosted monitor

We run the cron, diff, validate, email you only when new LIVE keys appear. $4–79/mo depending on watchlist size.
OPTION 3

DIY cheatsheet

Don't want any of this? The free cheatsheet gives you pre-commit, trufflehog, rotation recipes, and an incident checklist. No signup.

Verify who we are