Whack the moles your scanner can't see.
Load any URL through datacenter, residential and mobile egress at once, then diff the captures to expose the cloaking a datacenter-only scan never sees. Free from datacenter egress; the curl API drives every tier, free or paid.
$ whack <url>
The gap
Datacenter-only scanners have a tell. They run from a handful of cloud ASNs — AWS, GCP, Azure — and cloakers know every one. The moment a request arrives from a known scanner range, the traffic distribution system fingerprints the IP and serves a clean decoy: a parked page, a harmless redirect, a login form that does nothing. Your scanner records “benign” and moves on. The mole never surfaced.
The malicious payload only renders for real users on real residential and mobile IPs — the exact view a datacenter scan can't reach. And it goes deeper: sophisticated kits fingerprint the visitor's ASN and tailor the payload to the organization behind it. A request from a bank's corporate range doesn't get commodity malware — it gets a pixel-perfect employee re-validation screen built to harvest that company's credentials. One URL can serve a parked page to a scanner, generic malware to a home user on residential, a different payload again over mobile, and a targeted corporate-login lure to an employee at the org it's actually hunting.
whack.sh closes the gap by looking from every angle at once and diffing what comes back, and by logging which payload deploys to which ASN. Divergence across egress is the cloak slipping, scored 0–100; the per-ASN map turns “is this URL bad?” into “who is this campaign targeting, and what credentials is it after?” Spot the organizations in the blast radius before the VPN logins start leaking.
What you get
Split-Horizon Diff
Load the same URL through datacenter, residential and mobile egress, then diff how the page mutates across IP types. Divergence is cloaking — caught, scored, and shown side by side.
ASN & Org-Targeted Detection
Advanced kits don’t just split datacenter vs. real users — they fingerprint the visitor’s ASN and serve org-specific lures (a fake employee login to a bank’s range, say). whack.sh reveals what a kit serves the vantage points that matter and logs every payload-to-ASN mapping, so you see who a campaign is hunting.
Multi-Egress Capture
One whack <url> fires through datacenter, residential and mobile IPs in parallel. Cloakers that serve a clean decoy to datacenter scanners can’t hide when three IP classes hit at once.
HAR + Screenshot Timeline
Every egress does a full, faithful load — real Chromium, JavaScript executed, every resource fetched, exactly what a real visitor pulls — then returns the complete request waterfall as HAR plus a screenshot timeline. We keep stored HAR lean by trimming response bodies, never the load itself: cutting resources to save bytes is exactly what gets a scanner fingerprinted.
Redirect / TDS Chain
Follow the whole hop sequence through traffic distribution systems to the final payload. The chain that routes a victim is the chain we map.
Cloaking Score
Egress divergence is scored 0–100 so you can triage at a glance and alert on a threshold. High score = a mole serving two faces. Whack it.
Free where it counts. Paid where it matters.
Datacenter egress is free, no card. Residential and mobile are the paid tier — they unlock the Split-Horizon Diff that exposes cloaking a datacenter-only scan can't see. The curl-first API drives every egress, not just the free one.
Datacenter
FREE
What it sees: the decoy, the clean, safe-looking page cloakers happily serve to scanners. Your free baseline. 0 credits, web or curl, no card.
Residential
5 cr / 3 MB block
What it sees: what a real home visitor sees. Diff it against datacenter to expose cloaking aimed at consumer IPs.
Mobile
10 cr / 3 MB block
What it sees: what a phone on a carrier network sees, the egress cloakers trust most and guard tightest. Failed paid scans still bill the blocks consumed.
Bring Your Own Vantage Points
Deploy a tiny outbound agent in your own network — no firewall changes, no Tailscale — and scan from your exact IP/ASN. See the org-targeted payload a cloaker tailors for you, while our pipeline still does the full render, analysis and storage.
Who it's for
Phishing & Abuse Investigation
Phishing kits cloak: they fingerprint the visitor and serve a clean decoy to anything that smells like a datacenter scanner. whack <url> loads the target through residential and mobile egress too, so the mole that hides from everyone else gets whacked — full HAR, screenshot timeline, and the live redirect/TDS chain.
Targeted-Campaign & Exposure Mapping
When a cloaker singles out corporate ASNs to harvest employee or VPN credentials, the per-ASN payload log shows which organizations it’s tailoring lures for — turning one malicious URL into a map of who’s in the blast radius, so a SOC knows it’s a target before credentials leak.
Brand & Ad-Fraud Protection
Cloaked landers and fake storefronts show one face to your monitoring and another to real users on a phone. The Split-Horizon Diff catches that gap across datacenter, residential and mobile IPs, with a 0–100 divergence score telling you exactly how hard a page is hiding.
Threat-Intel & IOC Enrichment
Turn a single URL into shareable intel. whack.sh extracts IOCs from every egress path and exports them as CSV, STIX 2.1 or MISP — and since every endpoint is a curl endpoint, you can wire enrichment straight into your pipeline.
Malware & TDS Research
Trace the full traffic distribution system from entry to payload. Sample capture is opt-in: when you want the artifact, forced-download files are hashed, checked against the feeds, stored only if novel, and handed back through single-use expiring links — study the delivery chain without re-arming it, or leave it off to stay invisible on the scan.
SOC Triage & Incident Response
A user reports a suspicious link — verify it across every egress in seconds, confirm or dismiss the threat, and attach the HAR, screenshot timeline and cloaking score straight to the ticket. Turn “is this safe to click?” into a scored answer your analysts can act on.
FAQ
How is whack.sh different from urlscan.io or Browserling?
Those tools scan a URL from one vantage point — typically a datacenter IP. Cloakers know datacenter ranges cold and serve them a clean decoy, so the threat never shows up. whack.sh loads the same URL through datacenter, residential and mobile egress simultaneously and diffs the results — built to catch the page that only misbehaves when it thinks no analyst is watching.
What is the Split-Horizon Diff?
It’s the core of the product. We capture the full HAR, screenshot timeline and redirect chain from each egress type, then diff them against each other. When the datacenter capture shows a parked page but the mobile capture drops a fake login or a forced download, that divergence is the cloak — caught in the act.
Can it detect ASN- or org-targeted cloaking?
Yes — it’s a core reason multi-egress matters. Beyond datacenter-vs-real-user, advanced kits fingerprint the visitor’s ASN and serve org-specific payloads — a fake corporate login to a bank’s range, for instance — to harvest employee or VPN credentials. whack.sh exposes the payload served to the vantage points that matter and logs which payload hits which ASN, so you can map exactly who a campaign is targeting.
How does the cloaking score work?
We measure divergence across your egress captures — differences in DOM, redirect chains, network requests and rendered screenshots — and roll it into a single 0–100 score. Zero means the page looked identical no matter who asked; a high score means it served materially different content to different IP types.
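A minimal sketch of how a divergence score like the one described above could be computed from per-egress captures. This is an added example, not whack.sh's code or formula: the capture fields, the weights and the worst-pair rule are assumptions, and screenshot comparison is left out.

```python
from itertools import combinations
from urllib.parse import urlsplit

# Assumed weights for this sketch; the page does not publish its formula.
WEIGHTS = {"dom": 0.40, "redirects": 0.35, "requests": 0.25}

def jaccard_distance(a, b):
    """1 - |A & B| / |A | B|; two empty sets count as identical."""
    a, b = set(a), set(b)
    return 0.0 if not (a or b) else 1.0 - len(a & b) / len(a | b)

def shingles(text, k=3):
    """Word k-grams of the visible page text."""
    words = text.lower().split()
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def hosts(urls):
    return {urlsplit(u).hostname for u in urls}

def pair_divergence(x, y):
    """Weighted divergence in [0, 1] between two egress captures."""
    parts = {
        "dom": jaccard_distance(shingles(x["dom_text"]), shingles(y["dom_text"])),
        "redirects": jaccard_distance(hosts(x["redirect_chain"]), hosts(y["redirect_chain"])),
        "requests": jaccard_distance(hosts(x["requests"]), hosts(y["requests"])),
    }
    return sum(WEIGHTS[name] * value for name, value in parts.items())

def cloaking_score(captures):
    """Return (worst pairwise score 0-100, {(egress_a, egress_b): score})."""
    pairs = {(a, b): round(100 * pair_divergence(captures[a], captures[b]))
             for a, b in combinations(sorted(captures), 2)}
    return max(pairs.values(), default=0), pairs

# Constructed sample captures (reserved .example hosts), not real scan output.
DECOY = {"dom_text": "this domain is parked",
         "redirect_chain": ["https://lure.example/a"],
         "requests": ["https://lure.example/a", "https://cdn.example/park.css"]}
LURE = {"dom_text": "sign in to verify your account password",
        "redirect_chain": ["https://lure.example/a", "https://tds.example/r?id=1",
                           "https://login.example/verify"],
        "requests": ["https://lure.example/a", "https://tds.example/r?id=1",
                     "https://login.example/verify", "https://login.example/kit.js"]}
CAPTURES = {"datacenter": DECOY, "residential": DECOY, "mobile": LURE}

if __name__ == "__main__":
    print(cloaking_score(CAPTURES))
```

Taking the worst pair rather than the average keeps a single divergent egress from being diluted by the vantage points that all received the same decoy.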
What do “egress types” mean and why does mobile cost more?
Egress is the kind of IP your scan exits from: datacenter (cloud ranges), residential (real home ISP IPs) or mobile (real carrier IPs). Cloakers trust residential and mobile far more than datacenter. Mobile costs more because carrier IPs are the scarcest and most expensive to source — the multiplier reflects that reality.
Get on the list. Bring your own curl.
whack.sh is coming soon. Drop your email and grab a free key at launch — scan from datacenter egress with the full curl-first API at no cost, then add residential and mobile egress to whack the moles a datacenter-only scan can't see.