Frequently asked questions
How is whack.sh different from urlscan.io or Browserling?
Those tools scan a URL from one vantage point — typically a datacenter IP. Cloakers know datacenter ranges cold and serve them a clean decoy, so the threat never shows up. whack.sh loads the same URL through datacenter, residential and mobile egress simultaneously and diffs the results — built to catch the page that only misbehaves when it thinks no analyst is watching.
What is the Split-Horizon Diff?
It’s the core of the product. We capture the full HAR, screenshot timeline and redirect chain from each egress type, then diff them against each other. When the datacenter capture shows a parked page but the mobile capture drops a fake login or a forced download, that divergence is the cloak — caught in the act.
Can it detect ASN- or org-targeted cloaking?
Yes — it’s a core reason multi-egress matters. Beyond datacenter-vs-real-user, advanced kits fingerprint the visitor’s ASN and serve org-specific payloads — a fake corporate login to a bank’s range, for instance — to harvest employee or VPN credentials. whack.sh exposes the payload served to the vantage points that matter and logs which payload hits which ASN, so you can map exactly who a campaign is targeting.
How does the cloaking score work?
We measure divergence across your egress captures — differences in DOM, redirect chains, network requests and rendered screenshots — and roll it into a single 0–100 score. Zero means the page looked identical no matter who asked; a high score means it served materially different content to different IP types.
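An added sketch of the scoring idea described above, not whack.sh's own code or formula: the three signals compared, the weights and the use of the worst pairwise divergence are assumptions made for illustration, and the captures are constructed sample data.

```python
from itertools import combinations

# Assumed weights for this sketch; the page does not publish the real formula.
WEIGHTS = {"dom": 0.4, "redirects": 0.3, "hosts": 0.3}

def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|; two empty sets count as identical."""
    a, b = set(a), set(b)
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)

def shingles(text, k=3):
    """Word k-grams, so replaced or reordered page text registers as change."""
    words = text.lower().split()
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def pair_divergence(x, y):
    """Weighted divergence in [0, 1] between two egress captures."""
    parts = {
        "dom": jaccard_distance(shingles(x["dom_text"]), shingles(y["dom_text"])),
        "redirects": 0.0 if x["redirects"] == y["redirects"] else 1.0,
        "hosts": jaccard_distance(x["hosts"], y["hosts"]),
    }
    return sum(WEIGHTS[name] * value for name, value in parts.items())

def cloaking_score(captures):
    """Return (0-100 score, most divergent egress pair or None)."""
    worst, worst_pair = 0.0, None
    for (na, a), (nb, b) in combinations(sorted(captures.items()), 2):
        d = pair_divergence(a, b)
        if d > worst:
            worst, worst_pair = d, (na, nb)
    return round(worst * 100), worst_pair

# Constructed sample captures (not real scan output).
PARKED = {"dom_text": "this domain is parked buy this domain today",
          "redirects": ["http://example.test/"],
          "hosts": {"example.test"}}
CAPTURES = {
    "datacenter": PARKED,
    "residential": PARKED,
    "mobile": {"dom_text": "sign in to your account enter password to continue",
               "redirects": ["http://example.test/", "http://login.example.test/auth"],
               "hosts": {"example.test", "login.example.test", "cdn.example.test"}},
}

if __name__ == "__main__":
    print(cloaking_score(CAPTURES))
```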
What do “egress types” mean and why does mobile cost more?
Egress is the kind of IP your scan exits from: datacenter (cloud ranges), residential (real home ISP IPs) or mobile (real carrier IPs). Cloakers trust residential and mobile far more than datacenter. Mobile costs more because carrier IPs are the scarcest and most expensive to source — the multiplier reflects that reality.
Do you save bandwidth by loading only part of the page?
No — and that’s deliberate. Every egress does a full, faithful load in real Chromium, with JavaScript executed and every resource fetched, exactly like a real visitor. Cutting corners to save bytes — blocking images, skipping JS, HEAD-only requests, bailing out early — is precisely the behavioral fingerprint cloakers watch for, so it would defeat the whole point. We stay lean by trimming response bodies from the stored HAR (never from the load) and by handing any payload to the isolated vault out of band. The trade-off: paid residential/mobile egress meters the real bytes of that faithful load — to control spend, scan datacenter-first (free) and escalate to paid egress only when you want the cross-IP diff.
Is it free? What’s free vs. paid?
Datacenter egress is free — including the full curl-first API. Sign up for a free key and scan with datacenter egress all you want, web or curl, no card. Residential and mobile egress are the paid tier, and the Split-Horizon Diff is the premium unlock that exposes cloaking a datacenter-only scan can’t see.
How do credits and billing work? Do failed paid scans bill?
Paid egress is metered in credits per 3 MB block: datacenter = 0 (free), residential = 5, mobile = 10. You set daily and monthly caps per account, and velocity anomaly detection auto-pauses a key on a spike. Yes — failed paid scans still bill the blocks they consumed, because a cloaker that crashes your scan mid-load still cost real residential/mobile bandwidth to reach.
Is this legal? What’s the acceptable-use policy?
whack.sh scans public URLs — the same content any visitor to that link would receive. Sensitive targets (.gov, .mil, financial institutions) are handled carefully with extra guardrails, and binaries are never fetched over residential or mobile egress. It’s a defensive tool for investigators: expose threats, don’t attack infrastructure, and stay inside the AUP you agree to at signup.
How do the curl-first API and “key as login” work?
Every endpoint is a curl endpoint — anything in the web UI works from a shell with whack <url>. The API key is your login: paste it or click a one-time magic link for an httpOnly session, no passwords to manage or leak. Automate scans and pull results as JSON straight from the terminal.
What happens to forced-download files and samples?
Sample download is an explicit option and it’s off by default — fetching the binary from your scan’s vantage is a classic tell (the distributor sees the payload pulled, often from a datacenter range, and cloaks that ASN on the next hit), so by default the node just flags the payload URL. When you opt in, the binary is never pulled through your scan’s egress and never lands on a scan node or your device: an isolated “cold” vault retrieves and identifies it out of band — URL reputation first, then a sandboxed fetch only if it’s novel — hashes it, checks VirusTotal/MalwareBazaar/URLhaus, stores it only if novel, and serves it via single-use expiring links with IOC export to CSV, STIX 2.1 or MISP. Confining the payload to the vault keeps both your cover and your devices clean.
Are there rate limits and spend caps?
Yes. Free datacenter scanning runs under standard rate limits, and paid egress is governed by the per-account daily and monthly credit caps you set. Velocity anomaly detection watches for spikes — if a key burns credits abnormally fast, it auto-pauses and alerts the operator, so a misfiring script or stolen key can’t quietly empty your account. And a hostile page can’t pad itself to drain you: oversized or junk-bloated responses are handled the way a real browser does — streamed, not bulk-downloaded — bounded, and flagged as evasive rather than billed blindly.
When does it launch and how do I get access?
whack.sh is pre-launch — coming soon. When we open, you’ll grab a free key and start whacking with datacenter egress and the full curl API at no cost, then add residential and mobile egress when you need to expose a cloak. Sign up to get notified at launch and be first in line.