tech-stack-teardown

The tech-stack-teardown skill reverse-engineers a company's marketing and sales infrastructure by analyzing public signals like DNS records, website source code, and technology profilers. Use it to identify which CRM, cold email, analytics, and advertising tools a target company deploys without requiring login credentials or API access. It is useful for competitive intelligence and sales research.

Install in Claude Code
```bash
git clone --depth 1 https://github.com/gooseworks-ai/goose-skills /tmp/tech-stack-teardown && cp -r /tmp/tech-stack-teardown/skills/competitive-intel/capabilities/tech-stack-teardown ~/.claude/skills/tech-stack-teardown
```
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Tech Stack Recon

Reverse-engineer a company's sales, marketing, and outbound infrastructure from public signals. No login, no API access to their tools needed — everything is derived from DNS records, website source code, technology profiling, blacklist databases, and public complaints.

## What It Detects

| Category | Tools Detected |
|----------|---------------|
| **CRM** | HubSpot, Salesforce (via SPF, website pixels, DNS) |
| **Cold Email Tools** | Smartlead, Instantly, Outreach, Salesloft, Lemlist (via SPF, DKIM, TXT records, website source) |
| **People Databases** | Apollo, ZoomInfo, Clearbit, 6sense (via website tracker scripts) |
| **Email Delivery** | SendGrid, Amazon SES, Postmark, Mailgun, Mandrill (via SPF includes, DKIM selectors) |
| **Email Marketing** | Mailchimp, Brevo, ActiveCampaign, Klaviyo (via DKIM selectors) |
| **Ad Retargeting** | LinkedIn Insight Tag, Facebook Pixel, AdRoll, Reddit Ads, Twitter Ads (via Apify profiler + source) |
| **Website Builder** | Webflow, Framer, Next.js, WordPress (via Apify profiler + source) |
| **Chat / Support** | Intercom, Drift, Crisp, Zendesk (via website source) |
| **Analytics** | Google Analytics, Segment, Mixpanel, Amplitude, PostHog, Heap (via website source) |
| **Outbound Domains** | Separate cold sending domains (via SPF-only Google Workspace + redirect to primary) |

## How It Works

The skill runs 5 layers of detection, each revealing different signals:

### Layer 1: DNS Records (Free, instant)

```
MX     → Primary email provider (Google Workspace, Microsoft 365, etc.)
SPF    → Every service authorized to send email on their behalf
DKIM   → Cryptographic proof of which tools actually send email
DMARC  → Email authentication policy (how strict they are)
TXT    → Misc verifications (Smartlead tracking domains, tool verifications)
CNAME  → Subdomains pointing to third-party services
```

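This is the highest-signal layer. SPF and DKIM records are published by the domain owner, so they don't lie: if SendGrid is in their SPF, they have authorized SendGrid to send mail as them. An include can outlive the tool it was added for, so treat a lone SPF entry as strong evidence of use rather than proof of current use.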
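The same signals are what your own domain exposes, so they are worth auditing from the publishing side. The following is an added example, not code from the skill or its `recon.py`: it parses SPF and DMARC TXT strings you have already fetched and reports the authorized senders, includes nobody has reviewed, and weak policy settings. The `SENDER_HINTS` map, the function names and the sample records are assumptions made for illustration.

```python
# SENDER_HINTS: small illustrative map of SPF include domains, not the skill's signature list.
SENDER_HINTS = {"_spf.google.com": "Google Workspace", "sendgrid.net": "SendGrid",
                "spf.protection.outlook.com": "Microsoft 365", "amazonses.com": "Amazon SES"}

def parse_spf(txt):
    """Return (include domains, qualifier on 'all', top-level DNS-lookup terms)."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    includes, all_q, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name == "include" and ":" in mech:
            includes.append(mech.split(":", 1)[1])
        # These terms count toward RFC 7208's limit of 10 lookups (nested includes add more).
        if name in ("include", "a", "mx", "ptr", "exists") or mech.startswith("redirect="):
            lookups += 1
        if name == "all":
            all_q = qualifier
    return includes, all_q, lookups

def dmarc_policy(txt):
    """Return the p= value of a DMARC record, or None if absent or not DMARC."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in (txt or "").split(";") if "=" in p)}
    return (tags.get("p", "").lower() or None) if tags.get("v") == "DMARC1" else None

def vendor(include):
    return next((v for k, v in SENDER_HINTS.items()
                 if include == k or include.endswith("." + k)), None)

def audit(spf_txt, dmarc_txt=None):
    includes, all_q, lookups = parse_spf(spf_txt)
    findings = []
    if all_q in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders")
    if lookups > 10:
        findings.append("SPF exceeds 10 DNS lookups")
    if dmarc_policy(dmarc_txt) in (None, "none"):
        findings.append("DMARC missing or p=none")
    return {"senders": sorted({vendor(i) for i in includes if vendor(i)}),
            "unreviewed_includes": [i for i in includes if not vendor(i)],
            "findings": findings}

# Constructed sample records (not real data).
SPF = "v=spf1 include:_spf.google.com include:sendgrid.net include:mail.vendor.example ~all"
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```

Calling `audit(SPF, DMARC)` on the constructed records lists two recognized senders, one include to review, and the `p=none` DMARC finding.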

### Layer 2: Website Source Inspection (Free, instant)

Fetches the target website and searches HTML for:
- Tracking pixels (Apollo, REB2B, HubSpot, Facebook, LinkedIn)
- Script tags loading third-party tools
- Meta tags and framework signatures
- Hidden form handlers and API endpoints

### Layer 3: Apify Technology Profiler (Pay-per-use, ~$0.005/domain)

Runs `justa/technology-profiling-engine` actor for deep detection of 7,000+ technologies using 8-tier inspection with confidence scores. Catches tools that don't appear in source code (loaded dynamically, via GTM, etc.).

### Layer 4: Blacklist Checks (Free, instant)

Queries 6 major DNS-based blacklists:
- Spamhaus (zen.spamhaus.org)
- Barracuda (b.barracudacentral.org)
- SpamCop (bl.spamcop.net)
- SORBS (dnsbl.sorbs.net)
- SURBL (multi.surbl.org)
- URIBL (black.uribl.com)
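A DNSBL lookup is only meaningful if the query name matches what the zone indexes and the reply is read correctly. The sketch below is an added example, not the skill's code. It assumes the first four zones are keyed by reversed IPv4 address and the last two by domain name, and that Spamhaus replies in `127.255.255.0/24` are error codes rather than listings; the function names and sample values are constructed.

```python
import ipaddress

# Zone names are the six listed above. Which lookup key each zone takes is
# general DNSBL knowledge assumed here, not taken from the skill's script.
IP_ZONES = ["zen.spamhaus.org", "b.barracudacentral.org", "bl.spamcop.net", "dnsbl.sorbs.net"]
DOMAIN_ZONES = ["multi.surbl.org", "black.uribl.com"]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies, not listings

def query_name(target, zone):
    """Reversed octets for an IPv4 address, the lowercased name for a domain."""
    try:
        ip = ipaddress.IPv4Address(target)
    except ValueError:
        return f"{target.rstrip('.').lower()}.{zone}"
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def plan(domain, sending_ips):
    """Query names to resolve: IPs against IP zones, the domain against domain zones."""
    return ([query_name(ip, z) for ip in sending_ips for z in IP_ZONES]
            + [query_name(domain, z) for z in DOMAIN_ZONES])

def classify(answers):
    """Interpret the A records of one lookup; an empty list stands for NXDOMAIN."""
    if not answers:
        return "not_listed"
    codes = [ipaddress.IPv4Address(a) for a in answers]
    if any(c in ERROR_RANGE for c in codes):
        return "query_error"      # e.g. resolver blocked or rate limited: retry elsewhere
    if all(c in LOOPBACK for c in codes):
        return "listed"
    return "invalid_answer"       # non-loopback reply, e.g. a wildcarding resolver

# Constructed sample inputs (documentation address range, not real data).
SAMPLE_PLAN = plan("Example.com", ["192.0.2.10"])
```

Treating every answer as a listing turns resolver errors into false positives, which is why `classify` separates `query_error` and `invalid_answer` from `listed`.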

### Layer 5: Public Complaint Search (Free)

Web searches for spam complaints on Trustpilot, Reddit, SpamCop forums, and general web. Also searches for the company + tool names to find public mentions of their stack.

## Cost

| Component | Cost |
|-----------|------|
| DNS queries | Free |
| Website source fetch | Free |
| Blacklist checks | Free |
| Web searches | Free |
| Apify Technology Profiler | ~$0.005 per domain |

**Typical costs:**

| Scenario | Domains | Est. Cost |
|----------|---------|-----------|
| Single company | 1 | ~$0.005 |
| Small batch | 5 | ~$0.025 |
| Large batch | 20 | ~$0.10 |

Skip the Apify profiler with `--no-apify` for free-only analysis (DNS + source + blacklists).

## Setup

### 1. Required

```bash
# dig (DNS lookups) — included on macOS/Linux
which dig

# curl (website source fetch) — included on macOS/Linux
which curl

# Python 3 with requests + dotenv
pip3 install requests python-dotenv
```

### 2. Optional (for Apify Technology Profiler)

```bash
# Get your token at https://console.apify.com/account/integrations
# Add to .env (keep .env out of version control, e.g. list it in .gitignore):
APIFY_API_TOKEN=apify_api_YOUR_TOKEN_HERE
```

## Usage

### Single Company

```bash
python3 scripts/recon.py --domains pump.co
```

### Batch of Companies

```bash
python3 scripts/recon.py --domains "dili.ai,pump.co,runautomat.com"
```

### Free-Only Mode (No Apify)

```bash
python3 scripts/recon.py --domains pump.co --no-apify
```

### Output to File

```bash
python3 scripts/recon.py --domains "dili.ai,pump.co" --output /path/to/report.md
```

### JSON Output

```bash
python3 scripts/recon.py --domains pump.co --json
```

## What the Script Does

For each domain:

1. **DNS Scan** — Queries MX, SPF, DKIM (18 common selectors), DMARC, TXT records, and 30+ common subdomains (email, tracking, click, bounce, send, smtp, mail, etc.)
2. **Website Source Scan** — Fetches the homepage HTML and greps for 40+ known tool signatures (script URLs, pixel IDs, tracking domains)
3. **Apify Technology Profile** (optional) — Runs deep 8-tier technology detection for 7,000+ technologies with confidence scores
4. **Blacklist Check** — Queries 6 DNS-based blacklists for the domain
5. **Outbound Domain Detection** — Checks if common variations of the domain exist (get[name].com, try[name].com, [name]reach.com, etc.) and analyzes their DNS for cold outbound patterns
6. **Report Generation** — Produces a structured markdown report with confirmed tools, evidence, email auth assessment, blacklist status, and an overall assessment

## Agent Integration

When using this skill as an agent, follow this flow:

1. User provides one or more company domains
2. Run `recon.py` for all domains (confirm Apify cost if > 5 domains)
3. Present the report — group findings by:
   - **Confirmed tools** (with evidence)
   - **Email authentication** (SPF/DKIM/DMARC assessment)
   - **Deliverability** (blacklist status + spam complaints)
   - **Notable signals** (outbound domains, missing DMARC, SPF gaps)
4. If batch, include a comparative summary table at the end

### Agent Without the Script

The agent can perform all checks manually using built-in tools:

**DNS checks** — Use `Bash` tool: