Nmap tells you what's open. ORION tells you what's possible.
ORION doesn't just find open ports. It discovers hosts, fingerprints services, maps DNS, pulls OSINT from 8 sources, reasons about what it finds with an LLM, generates attack plans, anonymises everything through 4 stealth levels, and renders the entire attack surface as a graph.
ARP, ICMP, TCP SYN, UDP probes. Identifies live hosts across subnets, cloud ranges, and segmented networks. Adaptive timing to avoid detection.
SYN, connect, UDP, FIN, XMAS, NULL, and idle scans. Service version detection. Top ports or full 65535. Rate-limited and stealth-aware.
OS detection, service banners, TLS certificate analysis, application-layer probes. Identifies technology stacks, frameworks, and known vulnerable versions.
Forward/reverse lookups, zone transfers, subdomain enumeration, DNS record analysis. Maps the full DNS footprint including cloud endpoints and CDN origins.
Shodan, Censys, VirusTotal, SecurityTrails, crt.sh, WHOIS, BGP, and passive DNS. Correlates external intelligence with active scan results.
Feeds all reconnaissance data into an LLM reasoning engine. Identifies attack paths, misconfigurations, and exposure patterns that scanners miss.
Generates prioritised attack plans from HUNTER's analysis. Maps services to known exploits, ranks by impact and feasibility, outputs actionable playbooks.
Anonymity engine. Level 1: direct. Level 2: proxy chains. Level 3: Tor routing. Level 4: distributed multi-hop with timing randomisation. All subsystems route through VOID.
Renders the full attack surface as an interactive graph. Hosts, ports, services, vulnerabilities, OSINT, and attack paths — all connected and explorable.
Cryptographic override. Private key controlled. One operator. Founder's machine only.
Passive reconnaissance only. OSINT, DNS, certificate transparency. No packets sent to target. No detection risk.
Simulates active scanning. Shows what would be discovered and what traffic would be generated. Ed25519 required. No execution.
Active stealth reconnaissance. Full scanning through VOID anonymity. All 9 subsystems engaged. Real traffic to target.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
9 subsystems. 8 OSINT sources. 4 stealth levels. LLM reasoning. Attack surface graphs. Reconnaissance evolved.