Skip to main content

Scanners

Scanners allow you to set up automated monitoring of stealer logs. When new credentials matching your search criteria are indexed, you’ll receive notifications via email, Discord webhook, or HTTP webhook.

How Scanners Work

Important: Scanners only find new data indexed after the scanner is created. They search using indexed_at date starting from when you created the scanner. To find existing data, use the regular search on OathNet.
  • Hourly Scanning: Scanners run automatically every hour
  • Incremental Search: Only searches for results indexed since the last run
  • Multiple Notification Types: Email, Discord, or custom HTTP webhook
  • Plan-Based Limits: Higher plans get more scanners

Scanner Limits by Plan

Each plan includes a different number of scanners. Check your plan details on the Pricing Page for current limits. You can view your remaining scanner quota in Dashboard → Notifier (shown as “X/Y scanners” in the header).

Creating a Scanner (Dashboard UI)

  1. Go to oathnet.org/dashboard
  2. Click the Notifier tab
  3. Click New Scanner
  4. Fill in the form:

Scanner Name

A friendly name to identify your scanner (e.g., “Company Domain Monitor”).

Query Filters

Add at least one filter to monitor. When new stealer logs matching your filters are indexed, you’ll be notified.
FilterDescriptionExample
DomainsMonitor credentials from specific domainsexample.com
SubdomainsMonitor specific subdomainsmail.example.com
UsernamesMonitor specific usernames or emails[email protected]
PasswordsMonitor specific password patternsSummer2024!
PathsMonitor specific URL paths/admin/login
Log IDMonitor a specific stealer log (Advanced)abc123...
Combine multiple filters for more precise monitoring. For example, add both your company domain AND common admin usernames.

Notification Method

Choose how you want to be notified:
MethodDescription
EmailSends to your account email with results summary and link
Discord WebhookPosts a rich embed to your Discord channel
Custom WebhookSends JSON payload to your own endpoint

Webhook URL

Required for Discord and Custom Webhook notifications.
  • Discord: Get your webhook URL from Discord Server Settings → Integrations → Webhooks
    • Format: https://discord.com/api/webhooks/{id}/{token}
  • Custom: Any HTTPS URL that accepts POST requests
    • Must use HTTPS (not HTTP)
    • Must be a domain name (IP addresses not allowed)

Notify on Zero Results

When enabled: You’ll receive a notification every time the scanner runs, even if no new results are found. Useful for confirming your webhook is working. When disabled (default): You’ll only receive notifications when new matching results are found. Recommended for production use to avoid notification spam.

Scanner Actions

Test Notification

Click Test to send a test notification to verify your webhook is configured correctly. This sends a test payload without running an actual search.

Run Now

Click Run Now to manually trigger the scanner immediately instead of waiting for the next hourly run.

Pause / Resume

Temporarily pause a scanner without deleting it. Paused scanners won’t run until resumed.

View Details

See scanner run history, including:
  • When each run occurred
  • How many results were found
  • Notification delivery status

Webhook Payload Format

When using Custom Webhook, you’ll receive this JSON payload: 
{
  "event": "scanner.results_found",
  "scanner": {
    "uid": "550e8400-e29b-41d4-a716-446655440000",
    "name": "My Company Monitor",
    "type": "stealer",
    "query_config": {
      "domain[]": ["example.com"]
    }
  },
  "run": {
    "uid": "660e8400-e29b-41d4-a716-446655440001",
    "search_from": "2024-01-15T00:00:00Z",
    "search_to": "2024-01-15T01:00:00Z"
  },
  "results": {
    "count": 5,
    "sample": [
      {
        "domain": ["example.com"],
        "subdomain": ["login.example.com"],
        "url": "https://login.example.com/auth",
        "username": "[email protected]",
        "password": "password123",
        "indexed_at": "2024-01-15T00:45:00Z"
      }
    ]
  },
  "search_url": "https://oathnet.com/?mode=manual&type=stealer&filter=...",
  "timestamp": "2024-01-15T01:00:00Z"
}
Headers included:
  • Content-Type: application/json
  • User-Agent: OathNet-Scanner/1.0
  • X-Scanner-UID: <scanner-uuid>
Event types:
  • scanner.results_found - Real results found
  • scanner.test - Test notification

Replicating Scanner Behavior via API

If you want to build your own scanner logic using the API, you can replicate the scanner behavior by using the indexed_at date filter. Example: Search for new stealer logs since a specific date 
curl "https://oathnet.org/api/service/v2/stealer/search?\
q=example.com&\
domain[]=example.com&\
from=2024-01-15T00:00:00Z&\
date_field=indexed_at" \
  -H "x-api-key: YOUR_API_KEY"
Key parameters:
  • from - Search for results indexed after this date (ISO 8601 format)
  • date_field=indexed_at - Filter by when OathNet indexed the result (not when it was originally compromised)
This is exactly what scanners do internally - they store the last run timestamp and use it as the from date for the next search.

Example Webhook Handlers

Node.js

const express = require('express');
const app = express();
app.use(express.json());

app.post('/oathnet-webhook', (req, res) => {
  const { event, scanner, results } = req.body;

  if (event === 'scanner.test') {
    console.log('Test notification received');
    return res.status(200).json({ received: true });
  }

  if (event === 'scanner.results_found') {
    console.log(`Scanner "${scanner.name}" found ${results.count} results`);
    // Process results, alert security team, etc.
  }

  res.status(200).json({ received: true });
});

app.listen(3000);

Python

from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/oathnet-webhook', methods=['POST'])
def handle_webhook():
    data = request.json
    event = data.get('event')

    if event == 'scanner.test':
        print('Test notification received')
    elif event == 'scanner.results_found':
        print(f'Found {data["results"]["count"]} results')
        # Process results, alert security team, etc.

    return jsonify({'received': True})

Troubleshooting

No results found

  • Scanners only find new data indexed after creation
  • Use the regular search to find existing data
  • Make sure your filters aren’t too restrictive

Not receiving notifications

  • Check if “Notify on Zero Results” is enabled (for testing)
  • Use “Test” button to verify webhook is working
  • Check scanner run history for notification errors
  • Ensure webhook URL is HTTPS and responds with 2xx status

Scanner disabled

  • Scanners are auto-disabled after 5 consecutive failures
  • Check if your plan still allows scanners
  • Re-enable from the scanner details page

Scanner Management API

Coming Soon: Scanner API access via API key is not yet available. Currently, scanners can only be managed through the OathNet Dashboard. API support will be added in a future update.