Case Study:

TraceTrellis - Multi-Source OSINT Platform with Domain Security Intelligence

The Challenge

Investigators, security professionals, and due diligence analysts routinely need to build a complete picture of a digital subject (email addresses, domains, usernames), but the data is scattered across dozens of disconnected sources: breach databases, WHOIS registries, DNS records, certificate transparency logs, web archives, paste sites, and social platforms. Working across these manually is slow, produces no unified view, and makes it nearly impossible to see how entities relate to each other.

Beyond raw data aggregation, there was a deeper gap: no existing free tool assessed the security posture of a domain as part of the investigation. Knowing that a domain exists is one signal; knowing that it runs an outdated technology stack, exposes a database port to the internet, or fails to enforce HTTPS is an entirely different level of intelligence. The goal was to collapse the full workflow into a single investigation that runs in seconds and surfaces both the data and the risk.

Engineering Solution

TraceTrellis was architected as a multi-source intelligence platform built around a parallel job dispatch system. Each of the 16 integrated data sources runs as an independently managed job. Sources execute concurrently rather than sequentially, cutting total investigation time to a fraction of what sequential calls would require. Each source is a self-contained, pluggable service implementing a shared interface with its own timeout, failure handling, and artifact output, so new sources can be added to the registry without modifying the core pipeline.

Domain investigations run a full security intelligence pass in addition to standard OSINT collection: SSL certificate inspection, HTTP security header analysis, open port scanning against a curated list of high-risk services, and technology stack fingerprinting. Results from all sources are unified into a typed artifact store, fed into a relationship graph visualization that maps entity connections interactively, and scored against a multi-dimensional exposure model that weighs breach exposure, social footprint, domain visibility, and security posture into a single risk score.

Technical Highlights

  • Parallel job dispatch system executing up to 16 source jobs concurrently, with per-source timeout enforcement, typed failure tracking, and real-time progress reporting; failed sources are recorded as structured failure records rather than silently dropped
  • Domain security intelligence pipeline covering SSL certificate metadata and expiry analysis, eight HTTP security header checks with remediation guidance, open port exposure scanning with automatic risk flagging for high-severity services, and passive technology fingerprinting, all scored and surfaced alongside OSINT findings
  • Interactive relationship graph visualization mapping how discovered entities connect (domains linked to shared registrants, usernames appearing across platforms, breaches tied to email addresses), with the graph state captured and embedded directly into PDF exports
  • Multi-dimensional exposure scoring model weighing breach data, social footprint, domain visibility, and security posture into a single normalized risk score per investigation
  • PDF report generation supporting fully custom-branded exports: a user-uploaded logo, company name, tagline, and contact details are injected into every page, producing a client-ready deliverable with no platform branding
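
The parallel dispatch described under Engineering Solution and in the first highlight can be sketched as follows. This is an added example, not TraceTrellis code: the `Source` interface, the `Artifact` and `Failure` types, and the three stub sources are hypothetical names constructed for illustration, and the stubs make no network calls.

```python
import asyncio
from dataclasses import dataclass

@dataclass
class Artifact:            # typed output record (hypothetical shape)
    source: str
    kind: str
    value: str

@dataclass
class Failure:             # structured failure record instead of a silent drop
    source: str
    reason: str            # "timeout" or "error"
    detail: str = ""

class Source:
    """Shared interface (assumed): a name, a per-source timeout, and run()."""
    name, timeout = "base", 1.0
    async def run(self, subject):
        raise NotImplementedError

class FastSource(Source):      # constructed stub: answers quickly
    name = "fast"
    async def run(self, subject):
        await asyncio.sleep(0.01)
        return [Artifact(self.name, "domain", subject)]

class SlowSource(Source):      # constructed stub: exceeds its own timeout
    name, timeout = "slow", 0.05
    async def run(self, subject):
        await asyncio.sleep(5)
        return []

class BrokenSource(Source):    # constructed stub: fails mid-run
    name = "broken"
    async def run(self, subject):
        raise ValueError("upstream returned malformed data")

async def _run_one(src, subject):
    # Enforce this source's timeout; convert any failure into a record.
    try:
        return await asyncio.wait_for(src.run(subject), timeout=src.timeout)
    except asyncio.TimeoutError:
        return Failure(src.name, "timeout", f"exceeded {src.timeout}s")
    except Exception as exc:
        return Failure(src.name, "error", f"{type(exc).__name__}: {exc}")

async def dispatch(registry, subject):
    # All sources start together; one slow or broken source cannot stall the rest.
    results = await asyncio.gather(*(_run_one(s, subject) for s in registry))
    artifacts = [a for r in results if isinstance(r, list) for a in r]
    failures = [r for r in results if isinstance(r, Failure)]
    return artifacts, failures

def investigate(subject, registry=(FastSource(), SlowSource(), BrokenSource())):
    return asyncio.run(dispatch(registry, subject))
```

Adding a source here means adding one class to the registry tuple; `dispatch` itself does not change.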