ARL
ARL is an asset reconnaissance platform designed to discover and catalog internet-facing assets associated with a target organization, including domains, IPs, open ports, and web services. It provides automated scanning, fingerprinting, monitoring, and risk detection for security teams and penetration testers. This is a community-maintained fork of the original project, updated with improved tooling, higher concurrency, and expanded fingerprint databases.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | adysec/ARL |
| Owner | adysec |
| Primary language | Python |
| License | CC0-1.0 — Requires review (not clearly OSI) |
| Stars | 879 |
| Forks | 269 |
| Open issues | 1 |
| Latest release | Unknown |
| Last updated | 2026-07-07 |
| Source | https://github.com/adysec/ARL |
What ARL is
ARL is a Python/Flask-based reconnaissance framework that integrates nmap, nuclei, and custom fingerprint libraries to automate asset discovery across multiple data sources (FOFA, Shodan, DNS enumeration, certificate transparency, etc.). It uses MongoDB, RabbitMQ, and systemd services for task orchestration and includes web UI for asset management, monitoring, and scheduled scanning. This fork adds CentOS 8 Docker support, removed domain/IP limits, increased database timeout, and bundled additional fingerprint databases (eHole, FingerprintHub, dismap) with deduplication.
Get the ARL source
Clone the repository and explore it locally.
git clone https://github.com/adysec/ARL.gitcd ARL# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Docker deployment recommended; CentOS 8 base image and single-container mode simplify setup but require network access to pull from custom Docker registries (docker.adysec.com or self-hosted mirror) due to rate limiting.
- Requires 4+ CPU cores and 8GB RAM minimum; cloud deployment recommended due to high egress traffic from concurrent scanning (DNS, port, web reconnaissance); on-premise networks may experience bandwidth saturation.
- MongoDB and RabbitMQ services must be configured and reachable; default credentials hardcoded in Docker image require manual reset post-deployment; systemd service dependencies (arl-web, arl-worker, arl-worker-github, arl-scheduler) must be managed.
- Query plugins (FOFA, Shodan, Hunter, etc.) require API keys; failure to configure reduces asset discovery effectiveness; DNS resolution via smartdns recommended for performance; WAF/IDS rules may block nuclei PoC and file leakage scans.
- Fingerprint databases can be manually updated via JSON import; tool versions (nmap, nuclei) auto-updated via GitHub Actions in this fork; no explicit version pinning or rollback mechanism documented.
When to avoid it — and what to weigh
- Production Use Without Legal Review — Automated scanning and reconnaissance tools can trigger intrusion detection systems, generate network noise, and may violate terms of service or local laws if used against third-party infrastructure without authorization.
- Strict Air-Gapped or Isolated Network Requirements — ARL requires internet connectivity for query plugins (FOFA, Shodan, crt.sh, etc.) and regular tool updates (nuclei, nmap). Offline-only deployments would require significant customization and manual data updates.
- Need for Commercial SLA or Enterprise Support — This is a community fork with no official support, SLA, or commercial backing. No guarantee of security patches, feature development, or incident response.
- Compliance-Sensitive Environments Without Risk Assessment — Network scanning and automated reconnaissance may conflict with compliance policies (PCI-DSS, HIPAA, etc.) without proper documentation, risk acceptance, and isolated test networks.
License & commercial use
Licensed under CC0-1.0 (Creative Commons Zero v1.0 Universal), which dedicates the work to the public domain. This is NOT an OSI-approved open-source license and does NOT provide explicit software patent indemnification, warranty disclaimers, or liability limitations typical of GPL, MIT, or Apache licenses.
CC0-1.0 places the work in the public domain and permits commercial use, modification, and distribution without attribution or license obligations. However, CC0 is not designed for software and lacks standard liability/warranty waivers found in software licenses. Requires legal review before commercial deployment: no patent guarantees, no warranty disclaimers, and ambiguous liability. Using in a commercial product without independent legal assessment carries elevated risk.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Needs review |
| Deployment complexity | Moderate |
| DEV.co fit | Possible |
| Assessment confidence | High |
ARL performs network reconnaissance at scale (DNS, port scanning, web crawling, file enumeration), generating significant traffic and potential IDS/WAF triggers. Automated scanning can be detected and blocked by defenders. Consider: (1) Legitimate scope and authorization before deployment; (2) Network segmentation to avoid scanning internal/production assets accidentally; (3) Monitor outbound traffic and potential data exfiltration via query plugins (FOFA, Shodan); (4) Secure MongoDB and RabbitMQ access (default passwords in Docker require immediate change); (5) No end-to-end encryption for stored asset data; (6) Query plugin API keys stored in plaintext or weakly protected in config.
Alternatives to consider
Shodan / FOFA / Hunter (Direct)
These are paid commercial services with broader internet scanning coverage and legal guarantees. Use directly for asset discovery without deploying infrastructure; less customization and automation than ARL.
Nessus / Qualys / Rapid7 Nexpose
Enterprise vulnerability management platforms with native asset inventory, port scanning, fingerprinting, and monitoring. Higher cost but include support, SLA, compliance reporting, and liability protection.
OWASP Amass / Subfinder / Assetfinder
Lightweight, CLI-based asset enumeration tools (OSI-licensed, actively maintained) suitable for penetration testers. No UI or persistent storage; lower overhead; integration with custom scripts via pipes.
Build on ARL with DEV.co software developers
ARL offers a powerful, open-source platform for automated asset discovery and monitoring. Review deployment complexity, integration requirements, and legal considerations before production use. Consult your security and legal teams regarding scope, authorization, and compliance.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
ARL FAQ
What is the difference between this fork and the original ARL?
Do I need API keys for FOFA, Shodan, Hunter, etc.?
Is this safe to use in production networks?
What is the licensing risk for commercial use?
Software developers & web developers for hire
DEV.co helps companies turn open-source tools like ARL into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Evaluate ARL for Your Reconnaissance Needs
ARL offers a powerful, open-source platform for automated asset discovery and monitoring. Review deployment complexity, integration requirements, and legal considerations before production use. Consult your security and legal teams regarding scope, authorization, and compliance.