DEV.co
Open-Source Security · BishopFox

eyeballer

Eyeballer is a Python-based CNN that automatically classifies web application screenshots into categories like 'Old-Looking Sites', 'Login Pages', 'Webapps', 'Custom 404s', and 'Parked Domains' to help penetration testers identify vulnerable targets at scale. It outputs both human-readable HTML and machine-readable CSV results with reported 93.52% binary accuracy.

Source: GitHub — github.com/BishopFox/eyeballer
1.3k
GitHub stars
147
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryBishopFox/eyeballer
OwnerBishopFox
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars1.3k
Forks147
Open issues9
Latest release3.0 (2021-04-22)
Last updated2026-03-08
Sourcehttps://github.com/BishopFox/eyeballer

What eyeballer is

A TensorFlow-based multi-label image classifier trained on pentest screenshots to detect patterns indicative of security risk or low-value targets. The model is distributed as pretrained H5 weights, accepts 224x224 PNG/image inputs, and supports both CPU and GPU inference. Training pipeline and evaluation metrics provided.

Quickstart

Get the eyeballer source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/BishopFox/eyeballer.gitcd eyeballer# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Large-scope penetration test triage

Filter thousands of screenshots from tools like EyeWitness/GoWitness to prioritize high-value targets (old-looking, webapp with functionality) and exclude noise (parked domains, custom 404s).

Automated screenshot classification workflow

Integrate into CI/CD or custom tooling to batch-process and categorize web reconnaissance output, reducing manual review overhead.

Retraining on custom target datasets

Organizations with proprietary screenshot libraries can retrain the model on custom distributions using the provided training pipeline to improve label precision for their specific threat model.

Implementation considerations

  • Screenshots must be 1.6:1 aspect ratio (e.g., 1440×900) for best accuracy; wrong ratios reduce precision due to image squishing during resize.
  • Pretrained weights must be downloaded separately from GitHub releases; ensure version compatibility with installed TensorFlow (GPU/CPU).
  • GPU setup for training is undocumented; CPU training will be slow. Only inference mode is likely practical on standard hardware.
  • Multi-label classification outputs all applicable labels per image; interpret results as overlapping categories, not mutually exclusive buckets.
  • Results are two-file output (HTML for review, CSV for integration); downstream tooling must parse CSV to filter or prioritize.
  • Model performance degrades on labels with lower recall (e.g., 'Old Looking' 62.20%, 'Parked Domain' 66.43%); manual validation recommended for high-stakes decisions.

When to avoid it — and what to weigh

  • Real-time, sub-second inference required — CPU inference is slow for bulk classification. GPU setup is undocumented and non-trivial. Batch processing is the intended use case.
  • Non-English or highly regional web interfaces — Training data is pentest-oriented English-language screenshots. Label definitions assume Western web design patterns; effectiveness on other regions/languages is unknown.
  • Production SaaS or critical security appliance — Last release was April 2021 (v3.0), with recent updates (March 2026 push) but no published release notes. No formal support, security audit, or SLA available.
  • Closed-source commercial product deployment — GPL-3.0 requires derivative works to be open-source. Proprietary tools incorporating this model must expose source, which may conflict with IP protection goals. Requires legal review.

License & commercial use

Licensed under GNU General Public License v3.0 (GPL-3.0). This is a copyleft license requiring any modifications or derivative works to remain open-source and distribute source code under the same license.

GPL-3.0 permits commercial use of the unmodified software, but any proprietary modifications or derivative works must be released as open-source under GPL-3.0. Using this in a closed-source product or modifying it for a SaaS offering likely violates the license. Requires legal review before any commercial bundling or redistribution. The online demo (eyeballer.bishopfox.com) does not imply commercial support or indemnification.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceMedium
Security considerations

No security audit, CVE history, or vulnerability disclosure policy documented. As a machine learning model, consider: (1) model poisoning or adversarial input robustness is not discussed; (2) input validation for image uploads is not specified (size limits, format validation); (3) GPU inference may expose side-channel risks in shared environments; (4) pretrained weights are unsigned/unverified—validate source from official GitHub releases. Use in offline/sandboxed environments only if ingesting untrusted screenshots.

Alternatives to consider

Manual screenshot review / custom regex/heuristics

No model complexity or licensing overhead; slower and error-prone but fully transparent and modifiable. Suitable for small scopes.

EyeWitness / GoWitness (screenshotting tools with built-in filtering)

These tools provide basic heuristic-based classification (e.g., HTTP status, title tags) without ML. Faster, no training data needed, but less sophisticated category detection.

Commercial OSINT/reconnaissance platforms (e.g., Shodan, censys.io, similar ML classifiers)

Proprietary SaaS with support, API, and commercial guarantees. No local deployment or GPL licensing concerns; higher cost and data privacy implications.

Software development agency

Build on eyeballer with DEV.co software developers

Eyeballer is open-source and powerful for triage—but deployment, retraining, and licensing require planning. Devco can help architect a custom or wrapped solution. Let's talk.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

eyeballer FAQ

Can I use Eyeballer for a commercial penetration testing service or product?
Not without legal review. GPL-3.0 permits using the unmodified binary, but bundling it into a closed-source tool or modifying it requires releasing source under GPL-3.0. Consult your legal team before commercial deployment.
How long does inference take on a large screenshot directory?
Unknown; depends on CPU/GPU hardware and image count. The README notes that GPU setup is required for reasonable training speed; no inference time benchmarks are provided. Expect CPU inference to be slow for thousands of images.
What if my screenshots are not 1.6:1 aspect ratio?
The model will auto-scale them, but label precision degrades because images are squished. Best practice: screenshot at 1440×900 or similar 1.6:1 ratio before feeding to Eyeballer.
Can I retrain the model on my own data?
Yes. The `train` subcommand supports retraining if you have a `images/` folder and `labels.csv`. GPU is strongly recommended. The Kaggle training dataset is referenced; you must download it separately.

Software developers & web developers for hire

Adopting eyeballer is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Need to integrate AI-powered security tooling?

Eyeballer is open-source and powerful for triage—but deployment, retraining, and licensing require planning. Devco can help architect a custom or wrapped solution. Let's talk.