interactsh
Interactsh is an open-source out-of-band (OOB) interaction detection tool used to identify vulnerabilities that trigger external interactions. It provides both a client library and a self-hosted server supporting DNS, HTTP(S), SMTP(S), and LDAP channels with encryption and zero logging.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | projectdiscovery/interactsh |
| Owner | projectdiscovery |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 4.4k |
| Forks | 467 |
| Open issues | 17 |
| Latest release | v1.3.1 (2026-03-10) |
| Last updated | 2026-07-03 |
| Source | https://github.com/projectdiscovery/interactsh |
What interactsh is
Built in Go, Interactsh operates as a dual-component system: a client that generates unique payloads for injection testing, and a server that captures and logs interactions across multiple protocols. It offers self-hosted deployment with wildcard DNS support, ACME-based TLS automation, and optional authentication.
Get the interactsh source
Clone the repository and explore it locally.
git clone https://github.com/projectdiscovery/interactsh.gitcd interactsh# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Verify Go version >= 1.20 for client and self-hosted server installation; confirm Docker availability if containerized deployment is preferred.
- For self-hosted deployment: plan DNS zone delegation (wildcard records), TLS certificate management via ACME, and network egress rules for interaction capture.
- Configure PDCP_API_KEY for managed cloud payload servers, or run private instance; understand polling interval (default 5s) impact on testing workflow latency.
- Review encryption model (AES mentioned in docs) and session persistence via session files; test interaction filtering and output formats (JSON, text) before production use.
- If using Burp/ZAP integration: validate plugin compatibility with your version and confirm payload injection points align with your testing scope.
When to avoid it — and what to weigh
- Monitoring or logging production traffic — Interactsh is narrowly scoped for security testing OOB interactions, not general network monitoring or logging infrastructure.
- Requirement for HIPAA/PCI compliance without auditing capability — While it advertises 'zero logging,' no compliance certifications or audit reports are evident in the repository. Self-hosted deployments require independent security review.
- Teams unfamiliar with Go or container deployment — Self-hosted server setup requires Go 1.20+ or Docker. CLI client also requires Go 1.20+; no prebuilt binaries documented for all platforms.
- Real-time, high-volume interaction correlation at scale — Not designed for massive-scale telemetry collection; best suited for targeted testing sessions with manageable payload counts.
License & commercial use
Licensed under MIT (permissive OSI license). Permits commercial use, modification, and distribution with minimal restrictions. Requires inclusion of original license and copyright notice.
MIT license explicitly permits commercial use. No proprietary restrictions, source code modifications, or resale limitations. However, no indemnification or warranty is provided. Recommend review by legal/compliance team before embedding in commercial products, especially for liability-sensitive contexts.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool advertises AES encryption for payload/response data and 'zero logging' on managed servers. Claims ACME-based automatic TLS with wildcard certificate renewal. Independent security audits not evident. Self-hosted deployments inherit responsibility for secure TLS, DNS delegation, network isolation, and payload handling. Ensure interactsh-client and server versions are kept current to receive security patches.
Alternatives to consider
Burp Suite Collaborator
Proprietary, integrated OOB detection within Burp Pro; easier UI but vendor lock-in and ongoing licensing cost; limited to Burp ecosystem.
Request Bin / Webhook.site
Simpler HTTP-only payload inspection; lightweight but lacks DNS/SMTP/LDAP support; less suited for professional penetration testing workflows.
CanaryTokens
Free, hosted OOB detection for DNS/HTTP; minimal setup; less configurable and limited to basic vulnerability validation vs. targeted security testing.
Build on interactsh with DEV.co software developers
Get started with the open-source client or deploy a self-hosted server. No licensing fees, full source transparency, and integration with your favorite security tools.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
interactsh FAQ
Can I use Interactsh in a fully air-gapped environment?
Does Interactsh log or retain interaction data on managed servers?
How does Interactsh differ from Burp Collaborator?
What are the compute/network requirements for self-hosted server?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like interactsh. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Deploy Interactsh for Your Security Testing
Get started with the open-source client or deploy a self-hosted server. No licensing fees, full source transparency, and integration with your favorite security tools.