v3.1 · local-onlyRecon-grade extraction

Drop a leak.
See what's inside.

BLINK reads through breach dumps, S3 spills, and stolen archives — and tells you, in under two minutes, exactly what was exposed.

→ Drop file · or click anywhere in this panel

Drop a .zip, .tar.gz, .sql, or any archive.

Supported49 formats

.zip.tar.tar.gz.7z.rar.sql.sqlite.pst.mbox.eml.pdf.docx.xlsx.csv.log.json.env.pem.pcap.dmg+29

SHA-256 on-the-fly

OCR tesseract-5

Decompress recursive · 12 lvls

Entropy ≥ 4.5 bits

4.3 GB / 1m 42s

Median throughput

2,184 signatures

Pattern library

0 bytes uploaded

Network egress

02 / 07Pattern library · 2,184 signatures

Everything they didn't mean to leave.

Six categories, one pass. BLINK pulls high-signal items out of raw dumps using a curated signature library — not a model that hallucinates secrets that aren't there.

Credentials

Passwords, hashes, session cookies — across plaintext dumps, SQL exports, and old config files.

14,206 bcrypt318 argon21,902 md584 plain

API tokens & keys

Live keys for AWS, GCP, Stripe, Slack, GitHub, OpenAI, Twilio and 240 other providers.

12 AWS3 Stripe live27 GitHub PAT19 Slack

PII

Names, emails, DOB, government IDs, addresses, payment data — flagged with their jurisdiction.

6,114 EU GDPR4,338 US PCI1,902 UK71,758 other

Crypto material

Private keys (RSA, EC, Ed25519), wallet seeds, recovery phrases and certificate chains.

18 RSA11 EC6 seed phrase203 x509

Internal topology

Hostnames, S3 buckets, VPN endpoints, Kubernetes namespaces — anything that maps the attack surface.

2,906 hosts84 S311 VPN62 k8s

Communications

Emails, chat logs and ticket threads — clustered by participant, redacted, full-text searchable.

8,204 mbox6,118 slack1,881 jira

03 / 07Pipeline

Three moves. That's it.

No buckets to configure, no models to wait on. The whole pipeline runs locally and finishes before your coffee.

Drop the archive.

Any envelope BLINK knows how to crack — .zip, .tar.gz, .7z, .sql, .pcap, even nested 12 levels deep. SHA-256 is computed inline so the fingerprint is ready before extraction finishes.

→ recursive · sandboxed · zero network

BLINK extracts.

2,184 hand-tuned signatures sweep every byte. OCR for scanned PDFs and screenshots. Entropy scoring catches the secrets we don't have a pattern for yet.

→ ~40 MB/s on M-series · sig-pack v3.1.8

III

You triage.

Findings are sorted by blast radius, deduped against the noise floor, and cross-linked to the identities they belong to. Export to SARIF, JSON, CSV or a one-page exec PDF.

→ SARIF · JSON · CSV · STIX 2.1 · PDF

04 / 07Sample · Anonymized

A report looks like this.

One pane. Severity-sorted. Every finding is a path, a line number, and a redacted preview you can copy with one keystroke. Below is the report BLINK produced from a fabricated "WyndCorp" breach dump — same shape as the real thing.

BLINK — report · blk:7f2a·c019·d3e1·8b44

local · airgapped

▸ Extraction complete

wyndcorp-leak-2026-03.tar.gz

4.3 GB·28,411 files·scanned in 00:01:42·2,184 patterns matched

Critical 23High 184Medium 612Low 1893

1,247

Credentials

passwords · keys · cookies

318

API tokens

AWS · GCP · Stripe · Slack

84,112

PII records

names · emails · DOB · SSN

Crypto material

private keys · seeds

2,906

Internal URLs

hosts · S3 buckets · VPNs

16,203

Communications

emails · chats · tickets

SeverityFinding

critical#0001

AWS Root Credential

infra/legacy/.terraform/state.tfstate.backup : line 1842

AWS_SECRET_ACCESS_KEY = "wK•••••••••••••••••••••••••••••••MzQ7Lf"

· account 8341••••3206· us-east-1· active 14 mo

critical#0002

Stripe Live Key

services/billing-svc/.env.production : line 12

STRIPE_SECRET = "sk_live_••••••••••••••••••••••••••8a3f"

· live· platform· last rotated 2023-08-11

critical#0003

Private SSH key (RSA-2048)

team/m.alvarez/.ssh/id_rsa : line 1

-----BEGIN RSA PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFA••• [2031 chars]

· passphrase: none· fingerprint SHA256:Lh1q••••dG0

high#0004

Database URI

k8s/prod/configmap.yaml : line 84

postgres://wynd_app:n7K••••••@db-prod-1.wynd.internal:5432/orders

· prod· 10.4M rows reachable

high#0005

Slack Bot Token

scripts/oncall/notify.py : line 6

SLACK_BOT = "xoxb-2348••••••••••-••••••••-Wq3K"

· scopes: chat:write, files:read

high#0006

Bcrypt password hashes

dumps/users_2024_q4.sql : line —

$2b$12$jY7•••••••••••••••••••.zG1mTpQq.Kxg2zT (×14,206)

· 14,206 rows· cost factor 12

medium#0007

Customer PII (PCI scope)

exports/refunds-2025-12.csv : line header+

full_name, dob, last4, billing_addr, phone — 28,411 records

· PCI-DSS in scope· EU residents: 6,114

medium#0008

Internal hostnames

ops/dns-zone-internal.txt : line —

vault.wynd.internal · gitlab-runner-7.wynd.internal · +312 hosts

· expands attack surface map

low#0009

Email addresses (employees)

comms/2024-mbox/*.mbox : line —

j••@wyndcorp.com, m.••••rez@wyndcorp.com, +1,604 unique

· from: 1,238 internal threads

↓ 2,703 more findings · load all

05 / 07Local · airgapped · auditable

It never leaves the machine.

01
Zero network egress.BLINK ships as a single signed binary. After install, the process is sandboxed with no outbound sockets. We can't see your dumps because we can't reach them.
netfilter
02
Ephemeral by default.Extracted previews live in a tmpfs scratch and are zeroed when you close the report. Persistence is opt-in and writes only to a path you choose.
tmpfs
03
Reproducible builds.Every release is built from a public commit, with a SLSA-3 provenance attestation. Diff the binary against the source. Hash matches or it doesn't run.
slsa-3
04
Read-only on the source.BLINK refuses to mount your archive writable. The original bytes are never modified, never re-archived, never silently re-uploaded somewhere "for analysis."
O_RDONLY

06 / 07Field-tested

Already read 4.2 million dumps.

BLINK is used in incident response, M&A diligence, journalism, threat-intel, and litigation discovery. Numbers below are aggregated from opt-in telemetry across v2 and v3.

4.2Marchives

Processed since 2024

From 1 KB envelopes to 1.4 TB monsters.

312kcritical

Live credentials found

Rotated before they could be re-used.

1m 42smedian

Time-to-first-finding

Across the WyndCorp-class workload.

2,184sigs

Pattern library

Maintained weekly. Community PRs welcome.

49formats

Container support

Archives, mailboxes, databases, pcaps.

0B/job

Network egress

Verified in the netfilter audit.

14orgs

National CSIRTs deployed

Names withheld at their request.

87%p95

Reduction in triage time

vs. grep + spreadsheets, per IR teams.

07 / 07$0 to read · paid to extract

Read your first leak
in the next two minutes.

▸ Download for macOS · 38 MB Linux · Windows · Docker

Free for individual responders. Team licenses start at $1,800/seat/yr. National CSIRTs and accredited newsrooms — free, contact us.

BLINK v3.1.8 · sig-pack 2026-05-12

changelog signatures audit (PDF)github

Drop a leak.See what's inside.

Everything they didn't mean to leave.

Credentials

API tokens & keys

PII

Crypto material

Internal topology

Communications

Three moves. That's it.

Drop the archive.

BLINK extracts.

You triage.

A report looks like this.

It never leaves the machine.

Already read 4.2 million dumps.

Read your first leakin the next two minutes.

Drop a leak.
See what's inside.

Read your first leak
in the next two minutes.