The app that cracks all the other IP Scanners & Network Analyzers
200+ features · Zero dependencies · Pure macOS power
See how Paranoid compares to the most popular network scanners on the market.
A blazing-fast discovery engine that finds every device on your network—even those hiding behind firewalls with no open ports.
ARP prepopulation → ARP snapshot → TCP scan → ARP injection → re-sweep → enrichment. Six phases ensure no device is missed, including IoT devices, phones, and smart TVs with no open ports.
Scan by CIDR notation (192.168.1.0/24), IP range (10.0.0.1-10.0.0.254), or single host. Auto-detect your local subnet or manually specify custom ranges.
Four pre-configured profiles: Fast (quick sweep), Standard (balanced), Thorough (deep scan), and Custom (tune every parameter). Each profile adjusts ARP timing, concurrency, and timeout values.
Evade Intrusion Detection Systems with configurable jitter between probes, reduced concurrency, and randomized scan order. Perfect for authorized penetration testing without triggering alerts.
PROAutomatically detects active VPN connections by analyzing IPv4 routing tables. Prevents false positives from macOS system interfaces (iCloud Private Relay, Xcode tunnels) that confuse other scanners.
Enumerates all network interfaces (Ethernet, WiFi, Thunderbolt, USB) with real-time NWPathMonitor tracking. Automatically selects the active interface and updates when you switch networks.
3-tier resolution: local IEEE CSV database (33,000+ entries) → online maclookup.app API → embedded fallback. Identifies the manufacturer of every network card.
Multi-signal analysis using TCP TTL values, TCP window sizes, port presence patterns, and DNS behavior. Distinguishes Windows, macOS, Linux, iOS, Android, and embedded OS variants.
Automatically classifies into 15+ categories: smartphone, laptop, desktop, tablet, printer, router, camera, smart TV, IoT sensor, NAS, game console, wearable, and more.
Enriches identification with the Fingerbank API using MAC address, mDNS services, UPnP headers, and hostname signals. Returns specific device models (e.g., "iPhone 15 Pro", "Samsung Galaxy S24") with confidence scores.
APIBuilt-in database of Apple hardware identifiers. Maps Bonjour model strings to specific product names (MacBook Air M2, iPad Pro 12.9", Apple TV 4K, HomePod mini, etc.).
Runs mDNS/Bonjour, NetBIOS, SSDP/UPnP, SNMP, and DNS reverse lookups in parallel. Each protocol contributes unique identification signals that are merged into a unified device profile.
Full TCP connect scanning with concurrent connections (configurable 10-200 threads). UDP scanning for DNS, SNMP, DHCP, NTP, and other UDP-based services.
Built-in database mapping 145+ well-known ports to their services (HTTP, SSH, SMB, RDP, MySQL, PostgreSQL, Redis, etc.). Instantly see what services are running.
Sends nmap-format probes in rarity order, matches responses against thousands of regex rules, and extracts product name, version, and CPE string. Identifies Apache, Nginx, OpenSSH, Samba, and hundreds more.
Distinguishes between Open (service accepting connections), Closed (port reachable but no service), and Filtered (firewall blocking). Color-coded for instant visual assessment.
Where Paranoid leaves every other scanner behind. Professional-grade security modules built directly into the app.
Raw ARP request scanning using libpcap for direct Layer 2 device discovery. Finds devices that don't respond to TCP or ICMP, including many IoT devices and network appliances. Significantly faster than TCP-based discovery.
Half-open TCP scanning that sends SYN packets without completing the handshake. Much harder for target hosts to detect and log, and significantly faster than full TCP connect scans. The gold standard for port discovery.
PROActive UDP port probing that discovers services invisible to TCP scanning: DNS (53), SNMP (161), DHCP (67/68), NTP (123), TFTP (69), and more. Essential for complete security auditing.
Real ICMP Echo Request/Reply pings using raw sockets. Accurate latency measurement and host availability detection, bypassing TCP-based workarounds that other unprivileged scanners must use.
Silently monitors network traffic without sending any packets. Discovers active hosts purely by observing ARP requests, broadcast traffic, and multicast communications. Completely undetectable.
Advanced OS detection using raw TCP/IP stack analysis: initial TTL values, TCP window sizes, DF bit, TCP options ordering, and MSS values. Far more accurate than application-level fingerprinting.
Emulates an Ubuntu 22.04 server with a realistic multi-stage login flow. Allows 2 failed login attempts before capturing the session. Responds to shell commands (ls, pwd, whoami, ifconfig, ps, cat) with realistic fake output to keep attackers engaged.
Emulates ProFTPD 1.3.7 with full FTP command support (USER, PASS, LIST, RETR, STOR, PWD, CWD, etc.). Captures login credentials and file transfer attempts. Returns realistic directory listings and error messages.
Presents an OpenSSH 9.3p1 banner and simulates the SSH key exchange initiation (KEX_INIT). Captures SSH client identification strings, key exchange algorithms, and connection metadata. Useful for identifying automated SSH brute-force bots.
Emulates Apache 2.4.54 with fake admin panels, login forms, and a /robots.txt honeytrap that attracts web crawlers and vulnerability scanners. Captures HTTP methods, paths, headers, and POST payloads.
Automatically blocks IPs after a configurable number of connection attempts (default: 5). Choose between temporary blocks (1h, 6h, 24h) or permanent bans. Whitelisted IPs (localhost, trusted devices) are never blocked.
SECURITYExport blocked IP lists as macOS PF (Packet Filter) firewall rules. One-click export generates ready-to-use pf.conf rules that block attackers at the kernel level, before traffic reaches any application.
Receive instant macOS notification center alerts when honeypot events occur. Actionable notifications let you block an IP or view the attack log directly from the notification banner.
Real-time dashboard showing total attacks, top attacking IPs, protocol breakdown, credential capture statistics, active sessions, blocked IPs, and a live event stream. Export all data for forensic analysis.
netstat and correlates each connection to its responsible process using lsof. It then analyzes traffic patterns against 42 pre-compiled regular expressions to detect active attacks in real time. The system learns your normal traffic baseline and flags anomalies that deviate from established patterns.
13 patterns detect UNION SELECT, OR 1=1, DROP TABLE, SLEEP() timing attacks, information_schema access, LOAD_FILE() attempts, and other SQL injection techniques across all monitored connections.
13 PATTERNS10 patterns catch <script> injection, javascript: URIs, event handler attributes (onload, onerror, onclick), eval() calls, document.cookie theft, and SVG-based XSS vectors.
10 PATTERNS10 patterns identify shell metacharacter abuse: semicolons, pipe operators, && chaining, backtick execution, $() subshells, and direct calls to ping, wget, curl, nc, and /bin/bash.
10 PATTERNS9 patterns catch ../../ directory traversal, URL-encoded variants (%2e%2e), /etc/passwd access, /proc/self/ enumeration, and Windows-style path traversal (..\\) attempts.
9 PATTERNSEvery detected connection is linked to its responsible process (Chrome, Spotify, Docker, Node.js, etc.) and user ID. Know exactly which application is making suspicious connections.
The system learns your normal network behavior over time, establishing a traffic baseline. Deviations—new connections, unusual ports, unexpected protocols—trigger anomaly alerts with severity classification.
Detects port scanning activity (≥10 ports from a single source) and brute force attacks (≥20 connections to the same port). These behavioral patterns catch attacks that don't match any specific regex signature.
Deduplication engine prevents alert fatigue (5-minute window per IP+pattern). Stores up to 500 alerts in memory and 200 on disk. Context extraction shows ±30 characters around each pattern match for quick triage.
Real-time CVE lookups against the NIST National Vulnerability Database. Supports API key authentication for 10x faster rate limits. Falls back gracefully when offline.
Pre-seeded SQLite database with LZFSE compression, bundled with the app. Supports incremental updates—download only new CVEs since your last sync. Works completely offline for air-gapped networks.
Automatically generates CPE identifiers from banner grab results using 160+ vendor/product mappings. Tries exact match, then prefix match (vendor:product), maximizing CVE hit rates.
Every vulnerability is classified with its CVSS v3 score: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
Detects dangerous configurations: SSLv3/TLS 1.0/TLS 1.1, weak ciphers (DES, RC4, NULL, MD5), SMBv1 (EternalBlue vector, CVSS 10.0), Telnet (CVSS 9.8), plain FTP, unencrypted HTTP.
CRITICALLookup order: in-memory cache (7-day TTL) → NVD API 2.0 → offline DB (exact CPE) → offline DB (prefix match). Ensures maximum coverage regardless of connectivity.
Detects deauthentication flooding by correlating multiple disconnection events within a short timeframe (<30 seconds). This is the first stage of most WiFi attacks (Evil Twin, KRACK, PMKID capture).
CRITICALIdentifies rogue access points that clone your network's SSID. When Paranoid detects a BSSID change to an unknown access point (not in your trusted baseline), it immediately alerts you that you may be connected to an attacker's AP.
CRITICALMonitors the MAC address of your default gateway. If it changes unexpectedly, it means someone on the network is performing ARP spoofing to intercept your traffic (man-in-the-middle attack).
Detects when DNS responses are being poisoned or redirected. Compares DNS resolution results against known-good values to identify DNS spoofing attacks that redirect you to malicious servers.
Monitors your WiFi security protocol level (WPA3 → WPA2 → WPA → WEP → Open). Any unexpected downgrade indicates a potential protocol downgrade attack forcing you onto a weaker, crackable encryption.
Monitors signal strength variations. A sudden large jump in RSSI (>20 dBm) can indicate that you've been disconnected from a distant legitimate AP and connected to a nearby rogue AP. Configurable threshold.
Saves trusted WiFi baselines (BSSID, channel, security level, gateway MAC) for your known networks. Future sessions compare against the baseline—any deviation triggers an alert.
Scans for all visible WiFi networks in your area, identifying potential threats, rogue access points, and channel congestion. Recommends optimal WiFi channels to minimize interference.
Scans for both BLE (Bluetooth Low Energy) and Classic Bluetooth simultaneously. Discovers headphones, keyboards, fitness trackers, smartwatches, medical devices, IoT sensors, speakers, and all other Bluetooth-enabled devices.
Estimates device proximity using RSSI and TX Power values: Immediate (<0.5m), Near (0.5-3m), Medium (3-10m), Far (>10m). Know exactly how close unknown devices are.
Discovers and identifies 50+ known GATT service UUIDs: heart rate, blood pressure, location, battery, device info, health thermometer, and more. Reveals exactly what data each device is exposing.
Fingerprints tracking devices by their Bluetooth Company ID: Apple AirTags, Tile trackers, Pebblebee beacons, Samsung SmartTags. Alerts you if an unknown tracker is following you.
SECURITYEvaluates each device's security posture: legacy Bluetooth vulnerabilities, JustWorks pairing (no authentication), open GATT services, exposed health/location data. Flags risky devices.
Save a baseline of your known Bluetooth devices. On subsequent scans, any new device not in your baseline is flagged as a "rogue" with an alert. Continuous auto-scanning keeps your airspace monitored.
Database of 35+ camera manufacturers' MAC address prefixes: Hikvision, Dahua, Axis, Reolink, Wyze, Ring, Nest, TP-Link, Ubiquiti, Amcrest, Lorex, Foscam, and many more.
Probes RTSP protocol (port 554) with OPTIONS and DESCRIBE commands. Parses SDP (Session Description Protocol) responses to identify video codecs (H.264, H.265, MJPEG) and stream URIs.
Probes ONVIF-compliant cameras using the standardized web services protocol used by most professional IP cameras. Identifies manufacturer, model, and firmware version.
Deep probing of vendor-specific protocols: Dahua (port 37777, 0xA0/0xA4 magic bytes), Reolink (port 9000, Baichuan 0x0ABCDEF0), XMEye (port 34567, 0xFF magic), RTMP (port 1935, 0x03 handshake).
DEEP SCANScans 9 generic media paths (/video, /mjpeg, /snapshot.jpg, /live, etc.) and 10 brand-specific endpoints. Analyzes Content-Type headers to detect MJPEG streams, JPEG snapshots, and HLS feeds.
Aggregates weighted signals into a 0-100 confidence score. Multiple detections compound: OUI match + RTSP + ONVIF + HTTP media = near-certain camera identification. Results show Confirmed, Suspicious, or Unlikely.
Automatically finds your router using UPnP IGD protocol. Identifies the gateway model, firmware, and supported capabilities without requiring router login credentials.
Lists every port forward configured via UPnP: internal/external port, protocol, target device, description, and lease duration. Many applications silently open ports—now you can see them all.
Flags dangerous port exposures: SSH (22), RDP (3389), Telnet (23), SMB (445), database ports (3306, 5432), and other services that should never be internet-facing. Each flagged with risk severity.
SECURITYCalculates an overall router security score based on exposed services, dangerous port mappings, UPnP configuration, and NAT-PMP status. Provides actionable recommendations to improve your score.
Extracts person names from common hostname patterns: "Andreas-MacBook", "iPhone di Marco", "DESKTOP-JOHN", "LisasiPad". Handles dozens of naming conventions across macOS, iOS, Windows, and Android.
Links identified users to all their devices. See "Andrea" with their MacBook, iPhone, iPad, and Apple Watch—all grouped under a single identity with evidence from each device's hostname.
Each identification carries a confidence level based on the strength and number of signal sources. Hostname + Bonjour + NetBIOS all matching = High confidence. Single weak signal = Low confidence.
Country, region, city, and precise coordinates (latitude/longitude) for any IP address. See where connections are coming from on a global scale.
Identifies the Internet Service Provider and Autonomous System Number for every IP. Spot connections from hosting providers, cloud infrastructure, or suspicious ISPs.
Identifies if an IP belongs to a VPN service, proxy server, or Tor exit node. Detects the proxy type (VPN, HTTP proxy, SOCKS, etc.) and identifies known anonymization services.
Each IP receives a threat score from 0 to 100, mapped to categories: Low (0-33), Medium (34-66), High (67-100). Based on abuse history, blacklist presence, and behavioral analysis.
Discover your external/WAN IP address, see your ISP information, and run a full security analysis on your own internet-facing address. Know what attackers see when they scan you.
Enter any public IP to perform a combined port scan + geolocation lookup. Useful for investigating suspicious connections, analyzing remote servers, or auditing external infrastructure.
Save, name, and manage multiple network profiles. Keep separate baselines for home, office, and client networks. Each profile stores complete device inventory with MAC, vendor, ports, and device type.
Automatically compares every scan against your active profile. New devices are highlighted in green, missing devices in red, and changed devices in orange—directly in the host table with diff indicators (+2 -1).
Any device not in your baseline is immediately flagged as unauthorized. Combined with macOS notifications, you'll know within seconds when a stranger joins your network.
Continuous network polling with configurable interval. Uses the same ARP snapshot pattern as full scans for accurate results. Merges discoveries into the main host table in real time.
Comprehensive alerting across all modules: network events (new device, IP change, unknown vendor), WiFi attacks, honeypot events, traffic anomalies, security findings, Bluetooth rogue devices, and more.
Define IF-THEN rules: "IF new device joins THEN send webhook to Slack". "IF vulnerability found THEN generate report". Supports webhooks, email notifications, annotations, and automated reports.
Schedule scans with cron-like flexibility: every hour, daily at midnight, weekdays at 9am, or custom intervals. Scans run automatically and save results as sessions for later review.
Industry-standard penetration testing tools integrated directly into Paranoid. Auto-installed via Homebrew, executed through a privileged XPC helper, with real-time output streaming.
Missing a tool? Paranoid detects it and offers one-click installation through Homebrew. Supports both Apple Silicon (arm64) and Intel (x86_64) paths.
Tools requiring root (Nmap, Masscan, Bettercap) run through the XPC helper with zero password prompts after initial setup. No more sudo in the terminal.
Watch tool output in real time as it streams. No waiting for the tool to finish—see results the moment they're discovered. Full log console for debugging.
Built-in wordlist management for Hydra and Gobuster. Download popular wordlists (SecLists, RockYou) or import your own. Organized by category.
From sortable tables to network topology maps, choose the visualization that fits your workflow.
Dynamic sortable table with drag-to-reorder columns. Resize any column. Show/hide columns. Diff highlighting for network changes. Right-click context menus.
Visual device cards with icons, status indicators, and key metrics at a glance. Adaptive grid layout (240-320px per card). Perfect for visual browsing.
Obsidian-style graph visualization showing network topology. Devices as nodes, connections as edges. See how your network is actually structured.
Device presence heatmap over time: 24 hours, 7 days, or 30 days. See when devices come and go. Identify patterns in device behavior.
Security health score, device breakdown, port exposure, vulnerability summary, and alerts. Glassmorphic cards with live updating statistics.
Generate professional reports and export in industry-standard formats.
Professional reports with SVG charts, sortable tables, dark/light toggle, and print-optimized layout. Share with clients or archive for compliance.
Spreadsheet-compatible CSV with all device data. Import into Excel, Google Sheets, or any data analysis tool.
Complete structured data in JSON format. Perfect for programmatic analysis, API integration, or feeding into SIEM systems.
Compatible with the Nmap XML format, importable into any tool that reads Nmap output: Metasploit, OpenVAS, Nessus, and more.
Download Paranoid. Optionally install the Privileged Helper for advanced scanning (one-time admin password). Install external tools with one click.
Select your network interface and hit Start. Paranoid's multi-phase engine discovers every device, identifies services, and checks for vulnerabilities.
Enable Paranoid features: honeypot, traffic inspector, WiFi guard, Bluetooth guard. Set up baselines, monitoring, and automation. You're protected 24/7.
Requires macOS Sonoma or later. Universal binary (Apple Silicon + Intel).
100% Swift with modern async/await concurrency. Actor-based thread safety.
Native macOS interface. Automatic dark/light mode. Smooth 60fps animations.
Uses only Apple frameworks: SwiftUI, Network, Combine, Foundation, Darwin, CoreBluetooth.
Clean MVVM with actor-based services, @Published state management, and protocol-oriented design.
Core features work without admin. Optional Privileged Helper unlocks SYN scan, ARP scan, ICMP, and more.
Full English and Italian localization. All UI strings externalized for easy translation.
All data stored locally in ~/Library/Application Support/. JSON serialization. Your data never leaves your Mac.