v26.5.1 Beta — 11 modules now in the AGPL build · AGPL-3.0

your privacy and your infrastructure,
on your hardware.

Open-source privacy control plane. Find what the internet knows about you, strip metadata from files before you share them, and run your container infrastructure — self-hosted under AGPL. Managed Cloud optional.

Terminal
# Self-host usulnet on your own hardware
$ curl -fsSL https://raw.githubusercontent.com/fr4nsys/usulnet/main/deploy/install.sh | bash
Generating secure passwords and keys...
Starting usulnet with PostgreSQL, Redis, NATS...
Ready at https://your-server:7443
100% Self-hosted · AGPLv3 Open Source · 0 Phone-home · 90d Default retention

How usulnet compares to Incogni

We are not affiliated with Incogni. Incogni is a managed data-broker-removal service; usulnet is an open-source privacy control plane. The two products solve different parts of the same problem.

| | usulnet (free, self-hosted) | Incogni |
|---|---|---|
| Open source | Yes — AGPL-3.0 | No |
| Runs on your hardware | Yes | No |
| Source-auditable; signed security review | Yes | No |
| Sends opt-out requests on your behalf | No (use a removal service for this) | Yes |
| OSINT recon (find your own exposure) | Yes | No |
| File-metadata strip / extract | Yes | No |
| Container / infrastructure management | Yes | No |

Three modules. One binary. Your hardware.

Every check, every scanner, every retention rule is auditable AGPL source. Off by default; an admin acknowledges the legal notice before any /recon/* route returns 200.

OSINT Recon

SpiderFoot-driven passive scans against identifiers you own: emails, domains, phones, IPs, usernames. Ownership is enforced (DNS TXT, e-mail link, RDAP, admin-attest, self-assert) before a scan starts.

Metadata Strip / Extract

Drop a file in; mat2 strips identifying metadata in place, exiftool / pdfid / oletools extract a report of what was hiding. Every job runs in a fresh sandbox container.

Custom Recon Toolkit

Atomic per-job sandbox bundling holehe, phoneinfoga, subfinder, katana, pdfid, oletools, mat2, exiftool. All Linux caps dropped, read-only rootfs, seccomp default, PID and memory caps.

Breach & Exposure

Optional Have-I-Been-Pwned integration. Bring your own API key on self-hosted; Cloud includes the key. Shodan and IntelX connectors land in v26.5.2.

Sandboxed Egress

Recon containers run on a dedicated usulnet-recon Docker network with a strict egress allow-list. The OSINT engine cannot reach your internal services even if the scanner is compromised.
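An operator-side check for the sandbox properties listed under Custom Recon Toolkit and Sandboxed Egress, as an added example that is not usulnet's own code: it reads `docker inspect` JSON and reports which hardening properties a job container lacks. The container names and sample values are constructed; the egress allow-list itself is not visible in `docker inspect`, so only the network attachment is checked.

```python
import json

# Constructed `docker inspect` output: one hardened job container and one
# left at Docker defaults. Container names are placeholders.
SAMPLE = json.dumps([
    {"Name": "/recon-job-a", "HostConfig": {
        "CapDrop": ["ALL"], "ReadonlyRootfs": True, "SecurityOpt": None,
        "PidsLimit": 128, "Memory": 536870912, "NetworkMode": "usulnet-recon"}},
    {"Name": "/recon-job-b", "HostConfig": {
        "CapDrop": None, "ReadonlyRootfs": False,
        "SecurityOpt": ["seccomp=unconfined"],
        "PidsLimit": None, "Memory": 0, "NetworkMode": "bridge"}},
])


def audit_sandbox(inspect_json, want_network):
    """Return {container name: [missing hardening properties]}."""
    report = {}
    for c in json.loads(inspect_json):
        h = c.get("HostConfig") or {}
        cap_drop = [x.upper() for x in h.get("CapDrop") or []]
        sec_opt = h.get("SecurityOpt") or []
        checks = [
            # Privileged mode hands back every capability, so it fails too.
            ("ALL" not in cap_drop or h.get("Privileged"),
             "capabilities not all dropped"),
            (not h.get("ReadonlyRootfs"), "root filesystem writable"),
            # The default seccomp profile applies unless explicitly disabled.
            (any(o.replace(":", "=") == "seccomp=unconfined" for o in sec_opt),
             "seccomp profile disabled"),
            # null, 0 and -1 all mean "unlimited" for PidsLimit; 0 for Memory.
            ((h.get("PidsLimit") or 0) <= 0, "no PID limit"),
            ((h.get("Memory") or 0) <= 0, "no memory limit"),
            (h.get("NetworkMode") != want_network,
             "not attached to " + want_network),
        ]
        report[c["Name"].lstrip("/")] = [msg for bad, msg in checks if bad]
    return report


if __name__ == "__main__":
    for name, findings in audit_sandbox(SAMPLE, "usulnet-recon").items():
        print(name, "OK" if not findings else findings)
```

On a live host the input would come from `docker inspect <container>` for a running job container.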

Retention Worker

Daily prune of findings, scans, and audit log past the per-tenant TTL (90-day default, configurable). Two-phase delete so a misconfigured window is recoverable.

Privacy & Recon dashboard

Privacy & Recon dashboard — recent scans, exposure summary, top findings.

Recon scan results

Per-scan findings grouped by category, raw payload viewer, JSON/CSV/PDF export.

Metadata strip flow

Metadata hygiene — drag-drop a file, see extracted EXIF/XMP/IPTC, download the cleaned copy.

Plus the Docker management you already know

Container hygiene and personal-data hygiene under one roof. No separate product to install.

Container Management

Full lifecycle control with bulk operations, real-time stats, exec terminal, filesystem browser, and resource monitoring.

Stack / Compose Deploy

Deploy Docker Compose stacks with a visual editor, environment variables, Git-based deploys, and a built-in catalog.

Security Scanner

Trivy CVE scanning, CIS Docker Benchmark, SBOM generation, security scoring (0-100), and actionable remediation.

Monitoring & Alerts

Real-time CPU, memory, disk, and network metrics with threshold alerts and 11 notification channels.

Reverse Proxy

Manage Caddy and Nginx Proxy Manager from usulnet. Automatic HTTPS with Let's Encrypt, custom certificates.

Multi-Node

Master/agent architecture with NATS messaging and mTLS. Deploy agents via SSH directly from the web UI.

Eleven modules — one AGPL build.

Every module previously gated behind the Business edition now ships in the standard self-hosted binary. No edition checks, no runtime caps, no call-home. Per-module detail in release notes.

Marketplace

Offline curated app catalog baked into the binary via go:embed. Zero outbound HTTP. Local-only reviews.


DNS providers

Cloudflare, AWS Route 53, DigitalOcean, RFC 2136. ACME DNS-01 state machine that survives restarts. AES-256-GCM at rest.


SSL observatory

In-process TLS scanning, certificate grading, per-target alert thresholds, SNI scans, daily sweep.


Image builder

Local Dockerfile pipeline with live log streaming, 256 MiB context cap, AGPL-compatible starter templates, optional cosign hook.


WireGuard mesh

Peer/interface manager extended into a master→agent mesh. Real Curve25519 keys. One-time QR endpoint with 5-min TTL.


Calendar

Operations calendar with manual events plus read-only aggregation of backup runs and scheduled jobs. RFC 5545 .ics export.


Firewall

UFW / nftables / iptables rule management over the existing SSH host transport. Closed-enum validation; audit log of every apply.


+ Four more

Crontab · Backup verification · Automated rollback · Docker engine config. All in the standard AGPL binary — see the release notes.

Every recon capability is free in the OSS install

The Cloud product sells operations — hosting, connector keys, updates, support — not features. This is the cleanest signal we will not enshittify the free version later.

| Capability | Self-hosted Docker (AGPL, free forever) | Cloud (paid) |
|---|---|---|
| Recon engines (SpiderFoot + toolkit) | Yes | Yes |
| Metadata strip / extract | Yes | Yes |
| Ownership verification | Yes | Yes |
| HIBP connector | Bring your own key | Key included |
| Retention worker (configurable) | Yes | Yes |
| JSON / CSV reports | Yes | Yes |
| Multi-node Docker management | Yes | Managed |
| Managed hosting + automatic updates | No | Yes |
| 24/7 support SLA | No | Cloud Pro / Enterprise |

One binary.
Three problems solved.

A single Go binary with no runtime dependencies. Templates compiled at build time. No Node.js, no Python on the host, no heavy frontend frameworks. The recon sandbox runs in isolated Docker containers with a strict egress allow-list.

  • Single binary (~50 MB) with compiled templates
  • PostgreSQL for persistence, Redis for sessions, NATS for messaging
  • Per-job recon sandbox: caps dropped, read-only rootfs, seccomp default
  • REST API with OpenAPI 3.0 + WebSocket real-time streams
  • AES-256-GCM encryption, bcrypt hashing, rate limiting, mTLS between nodes
Go · SpiderFoot · mat2 / exiftool · Templ · PostgreSQL · Redis · NATS · Trivy

Self-host it free,
or let us host it for you.

AGPL forever on your own hardware, or a managed Cloud subscription — same binary, same recon, same source. No feature is gated behind a paid plan.

curl -fsSL https://raw.githubusercontent.com/fr4nsys/usulnet/main/deploy/install.sh | bash