BuiltWith Cheatsheet
Purpose: Passive technology profiling of a domain — current stack plus historical changes, hosting, analytics, ad networks, ecommerce, CDN, certificates, and more. Useful for OSINT recon without touching the target.
Format: Web service (free tier + paid API). No local install required for basic lookups.
Access Points
| Surface | URL |
|---|---|
| Profile lookup (single domain) | https://builtwith.com/ |
| Free quick lookup | https://builtwith.com/? |
| Trends / market share | https://trends.builtwith.com/ |
| Relationships (same owner / IDs) | https://builtwith.com/relationships/ |
| Redirect graph | https://builtwith.com/redirect/ |
| API docs (paid) | https://api.builtwith.com/ |
| Browser extension (Chrome/Firefox) | search “BuiltWith Technology Profiler” in store |
Quick CLI Lookups (no API key required)
# Open profile in default browser
xdg-open "https://builtwith.com/target.tld"
# Scrape the public profile page (limited; HTML changes)
curl -s -A "Mozilla/5.0" "https://builtwith.com/target.tld" -o builtwith.html
# Extract technology names (rough)
curl -s -A "Mozilla/5.0" "https://builtwith.com/target.tld" \
| grep -oE 'href="/[a-z0-9-]+"[^>]*>[^<]+' | sort -u
For reliable structured data, use the paid API below.
API (Paid) — Cheatsheet
Set BW_KEY in your env first:
export BW_KEY="<your-api-key>"
Domain API — current tech stack
curl -s "https://api.builtwith.com/v21/api.json?KEY=$BW_KEY&LOOKUP=target.tld" | jq .
Free API — current snapshot only
curl -s "https://api.builtwith.com/free1/api.json?KEY=$BW_KEY&LOOKUP=target.tld" | jq .
Domains API — find sites using a tech
curl -s "https://api.builtwith.com/lists7/api.json?KEY=$BW_KEY&TECH=Shopify" | jq .
Relationships API — sites sharing analytics / ad IDs
curl -s "https://api.builtwith.com/rv1/api.json?KEY=$BW_KEY&LOOKUP=target.tld" | jq .
Trends API — adoption stats for a tech
curl -s "https://api.builtwith.com/trends/v6/api.json?KEY=$BW_KEY&TECH=WordPress" | jq .
What It Reveals
- Tech stack: CMS, frameworks, JS libs, web server, OS hints
- Analytics / advertising: Google Analytics IDs, GTM, Meta pixel, Hotjar, ad networks
- Hosting / infra: ASN, hosting provider, CDN, DNS provider, certificate issuer
- Ecommerce: platform, payment processors, shipping integrations
- Email / marketing: SPF/DKIM hints, ESP (Mailchimp, SendGrid), CRM
- Historical changes: when a tech was added/removed (premium tier)
- Relationships: other domains owned by the same entity (shared GA ID, AdSense ID, etc.) — strong OSINT pivot
OSINT Pivots
# Same Google Analytics ID → likely same owner
# Profile page → "Relationship Profile" → list of sibling domains
xdg-open "https://builtwith.com/relationships/target.tld"
# Redirect chain history
xdg-open "https://builtwith.com/redirect/target.tld"
Tips
- Passive only. BuiltWith fetched the target previously; you don’t touch it.
- Historical tech list is great for guessing legacy stacks left exposed on subdomains.
- Shared GA / AdSense IDs are a classic attribution pivot — confirm with
crt.sh, WHOIS, and DNS. - Free tier limits depth — for active engagements, combine with [[wappalyzer]] and [[whatweb]] to get current ground truth.
- BuiltWith data can be stale; verify versions before basing exploitation on them.
Related
- [[wappalyzer]] — live tech detection from your browser.
- [[whatweb]] — active CLI fingerprinting.
- [[netcraft]] — hosting / SSL / OS history with strong passive recon overlap.