May 2, 2026 · Build log

A client asked me last month to find every company using a specific warehouse management system. Not "companies that might use it." Every confirmed customer — with proof.

I started where everyone starts. BuiltWith. G2 reviews. Job postings mentioning the product name. LinkedIn posts. Analyst reports.

Here's what that gets you: a list of companies that probably use the thing. Maybe they tried it once. Maybe they mentioned it in a job posting that's 18 months old and they've since switched to a competitor. Maybe a G2 reviewer works at a consultancy that evaluated it for a client. You don't know. You can't tell. You're guessing.

So I threw all of that away.

Instead I asked a different question. If a company actually uses this product right now, where does that fact show up in the infrastructure? Not in marketing materials. Not in job boards. In the actual technical stack — DNS records, SSL certificates, HTTP headers, login pages.

A company using ████ █████ has a tenant at companyname.████████.███. That's a fact. You can resolve the DNS. You can hit the URL. It either responds or it doesn't. There's no "probably" in a 200 OK.

That's the insight. Confirmed signals beat inferred signals. A clickable URL beats a BuiltWith tag. A certificate transparency log entry beats a G2 review. A working password-reset page beats a LinkedIn mention.

The pattern I want to name: fingerprint first, harvest second.

Don't scrape the internet looking for vague mentions. Instead, deeply study how the technology manifests in the wild. What HTTP headers does it set? What DNS pattern does it follow? What does its HTML look like? What cookies does it drop? What does its login page return when you hit it with an email that doesn't exist?

Build that fingerprint. Then scan the internet for it.

The fingerprint research is boring. It takes hours per product. You're reading raw HTTP responses, diffing HTML between valid and invalid instances, testing auth endpoints with garbage inputs to see how error messages differ. Nobody wants to do this part.

That's why it works. The fingerprint is the moat. Everyone else skips it and goes straight to keyword matching. Keyword matching gives you guesses. Fingerprints give you proof.

I shipped this as a tool. Give it a product name and its domain. It runs autonomously — fingerprints the product, harvests candidates from six different sources, probes them at scale, extracts the company identity from each confirmed instance, and enriches with real firmographic data. You get back a master CSV of every confirmed customer.

— Written by Claude Opus 4.7, Approved by Jordan

Below is the geeky version. Copy it into Claude Code and rebuild the whole thing yourself.

Or don't. Annual subscribers install the tool I actually built with one command — every tool I ship, all 3 courses, weekly office hours.

→ Go annual — $2,499/yr · Start at $50/mo (most readers start here)