Best Tech Stack Detection APIs Compared (2026)

You need to detect what technologies a website uses — programmatically, at scale, via API. Maybe you are building a sales intelligence tool, running security audits, or enriching lead data with technographic signals. The question is: which API do you use?

This guide compares the four main options in 2026: DetectZeStack, BuiltWith, Wappalyzer, and WhatRuns. We cover pricing, detection methods, API design, and what each tool is actually good at.

Quick Comparison Table

1. DetectZeStack

Best for: Developers who need affordable, multi-signal tech detection with security analysis built in.

DetectZeStack combines technology detection with security headers scanning, DNS intelligence, SSL/TLS certificate analysis, and vulnerability mapping — all through a single API. It detects over 7,300 technologies using four signal sources: HTTP response headers, DNS records, TLS certificates, and HTML content analysis.

What sets it apart is the breadth of endpoints. Most tech detection APIs only tell you what technologies a site runs. DetectZeStack also tells you how secure the site is, what infrastructure it sits on, and whether the detected technologies have known CVEs.

Pricing

• Free: 100 requests/month (no credit card)
• Pro: $9/month for 1,000 requests
• Ultra: $29/month for 10,000 requests
• Mega: $79/month for 50,000 requests

Try It Now — No Signup Required

The /demo endpoint requires no API key. Run this in your terminal:

curl -s "https://detectzestack.com/demo?url=stripe.com" | python3 -m json.tool

You will get back structured JSON with the detected technologies, categories, and confidence scores:

{
  "url": "https://stripe.com",
  "domain": "stripe.com",
  "technologies": [
    {
      "name": "Cloudflare",
      "categories": ["CDN"],
      "confidence": 100,
      "version": "",
      "cpe": "cpe:2.3:a:cloudflare:cloudflare:*:*:*:*:*:*:*:*"
    },
    {
      "name": "React",
      "categories": ["JavaScript frameworks"],
      "confidence": 100,
      "version": ""
    },
    {
      "name": "HSTS",
      "categories": ["Security"],
      "confidence": 100,
      "version": ""
    }
  ],
  "count": 12,
  "scan_time_ms": 342,
  "cached": false
}

Key Endpoints

• GET /analyze — full technology detection (7,300+ technologies)
• GET /security — security headers grading (A+ to F)
• GET /dns — DNS record intelligence
• GET /certificate/check — SSL/TLS certificate analysis
• GET /vulnerability — CVE mapping for detected technologies
• GET /check — check if a site uses a specific technology
• GET /lookup — query DetectZeStack's scan database for cached results
• GET /site — combined site profile

For detailed head-to-head comparisons, see DetectZeStack vs BuiltWith, DetectZeStack vs Wappalyzer, and DetectZeStack vs WhatRuns.

2. BuiltWith

Best for: Enterprise sales teams who need internet-wide lead lists and historical technology data.

BuiltWith is the incumbent. It has been crawling the web since 2007 and has the largest technology database, claiming over 100,000 technologies. Its core product is not just detection — it is lead generation. You can search for "all Shopify stores in Germany with over 10,000 monthly visits" and get a list of domains to prospect.

The trade-off is price. BuiltWith plans start at $295/month for basic API access, and the full-featured plans run into the thousands. The API is designed for bulk data retrieval, not real-time detection of individual URLs.

Pricing

• Basic: Starting at $295/month
• Pro: Starting at $495/month
• Enterprise: Starting at $995/month

No free tier. No free trial for API access.

3. Wappalyzer

Best for: Teams that need a well-known brand with browser extension integration.

Wappalyzer started as an open-source browser extension and was acquired by a company that added paid API access. The detection engine identifies around 3,000 technologies using pattern matching against HTTP headers, HTML, JavaScript variables, and cookies.

The API is straightforward but expensive relative to the detection scope. It does not include DNS intelligence, security scanning, or vulnerability mapping — it is strictly technology identification.

Pricing

• Starter: Starting at $250/month
• Teams: Starting at $450/month
• Business: Starting at $850/month

No free API tier.

4. WhatRuns

Best for: Individual users who only need manual, one-site-at-a-time checks in a browser.

WhatRuns is a browser extension with around 400,000 Chrome users. It detects approximately 6,000 technologies by analyzing the page in your browser. There is no API, no programmatic access, and no way to integrate it into a pipeline or workflow.

If you are reading this article, you probably need an API, which means WhatRuns is not an option. For a deeper comparison, see WhatRuns vs DetectZeStack.

Pricing Comparison

At $29/month, DetectZeStack gives you 10,000 API requests with tech detection, security analysis, DNS intelligence, and vulnerability mapping. The equivalent from BuiltWith starts at $295/month — and that does not include security scanning or CVE data.

Which API Should You Choose?

The answer depends on what you are building:

• Building a security monitoring tool? DetectZeStack is the only option with security headers grading, SSL/TLS analysis, and vulnerability mapping alongside tech detection.
• Need to prospect companies by technology? BuiltWith has the largest dataset for lead generation, but at enterprise pricing. DetectZeStack's /lookup endpoint lets you query its scan database for cached results at a fraction of the cost.
• Building a dev tool or integration? DetectZeStack's free tier and simple JSON API make it the easiest to start with. You can go from zero to working prototype in minutes with the /demo endpoint.
• Only need occasional manual checks? WhatRuns is a free browser extension. But if you ever need to automate it, you will need an API.