Recon
Reconnaissance is the first and arguably most important phase of any security assessment. It involves systematically discovering and mapping a target's attack surface — subdomains, IP ranges, open ports, running services, technology stacks, and exposed endpoints — before any active testing begins.
Effective recon separates productive security testing from wasted effort. A thorough recon phase reveals forgotten assets, shadow IT, staging environments, and legacy systems that are often less hardened than primary applications. Many of the highest-impact bug bounty findings come from assets discovered during recon that other hunters overlook.
Modern recon combines passive and active techniques. Passive recon leverages certificate transparency logs, DNS records, web archives, search engine indexes, and public datasets to map infrastructure without touching the target. Active recon involves subdomain brute-forcing, port scanning, directory fuzzing, and technology fingerprinting. Tools like subfinder, httpx, nuclei, katana, and ffuf form the backbone of most researchers' recon pipelines.
Automation is essential at scale. Many hunters build continuous recon pipelines that monitor targets for new subdomains, changed DNS records, and newly exposed services — enabling them to test fresh attack surface before anyone else.
This page collects recon methodologies, tool guides, automation workflows, and techniques for comprehensive attack surface discovery.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-04-19 | The 2026 State of Attack Surface Management — ProjectDiscovery | The 2026 State of Attack Surface Management — ProjectDiscovery |
| 2026-04-19 | The Ultimate Guide to Attack Surface Management Tools in 2025 | The Ultimate Guide to Attack Surface Management Tools in 2025 |
| 2026-04-19 | Top 10 Attack Surface Management Tools for 2026 — Intruder | Top 10 Attack Surface Management Tools for 2026 — Intruder |
| 2026-04-19 | 12 Attack Surface Management Tools to Know in 2026 | 12 Attack Surface Management Tools to Know in 2026 |
| 2026-04-19 | SubFinder: Automating Subdomain Enumeration for Bug Bounty in 2025 | SubFinder: Automating Subdomain Enumeration for Bug Bounty in 2025 |
| 2026-04-17 | Bug Bounty Recon: Perform Faster Port Scan (Rootsploit) | Bug Bounty Recon: Perform Faster Port Scan (Rootsploit) |
| 2026-04-17 | Naabu Zero to Hero Guide (Cyber Aryan) | Naabu Zero to Hero Guide (Cyber Aryan) |
| 2026-04-17 | Mastering Network Scanning: Nmap and Masscan Guide | Mastering Network Scanning: Nmap and Masscan Guide |
| 2026-04-17 | Naabu Cheat Sheet: Commands & Examples (HighOn.Coffee) | Naabu Cheat Sheet: Commands & Examples (HighOn.Coffee) |
| 2026-04-17 | naabu: Fast Go port scanner (ProjectDiscovery) | naabu: Fast Go port scanner (ProjectDiscovery) |
| 2026-04-17 | Recon series #4: Port scanning methods (YesWeHack) | Recon series #4: Port scanning methods (YesWeHack) |
| 2026-04-17 | bountyRecon: Bash automation for bug bounty recon | bountyRecon: Bash automation for bug bounty recon |
| 2026-04-17 | JSFScan.sh: JavaScript recon automation (KathanP19) | JSFScan.sh: JavaScript recon automation (KathanP19) |
| 2026-04-17 | Reconky: Content discovery bash script | Reconky: Content discovery bash script |
| 2026-04-17 | Bug-Bounty-Automation: Bash recon (Retr0-45809) | Bug-Bounty-Automation: Bash recon (Retr0-45809) |
| 2026-04-17 | Recon-Script: automation with Nuclei (s1d6point7bugcrowd) | Recon-Script: automation with Nuclei (s1d6point7bugcrowd) |
| 2026-04-17 | Bug-Bounty-Recon-Automation shell script (Amangupta1234) | Bug-Bounty-Recon-Automation shell script (Amangupta1234) |
| 2026-04-17 | The Ultimate Guide to Finding Bugs With Nuclei (ProjectDiscovery) | The Ultimate Guide to Finding Bugs With Nuclei (ProjectDiscovery) |
| 2026-04-17 | The Ultimate Recon Arsenal: 25+ Commands for Bug Bounty Workflow | The Ultimate Recon Arsenal: 25+ Commands for Bug Bounty Workflow |
| 2026-04-17 | xpfarm: Automated bug bounty & recon framework (GitHub) | xpfarm: Automated bug bounty & recon framework (GitHub) |
| 2026-04-17 | Automate Your Nuclei Recon Pipeline with VPN + Discord Alerts | Automate Your Nuclei Recon Pipeline with VPN + Discord Alerts |
| 2026-04-17 | Advanced Recon: Taking Your Subdomain Discovery to the Next Level | Advanced Recon: Taking Your Subdomain Discovery to the Next Level |
| 2026-04-17 | GitHub dorking for beginners: find more vulnerabilities (Intigriti) | GitHub dorking for beginners: find more vulnerabilities (Intigriti) |
| 2026-04-17 | google-dorks-bug-bounty (TakSec, GitHub) | google-dorks-bug-bounty (TakSec, GitHub) |
| 2026-04-17 | How I Found Sensitive Information using GitHub Dorks (Part 3) | How I Found Sensitive Information using GitHub Dorks (Part 3) |
| 2026-04-17 | The Ultimate Subdomain Recon Playbook | The Ultimate Subdomain Recon Playbook |
| 2026-04-17 | Complete Guide to Amass Tool (2025 Edition) | Complete Guide to Amass Tool (2025 Edition) |
| 2026-04-17 | Mastering Passive Reconnaissance for Bug Bounty and Pentesting | Mastering Passive Reconnaissance for Bug Bounty and Pentesting |
| 2026-04-17 | How to Use Recon-ng Tool for OSINT and Bug Bounty | How to Use Recon-ng Tool for OSINT and Bug Bounty |
| 2026-04-17 | Mastering OSINT for Bug Bounty: Advanced Deep Recon | Mastering OSINT for Bug Bounty: Advanced Deep Recon |
| 2026-04-17 | Mastering Passive Information Gathering: Extensive OSINT Guide | Mastering Passive Information Gathering: Extensive OSINT Guide |
| 2026-04-17 | Google Dorking Mastery: From Passive OSINT to Bug Bounty | Google Dorking Mastery: From Passive OSINT to Bug Bounty |
| 2026-04-17 | 9 Attack Surface Monitoring Tools in 2026 (SentinelOne) | 9 Attack Surface Monitoring Tools in 2026 (SentinelOne) |
| 2026-04-17 | Recon Methodology: Subdomain Enumeration | Recon Methodology: Subdomain Enumeration |
| 2026-04-17 | Recon Guide: Subdomain Enumeration | Recon Guide: Subdomain Enumeration |
| 2026-04-17 | Bug-Bounty-recon: Automated recon framework (GitHub) | Bug-Bounty-recon: Automated recon framework (GitHub) |
| 2026-04-17 | Subdomain enumeration: expand attack surface with active, passive methods | Subdomain enumeration: expand attack surface with active, passive methods |
| 2026-04-16 | Passive Reconnaissance Using OSINT | Passive Reconnaissance Using OSINT |
| 2026-04-16 | From Recon to Sensitive Key Exposure Using Nuclei | From Recon to Sensitive Key Exposure Using Nuclei |
| 2026-04-16 | reconFTW: Automated Recon Tool | reconFTW: Automated Recon Tool |
| 2026-04-16 | A Deep Dive on Katana Field Extraction | A Deep Dive on Katana Field Extraction |
| 2026-04-16 | Subdomain Takeover in 2025: New Methods and Tools | Subdomain Takeover in 2025: New Methods and Tools |
| 2026-04-16 | My Complete Recon Workflow for Bug Bounty Hunting (2025) | My Complete Recon Workflow for Bug Bounty Hunting (2025) |
| 2026-04-16 | Internet-Wide Recon: Moving Past IP-Centric Approaches | Internet-Wide Recon: Moving Past IP-Centric Approaches |
| 2026-04-16 | The Art of Recon: Strategies for Modern Asset Discovery | The Art of Recon: Strategies for Modern Asset Discovery |
| 2026-04-10 | Recon Roundup: Ultimate Reconnaissance Guide | Recon Roundup: Ultimate Reconnaissance Guide |
| 2026-04-10 | From Recon to Report: Complete Workflow 2025 | From Recon to Report: Complete Workflow 2025 |
| 2026-04-10 | Mastering Recon in Bug Bounty: Advanced Techniques 2025 | Mastering Recon in Bug Bounty: Advanced Techniques 2025 |
| 2026-04-10 | 0-Day Hunting Guide: Recon Techniques Nobody Talks About | 0-Day Hunting Guide: Recon Techniques Nobody Talks About |
| 2026-04-10 | Recon to Master: Complete Bug Bounty Checklist | Recon to Master: Complete Bug Bounty Checklist |
| 2026-04-10 | Awesome Bug Bounty Tools - GitHub | Awesome Bug Bounty Tools - GitHub |
| 2026-04-10 | Automating Subdomain Enumeration: Tools and Techniques at Scale | Automating Subdomain Enumeration: Tools and Techniques at Scale |
| 2026-04-10 | Ultimate Guide to Subdomain Enumeration for Bug Bounty | Ultimate Guide to Subdomain Enumeration for Bug Bounty |
| 2026-04-10 | Amass Cheat Sheet: 70+ Commands for Recon & Bug Bounty | Amass Cheat Sheet: 70+ Commands for Recon & Bug Bounty |
| 2026-04-10 | The Complete Bug Bounty Recon Playbook: 2025 Edition | The Complete Bug Bounty Recon Playbook: 2025 Edition |
| 2026-04-10 | Master Bug Bounty Hunting with Top Recon Tools | Master Bug Bounty Hunting with Top Recon Tools |
| 2026-04-10 | Recon for Bug Bounty: 8 Essential Tools | Recon for Bug Bounty: 8 Essential Tools |
| 2026-04-10 | Bug Bounty 101: Top 10 Reconnaissance Tools | Bug Bounty 101: Top 10 Reconnaissance Tools |
| 2026-04-10 | 2025 Bug Bounty Methodology and Persistent Recon | 2025 Bug Bounty Methodology and Persistent Recon |
| 2026-04-10 | Bug Bounty Recon Methodology 2025 - GitHub | Bug Bounty Recon Methodology 2025 - GitHub |
| 2026-04-06 | Masriyan/Aegis: Windows Attack Surface Discovery Tool | Masriyan/Aegis: Windows Attack Surface Discovery Tool |
| 2026-04-06 | External Attack Surface Management (EASM) | External Attack Surface Management (EASM) |
| 2026-04-06 | Using OWASP Amass with Netlas Module | Using OWASP Amass with Netlas Module |
| 2026-04-06 | The Complete Beginner's Guide to Bug Bounty Reconnaissance | The Complete Beginner's Guide to Bug Bounty Reconnaissance |
| 2026-04-06 | How I Built an Automated Recon Pipeline for Bug Bounty Hunting | How I Built an Automated Recon Pipeline for Bug Bounty Hunting |
| 2026-04-03 | A Step-by-Step Android Penetration Testing Guide \| Hack The Box | A Step-by-Step Android Penetration Testing Guide \| Hack The Box |
| 2026-04-03 | Mobile App Pentest Cheatsheet | Mobile App Pentest Cheatsheet |
| 2026-04-03 | GarudRecon - Automated Domain Recon with XSS, SQLi, LFI, RCE Detection | GarudRecon - Automated Domain Recon with XSS, SQLi, LFI, RCE Detection |
| 2026-04-03 | Automating Subdomain Enumeration to Discover Critical Vulnerabilities | Automating Subdomain Enumeration to Discover Critical Vulnerabilities |
| 2026-04-03 | SubdomainX: All-in-One Subdomain Enumeration and Reconnaissance Tool | SubdomainX: All-in-One Subdomain Enumeration and Reconnaissance Tool |
| 2026-04-03 | How to Use Amass for Subdomain Enumeration and Recon Like a Pro | How to Use Amass for Subdomain Enumeration and Recon Like a Pro |
| 2026-04-03 | Subfinder Complete Guide 2025: Subdomain Enumeration Mastery | Subfinder Complete Guide 2025: Subdomain Enumeration Mastery |
| 2026-04-03 | Reconnaissance 102: Subdomain Enumeration \| ProjectDiscovery | Reconnaissance 102: Subdomain Enumeration \| ProjectDiscovery |
| 2025-08-14 | ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ on Twitter: "RT @SecurityTrybe: Top 25 Recon Tools and thei | Daniel Miessler shared a tweet about the top 25 Recon Tools, but the content seems to be cut off. It likely refers to a list of tools used for reconnaissance in cybersecurity. Recon tools are essential for gathering information about potential targets to assess vulnerabilities and plan security measures. Daniel Miessler's tweet may have been promoting or sharing valuable resources related to cybersecurity tools and practices. |
| 2025-08-14 | https://github.com/SimplySecurity/SimplyEmail | The link provided leads to a GitHub repository named SimplyEmail under the SimplySecurity organization. The repository likely contains code, documentation, or resources related to email security. For further details, exploring the repository on GitHub is recommended. |
| 2025-08-14 | https://github.com/Ekultek/Zeus-Scanner | The content provided is a link to the GitHub repository for the Zeus-Scanner created by Ekultek. The Zeus-Scanner is likely a security tool or software designed for scanning and analyzing systems for vulnerabilities or threats. By visiting the GitHub link, users can access the source code, documentation, and potentially contribute to the project. It's a tool that may be useful for security professionals, developers, or individuals interested in cybersecurity. |
| 2025-08-14 | https://github.com/m0rtem/CloudFail | The link provided leads to a GitHub repository named CloudFail created by the user m0rtem. The content of the repository likely contains information, code, or tools related to cloud security or penetration testing. It is a resource that users can access to potentially learn more about cloud security vulnerabilities and how to address them. |
| 2025-08-14 | https://github.com/leebaird/discover | The provided link directs to a GitHub repository belonging to a user named leebaird. The repository is named "discover." Unfortunately, without further information or access to the repository, it is not possible to provide a detailed summary of its contents or purpose. It is recommended to visit the GitHub link to explore the repository and its contents further. |
| 2025-08-14 | https://github.com/BishopFox/GitGot | The link provided leads to a GitHub repository named GitGot, created by BishopFox. The content of the repository likely includes information, code, or tools related to GitGot. Users can visit the link to explore the repository and access its contents, which may involve tools or resources related to Git or other relevant topics. BishopFox is the organization or individual behind the GitGot project, and the repository may contain valuable resources for those interested in Git-related tools or projects. |
| 2025-08-14 | https://github.com/s0md3v/Striker | The provided link leads to a GitHub repository for a tool called Striker created by the user s0md3v. Striker is likely a software tool or program, but without further details from the content, its specific functionality or purpose is unclear. The repository on GitHub may contain information about the tool's features, how to use it, and any contributions or issues related to the project. It is recommended to visit the link for more detailed information on Striker and its capabilities. |
| 2025-08-14 | https://github.com/s0md3v/ReconDog | The content provided is a link to a GitHub repository for a tool called ReconDog created by a user named s0md3v. ReconDog is likely a reconnaissance tool used for information gathering and security testing purposes. The GitHub repository contains the source code and documentation for the tool. Users can access the tool, contribute to its development, or use it for their own reconnaissance activities. |
| 2025-08-14 | Arjun | The content provided is simply the name "Arjun." |
| 2020-03-08 | GitHub - redhuntlabs/Awesome-Asset-Discovery: List of Awesome Asset Discovery Resources | The content is a list of valuable resources for asset discovery available on GitHub under the project named "redhuntlabs/Awesome-Asset-Discovery." Users are encouraged to contribute to the development of these resources by creating an account on GitHub. This repository likely contains tools, techniques, or information related to asset discovery, which can be useful for cybersecurity professionals, researchers, or anyone interested in identifying and managing digital assets effectively. |
Frequently Asked Questions
- What is reconnaissance in security testing?
  - Reconnaissance is the process of discovering and mapping a target's attack surface before active testing. It includes finding subdomains, IP ranges, open ports, running services, technology stacks, and exposed endpoints. Thorough recon is often the difference between finding critical vulnerabilities and finding nothing.
- What are the essential recon tools?
  - Core tools include subfinder and amass for subdomain enumeration, httpx for live host discovery, nmap for port scanning, nuclei for automated vulnerability scanning, katana and gospider for web crawling, ffuf for directory fuzzing, and waybackurls for historical URL discovery. Most hunters combine these into automated pipelines.
- What is continuous recon and why does it matter?
  - Continuous recon monitors targets for changes over time — new subdomains, changed DNS records, newly exposed services, or updated technologies. Many high-impact findings come from assets that just appeared. Hunters automate this with cron jobs or services like Chaos by ProjectDiscovery, alerting them to fresh attack surface before competitors.