Bug Bounty Recon Workflows
Reconftw, Axiom, ProjectDiscovery — automating recon at scale.
Bug-bounty hunters need to recon dozens (or hundreds) of programs continuously. The 2024–26 meta-pattern: ProjectDiscovery's toolkit (subfinder / dnsx / httpx / naabu / katana / nuclei) chained together by reconftw or distributed across spot VMs by Axiom. For specific tools see Subdomain & Asset Discovery, Web Fuzzing, Vulnerability Scanners (Nuclei), OSINT & Recon. For platforms / payment see Bug-Bounty Platforms.
Meta-pipelines (the orchestrators)
- ★ ★ reconftw (six2dez) — the most-used meta-recon script; orchestrates 100+ tools (subfinder, amass, puredns, httpx, naabu, gau, nuclei, ffuf, etc.) into one workflow. Free OSS.
- ★ Axiom (pry0cc) — distributed bug-bounty infra; spin up spot DigitalOcean / Linode / AWS / IBM Cloud / GCP fleet, parallelise recon across them, tear down. Free OSS — the speed advantage tool.
- EarlyBird (six2dez community offshoot) — early-stage scanner; minimalist.
- bbot (BlackLanternSec) — modular OSINT + recon scanner; Python; growing 2024–26.
- Osmedeus (j3ssie) — automated workflow engine for recon.
- lazyrecon / OneListForAll — older.
- Sn1per — community + paid; broader scope.
- Trickest Workflows — paid; visual workflow builder for bug-bounty / recon tasks.
ProjectDiscovery toolkit (the building blocks)
- ★ Subfinder — passive subdomain enum.
- ★ dnsx — DNS resolution / record types.
- ★ httpx — HTTP probe / fingerprint.
- ★ naabu — fast TCP/UDP port scan.
- ★ katana — modern web crawler.
- ★ nuclei — template-based vuln scanner.
- alterx — subdomain permutation.
- mapcidr / asnmap — CIDR / ASN.
- uncover — Shodan / Censys / FOFA query CLI.
- chaos client — pull pre-curated subdomain DB.
- shuffledns / massdns wrapper.
- Cloudlist — cloud-asset enum across providers.
- simplehttpserver / interactsh — utility helpers.
- interactsh — out-of-band testing (OAST / OOB) — pair with Burp Collaborator-style discovery.
Tomnomnom / hakluke micro-tools
- gau / gauplus — historical URL pulls.
- waybackurls / hakrawler / unfurl / qsreplace / anew / gf / Gxss — pipeline glue.
- httprobe — minimalist live-probe.
- assetfinder — minimalist passive enum.
Notification / monitoring layer
- notify (ProjectDiscovery) — push to Slack / Discord / Telegram.
- ntfy.sh / Pushbullet — generic push.
- CT Watch / certstream — cert-transparency live feed for new subdomains.
- subnotify / monitor.sh — re-run + diff + alert; many DIY scripts.
Storage / dedupe
- anew (tomnomnom) — append-only-if-new.
- redis / sqlite — for deduping at scale.
- interlace — parallelise across IPs.
- GNU parallel — the classic.
- rush — modern parallel runner.
Cloud-bucket / asset hunting
- See Subdomain & Asset Discovery — cloud_enum, S3Scanner, GCPBucketBrute.
- Cloudlist — multi-cloud asset enum from credentials.
Continuous monitoring patterns
- ★ Spin up VPS or k8s cron job → reconftw daily on each program → diff results → notify on new asset / vuln.
- CertStream + subfinder + httpx + nuclei — common "hot subdomain" alarm chain.
- GitHub Actions / Cloudflare Workers — free-ish compute for tiny continuous probes.
- Trickest Workflows / Axiom — for parallel scaled-out recon.
- Outpost / Bountype — paid SaaS bug-bounty automation platforms.
Wordlists
- ★ SecLists (Discovery / Web-Content / DNS-Brute / etc.).
- ★ AssetNote wordlists — tech-specific gold standard.
- OneListForAll (six2dez) — combined.
- Trickest's wordlists.
- resolvers.txt (trickest/resolvers) — vetted DNS resolver list.
OPSEC reminders
- ★ Stay in scope. Always.
- Rate-limit your tools. Aggressive scans on a target in scope can still get you banned.
- Use a dedicated identity for bug-bounty work (separate VPS, separate accounts, separate VPN).
- Save evidence early — programs sometimes patch and the bug disappears mid-report.
- Don't share findings publicly until disclosed.
Pick this if…
- Default automated bug-bounty pipeline: reconftw.
- Need parallel speed: Axiom across spot VPSes.
- Modular OSINT + active enum: bbot.
- One-tool-per-step purity: ProjectDiscovery suite + tomnomnom helpers.
- Visual / paid workflow builder: Trickest.
- Tight-budget continuous monitoring: GitHub Actions cron + reconftw + ntfy.sh.