Tooling

Bug Bounty Recon Workflows

Reconftw, Axiom, ProjectDiscovery — automating recon at scale.

Bug-bounty hunters need to recon dozens (or hundreds) of programs continuously. The 2024–26 meta-pattern: ProjectDiscovery's toolkit (subfinder / dnsx / httpx / naabu / katana / nuclei) chained together by reconftw or distributed across spot VMs by Axiom. For specific tools see Subdomain & Asset Discovery, Web Fuzzing, Vulnerability Scanners (Nuclei), OSINT & Recon. For platforms / payment see Bug-Bounty Platforms.

Meta-pipelines (the orchestrators)

  • ★ ★ reconftw (six2dez) — the most-used meta-recon script; orchestrates 100+ tools (subfinder, amass, puredns, httpx, naabu, gau, nuclei, ffuf, etc.) into one workflow. Free OSS.
  • Axiom (pry0cc) — distributed bug-bounty infra; spin up spot DigitalOcean / Linode / AWS / IBM Cloud / GCP fleet, parallelise recon across them, tear down. Free OSS — the speed advantage tool.
  • EarlyBird (six2dez community offshoot) — early-stage scanner; minimalist.
  • bbot (BlackLanternSec) — modular OSINT + recon scanner; Python; growing 2024–26.
  • Osmedeus (j3ssie) — automated workflow engine for recon.
  • lazyrecon / OneListForAll — older.
  • Sn1per — community + paid; broader scope.
  • Trickest Workflows — paid; visual workflow builder for bug-bounty / recon tasks.

ProjectDiscovery toolkit (the building blocks)

  • Subfinder — passive subdomain enum.
  • dnsx — DNS resolution / record types.
  • httpx — HTTP probe / fingerprint.
  • naabu — fast TCP/UDP port scan.
  • katana — modern web crawler.
  • nuclei — template-based vuln scanner.
  • alterx — subdomain permutation.
  • mapcidr / asnmap — CIDR / ASN.
  • uncover — Shodan / Censys / FOFA query CLI.
  • chaos client — pull pre-curated subdomain DB.
  • shuffledns / massdns wrapper.
  • Cloudlist — cloud-asset enum across providers.
  • simplehttpserver / interactsh — utility helpers.
  • interactsh — out-of-band testing (OAST / OOB) — pair with Burp Collaborator-style discovery.

Tomnomnom / hakluke micro-tools

  • gau / gauplus — historical URL pulls.
  • waybackurls / hakrawler / unfurl / qsreplace / anew / gf / Gxss — pipeline glue.
  • httprobe — minimalist live-probe.
  • assetfinder — minimalist passive enum.

Notification / monitoring layer

  • notify (ProjectDiscovery) — push to Slack / Discord / Telegram.
  • ntfy.sh / Pushbullet — generic push.
  • CT Watch / certstream — cert-transparency live feed for new subdomains.
  • subnotify / monitor.sh — re-run + diff + alert; many DIY scripts.

Storage / dedupe

  • anew (tomnomnom) — append-only-if-new.
  • redis / sqlite — for deduping at scale.
  • interlace — parallelise across IPs.
  • GNU parallel — the classic.
  • rush — modern parallel runner.

Cloud-bucket / asset hunting

Continuous monitoring patterns

  • ★ Spin up VPS or k8s cron job → reconftw daily on each program → diff results → notify on new asset / vuln.
  • CertStream + subfinder + httpx + nuclei — common "hot subdomain" alarm chain.
  • GitHub Actions / Cloudflare Workers — free-ish compute for tiny continuous probes.
  • Trickest Workflows / Axiom — for parallel scaled-out recon.
  • Outpost / Bountype — paid SaaS bug-bounty automation platforms.

Wordlists

  • SecLists (Discovery / Web-Content / DNS-Brute / etc.).
  • AssetNote wordlists — tech-specific gold standard.
  • OneListForAll (six2dez) — combined.
  • Trickest's wordlists.
  • resolvers.txt (trickest/resolvers) — vetted DNS resolver list.

OPSEC reminders

  • Stay in scope. Always.
  • Rate-limit your tools. Aggressive scans on a target in scope can still get you banned.
  • Use a dedicated identity for bug-bounty work (separate VPS, separate accounts, separate VPN).
  • Save evidence early — programs sometimes patch and the bug disappears mid-report.
  • Don't share findings publicly until disclosed.

Pick this if…

  • Default automated bug-bounty pipeline: reconftw.
  • Need parallel speed: Axiom across spot VPSes.
  • Modular OSINT + active enum: bbot.
  • One-tool-per-step purity: ProjectDiscovery suite + tomnomnom helpers.
  • Visual / paid workflow builder: Trickest.
  • Tight-budget continuous monitoring: GitHub Actions cron + reconftw + ntfy.sh.

On this page