| name | recon-osint |
| description | Use when mapping a target's external attack surface or gathering OSINT — subdomain enumeration, attack-surface mapping (httpx/katana/JS secrets), subdomain takeover, multi-cloud/Azure tenant recon, GitHub secret dorking, breach/infostealer credential intel, CVE prioritization (EPSS/KEV) |
| metadata | {"type":"offensive","phase":"reconnaissance","tools":"subfinder, amass, puredns, dnsx, httpx, katana, gau, nuclei, subzy, baddns, cloud_enum, AADInternals, trufflehog, gitleaks, theHarvester, h8mail, shodan, censys","mitre":"TA0043"} |
| kill_chain | {"phase":["recon"],"step":[1],"attck_tactics":["TA0043","TA0006"],"attck_techniques":["T1595","T1595.002","T1590","T1590.001","T1590.002","T1590.005","T1592","T1592.002","T1589","T1589.001","T1589.002","T1593","T1593.001","T1593.003","T1596","T1596.005","T1591","T1583.001","T1213.003"]} |
| depends_on | [] |
| feeds_into | ["vulnerability-analysis","web-pentest","network-attack","exploit-development","cloud-security","mobile-pentest","active-directory-attack","initial-access"] |
| inputs | ["scope_definition","target_list","root_domains","asn_list","email_list"] |
| outputs | ["attack_surface_map","subdomain_list","technology_fingerprint","cve_list","takeover_candidates","leaked_secrets","breach_intel","prioritized_findings"] |
| references | ["references/subdomain-discovery.md","references/attack-surface-mapping.md","references/subdomain-takeover.md","references/cloud-saas-recon.md","references/breach-credential-intel.md","references/cve-exploit-intel.md"] |
| scripts | ["scripts/recon_orchestrator.py","scripts/subdomain_takeover.py","scripts/js_secret_hunter.py","scripts/cloud_asset_enum.py","scripts/breach_intel.py","scripts/cve_prioritizer.py","scripts/wordlist_ranker.py","scripts/hackerone_public_recon.py"] |