Good recon is the difference between a report full of low-severity noise and one that lands a critical. Here's a workflow you can run on any scope.
1. Map the surface
Start wide. Enumerate subdomains from multiple sources, then resolve and probe what's live.
subfinder -d target.com | httpx -title -tech-detect
2. Fingerprint everything
The technology stack tells you which playbook to run. An old framework version is a lead worth chasing.
3. Watch for the forgotten
Staging boxes, exposed .git folders, and dev endpoints are where the real bugs hide. Catalog them before you touch anything.
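The cataloging step as an added example (not part of the original post): an offline pass over saved probe output from step 1 that lists hosts whose names carry a non-production label, so they can be reviewed against scope before any further testing. The function names, the label list and the sample lines are constructed for illustration, and the `URL [title] [tech]` line layout is an assumption about how `httpx -title -tech-detect` prints results.

```shell
#!/bin/sh
# Added example: build a review catalog from saved probe output. No network access.
# Assumed input layout, one result per line:  URL [title] [tech,...]

# Constructed sample input (example.com placeholders, not real results).
sample_probe_output() {
  cat <<'EOF'
https://www.example.com [Example Home] [Nginx]
https://staging.example.com [Example Home (staging)] [Nginx,PHP]
https://api-dev.example.com [Swagger UI] [Express]
https://shop.example.com [Shop] [Cloudflare]
http://dev2.example.com:8080 [Index of /] [Apache HTTP Server]
EOF
}

# Reads probe lines on stdin, writes "host<TAB>reason<TAB>title" for every
# host with a DNS label that looks non-production. Labels are matched whole,
# so "latest" does not trigger on "test".
catalog_forgotten() {
  awk '
  {
    host = $1
    sub(/^https?:\/\//, "", host)      # strip scheme
    sub(/[:\/].*$/, "", host)          # strip port and path
    n = split(host, labels, ".")
    reason = ""
    for (i = 1; i <= n; i++) {
      if (labels[i] ~ /^(staging|stage|stg|dev|test|uat|qa|old|beta)[0-9]*$/ ||
          labels[i] ~ /-(staging|stg|dev|test|uat|qa)$/) {
        reason = "non-prod label: " labels[i]
        break
      }
    }
    if (reason == "") next
    # Title is the first bracketed field, if present.
    title = ""
    s = index($0, "[")
    if (s) {
      rest = substr($0, s + 1)
      e = index(rest, "]")
      if (e) title = substr(rest, 1, e - 1)
    }
    printf "%s\t%s\t%s\n", host, reason, title
  }' | sort -u
}

sample_probe_output | catalog_forgotten
```
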