ReconX
115 recon modules. One command. Full pipeline.
Subdomain enumeration, vulnerability scanning, cloud recon, OSINT — orchestrated in dependency order with false positive reduction. Results visualized in an interactive knowledge graph.
What 115 modules actually do
Each module runs when its dependencies finish. Subdomain tools feed into port scanners, which feed into vuln detectors. No manual wiring.
Reconnaissance
13 modulesSubdomain enumeration, DNS recon, passive sources, CIDR mapping, VHost discovery
$ subfinder, amass, assetfinder, dnsx, shuffledns...
→ pipes into port scanning and web analysis
Web Analysis
17 modulesURL discovery, JS analysis, parameter mining, directory fuzzing, API scanning, CMS detection
Vulnerability Detection
21 modulesNuclei, SQLi, XSS, SSRF, SSTI, subdomain takeover, secrets detection
Cloud & OSINT
22 modulesS3/GCS enumeration, WHOIS, Shodan, Google dorking, GitHub OSINT, email harvesting
Knowledge Graph
BloodHound-style attack surface mapping with domain-to-finding chains and attack paths
ReconX Dashboard
12 pagesWorld map, knowledge graph, findings, attack paths, reports with PDF export
The dashboard after a real scan
Run it yourself
Install, point at a target, get a full recon pipeline with structured output and a live dashboard. That's it.
$ reconx -t target.com --full
[*] Loading 115 modules across 9 categories
[*] Building dependency graph... 247 edges resolved
[→] Phase 1/4: Subdomain enumeration (subfinder, amass, dnsx)
[→] Phase 2/4: Port scan + service fingerprint
[→] Phase 3/4: Web analysis + parameter discovery
[→] Phase 4/4: Vuln detection (nuclei, sqlmap, dalfox)
[*] False positive reduction... removed 34 duplicates
[+] Done in 22m 14s — 247 subdomains, 189 live hosts, 5 critical, 12 attack paths
[*] Dashboard → http://localhost:3000