ReconX Docs
Everything you need to install, configure, and master ReconX. From first scan to continuous monitoring.
Installation
1. Binary (recommended)
Download the prebuilt binary for your platform and activate your license:
# Download the latest release for your platform
wget https://reconx.co.in/releases/reconx-v2.0.0-linux-x64
chmod +x reconx-v2.0.0-linux-x64
mv reconx-v2.0.0-linux-x64 /usr/local/bin/reconx
# Activate your license
reconx --license RX-PRO-xxxxxxxxxxxx
Binaries are available for Linux (x64, arm64), macOS (Intel, Apple Silicon), and Windows. Visit your account dashboard for download links and your license key.
2. Docker
Run ReconX in a container with network capabilities:
docker pull reconx/reconx:latest
docker run --cap-add=NET_RAW \
-e RECONX_LICENSE=RX-PRO-xxxxxxxxxxxx \
-v $(pwd)/output:/output \
reconx/reconx -t example.com --full -o /output
The --cap-add=NET_RAW flag is required for network scanning modules. Mount a volume to persist scan results.
Quick Start
Get your first scan running in seconds:
# Full scan with all modules
reconx -t example.com --full
# Use a scan profile
reconx -t example.com --profile deep
# Specify output directory
reconx -t example.com --full -o ./my-results
Results are saved to ./reconx_output/example.com/ by default. Use -o to set a custom output directory.
Each scan produces a .reconx bundle that can be loaded into the dashboard for interactive visualization and reporting.
CLI Reference
Command-line flags organized by category.
Core
| Flag | Description |
|---|---|
| -t, --target <host> | Target domain or host |
| --full | Run all 103 modules |
| --profile <name> | Scan profile: quick, standard, deep, full |
| -o, --output <dir> | Output directory path |
Performance
| Flag | Description |
|---|---|
| --threads <n> | Concurrency level (default: 50) |
Authentication
| Flag | Description |
|---|---|
| --cookie <value> | Cookie header for authenticated scanning |
| --cookie-a <value> | Cookie for account A (IDOR testing) |
| --cookie-b <value> | Cookie for account B (IDOR testing) |
| --auth-token <value> | Authorization bearer token |
| --auth-token-a <value> | Auth token for account A |
| --auth-token-b <value> | Auth token for account B |
Scope
| Flag | Description |
|---|---|
| --scope-file <path> | File of in-scope domains/IPs |
| --outscope-file <path> | File of out-of-scope domains/IPs |
Monitoring
| Flag | Description |
|---|---|
| --monitor | Enable continuous monitoring mode |
| --interval <time> | Rescan interval (e.g. 6h, 12h, 1d) |
Server
| Flag | Description |
|---|---|
| --serve | Start the ReconX API server |
| --port <n> | API server port (default: 8080) |
License
| Flag | Description |
|---|---|
| --license <key> | Activate license key |
| --license-info | Display license details |
| -V, --version | Show version |
Scan Profiles
Profiles provide pre-configured module sets for common use cases. Pass --profile <name> to use one.
| Profile | Description | Est. Time |
|---|---|---|
| quick | Fast surface-level discovery — subdomains, DNS, HTTP probing | ~5 min |
| standard | Balanced recon — adds port scanning, crawling, basic vulnerability checks | ~15 min |
| deep | Thorough scan — adds fuzzing, JS analysis, OSINT, all vulnerability templates | ~45 min |
| full | Everything — all 103 modules across all categories | ~2 hours |
Times are approximate and depend on the target's attack surface, network conditions, and configured thread count.
Authentication
For authenticated scanning, pass session cookies or bearer tokens. ReconX supports dual-account mode for IDOR testing.
Single Account
reconx -t example.com --cookie "session=abc123" --full
reconx -t example.com --auth-token "Bearer eyJhbGci..." --full
Dual Account (IDOR Testing)
Supply credentials for two accounts. ReconX replays requests with account B's session to detect insecure direct object references:
reconx -t example.com \
--cookie-a "session=user1_token" \
--cookie-b "session=user2_token" \
--full
reconx -t example.com \
--auth-token-a "Bearer eyJ_user1..." \
--auth-token-b "Bearer eyJ_user2..." \
--full
When both -a and -b flags are provided, the vulnerability scanner automatically runs IDOR checks by replaying authenticated endpoints discovered from account A using account B's credentials.
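The following added example (not ReconX code and not its implementation) models the dual-account replay against two in-memory handlers, so you can see what the check flags and what the server-side fix looks like. The sessions, invoice records, handler names and the comparison rule are all assumptions constructed for illustration.

```python
# Constructed data: these sessions and invoices exist only for this example.
SESSIONS = {"session=user1_token": "user1", "session=user2_token": "user2"}
INVOICES = {"1001": {"owner": "user1", "total": 420},
            "2002": {"owner": "user2", "total": 99}}

def get_invoice_vulnerable(cookie, invoice_id):
    """Authenticates the caller but never checks who owns the object."""
    if cookie not in SESSIONS:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)

def get_invoice_hardened(cookie, invoice_id):
    """Same lookup, plus an ownership check on every access."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    # Same 404 for "missing" and "not yours", so IDs cannot be enumerated.
    if inv is None or inv["owner"] != user:
        return 404, None
    return 200, inv

def replay_check(handler, cookie_a, cookie_b, object_ids):
    """Fetch each object as account A, replay as B, flag what B can also read."""
    flagged = []
    for oid in object_ids:
        status_a, body_a = handler(cookie_a, oid)
        if status_a != 200:
            continue  # A cannot read it, so there is nothing to compare
        status_b, body_b = handler(cookie_b, oid)
        if status_b == 200 and body_b == body_a:
            flagged.append(oid)
    return flagged

if __name__ == "__main__":
    a, b = "session=user1_token", "session=user2_token"
    seen_by_a = ["1001"]  # objects discovered while browsing as account A
    print("vulnerable:", replay_check(get_invoice_vulnerable, a, b, seen_by_a))
    print("hardened:  ", replay_check(get_invoice_hardened, a, b, seen_by_a))
```

A finding from this kind of comparison still needs triage: resources that are intentionally shared between accounts return identical bodies for both sessions and are not authorization failures.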
Module Catalog
ReconX includes 93 specialized modules across 9 categories. The full module catalog with detailed descriptions and configuration options is available in-app after activation.
Reconnaissance
Subdomain discovery, DNS enumeration, and passive source aggregation
Network
Host probing, port scanning, service identification, and TLS analysis
Web
URL discovery, endpoint extraction, parameter analysis, and content mapping
Cloud
Cloud service enumeration, bucket discovery, and metadata analysis
Intelligence
OSINT gathering, threat intelligence, and digital footprint mapping
Security
Vulnerability scanning, injection testing, and misconfiguration detection
Enrichment
Technology detection, security header analysis, and metadata extraction
Visual
Automated screenshots and report generation
Advanced
Continuous monitoring, diff scanning, and pipeline orchestration
Run reconx --list-modules after activation to view the full catalog, or browse modules interactively in the dashboard.
Dashboard Guide
The ReconX dashboard interactively visualizes scan results. Drag and drop your .reconx bundle into the interface, or launch it directly from the CLI.
Getting Started
reconx -t example.com --full --serve --port 8080
# Then open http://localhost:8080 in your browser
Pages
High-level stats & scan progress
All discovered subdomains & DNS data
Live hosts with technology & status codes
Port scan results & service info
Crawled URLs & parameters
Findings sorted by severity
Interactive relationship graph
Exploitable chain visualization
Emails, metadata, social profiles
Generate & export reports
Chronological scan event log
Configure scan & display options
Knowledge Graph Modes
- Smart Summary: AI-powered natural language overview of findings and relationships.
- Attack Paths: Directed graph showing exploitable chains from entry point to impact.
- Explore: Free-form interactive graph — drag, zoom, filter nodes by type, severity, or category.
Report Templates
| Template | Format | Best For |
|---|---|---|
| Executive | | Non-technical stakeholders & management |
| Technical | | Security teams & developers |
| HackerOne | Markdown | Bug bounty report submission |
| Bugcrowd | Markdown | Bug bounty report submission |
| Markdown | MD | Custom pipelines & documentation |
API Server
ReconX includes a built-in REST API server for programmatic access and integration with the dashboard. Available on Premium and Team plans.
Starting the Server
reconx --serve --port 8080
The API server exposes endpoints for starting scans, retrieving results, and managing configurations. The dashboard connects to this server automatically when launched via the CLI.
Full API documentation including endpoint reference, request/response schemas, and authentication details is available after activation. Run reconx --serve --docs to access the interactive API documentation at /docs.
Continuous Monitoring
Enable monitoring mode to automatically re-scan your targets at regular intervals. ReconX diffs results between runs and alerts you to changes.
Basic Usage
# Monitor every 6 hours
reconx -t example.com --monitor --interval 6h
# Monitor with a specific profile
reconx -t example.com --monitor --interval 12h --profile standard
Supported Intervals
- 1h, 6h, 12h: hours
- 1d, 7d: days
- 1w: weekly
ReconX compares each scan against the previous run and highlights new subdomains, open ports, changed services, and new vulnerabilities. Notifications can be configured to deliver alerts to Slack, Discord, email, or custom webhook endpoints via the settings in the dashboard or the API.
Scope Filtering
Control exactly what's in and out of scope using scope files. Essential for bug bounty programs with defined boundaries.
In-Scope File
Create a file listing allowed domains, wildcards, and CIDR ranges:
# scope.txt
*.example.com
api.example.com
10.0.0.0/24
Out-of-Scope File
Explicitly exclude hosts that should never be scanned:
# outscope.txt
production.example.com
*.internal.example.com
10.0.0.1
Usage
reconx -t example.com --full \
--scope-file scope.txt \
--outscope-file outscope.txt
Scope filtering is applied at every stage of the scan. Discovered subdomains, resolved IPs, crawled URLs, and all targets are checked against both files before being processed.
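To sanity-check a pair of scope files before a scan, the added example below (not ReconX code) evaluates candidate hosts against the scope.txt and outscope.txt shown above. It assumes that an out-of-scope match always overrides an in-scope one and that a wildcard covers subdomains but not the apex domain; confirm both against ReconX's actual behaviour.

```python
import ipaddress

# The two files shown above, embedded so the example runs offline.
SCOPE = "# scope.txt\n*.example.com\napi.example.com\n10.0.0.0/24\n"
OUTSCOPE = "# outscope.txt\nproduction.example.com\n*.internal.example.com\n10.0.0.1\n"

def parse_scope(text):
    """Split scope-file text into (hostname patterns, IP networks)."""
    hosts, nets = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            # A bare IP such as 10.0.0.1 becomes a single-address network.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.append(entry)
    return hosts, nets

def matches(target, hosts, nets):
    """True if target (hostname or IP literal) is covered by any entry."""
    target = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        for pat in hosts:
            # Assumption: "*.example.com" covers subdomains at any depth,
            # not the apex, and never a look-alike such as evilexample.com.
            if pat.startswith("*.") and target.endswith(pat[1:]):
                return True
            if target == pat:
                return True
        return False
    return any(addr in net for net in nets)

def in_scope(target, scope_text=SCOPE, outscope_text=OUTSCOPE):
    """Assumption: an out-of-scope match always overrides an in-scope one."""
    if matches(target, *parse_scope(outscope_text)):
        return False
    return matches(target, *parse_scope(scope_text))

if __name__ == "__main__":
    for t in ["api.example.com", "production.example.com",
              "db.internal.example.com", "10.0.0.1", "10.0.0.7",
              "evilexample.com", "203.0.113.5"]:
        print(f"{t:28} {'scan' if in_scope(t) else 'skip'}")
```

Note that production.example.com matches the *.example.com allow entry and is still skipped, which is the case worth testing whenever a program excludes specific hosts under an in-scope wildcard.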