Capabilities

103 Modules. 9 Categories. Complete Recon.

A dependency-aware pipeline that orchestrates every phase of reconnaissance — from passive intelligence gathering to active vulnerability detection — in a single, reproducible scan.

Module Categories

13

Reconnaissance

13 modules

Comprehensive asset discovery

  • Multi-source subdomain enumeration from passive and active sources
  • DNS record analysis and zone security assessment
  • CIDR range mapping and reverse IP correlation
  • Virtual host and hidden asset discovery
11

Network

11 modules

Deep network intelligence

  • High-speed alive host detection and probing
  • Full port scanning with service version identification
  • TLS/SSL configuration auditing and certificate analysis
  • WAF detection and IPv6 discovery
17

Web

17 modules

Complete web surface mapping

  • Endpoint discovery from archives, crawling, and JavaScript analysis
  • Hidden parameter detection and API surface mapping
  • Content discovery with recursive fuzzing
  • CMS identification and GraphQL/gRPC enumeration
7

Cloud

7 modules

Cloud infrastructure analysis

  • Storage bucket enumeration and content analysis
  • Cloud provider detection and CDN mapping
  • Metadata service probing and origin IP discovery
15

Intelligence

15 modules

OSINT and threat intelligence

  • Registration data, ASN mapping, and ownership correlation
  • Email harvesting and employee discovery
  • Breach data checking and API key leak detection
  • Google dorking and social media footprinting
21

Security

21 modules

Automated vulnerability detection

  • Template-based vulnerability scanning with thousands of checks
  • Injection testing: SQL, XSS, SSRF, SSTI, CRLF, LFI
  • Subdomain takeover verification and 403 bypass
  • Secret detection and API key validation
7

Enrichment

7 modules

Context and metadata

  • Technology stack fingerprinting with 70+ built-in signatures
  • Security header and SPF/DMARC analysis
  • Favicon hashing and analytics correlation
2

Visual

2 modules

Evidence and reporting

  • Automated webpage screenshots across all discovered hosts
  • Multi-format report generation (5 templates)
9

Advanced

9 modules

Pipeline intelligence

  • Continuous monitoring with scheduled rescans
  • Diff scanning to detect changes between runs
  • False positive reduction via baseline fingerprinting
  • Custom wordlist generation from discovered content
Total: 102 modules across 9 categories
Interface

Dashboard — 12 Interactive Pages

A full-featured web dashboard that transforms raw recon output into actionable intelligence through 12 purpose-built views.

Dashboard

Overview charts, scan stats, and live feed.

World Map

Leaflet-based geolocation of discovered hosts.

Knowledge Graph

3 modes: Smart Summary, Attack Paths, Explore.

Findings

Sortable, filterable vulnerability table.

Assets

Host tree with hierarchical asset view.

Screenshots

Visual gallery of captured web pages.

Recon Detail

Per-host deep dive into all findings.

Cloud Intel

4 tabs: Buckets, CDN, Metadata, Origins.

DNS & Infra

6 tabs: Records, Zones, Misconfig, TLS, WHOIS, ASN.

Attack Paths

Chain viewer showing full exploitation paths.

Tech Stack

Technology inventory across all discovered assets.

Reports

5 templates: Executive, Technical, Compliance, Delta, Full.

Visualization

Attack Path Pipeline

Watch how ReconX chains discoveries into full exploitation paths — from initial entry to data exfiltration.

Entry Pointtarget.com
Subdomainapi.target.com
Open Port:8443 / HTTPS
VulnerabilitySSRF → Internal
Data AccessAWS Metadata
Graph

Knowledge Graph Explorer

Visualize the relationships between domains, subdomains, services, and findings in an interactive force-directed graph.

target.comapi.*dev.*admin.*cdn.*:443:8080:22SQLiXSSSSRFDomainSubdomainVulnerabilityCritical