Why a Raw Subdomain List Is Not Enough
Enumeration is built for completeness — it deliberately casts a wide net and returns every candidate name it can find. That is exactly what you want from discovery, but it means the output is noisy. Feed that raw list straight into a port scanner or vulnerability engine and you waste most of the run on hosts that were never reachable in the first place.
httpx solves all three. It probes the full list in parallel, drops everything that is not live, and enriches what remains with the metadata you need to triage. The result is a short, high-signal target list — the difference between scanning everything and scanning what matters.
What httpx Captures on Every Host
httpx is more than an up/down check. A single probing pass collects a layered profile of each live host that drives every prioritization decision downstream.
Status Codes & Live Filtering
The first job is filtering. httpx records the HTTP status code for every host and can keep only those that respond, separating real targets from dead names. A 200 is an obvious live target; a 403 or 401 often signals something protected and interesting; redirects reveal where traffic actually goes.
Titles & Response Size
The page title and response length give an instant read on what a host is — a login portal, a default server page, a staging copy of production, an admin panel. Grouping hosts by title and size surfaces clusters of similar apps and the odd one out that often deserves a closer look.
Technology Fingerprinting
With -tech-detect, httpx identifies the web server, frameworks, CDNs, and other technologies behind each host. That fingerprint is what lets you prioritize — an outdated server version or a framework with known issues moves to the front of the queue before you run a single deeper scan.
Example httpx Recon Workflow
This workflow picks up exactly where subdomain enumeration left off. It takes the merged subdomain list, probes it for live hosts, enriches the survivors, then hands a clean target list to the active scanning phase.
# Pick up the merged list from the enumeration phase TARGET="example.com" # Probe every host: keep live, capture status, title, tech cat recon/$TARGET/all-subs.txt \ | /opt/homebrew/bin/httpx \ -silent \ -status-code \ -title \ -tech-detect \ -o recon/$TARGET/live-hosts.txt # Output: live-hosts.txt — only hosts that responded
# Keep only interesting status codes, follow redirects, # raise concurrency, and record response size cat recon/$TARGET/all-subs.txt \ | /opt/homebrew/bin/httpx \ -silent \ -mc 200,401,403,500 \ -follow-redirects \ -content-length \ -threads 100 \ -o recon/$TARGET/triaged.txt # Output: triaged.txt — high-signal hosts only
# Strip to bare hosts and feed the scanning phase cat recon/$TARGET/live-hosts.txt \ | awk '{print $1}' > recon/$TARGET/scan-targets.txt # Live, fingerprinted targets now ready for Nmap + Nuclei cat recon/$TARGET/scan-targets.txt \ | /opt/homebrew/bin/nuclei -silent \ -o recon/$TARGET/nuclei.txt # Output: scan-targets.txt feeds the active scan chain
httpx Flag Reference
The flags below cover the core probing workflow — filtering to live hosts, enriching them, and tuning throughput.
| Flag | Role | Notes |
|---|---|---|
| -silent | Output | Suppresses the banner and progress noise — clean output for piping into the next tool |
| -status-code | Filter | Records the HTTP status for each host; the basis of live-host filtering |
| -title | Enrich | Captures the page title — fast context on what each host actually is |
| -tech-detect | Fingerprint | Identifies servers, frameworks, and CDNs to prioritize targets by stack |
| -mc | Filter | Match codes — keep only chosen statuses, e.g. 200,401,403,500 |
| -follow-redirects | Behaviour | Resolves where redirecting hosts actually land instead of stopping at the 3xx |
| -threads | Throughput | Concurrency control — raise for speed, lower to stay gentle on the target |
How PhantomRed Automates httpx Probing
PhantomRed runs host probing as the validation phase of every scan — taking the enumerated host list, probing it in parallel, filtering to live targets, and fingerprinting each one before any active scanning begins. No manual piping, no cleanup between phases.
Within the platform pipeline, probing delivers:
- Live-host filtering Dead names are dropped automatically, so scanning only ever runs against hosts that actually responded.
- Built-in fingerprinting Each live host arrives tagged with its server and stack, ready for the AI layer to prioritize by risk.
- Seamless handoff The validated target list flows straight into Nmap, Nuclei, and FFUF without a manual step in between.
- Scope-aware probing Concurrency and targets stay within the authorized scope you confirmed, keeping probing controlled.
Probing is step two of the full chain — see how it feeds the rest on the autonomous penetration testing page, or generate a custom workflow with the recon workflow generator.
Benefits of Automated httpx Probing
- Signal over noise Only live, responding hosts pass through — every later phase works on a high-signal list.
- Speed Parallel probing clears thousands of hosts in the time a manual pass clears a handful.
- Prioritization Status codes, titles, and tech fingerprints let you attack the most promising hosts first.
- Scan efficiency Filtering before scanning slashes wasted Nmap and Nuclei runs against dead targets.
- Clean handoff One enriched list pipes straight into active scanning — no reformatting required.
- Reproducibility The same probing logic every run means consistent, auditable validation across engagements.
⬡ Continue the Workflow
Related Recon Resources
Explore connected techniques in the PhantomRed Academy workflow library.
Frequently Asked Questions
-
httpx is a fast HTTP probing tool used to take a list of subdomains or hosts and determine which ones are actually alive. It captures the HTTP status code, page title, response size, and detected technologies for each host, turning a raw name list into a clean inventory of reachable, fingerprinted targets ready for the next recon phase.
-
Subdomain enumeration discovers names a target owns — it produces a list of candidate hostnames. Many of those names will not resolve or will not serve anything. httpx probing takes that list and checks which hosts are actually live, what they respond with, and what technology they run. Enumeration finds names; httpx confirms which of them are real, reachable targets.
-
Yes. With the -tech-detect flag, httpx identifies the web server, frameworks, CDNs, and other technologies a host runs by inspecting response headers and body signatures. This fingerprint data helps prioritize targets — for example, flagging an outdated server or a framework with known vulnerabilities before you spend time on deeper scanning.
-
Probing thousands of hosts by hand is slow and the output needs constant cleanup. Automating httpx means every enumerated host is probed consistently, filtered down to live targets, fingerprinted, and handed straight to port scanning and vulnerability detection. It removes a manual bottleneck between discovery and active scanning, and keeps the live-host inventory current on every run.
-
Once httpx has filtered the host list down to live, fingerprinted targets, the next step is active scanning: port scanning with Nmap to map services, vulnerability detection with Nuclei, and content discovery with FFUF. The clean live-host list httpx produces is what makes those phases efficient — they only run against confirmed, reachable targets.
Validate Every Host Automatically
PhantomRed runs enumeration, probing, scanning, and validation in one coordinated scan — filtering to live, fingerprinted targets before any active scan begins.
Start Free Scan →