Why Traditional HTTP Probing Workflows Break
After subdomain enumeration, you are left with a flat text file — potentially thousands of hostnames, most of which point nowhere. Manually checking which respond, on which ports, with what technology stack, is impossible at scale. The old approach of curling hosts one by one, or relying on lightweight probers that only return up/down status, breaks down in three predictable ways.
httpx solves all three — it enriches every host in a single pass, probes arbitrary port lists, and runs hundreds of concurrent requests with built-in rate limiting.
How httpx Improves Offensive Security Workflows
httpx is purpose-built for the pipeline model — it reads from stdin, writes structured output, and chains cleanly between enumeration and scanning. That design unlocks several practical advantages.
One-Pass Enrichment
Rather than confirm liveness and then re-probe for details, httpx captures status code, title, technology stack, content length, web server, and TLS data in a single request cycle. The output is immediately actionable.
Surgical Filtering
Flags like -mc (match status code) and -fc (filter status code) let you narrow thousands of hosts to just the interesting ones — for example, surfacing every host returning a 200 or filtering out noisy 404s before they reach Nuclei.
Machine-Readable Output
The -json flag emits one structured record per host, ready to feed directly into vulnerability scanners, risk-scoring engines, or dashboards without any parsing glue.
Example httpx Recon Workflow
This workflow takes a raw subdomain list, probes it with httpx for live hosts and fingerprints, filters to interesting status codes, then feeds the clean list into Nuclei. Each phase pipes into the next.
# Input: all-subs.txt from Subfinder + Amass TARGET="example.com" # Probe for live hosts with full enrichment /opt/homebrew/bin/httpx \ -list recon/$TARGET/all-subs.txt \ -silent \ -status-code \ -title \ -tech-detect \ -content-length \ -web-server \ -follow-redirects \ -o recon/$TARGET/live-hosts.txt # Output: live-hosts.txt — status, title, tech, size per host
# Probe common non-standard web ports too /opt/homebrew/bin/httpx \ -list recon/$TARGET/all-subs.txt \ -silent \ -ports 80,443,8080,8443,3000,8000,8888 \ -status-code \ -title \ -threads 100 \ -rate-limit 150 \ -o recon/$TARGET/live-allports.txt # Output: live-allports.txt — catches admin panels & dev servers
# Keep only live 200/301/302/401/403 — drop the noise /opt/homebrew/bin/httpx \ -list recon/$TARGET/all-subs.txt \ -silent \ -mc 200,301,302,401,403 \ -json \ -o recon/$TARGET/live-filtered.json # Extract clean URL list for the scanner cat recon/$TARGET/live-filtered.json \ | jq -r '.url' \ > recon/$TARGET/scan-targets.txt # Output: scan-targets.txt — clean URLs ready for Nuclei
# The classic one-liner: subdomains to findings cat recon/$TARGET/all-subs.txt \ | /opt/homebrew/bin/httpx -silent -mc 200 \ | /opt/homebrew/bin/nuclei \ -severity medium,high,critical \ -rate-limit 50 \ -o recon/$TARGET/findings.txt # Output: findings.txt — httpx feeds live hosts directly to Nuclei
httpx Flag Reference
The flags below cover the vast majority of recon use cases. Combine them based on whether you are enriching, filtering, or piping.
| Flag | Purpose | Notes |
|---|---|---|
| -status-code | Show HTTP status | Returns 200, 301, 403, etc. per host — the baseline triage signal |
| -title | Extract page title | Page titles instantly reveal admin panels, login pages, and default installs |
| -tech-detect | Fingerprint stack | Identifies CMS, frameworks, servers via Wappalyzer signatures |
| -follow-redirects | Trace redirects | Resolves the final landing host instead of stopping at a 301 |
| -mc / -fc | Match / filter status | -mc 200,403 keeps only those codes; -fc 404 drops them |
| -ports | Probe extra ports | -ports 8080,8443,3000 catches services off the standard 80/443 |
| -threads / -rate-limit | Throughput control | Tune concurrency and requests/sec to balance speed against target load |
| -json | Structured output | One JSON record per host — pipe into jq, scanners, or dashboards |
How PhantomRed Automates httpx Probing
PhantomRed runs httpx automatically as the bridge phase of every scan — the moment subdomain enumeration finishes, the full host list is probed, filtered, and fingerprinted without any manual step. The enriched live-host data then flows straight into vulnerability scanning.
Within the platform pipeline, httpx delivers:
- Automatic liveness filtering Dead subdomains are dropped before they reach the scanner, cutting wasted scan cycles dramatically.
- Multi-port coverage Non-standard web ports are probed by default, surfacing admin panels and dev servers automatically.
- Technology context for findings Each finding carries the stack fingerprint, so the AI risk summary can reason about exploitability in context.
- Clean handoff to Nuclei Filtered, deduplicated URLs feed the scanning phase with zero manual glue between tools.
See how httpx sits in the wider pipeline on the autonomous penetration testing page, or generate a full custom chain with the recon workflow generator.
Benefits of httpx-Driven Recon Workflows
- Speed at scale Probes thousands of hosts in seconds with concurrent requests and tunable rate limiting.
- Rich enrichment Status, title, tech, server, and TLS data captured in one pass — no re-probing.
- Less downstream waste Filtering dead hosts before scanning cuts Nuclei and FFUF runtime sharply.
- Pipeline-native Reads stdin, writes JSON — chains cleanly between any enumeration and scanning tools.
- Hidden surface discovery Multi-port probing exposes admin panels and APIs that single-port tools miss entirely.
- Reproducible output Identical flags produce identical, auditable results across every engagement.
Related Recon Resources
Explore connected techniques in the PhantomRed Academy workflow library.
Frequently Asked Questions
-
httpx is a fast HTTP probing tool used to filter a raw list of subdomains down to only live HTTP and HTTPS hosts. It also fingerprints each host — capturing status codes, page titles, technologies, content length, and TLS data — turning a flat domain list into an actionable attack surface map.
-
Both probe for live hosts, but httpx is significantly faster and richer. httprobe only confirms whether a host responds, while httpx additionally captures status codes, titles, technology fingerprints, response sizes, and supports filtering, all in one pass. httpx has effectively become the modern standard for HTTP probing in recon.
-
httpx sits between subdomain enumeration and vulnerability scanning. After Subfinder and Amass produce a subdomain list, httpx filters it to live hosts and fingerprints them. That clean, enriched list then feeds Nuclei, FFUF, and katana for the next phase of testing.
-
The most useful flags are -status-code, -title, -tech-detect, -follow-redirects, -content-length, -web-server, and -json for machine-readable output. For large scopes, -threads and -rate-limit control throughput, while -mc and -fc filter results by status code.
-
Yes. httpx is built for piping and scripting, so it slots naturally into automated pipelines. Platforms like PhantomRed run httpx automatically between subdomain discovery and vulnerability scanning, passing enriched live-host data downstream without manual intervention.
Automate Your Entire Recon Pipeline
PhantomRed runs Subfinder, httpx, Nmap, and Nuclei in one coordinated scan — from raw domain to prioritised findings.
Start Free Scan →