⬡ Recon · Step 2

httpx Recon Workflows

Subdomain enumeration hands you a list of names — but a name is not a target. Most of those hosts will not resolve, will not respond, or will sit behind a redirect to somewhere else entirely. httpx is the phase that separates the live from the dead: it probes every host, captures what it responds with, and fingerprints the technology behind it. This guide covers how httpx fits into recon, the flags that matter, the full probing workflow, and how PhantomRed runs it for you.

PhantomRed Academy · Recon Series · Updated June 2026

Why a Raw Subdomain List Is Not Enough

Enumeration is built for completeness — it deliberately casts a wide net and returns every candidate name it can find. That is exactly what you want from discovery, but it means the output is noisy. Feed that raw list straight into a port scanner or vulnerability engine and you waste most of the run on hosts that were never reachable in the first place.

PROBLEM 01
Dead Names
A large share of enumerated subdomains do not resolve or serve nothing. Scanning them burns time and rate limit on hosts that will never produce a finding.
PROBLEM 02
No Context
A bare hostname tells you nothing about what is running there. Without status codes, titles, and technology, you cannot prioritize which hosts deserve attention first.
PROBLEM 03
Wasted Scan Budget
Nmap, Nuclei, and FFUF are expensive to run at scale. Pointing them at unfiltered hosts inflates scan time and noise with no payoff.

httpx solves all three. It probes the full list in parallel, drops everything that is not live, and enriches what remains with the metadata you need to triage. The result is a short, high-signal target list — the difference between scanning everything and scanning what matters.

What httpx Captures on Every Host

httpx is more than an up/down check. A single probing pass collects a layered profile of each live host that drives every prioritization decision downstream.

Status Codes & Live Filtering

The first job is filtering. httpx records the HTTP status code for every host and can keep only those that respond, separating real targets from dead names. A 200 is an obvious live target; a 403 or 401 often signals something protected and interesting; redirects reveal where traffic actually goes.

Titles & Response Size

The page title and response length give an instant read on what a host is — a login portal, a default server page, a staging copy of production, an admin panel. Grouping hosts by title and size surfaces clusters of similar apps and the odd one out that often deserves a closer look.

Technology Fingerprinting

With -tech-detect, httpx identifies the web server, frameworks, CDNs, and other technologies behind each host. That fingerprint is what lets you prioritize — an outdated server version or a framework with known issues moves to the front of the queue before you run a single deeper scan.

Why This Matters Recon is a funnel. Enumeration widens the top to capture everything; httpx narrows it to what is real and worth pursuing. Skip this phase and every later phase runs against noise. Run it well and the rest of the pipeline only ever touches confirmed, fingerprinted, prioritized targets.

Example httpx Recon Workflow

This workflow picks up exactly where subdomain enumeration left off. It takes the merged subdomain list, probes it for live hosts, enriches the survivors, then hands a clean target list to the active scanning phase.

bash Phase 1 — Probe the Enumerated List
# Pick up the merged list from the enumeration phase
TARGET="example.com"

# Probe every host: keep live, capture status, title, tech
cat recon/$TARGET/all-subs.txt \
  | /opt/homebrew/bin/httpx \
    -silent \
    -status-code \
    -title \
    -tech-detect \
    -o recon/$TARGET/live-hosts.txt

# Output: live-hosts.txt — only hosts that responded
bash Phase 2 — Tune for Signal
# Keep only interesting status codes, follow redirects,
# raise concurrency, and record response size
cat recon/$TARGET/all-subs.txt \
  | /opt/homebrew/bin/httpx \
    -silent \
    -mc 200,401,403,500 \
    -follow-redirects \
    -content-length \
    -threads 100 \
    -o recon/$TARGET/triaged.txt

# Output: triaged.txt — high-signal hosts only
bash Phase 3 — Hand Off to Active Scanning
# Strip to bare hosts and feed the scanning phase
cat recon/$TARGET/live-hosts.txt \
  | awk '{print $1}' > recon/$TARGET/scan-targets.txt

# Live, fingerprinted targets now ready for Nmap + Nuclei
cat recon/$TARGET/scan-targets.txt \
  | /opt/homebrew/bin/nuclei -silent \
    -o recon/$TARGET/nuclei.txt

# Output: scan-targets.txt feeds the active scan chain
Operational Note httpx probing sends real requests to the target's hosts, so it counts as active recon. Keep concurrency reasonable on production infrastructure and confirm the hosts are within your authorized scope before probing at high thread counts. Aggressive probing can trip rate limits and WAFs.

httpx Flag Reference

The flags below cover the core probing workflow — filtering to live hosts, enriching them, and tuning throughput.

Flag Role Notes
-silent Output Suppresses the banner and progress noise — clean output for piping into the next tool
-status-code Filter Records the HTTP status for each host; the basis of live-host filtering
-title Enrich Captures the page title — fast context on what each host actually is
-tech-detect Fingerprint Identifies servers, frameworks, and CDNs to prioritize targets by stack
-mc Filter Match codes — keep only chosen statuses, e.g. 200,401,403,500
-follow-redirects Behaviour Resolves where redirecting hosts actually land instead of stopping at the 3xx
-threads Throughput Concurrency control — raise for speed, lower to stay gentle on the target

How PhantomRed Automates httpx Probing

PhantomRed runs host probing as the validation phase of every scan — taking the enumerated host list, probing it in parallel, filtering to live targets, and fingerprinting each one before any active scanning begins. No manual piping, no cleanup between phases.

Within the platform pipeline, probing delivers:

Probing is step two of the full chain — see how it feeds the rest on the autonomous penetration testing page, or generate a custom workflow with the recon workflow generator.

Benefits of Automated httpx Probing

Related Recon Resources

Explore connected techniques in the PhantomRed Academy workflow library.

Frequently Asked Questions

Validate Every Host Automatically

PhantomRed runs enumeration, probing, scanning, and validation in one coordinated scan — filtering to live, fingerprinted targets before any active scan begins.

Start Free Scan →