The three most important tools in the automated pentesting stack: what they do, the flags that matter, and how to chain them into a single recon pipeline.
Nmap, Nuclei, and FFUF together cover the three most valuable phases of external reconnaissance: understanding what is running (Nmap), detecting known vulnerabilities against what is running (Nuclei), and discovering hidden attack surface that isn't linked anywhere (FFUF).
Each tool is best-in-class for its specific job. Nmap is the standard for port and service discovery. Nuclei is the fastest way to run thousands of vulnerability templates. FFUF is the fastest web fuzzer available for path and parameter discovery. Chaining them in sequence produces a comprehensive initial recon pass without manual intervention between steps.
PhantomRed runs this entire chain automatically server-side. This guide covers how to run and chain them yourself, including the specific flags that matter for bug bounty and pentest workflows.
Nmap (Network Mapper) is the standard tool for discovering open ports, running services, and software versions on a target. For pentest recon, the goal is to build a complete picture of what is exposed and what software is running before running any vulnerability scanner.
| Flag | What it does |
|---|---|
| -sV | Service version detection: identifies software names and version strings on open ports |
| -sC | Runs default NSE scripts: anonymous FTP, HTTP info, SSL certs, SMB info, and more |
| -F | Fast mode: scans only the top 100 most common ports instead of all 65535 |
| -p- | Scans all 65535 ports: slower, but finds services on non-standard ports |
| -T3 | Normal timing: balanced speed vs. stealth. Use -T4 for speed, -T2 for quieter scanning |
| -oN | Normal output format: human-readable file output for review and documentation |
| -oG | Greppable output: machine-parseable format, easy to pipe into other tools |
| -iL | Input from file: scan a list of targets instead of a single host |
| --open | Only show open ports: filters out closed and filtered ports for cleaner output |
Nuclei is a fast, template-based vulnerability scanner developed by ProjectDiscovery. It runs community and official templates against targets to detect CVEs, exposed admin panels, default credentials, misconfigurations, and security header issues. With 9000+ templates, it is the fastest way to run a comprehensive vulnerability check against a discovered attack surface.
| Flag | What it does |
|---|---|
| -u | Single target URL or host to scan |
| -l | Input from file: a list of URLs or hosts |
| -t | Template path: a template directory or an individual template file |
| -severity | Filter by severity: critical, high, medium, low, info. Use critical,high for a first pass |
| -tags | Filter by template tags: cve, misconfig, exposed-panels, default-logins, and more |
| -o | Output file path for findings |
| -json | JSON output format: machine-parseable, good for piping into reports |
| -rate-limit | Max requests per second: reduce to avoid triggering WAFs or rate limits |
| -c | Concurrency: number of templates to run in parallel. Default 25; reduce if unstable |
| -update-templates | Pull latest templates from the community repo before scanning |
FFUF (Fuzz Faster U Fool) is the fastest web fuzzer in the standard pentest toolkit. It discovers hidden directories, admin panels, backup files, API endpoints, and unlinked parameters by substituting a wordlist into a URL pattern. For bug bounty work, FFUF often finds the most interesting attack surface that isn't discoverable by Nuclei or Nmap.
| Flag | What it does |
|---|---|
| -u | Target URL with FUZZ as the injection point (e.g. https://target.com/FUZZ) |
| -w | Wordlist path: the list of values to substitute at the FUZZ position |
| -mc | Match HTTP status codes: only show responses with these codes (e.g. 200,301,302,403) |
| -fc | Filter status codes: hide responses with these codes (e.g. -fc 404 to hide not-found) |
| -fs | Filter by response size: hide responses of a specific byte size (filters false positives) |
| -o | Output file for results |
| -of | Output format: json, csv, html, md, or all |
| -t | Threads: number of concurrent requests. Default 40; increase for speed |
| -rate | Rate limit in requests per second: reduce to avoid WAF blocks |
| -recursion | Recurse into discovered directories: finds nested paths automatically |
| -e | Extensions to append, e.g. -e .php,.bak,.txt to find backup files |
The full power of these tools comes from chaining them: Nmap discovers what is running, Nuclei checks what is running for known vulnerabilities, and FFUF finds hidden attack surface on the discovered web services.
Run Nmap against your scope. Extract live web hosts (ports 80, 443, 8080, 8443) for the next stages.
Feed the web hosts from Stage 1 into Nuclei. Start with high-severity templates for fastest triage.
Run FFUF against each live web host to discover hidden directories, admin panels, and backup files.
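The glue between Stage 1 and Stage 2 is turning Nmap's output into a host list the other tools accept. As an added example (not PhantomRed's code or Nmap's), here is a parser for Nmap's greppable (-oG) output that keeps only open web ports (80, 443, 8080, 8443), picks http or https from the port and service name, and emits one URL per line suitable for nuclei -l or an ffuf loop; the sample scan output, IPs and hostnames are constructed.

```python
import re
from typing import Iterator

# Ports the guide treats as live web hosts, mapped to the scheme Nuclei/FFUF
# should use. Assumption: an "ssl"/"https" service name on these ports means https.
WEB_PORTS = {80: "http", 443: "https", 8080: "http", 8443: "https"}
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

# Constructed sample of `nmap -sV --open -oG` output; not a real scan.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 (web1.example.test)\tStatus: Up
Host: 10.0.0.5 (web1.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 8080/open/tcp//http-proxy///, 8443/filtered/tcp//https-alt///, 3306/open/tcp//mysql//MySQL 8.0/
Host: 10.0.0.7 (api.example.test)\tPorts: 8443/open/tcp//ssl|https-alt///\tIgnored State: filtered (99)
# Nmap done at (constructed sample)
"""

def parse_grepable(text: str) -> Iterator[tuple[str, str, int, str, str]]:
    """Yield (ip, hostname, port, state, service) for each port entry."""
    # Fields are tab-separated "Name: value" pairs; each port entry is
    # port/state/proto/owner/service/rpc/version/ and nmap writes "|" for "/"
    # inside a field (e.g. ssl|http), so splitting on "/" is safe.
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        ip, hostname = m.group(1), m.group(2)
        fields = dict(f.split(":", 1) for f in line.split("\t") if ":" in f)
        for entry in fields["Ports"].strip().split(", "):
            parts = entry.split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            yield ip, hostname, int(parts[0]), parts[1], parts[4]

def web_urls(text: str) -> list[str]:
    """Return de-duplicated URLs for open web ports, in scan order."""
    urls: list[str] = []
    for ip, hostname, port, state, service in parse_grepable(text):
        if state != "open" or port not in WEB_PORTS:
            continue  # drop filtered/closed ports and non-web services
        scheme = "https" if ("ssl" in service or "https" in service) else WEB_PORTS[port]
        host = hostname or ip  # prefer the DNS name so name-based vhosts resolve
        default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
        url = f"{scheme}://{host}" if default else f"{scheme}://{host}:{port}"
        if url not in urls:
            urls.append(url)
    return urls
```

Write the returned list to a file one URL per line and pass it to nuclei -l; for FFUF, iterate the same file and set -u to each URL with /FUZZ appended.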
PhantomRed executes Nmap, Nuclei, FFUF, and SQLMap server-side in a single automated pipeline. Submit a target and get a risk-scored, AI-analyzed report, without managing any of the above locally.
PhantomRed chains the full pipeline server-side. Submit a target, get a risk-scored report. The free tier includes 3 scans per month; no credit card required.