Enter a target and get a complete, copy-paste ready recon pipeline — Subfinder, Nmap, Nuclei, FFUF, and SQLMap commands tailored to your scope and context.
PhantomRed executes this entire pipeline server-side — Subfinder, Nmap, Nuclei, FFUF, SQLMap — and returns AI-triaged findings ranked by severity. No local tool installation. No manual correlation.
A recon workflow generator is a utility that takes a target domain or IP address and produces a complete, ordered set of offensive security commands — covering subdomain enumeration, live host validation, port scanning, CVE detection, directory fuzzing, and injection testing.
Instead of manually constructing commands for each tool, remembering exact flags, and figuring out how to chain outputs between stages, the generator produces a ready-to-run pipeline in seconds. Each command is tailored to your scope type (single domain, wildcard, IP range, or API) and your context (bug bounty, pentest, or CTF) — so the flags, port lists, and template sets match your actual engagement.
This tool is built for offensive security operators who know what they're doing but don't want to spend 20 minutes constructing the same recon setup for every new target. It's the same pipeline that PhantomRed's autonomous penetration testing engine runs server-side — made available as a free command-line generator.
Bug bounty hunters working large program scopes — wildcard domains with hundreds of subdomains, complex API surfaces, broad IP ranges — face a scaling problem. Manual recon doesn't scale. Running tools one by one, formatting output, and cross-referencing results across 6-8 tools takes hours per target. Automation is how serious hunters cover scope faster than the competition.
Subfinder and Amass discover subdomains via passive DNS, certificate transparency logs, and third-party APIs — building the full target surface before any active scanning begins.
httpx filters the subdomain list down to hosts that are actually responding — eliminating dead endpoints before Nmap and Nuclei waste time on them.
Nmap scans validated live hosts for open ports and service version banners — identifying attack surface beyond port 80 and 443, including exposed databases, admin panels, and staging services.
Nuclei runs a curated template library against live targets — detecting CVEs, default credentials, misconfigured cloud storage, exposed admin interfaces, and SSRF endpoints.
FFUF fuzzes web services for hidden directories, backup files, API routes, and parameter injection points — finding endpoints that don't appear in source code or sitemaps.
SQLMap tests discovered parameter-accepting endpoints for SQL injection — targeting the endpoints surfaced by FFUF rather than guessing blindly at the root domain.
The key to efficient bug bounty recon is that each stage feeds into the next. Subdomain output feeds Nmap. Live host list feeds Nuclei. FFUF endpoints feed SQLMap. A workflow generator makes that chaining explicit — you see exactly how each command consumes the previous stage's output.
Here's a complete automated recon workflow for a wildcard bug bounty target (*.example.com), generated by this tool with Bug Bounty context selected:
# Stage 1 — Subdomain Enumeration
subfinder -d example.com -all -recursive -o subdomains.txt
# Stage 2 — Port & Service Scanning
nmap -iL subdomains.txt -sV --open -T3 -p 80,443,8080,8443,8888,9090,9200,6379,27017,3306,5432 -oN nmap_results.txt
# Stage 3 — CVE & Vulnerability Detection
nuclei -l subdomains.txt -t cves/ -t exposures/ -t misconfiguration/ -t vulnerabilities/ -t default-logins/ -severity medium,high,critical -o nuclei_findings.txt
# Stage 4 — Directory & Endpoint Fuzzing
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302,403 -o ffuf_results.json -of json
# Stage 5 — SQL Injection Testing
# Run SQLMap against discovered endpoints from FFUF output
sqlmap -u "https://example.com/page?id=1" --batch --level=2 --risk=1 --output-dir=sqlmap_output/
Each stage is independent — you can run them sequentially or in parallel depending on your setup. The output files (subdomains.txt, nmap_results.txt, nuclei_findings.txt) become the inputs for later stages, creating a complete audit trail of the engagement.
Want this pipeline to run automatically — server-side, with AI-ranked findings? That's exactly what PhantomRed's autonomous pentest engine does. No local installation, no manual chaining, no result correlation overhead.
Manual recon is a ceiling. At some point, running tools one at a time and correlating results by hand limits how many targets you can cover, how fast you can move, and how consistently you can operate. Automation removes that ceiling.
Automated recon pipelines cover a target in minutes. Manual workflows covering the same scope take hours — giving automated operators a first-mover advantage on bug bounty programs.
Automated pipelines don't skip steps when tired or rushed. Every target gets the full workflow — subdomain enum, port scan, CVE check, content discovery — without human shortcuts.
Run the same recon workflow across 50 subdomains as easily as across 5. Automated pipelines scale linearly with compute — manual workflows scale with headcount.
Automated enumeration finds subdomains, ports, and endpoints that manual recon misses — increasing the probability of discovering vulnerabilities before other researchers do.
The operators who consistently find high-severity bugs in large programs are almost always running automated pipelines. The workflow generator here gives you the commands. PhantomRed gives you the execution engine.