Case Studies

Real-world examples of reconFTW in action.

Case Study 1: Bug Bounty - New Program Launch

Scenario: A new bug bounty program launched with *.target.com in scope. Goal is to find vulnerabilities quickly before other hunters.

Target Profile

Scope: *.target.com (wildcard)
Size: Unknown (new program)
Time: 4 hours before others catch up
Goal: Quick wins - subdomain takeovers, exposed panels, known CVEs

Configuration

# Custom config: bounty-rush.cfg

# Fast subdomain enumeration
SUBBRUTE=false           # Skip brute-force (time-consuming)
SUBPERMUTE=false         # Skip permutations
SUBIAPERMUTE=false

# Essential web checks only
WEBPROBESIMPLE=true
WEBPROBEFULL=false       # Skip detailed probing

# Priority vulnerability checks
NUCLEICHECK=true
NUCLEI_SEVERITY="critical,high"  # Only high-impact
SUBTAKEOVER=true         # Quick wins

# Skip slow modules
FUZZ=false
XSS=false
SQLI=false
SSRF_CHECKS=false

Execution

# Phase 1: Quick passive recon (15 minutes)
./reconftw.sh -d target.com -p

# Review subdomains found
wc -l Recon/target.com/subdomains/subdomains.txt
# 847 subdomains

# Phase 2: Fast vulnerability scan (2 hours)
./reconftw.sh -d target.com -r -f bounty-rush.cfg --adaptive-rate

# Phase 3: Check results immediately
cat Recon/target.com/subdomains/takeover.txt
cat Recon/target.com/vulns/nuclei_output.json | jq -r 'select(.severity=="critical")'

Results

Finding

Severity

File Location

Subdomain takeover on old.target.com

High

subdomains/takeover.txt

Exposed Jenkins on ci.target.com

Critical

vulns/nuclei_output.json

S3 bucket listing

Medium

osint/cloud_enum.txt

3 exposed admin panels

High

vulns/nuclei_output.json

Time to first finding: 23 minutes (subdomain takeover)

Key Takeaways

Passive first - Always run -p before full recon
Skip slow modules - Brute-force can wait
Focus on quick wins - Takeovers, panels, known CVEs
Review as you go - Don't wait for full scan to complete

Case Study 2: Security Assessment - Enterprise Client

Scenario: Contracted for a security assessment of a Fortune 500 company. Need full coverage with minimal disruption.

Target Profile

Scope: corp.example.com + IP range 10.0.0.0/8 (internal)
Size: Large enterprise (~5,000 subdomains expected)
Time: 1 week engagement
Goal: Complete asset inventory, all vulnerabilities documented

Pre-Engagement Setup

# Create scope files
echo "*.corp.example.com" > scope-in.txt
echo "*.internal.example.com" >> scope-in.txt

echo "vpn.corp.example.com" > scope-out.txt
echo "mail.corp.example.com" >> scope-out.txt

Configuration

# Custom config: enterprise-assessment.cfg

# Thorough enumeration
SUBBRUTE=true
subs_wordlist="${tools}/subdomains_n0kovo_big.txt"
SUBPERMUTE=true
SUBIAPERMUTE=true

# All web checks
WEBPROBESIMPLE=true
WEBPROBEFULL=true
SCREENSHOT=true

# Full vulnerability assessment
NUCLEICHECK=true
NUCLEI_SEVERITY="critical,high,medium"
FUZZ=true
XSS=true
SQLI=true
SSRF_CHECKS=true
CORS=true

# Rate limiting (be respectful)
HTTPX_RATELIMIT=50
NUCLEI_RATELIMIT=100
ADAPTIVE_RATE_LIMIT=true

# Save everything
PORTSCANNER=true
PORTSCAN_ACTIVE=true

Execution Plan

Day 1-2: Reconnaissance

# External reconnaissance
./reconftw.sh -d corp.example.com -r \
  -i scope-in.txt -x scope-out.txt \
  -f enterprise-assessment.cfg

# OSINT deep dive
./reconftw.sh -d corp.example.com -n  # OSINT only

Day 3-4: Vulnerability Assessment

# Full vulnerability scan
./reconftw.sh -d corp.example.com -a \
  -i scope-in.txt -x scope-out.txt \
  -f enterprise-assessment.cfg

# Review and prioritize
cat Recon/corp.example.com/vulns/nuclei_output.json | \
  jq -r 'select(.severity=="critical")' > critical_findings.json

Day 5: Deep Dive on Findings

# Re-scan specific high-value targets
./reconftw.sh -d api.corp.example.com -a --deep

# Manual verification of critical findings

Results Summary

Deliverable Generation

# Export all critical/high findings
cat Recon/corp.example.com/vulns/nuclei_output.json | \
  jq -r 'select(.severity=="critical" or .severity=="high") | 
  [.host, .severity, ."template-id", .name] | @csv' > findings.csv

# Generate AI report
./reconftw.sh -d corp.example.com -y --ai-report full

Key Takeaways

Scope files are essential - Prevent accidental out-of-scope testing
Rate limiting - Enterprise WAFs will block aggressive scans
OSINT is gold - GitHub secrets often provide initial access vectors
Document everything - Use --deep on interesting assets

Case Study 3: Red Team - Distributed Scanning with Axiom

Scenario: Red team engagement against a large organization. Need to enumerate quickly across multiple regions without attribution.

Target Profile

Scope: bigcorp.com and all subsidiaries
Size: Very large (10,000+ subdomains estimated)
Time: 48 hours for initial recon
Goal: Complete external footprint, identify entry points

Infrastructure Setup

# Launch Axiom fleet (20 instances across regions)
axiom-fleet reconftw -i 20 --regions nyc1,lon1,sgp1,ams3

# Verify fleet
axiom-ls

Configuration

# Custom config: redteam-distributed.cfg

# Aggressive enumeration (fleet handles load)
SUBBRUTE=true
SUBPERMUTE=true
SUBRECURSIVE=true
SUB_RECURSIVE_BRUTE=true

# Full web checks
WEBPROBESIMPLE=true
WEBPROBEFULL=true

# All vulnerability checks
NUCLEICHECK=true
NUCLEI_SEVERITY="critical,high,medium,low"
FUZZ=true
XSS=true
SQLI=true

# Axiom configuration
AXIOM=true
AXIOM_FLEET_NAME="reconftw"
AXIOM_FLEET_COUNT=20
AXIOM_FLEET_SHUTDOWN=false  # Keep for multiple scans

Execution

# Create target list
cat << EOF > targets.txt
bigcorp.com
subsidiary1.com
subsidiary2.com
acquired-company.com
EOF

# Launch distributed scan
./reconftw.sh -l targets.txt -a -v -f redteam-distributed.cfg

Monitoring Progress

# Watch fleet activity
axiom-exec 'ps aux | grep -E "(nuclei|httpx|subfinder)"' -f reconftw

# Check intermediate results
axiom-exec 'wc -l /tmp/subdomains.txt' -f reconftw

# Pull partial results
axiom-scp 'reconftw*:/home/op/Recon' ./partial_results/ -f reconftw

Results

Scan completed in: 14 hours (vs estimated 72 hours single-machine)

Target

Subdomains

Web Servers

Critical

High

bigcorp.com

8,234

2,847

subsidiary1.com

1,892

623

subsidiary2.com

945

312

acquired-company.com

2,134

892

Total

13,205

4,674

Entry Points Identified:

Exposed Citrix gateway (CVE-2023-XXXX)
Password spraying vector (O365 enumeration)
VPN with default credentials
Subdomain takeover → potential phishing vector
API key leaked in JS files → internal API access

Cost Analysis

Fleet: 20 × $0.03/hr × 14 hours = $8.40
Total scan cost: Under $10 for massive reconnaissance

Post-Scan Cleanup

# Merge all results
axiom-scp 'reconftw*:/home/op/Recon' ./final_results/ -f reconftw

# Shutdown fleet
axiom-rm 'reconftw*' -f

Key Takeaways

Axiom is cost-effective - Massive scans for dollars, not hours
Regional distribution - Avoids geo-blocking
Keep fleet alive - Reuse for multiple targets
Merge results carefully - Use provided merge scripts

Case Study 4: Continuous Monitoring - CI/CD Integration

Scenario: Security team wants automated weekly scans of all company assets with alerts for new findings.

Setup

Weekly cron job:

# /etc/cron.d/reconftw-weekly
0 2 * * 0 /opt/reconftw/scripts/weekly_scan.sh

Scan script:

#!/bin/bash
# weekly_scan.sh

TARGETS="/opt/targets/company_domains.txt"
CONFIG="/opt/reconftw/configs/weekly.cfg"
OUTPUT="/opt/recon_results/$(date +%Y-%m-%d)"

# Run scan
cd /opt/reconftw
./reconftw.sh -l "$TARGETS" -r -f "$CONFIG" -o "$OUTPUT"

# Generate diff from last week
./scripts/diff_results.sh "$OUTPUT" "$LAST_WEEK"

# Send notification
./scripts/notify.sh "$OUTPUT/diff_report.txt"

Configuration

# weekly.cfg - Balanced for regular monitoring

# Standard enumeration
SUBBRUTE=false          # Passive only for regular scans
SUBPERMUTE=false

# Web checks
WEBPROBESIMPLE=true
SCREENSHOT=true

# Vulnerability focus
NUCLEICHECK=true
NUCLEI_SEVERITY="critical,high"
SUBTAKEOVER=true

# Notifications
SLACK_WEBHOOK="https://hooks.slack.com/services/XXX"
NOTIFY=true
NOTIFY_CONFIG="${tools}/notify-config.yaml"

Diff Script

#!/bin/bash
# diff_results.sh

NEW=$1
OLD=$2

echo "=== New Subdomains ===" > "$NEW/diff_report.txt"
comm -23 <(sort "$NEW/subdomains/subdomains.txt") \
         <(sort "$OLD/subdomains/subdomains.txt") >> "$NEW/diff_report.txt"

echo -e "\n=== New Vulnerabilities ===" >> "$NEW/diff_report.txt"
diff "$OLD/vulns/nuclei_output.json" "$NEW/vulns/nuclei_output.json" \
  | grep "^>" >> "$NEW/diff_report.txt"

Alert Output

🔔 Weekly Recon Report - 2024-01-15

=== New Subdomains (12) ===
new-api.company.com
staging2.company.com
...

=== New Vulnerabilities (3) ===
[CRITICAL] api.company.com - CVE-2024-XXXX
[HIGH] staging.company.com - exposed-admin
[HIGH] new-api.company.com - default-credentials

Full report: /opt/recon_results/2024-01-15/

Key Takeaways

Passive for monitoring - Brute-force only for initial scans
Diff is everything - Focus on changes, not full results
Alert on severity - Critical/High only for notifications
Archive results - Keep history for trend analysis

Quick Reference: Scenario → Configuration

Scenario

Mode

Key Flags

Config Changes

Bug bounty rush

-p then -r

--adaptive-rate

Disable slow modules

Enterprise assessment

-a

-i, -x, -f

Rate limiting, thorough

Red team (distributed)

-a -v

--vps

Axiom fleet config

CI/CD monitoring

-r

-o, -f

Passive only, notifications

Quick triage

-p

None

Default passive

Deep dive (single target)

-a --deep

None

Enable everything

Documentation Info Branch: dev | Version: v3.0.0+ | Last updated: February 2026

PreviousOPSEC & Legal NextTroubleshooting

Last updated 2 minutes ago

Good afternoon

hashtagCase Study 1: Bug Bounty - New Program Launch

hashtagTarget Profile

hashtagConfiguration

hashtagExecution

hashtagResults

hashtagKey Takeaways

hashtagCase Study 2: Security Assessment - Enterprise Client

hashtagTarget Profile

hashtagPre-Engagement Setup

hashtagConfiguration

hashtagExecution Plan

hashtagResults Summary

hashtagDeliverable Generation

hashtagKey Takeaways

hashtagCase Study 3: Red Team - Distributed Scanning with Axiom

hashtagTarget Profile

hashtagInfrastructure Setup

hashtagConfiguration

hashtagExecution

hashtagMonitoring Progress

hashtagResults

hashtagCost Analysis

hashtagPost-Scan Cleanup

hashtagKey Takeaways

hashtagCase Study 4: Continuous Monitoring - CI/CD Integration

hashtagSetup

hashtagConfiguration

hashtagDiff Script

hashtagAlert Output

hashtagKey Takeaways

hashtagQuick Reference: Scenario → Configuration

Case Study 1: Bug Bounty - New Program Launch

Target Profile

Configuration

Execution

Results

Key Takeaways

Case Study 2: Security Assessment - Enterprise Client

Target Profile

Pre-Engagement Setup

Configuration

Execution Plan

Results Summary

Deliverable Generation

Key Takeaways

Case Study 3: Red Team - Distributed Scanning with Axiom

Target Profile

Infrastructure Setup

Configuration

Execution

Monitoring Progress

Results

Cost Analysis

Post-Scan Cleanup

Key Takeaways

Case Study 4: Continuous Monitoring - CI/CD Integration

Setup

Configuration

Diff Script

Alert Output

Key Takeaways

Quick Reference: Scenario → Configuration