Performance Tuning

Optimize reconFTW for your target size, hardware, and time constraints.

Quick Tuning Profiles

Copy-paste these configurations based on your scenario:

Small Target (< 100 subdomains)

# In reconftw.cfg - Small target, thorough scan

# Enable DEEP mode (more thorough)
DEEP=true
DEEP_LIMIT=500
DEEP_LIMIT2=2000

# Moderate threads (don't overwhelm small infra)
HTTPX_THREADS=50
FFUF_THREADS=40
NUCLEI_RATELIMIT=100

# Enable all checks
NUCLEICHECK=true
FUZZ=true
CORS=true
XSS=true
SQLI=true

# Time estimate: 1-2 hours

Medium Target (100-1,000 subdomains)

# In reconftw.cfg - Medium target, balanced

# Standard DEEP limits
DEEP_LIMIT=500
DEEP_LIMIT2=1500

# Higher threads
HTTPX_THREADS=100
FFUF_THREADS=60
NUCLEI_RATELIMIT=150

# Core checks enabled
NUCLEICHECK=true
FUZZ=true
XSS=true
SQLI=true

# Skip some heavy checks
SMUGGLING=false
WEBCACHE=false
PROTOTYPE_POLLUTION=false

# Time estimate: 2-4 hours

Large Target (1,000-10,000 subdomains)

# In reconftw.cfg - Large target, efficient

# Lower DEEP limits (skip intensive checks for large lists)
DEEP_LIMIT=200
DEEP_LIMIT2=500

# High threads
HTTPX_THREADS=150
FFUF_THREADS=80
NUCLEI_RATELIMIT=200

# Essential checks only
NUCLEICHECK=true
FUZZ=false          # Too slow for large targets
XSS=true
SQLI=false          # Use nuclei SQLi templates instead

# Skip slow modules
SMUGGLING=false
WEBCACHE=false
PROTOTYPE_POLLUTION=false
GRAPHQL_SCAN=false
WEBSOCKET_CHECKS=false

# Time estimate: 4-8 hours

Massive Target (10,000+ subdomains)

# In reconftw.cfg - Massive target, speed priority

# Minimal DEEP mode
DEEP_LIMIT=100
DEEP_LIMIT2=200

# Maximum threads
HTTPX_THREADS=200
FFUF_THREADS=100
NUCLEI_RATELIMIT=300

# Only nuclei scanning
NUCLEICHECK=true
FUZZ=false
XSS=false
SQLI=false
SSRF_CHECKS=false
CORS=false

# Use Axiom for distribution
AXIOM=true
AXIOM_FLEET_COUNT=20

# Time estimate: 8-24 hours (or 2-4 with Axiom)

Understanding DEEP Mode

DEEP mode runs additional checks when target size is below threshold.

How It Works

Target subdomains count:
├── Below DEEP_LIMIT (500) → Run intensive checks (DEEP mode)
├── Below DEEP_LIMIT2 (1500) → Run moderate checks
└── Above DEEP_LIMIT2 → Skip intensive checks

What DEEP Mode Enables

Check

Without DEEP

With DEEP

Permutations

Basic

AI + Regex permutations

Fuzzing

Top dirs only

Full wordlist

JS Analysis

Extract endpoints

Full secret scanning

Nuclei

Critical/High only

All severities

Parameter discovery

Skip

Full discovery

Configuring DEEP Limits

# For thorough scanning (small targets)
DEEP_LIMIT=1000
DEEP_LIMIT2=3000

# For fast scanning (large targets)
DEEP_LIMIT=100
DEEP_LIMIT2=300

# Disable DEEP mode entirely
DEEP=false

Thread Optimization

By Tool

Tool

Default

Min (Stealth)

Max (Speed)

Notes

HTTPX_THREADS

200

HTTP probing

FFUF_THREADS

100

Directory fuzzing

NUCLEI_RATELIMIT

150

500

Vuln scanning (req/sec)

DALFOX_THREADS

200

500

XSS testing

TLSX_THREADS

1000

200

2000

TLS analysis

RESOLVE_DOMAINS_THREADS

150

300

DNS resolution

By Hardware

System

Threads Multiplier

Example

1 CPU / 1GB RAM

0.5x

HTTPX_THREADS=25

2 CPU / 4GB RAM

1x (default)

HTTPX_THREADS=50

4 CPU / 8GB RAM

HTTPX_THREADS=100

8+ CPU / 16GB+ RAM

3-4x

HTTPX_THREADS=200

Memory Considerations

High-memory tools:

nuclei - Keep under 200 ratelimit on low-memory systems
ffuf - Reduce threads on large wordlists
katana - Can be memory-intensive on large sites

# Low memory system (2GB)
HTTPX_THREADS=30
FFUF_THREADS=20
NUCLEI_RATELIMIT=50

# High memory system (16GB+)
HTTPX_THREADS=150
FFUF_THREADS=80
NUCLEI_RATELIMIT=300

Rate Limiting Strategies

Adaptive Rate Limiting

# Enable automatic adjustment
./reconftw.sh -d target.com -r --adaptive-rate

# Or in config
ADAPTIVE_RATE_LIMIT=true
MIN_RATE_LIMIT=10        # Never go below this
MAX_RATE_LIMIT=500       # Never exceed this
RATE_LIMIT_BACKOFF_FACTOR=0.5    # Reduce by 50% on errors
RATE_LIMIT_INCREASE_FACTOR=1.2   # Increase by 20% on success

Manual Rate Limiting

# Global rate limit
./reconftw.sh -d target.com -r -q 50  # 50 req/sec

# Per-tool limits in config
HTTPX_RATELIMIT=50
NUCLEI_RATELIMIT=50
FFUF_RATELIMIT=50

When to Reduce Rates

Symptom

Action

429 errors

Reduce ratelimit by 50%

Connection timeouts

Reduce threads

WAF blocks

Use --adaptive-rate, reduce to 30 req/sec

Server errors (5xx)

Reduce threads AND ratelimit

Timeout Configuration

# In reconftw.cfg

# HTTP timeouts
HTTPX_TIMEOUT=10        # Seconds per request
FFUF_TIMEOUT=10
NUCLEI_TIMEOUT=15

# DNS timeouts  
DNS_TIMEOUT=5

# For slow targets
HTTPX_TIMEOUT=30
NUCLEI_TIMEOUT=30

Wordlist Optimization

Subdomain Wordlists

Wordlist

Size

Use When

subdomains.txt (default)

~100K

Standard scans

subdomains_n0kovo_big.txt

~1M

DEEP mode / thorough

Custom small list

~10K

Fast scans / CI/CD

# Fast scan - small wordlist
subs_wordlist="${tools}/subdomains_small.txt"

# Thorough scan - large wordlist
subs_wordlist="${tools}/subdomains_n0kovo_big.txt"

Fuzzing Wordlists

Wordlist

Size

Time Impact

Small (~5K)

Fast

5-10 min/target

Medium (~20K)

Moderate

20-40 min/target

Large (~100K+)

Slow

1-2 hours/target

# Fast fuzzing
fuzz_wordlist="${tools}/fuzz_small.txt"

# Thorough fuzzing  
fuzz_wordlist="${tools}/fuzz_wordlist.txt"

Recommended Wordlists

# Download optimized wordlists
# SecLists
git clone https://github.com/danielmiessler/SecLists.git ~/wordlists

# Assetnote
wget https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt

Module-Specific Tuning

Nuclei Optimization

# Severity filtering (faster)
NUCLEI_SEVERITY="critical,high"  # Skip medium/low/info

# Template exclusion
NUCLEI_EXTRA_ARGS="-etags dos,fuzz"  # Skip DoS and heavy fuzz templates

# Timeout
NUCLEI_TIMEOUT=10

# For large scans
NUCLEI_RATELIMIT=200
NUCLEI_FLAGS="-silent -retries 1"  # Reduce retries

Subdomain Enumeration

# Fast passive only
SUBBRUTE=false          # Skip brute-force
SUBPERMUTE=false        # Skip permutations
SUBIAPERMUTE=false      # Skip AI permutations

# Thorough
SUBBRUTE=true
SUBPERMUTE=true
SUBIAPERMUTE=true
SUBREGEXPERMUTE=true
SUB_RECURSIVE_PASSIVE=true

Fuzzing

# Fast
FUZZ=false  # Skip entirely, rely on nuclei

# Or minimal fuzzing
FFUF_THREADS=20
fuzz_wordlist="${tools}/fuzz_small.txt"

# Thorough
FUZZ=true
FFUF_THREADS=80
fuzz_wordlist="${tools}/fuzz_wordlist.txt"

Axiom Scaling

Fleet Sizing

Target Size

Fleet Size

Est. Time

< 100 subs

3-5

30 min

100-1000

5-10

1-2 hours

1000-10000

10-20

2-4 hours

10000+

20-50

4-8 hours

Cost Optimization

# Cheapest instances
AXIOM_INSTANCE_TYPE="s-1vcpu-1gb"  # $0.007/hr on DO

# Cost example:
# 10 instances × 2 hours × $0.007 = $0.14 per scan

Fleet Configuration

# In reconftw.cfg
AXIOM=true
AXIOM_FLEET_NAME="reconftw"
AXIOM_FLEET_COUNT=10
AXIOM_FLEET_LAUNCH=true
AXIOM_FLEET_SHUTDOWN=true  # Destroy after scan

Time Estimates

By Mode

Mode

Small (<100)

Medium (100-1K)

Large (1K-10K)

-p (passive)

5-10 min

10-20 min

20-40 min

-s (subs)

15-30 min

30-60 min

1-2 hours

-r (recon)

30-60 min

1-3 hours

3-6 hours

-a (all)

1-2 hours

2-5 hours

5-12 hours

Speed vs Thoroughness

Fast ←————————————————————————→ Thorough

-p           -s           -r           -a
Passive    Subs only    Full recon   All + vulns
~15 min    ~30 min      ~2 hours     ~4 hours

Common Tuning Scenarios

"I need results in 30 minutes"

# Passive only
./reconftw.sh -d target.com -p

"Overnight scan, make it thorough"

# Config: Enable everything, DEEP mode
DEEP=true
DEEP_LIMIT=2000

./reconftw.sh -d target.com -a

"Bug bounty, new program rush"

# Fast but complete
DEEP_LIMIT=300
FUZZ=false
./reconftw.sh -d target.com -r --adaptive-rate

"Red team, need to stay quiet"

# Low and slow
HTTPX_RATELIMIT=10
NUCLEI_RATELIMIT=10
HTTPX_THREADS=10
./reconftw.sh -d target.com -p  # Start passive

Monitoring Performance

Check Progress

# Watch log
tail -f Recon/target.com/.log/reconftw.log

# Check completed functions
ls Recon/target.com/.called_fn/

# Count results
wc -l Recon/target.com/subdomains/subdomains.txt

Resource Monitoring

# CPU/Memory
htop

# Disk
df -h

# Network
iftop  # or nload

TL;DR Quick Config

# SMALL target - be thorough
DEEP=true && HTTPX_THREADS=50 && NUCLEI_RATELIMIT=100

# LARGE target - be efficient  
DEEP_LIMIT=200 && HTTPX_THREADS=150 && FUZZ=false

# QUIET scan - low profile
HTTPX_RATELIMIT=10 && NUCLEI_RATELIMIT=10

# FAST scan - speed priority
./reconftw.sh -d target.com -p  # Just passive

Documentation Info Branch: dev | Version: v3.0.0+ | Last updated: February 2026

PreviousAdvanced Usage NextData Model & I/O

Last updated 30 minutes ago

Good afternoon

hashtagQuick Tuning Profiles

hashtagSmall Target (< 100 subdomains)

hashtagMedium Target (100-1,000 subdomains)

hashtagLarge Target (1,000-10,000 subdomains)

hashtagMassive Target (10,000+ subdomains)

hashtagUnderstanding DEEP Mode

hashtagHow It Works

hashtagWhat DEEP Mode Enables

hashtagConfiguring DEEP Limits

hashtagThread Optimization

hashtagBy Tool

hashtagBy Hardware

hashtagMemory Considerations

hashtagRate Limiting Strategies

hashtagAdaptive Rate Limiting

hashtagManual Rate Limiting

hashtagWhen to Reduce Rates

hashtagTimeout Configuration

hashtagWordlist Optimization

hashtagSubdomain Wordlists

hashtagFuzzing Wordlists

hashtagRecommended Wordlists

hashtagModule-Specific Tuning

hashtagNuclei Optimization

hashtagSubdomain Enumeration

hashtagFuzzing

hashtagAxiom Scaling

hashtagFleet Sizing

hashtagCost Optimization

hashtagFleet Configuration

hashtagTime Estimates

hashtagBy Mode

hashtagSpeed vs Thoroughness

hashtagCommon Tuning Scenarios

hashtag"I need results in 30 minutes"

hashtag"Overnight scan, make it thorough"

hashtag"Bug bounty, new program rush"

hashtag"Red team, need to stay quiet"

hashtagMonitoring Performance

hashtagCheck Progress

hashtagResource Monitoring

hashtagTL;DR Quick Config

Quick Tuning Profiles

Small Target (< 100 subdomains)

Medium Target (100-1,000 subdomains)

Large Target (1,000-10,000 subdomains)

Massive Target (10,000+ subdomains)

Understanding DEEP Mode

How It Works

What DEEP Mode Enables

Configuring DEEP Limits

Thread Optimization

By Tool

By Hardware

Memory Considerations

Rate Limiting Strategies

Adaptive Rate Limiting

Manual Rate Limiting

When to Reduce Rates

Timeout Configuration

Wordlist Optimization

Subdomain Wordlists

Fuzzing Wordlists

Recommended Wordlists

Module-Specific Tuning

Nuclei Optimization

Subdomain Enumeration

Fuzzing

Axiom Scaling

Fleet Sizing

Cost Optimization

Fleet Configuration

Time Estimates

By Mode

Speed vs Thoroughness

Common Tuning Scenarios

"I need results in 30 minutes"

"Overnight scan, make it thorough"

"Bug bounty, new program rush"

"Red team, need to stay quiet"

Monitoring Performance

Check Progress

Resource Monitoring

TL;DR Quick Config