Ethical Hacking Academy · Lesson

Recon at Scale

Automate discovery.

Why Recon Wins Bounties

In bug bounty hunting, reconnaissance often decides who finds the bug first. The more attack surface you discover, the more likely you are to find something others missed.

  • Forgotten subdomains run old, vulnerable code
  • Hidden APIs and dev environments leak data
  • The widest recon usually finds the freshest bugs

Recon at scale means automating discovery across large scopes.

Subdomain Enumeration: Passive

Passive enumeration gathers subdomains from public data sources without touching the target directly: certificate transparency logs, search indexes, and threat-intel feeds.

Tools such as subfinder and Amass query dozens of these sources in a single run.

# Aggregate subdomains from many passive sources
subfinder -d example.com -all -o subs_passive.txt

# Amass in passive mode
amass enum -passive -d example.com
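
An added example, not part of the original lesson: passive sources return wildcard entries, mixed case, duplicates and unrelated domains, so the merged output should be normalised and limited to the authorised root domain before anything else consumes it. The function names, temporary file names and sample hostnames are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: merge passive-enumeration output into one clean,
# in-scope list. Names and sample data below are constructed.

# merge_in_scope ROOT_DOMAIN FILE...
# Prints unique, normalised hostnames that equal ROOT_DOMAIN or end in
# ".ROOT_DOMAIN"; every other line is dropped as out of scope.
merge_in_scope() {
    local root
    root="$1"; shift
    cat -- "$@" | awk -v root="$root" '
        BEGIN { root = tolower(root); suffix = "." root }
        {
            host = tolower($1)          # hostnames are case-insensitive
            sub(/\r$/, "", host)        # tolerate CRLF line endings
            sub(/^\*\./, "", host)      # CT logs often list wildcard names
            sub(/\.$/, "", host)        # strip a trailing root dot
            if (host == "") next
            if (host !~ /^[a-z0-9._-]+$/) next   # drop malformed lines
            # Match the suffix on a label boundary so "notexample.com"
            # does not pass for the root "example.com".
            n = length(host) - length(suffix)
            if (host == root || (n > 0 && substr(host, n + 1) == suffix))
                if (!seen[host]++) print host
        }' | LC_ALL=C sort
}

# Constructed sample input standing in for two tools' output files.
demo() {
    local tmp
    tmp="$(mktemp -d)"
    printf '%s\n' 'www.example.com' 'API.example.com' \
        '*.dev.example.com' 'notexample.com' > "$tmp/a.txt"
    printf '%s\n' 'api.example.com.' 'example.com' \
        'cdn.example.net' 'www.example.com' > "$tmp/b.txt"
    merge_in_scope example.com "$tmp/a.txt" "$tmp/b.txt"
    rm -rf "$tmp"
}

demo
```
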
