DEV.co
Open-Source Security · six2dez

reconftw

reconFTW is a bash-based automated reconnaissance tool that orchestrates subdomain enumeration, vulnerability scanning, OSINT, and web analysis to streamline penetration testing workflows. It integrates multiple third-party tools and supports distributed scanning, Docker, and infrastructure-as-code deployment.

Source: GitHub — github.com/six2dez/reconftw
7.8k
GitHub stars
1.2k
Forks
Shell
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorysix2dez/reconftw
Ownersix2dez
Primary languageShell
LicenseMIT — OSI-approved
Stars7.8k
Forks1.2k
Open issues2
Latest releasev4.1 (2026-03-07)
Last updated2026-06-29
Sourcehttps://github.com/six2dez/reconftw

What reconftw is

Written in Bash with support for Go, Python, and other underlying tools, reconFTW automates reconnaissance phases including passive/active subdomain discovery, certificate transparency, web vulnerability checks (XSS, SSRF, SQLi, LFI, SSTI), OSINT (email/credential leaks, GitHub analysis, cloud storage enumeration), and DNS/port scanning. Deployable via Docker, Terraform, Ansible, and local installation with modular configuration.

Quickstart

Get the reconftw source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/six2dez/reconftw.gitcd reconftw# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Bug bounty and penetration testing workflows

Automates the initial recon phase to enumerate subdomains, identify live hosts, and detect common vulnerabilities (XSS, SSRF, SQLi) across large target scopes efficiently.

OSINT and threat intelligence gathering

Integrates email/credential leak detection, GitHub secret scanning, Microsoft 365 tenant mapping, metadata extraction, and cloud storage enumeration for comprehensive target profiling.

Distributed scanning at scale

Supports AX Framework for distributed execution across multiple agents, enabling faster reconnaissance on large domains and wide-scope assessments.

Implementation considerations

  • Installation requires bash, git, and ~20+ external dependencies (subfinder, nuclei, nmap, jq, curl, etc.); local or Docker setup both require careful environment configuration.
  • Modular design via configuration file allows customization but demands understanding which tools to enable/disable based on scope and API quota limits.
  • Execution time scales with target scope; distributed scanning via AX Framework adds operational complexity but can reduce wall-clock time significantly.
  • Outputs are text/JSON; integration with Faraday or custom parsers needed for centralized reporting or SIEM ingestion.
  • API keys and credentials (e.g., for GitHub, credential databases) must be configured upfront; exposure or quota exhaustion can halt reconnaissance.

When to avoid it — and what to weigh

  • Production application infrastructure scanning — Design is oriented toward offensive security testing, not continuous monitoring or integration into production security stacks. No guardrails for safe production use.
  • Strict compliance or air-gapped environments — Many integrated tools rely on external APIs (Google dorks, GitHub repos, credential databases, cloud provider APIs). May not suit isolated networks or strict data residency policies.
  • Need for formal vendor support or SLAs — Community-driven open-source project with no commercial support model, SLA, or guaranteed maintenance response times.
  • Minimal or no Linux/bash expertise in your team — Core tool is a bash script with heavy dependency management. Requires comfort troubleshooting shell script failures and managing external tool versions.

License & commercial use

Licensed under MIT (permissive OSI license). Allows commercial use, modification, and distribution with attribution and no warranty.

MIT license permits commercial use. However, reconFTW is an offensive security tool; legal use depends on target authorization and applicable jurisdiction laws. Users are solely responsible for compliance. No warranty or indemnity provided by developers. Commercial entities should ensure proper authorization before use and consider liability implications.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

reconFTW is an offensive security tool intended for authorized testing only. Security considerations: (1) API keys and credentials must be managed securely in config files; exposure risks credential compromise. (2) Tool outputs may contain sensitive data (live hosts, exposed APIs, leaked credentials); restrict output file access. (3) Integrated tools (nuclei, subfinder, etc.) depend on external services and databases; verify their security posture. (4) No formal security audit or supply-chain verification data provided. (5) Bash script execution carries standard injection risks if inputs are not sanitized; review code if modifying. (6) Distributed scanning via AX Framework introduces agent-to-controller communication; secure setup required.

Alternatives to consider

Nmap + custom bash orchestration

Lower-level, no external dependencies, but requires manual integration of each tool (subfinder, nuclei, etc.) and lacks unified configuration/reporting.

Metasploit Framework

Broader post-exploitation capabilities and commercial support available, but heavier footprint, steeper learning curve, and less focused on OSINT/subdomain enumeration.

Burp Suite Enterprise or Acunetix

Commercial, vendor-backed vulnerability scanning with formal support and compliance reporting, but higher cost, less modular, and requires different deployment model (not bash-driven).

Software development agency

Build on reconftw with DEV.co software developers

Explore reconFTW on GitHub, review the GitBook documentation, and join the Discord community to learn best practices for your security assessments. Ensure proper authorization before use.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

reconftw FAQ

Do I need to install all the external tools, or can I pick and choose?
reconFTW is modular. The configuration file allows enabling/disabling specific modules. However, core dependencies (bash, git, jq, curl) are required; optional tools (nuclei, nmap, etc.) can be installed selectively based on which reconnaissance phases you need.
Can I use reconFTW without Docker?
Yes. Local installation is supported on Linux/macOS. Docker is optional and simplifies dependency management, but requires managing external tool versions and API credentials yourself in local mode.
Is reconFTW safe for production network scanning?
No. It is designed for offensive security testing with prior authorization. It is not suitable for continuous monitoring or production infrastructure scanning without explicit scope approval. Always obtain written consent before use.
What happens if an external API (GitHub, credential database) goes down?
Modules depending on that API will fail. The tool continues with enabled modules; specific failures are reported in logs. Plan for API downtime and have fallback strategies for critical reconnaissance phases.

Work with a software development agency

Adopting reconftw is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Ready to streamline your reconnaissance workflow?

Explore reconFTW on GitHub, review the GitBook documentation, and join the Discord community to learn best practices for your security assessments. Ensure proper authorization before use.