reconftw
reconFTW is a bash-based automated reconnaissance tool that orchestrates subdomain enumeration, vulnerability scanning, OSINT, and web analysis to streamline penetration testing workflows. It integrates multiple third-party tools and supports distributed scanning, Docker, and infrastructure-as-code deployment.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | six2dez/reconftw |
| Owner | six2dez |
| Primary language | Shell |
| License | MIT — OSI-approved |
| Stars | 7.8k |
| Forks | 1.2k |
| Open issues | 2 |
| Latest release | v4.1 (2026-03-07) |
| Last updated | 2026-06-29 |
| Source | https://github.com/six2dez/reconftw |
What reconftw is
Written in Bash with support for Go, Python, and other underlying tools, reconFTW automates reconnaissance phases including passive/active subdomain discovery, certificate transparency, web vulnerability checks (XSS, SSRF, SQLi, LFI, SSTI), OSINT (email/credential leaks, GitHub analysis, cloud storage enumeration), and DNS/port scanning. Deployable via Docker, Terraform, Ansible, and local installation with modular configuration.
Get the reconftw source
Clone the repository and explore it locally.
git clone https://github.com/six2dez/reconftw.gitcd reconftw# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Installation requires bash, git, and ~20+ external dependencies (subfinder, nuclei, nmap, jq, curl, etc.); local or Docker setup both require careful environment configuration.
- Modular design via configuration file allows customization but demands understanding which tools to enable/disable based on scope and API quota limits.
- Execution time scales with target scope; distributed scanning via AX Framework adds operational complexity but can reduce wall-clock time significantly.
- Outputs are text/JSON; integration with Faraday or custom parsers needed for centralized reporting or SIEM ingestion.
- API keys and credentials (e.g., for GitHub, credential databases) must be configured upfront; exposure or quota exhaustion can halt reconnaissance.
When to avoid it — and what to weigh
- Production application infrastructure scanning — Design is oriented toward offensive security testing, not continuous monitoring or integration into production security stacks. No guardrails for safe production use.
- Strict compliance or air-gapped environments — Many integrated tools rely on external APIs (Google dorks, GitHub repos, credential databases, cloud provider APIs). May not suit isolated networks or strict data residency policies.
- Need for formal vendor support or SLAs — Community-driven open-source project with no commercial support model, SLA, or guaranteed maintenance response times.
- Minimal or no Linux/bash expertise in your team — Core tool is a bash script with heavy dependency management. Requires comfort troubleshooting shell script failures and managing external tool versions.
License & commercial use
Licensed under MIT (permissive OSI license). Allows commercial use, modification, and distribution with attribution and no warranty.
MIT license permits commercial use. However, reconFTW is an offensive security tool; legal use depends on target authorization and applicable jurisdiction laws. Users are solely responsible for compliance. No warranty or indemnity provided by developers. Commercial entities should ensure proper authorization before use and consider liability implications.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
reconFTW is an offensive security tool intended for authorized testing only. Security considerations: (1) API keys and credentials must be managed securely in config files; exposure risks credential compromise. (2) Tool outputs may contain sensitive data (live hosts, exposed APIs, leaked credentials); restrict output file access. (3) Integrated tools (nuclei, subfinder, etc.) depend on external services and databases; verify their security posture. (4) No formal security audit or supply-chain verification data provided. (5) Bash script execution carries standard injection risks if inputs are not sanitized; review code if modifying. (6) Distributed scanning via AX Framework introduces agent-to-controller communication; secure setup required.
Alternatives to consider
Nmap + custom bash orchestration
Lower-level, no external dependencies, but requires manual integration of each tool (subfinder, nuclei, etc.) and lacks unified configuration/reporting.
Metasploit Framework
Broader post-exploitation capabilities and commercial support available, but heavier footprint, steeper learning curve, and less focused on OSINT/subdomain enumeration.
Burp Suite Enterprise or Acunetix
Commercial, vendor-backed vulnerability scanning with formal support and compliance reporting, but higher cost, less modular, and requires different deployment model (not bash-driven).
Build on reconftw with DEV.co software developers
Explore reconFTW on GitHub, review the GitBook documentation, and join the Discord community to learn best practices for your security assessments. Ensure proper authorization before use.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
reconftw FAQ
Do I need to install all the external tools, or can I pick and choose?
Can I use reconFTW without Docker?
Is reconFTW safe for production network scanning?
What happens if an external API (GitHub, credential database) goes down?
Work with a software development agency
Adopting reconftw is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Ready to streamline your reconnaissance workflow?
Explore reconFTW on GitHub, review the GitBook documentation, and join the Discord community to learn best practices for your security assessments. Ensure proper authorization before use.