DEV.co
Open-Source Security · reconmap

reconmap

Reconmap is an open-source penetration testing and vulnerability assessment platform built on JavaScript that helps security teams plan, execute, and report on assessments collaboratively. It automates command execution, output parsing, and report generation while supporting AI integration via Model Context Protocol (MCP).

Source: GitHub — github.com/reconmap/reconmap
938
GitHub stars
133
Forks
JavaScript
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryreconmap/reconmap
Ownerreconmap
Primary languageJavaScript
LicenseApache-2.0 — OSI-approved
Stars938
Forks133
Open issues9
Latest release3.2.2 (2026-06-26)
Last updated2026-07-05
Sourcehttps://github.com/reconmap/reconmap

What reconmap is

JavaScript-based security operations platform with Docker/Docker Compose deployment, featuring command automation, vulnerability tracking, multi-format report generation (Word, Markdown, HTML), and MCP support for LLM integration. Backend API, frontend dashboard, and CLI tools comprise the modular architecture.

Quickstart

Get the reconmap source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/reconmap/reconmap.gitcd reconmap# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Penetration Testing Engagement Management

Execute and track security commands across reconnaissance through reporting phases; ideal for teams conducting structured assessments with built-in command output capture and vulnerability correlation.

MSSP Service Delivery Automation

Streamline end-to-end engagement workflows for managed security service providers seeking collaboration-first platforms with automated reporting and command scheduling capabilities.

AI-Assisted Security Assessment Summaries

Leverage MCP integration with LLMs to generate AI-assisted vulnerability summaries and findings, reducing time spent on manual analysis documentation.

Implementation considerations

  • Docker and Docker Compose are mandatory; ensure infrastructure supports container orchestration and persistent volume management for database/report storage.
  • MCP integration with AI assistants requires compatible client setup; verify LLM endpoint compatibility (OpenAI, Anthropic, or self-hosted options) before deployment.
  • User access control and team collaboration features exist but role-based permissions scope and multi-tenancy model require architectural review.
  • Command execution automation demands secure credential storage and secret management; review how API credentials for integrated tools are encrypted and rotated.
  • Report generation formats (Word, Markdown, HTML) require testing with your organization's templates and compliance frameworks to ensure output consistency.

When to avoid it — and what to weigh

  • Requires Windows-Only Deployment — Docker and Docker Compose are primary deployment mechanisms; traditional Windows-only environments without containerization support are unsupported.
  • Need Enterprise SIEM/SOAR Integration Out-of-Box — No explicit documentation of native SIEM or SOAR integrations; custom development likely required for enterprise tool ecosystems beyond MCP.
  • Minimal Vulnerability Database Dependency — Unknown whether Reconmap provides built-in NVD/CVE lookups or requires external feeds; integration approach not clearly stated in provided data.
  • Regulated Compliance Environments Without Audit Trail Confirmation — Compliance-specific audit logging and regulatory framework support (HIPAA, PCI-DSS, SOC 2) not clearly documented; requires technical review for regulated deployments.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), an OSI-approved permissive open-source license permitting commercial use, modification, and distribution with attribution.

Apache-2.0 is a permissive OSI license that permits commercial use. However, the project description mentions a hosted SaaS offering at netfoe.com; review whether your intended use (internal tool vs. commercial resale) may have business model implications with the maintainers. No explicit proprietary restrictions are stated in the license itself.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Container-based deployment inherits Docker security posture; review secret management for API credentials and database access. No explicit security audit, penetration testing report, or vulnerability disclosure policy provided. MCP integration with external LLMs introduces data flow considerations—validate whether command outputs and vulnerability data leave your infrastructure. Database encryption, network isolation, and authentication mechanisms require configuration review before production use.

Alternatives to consider

Burp Suite Enterprise

Proprietary, mature web app security platform with built-in scanning and reporting; stronger for focused web penetration testing but less collaboration-centric for multi-discipline assessment workflows.

Nessus + Tenable Lumin

Established vulnerability management with cloud-based dashboard and risk quantification; better for continuous scanning but less flexible for manual penetration testing engagement workflows.

Metasploit Community + Custom Reporting

Free exploit framework with strong pentesting communities; requires significant custom development for engagement lifecycle management and report generation compared to Reconmap's built-in features.

Software development agency

Build on reconmap with DEV.co software developers

Ready to streamline your penetration testing workflows? Conduct a technical review with your team using the live demo, then contact Devco for architecture assessment, deployment planning, and integration with your security tool ecosystem.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

reconmap FAQ

Can I use Reconmap on-premises in a regulated environment (healthcare, finance)?
Yes, Docker Compose deployment supports on-premises installation. However, compliance-specific audit logging, encryption, and role-based access control requirements should be validated against your regulatory framework (HIPAA, PCI-DSS, SOC 2) before production deployment; not explicitly documented in provided data.
How does Reconmap handle API credentials and secrets for integrated tools?
Unknown. The data mentions command automation and tool integration but does not specify encryption, secret rotation, or credential vault mechanisms. This requires technical review of the API backend before operational use.
Does Reconmap include vulnerability databases or require external feeds?
Unknown. No mention of built-in NVD/CVE databases or integration with commercial feeds (e.g., Qualys, Rapid7). Integration approach should be clarified with maintainers or code review.
Is the MCP integration production-ready?
The README lists MCP support as a capability but does not detail maturity, supported LLMs, or data privacy guardrails. Test with your intended AI assistant and validate data flows before production reliance.

Software developers & web developers for hire

DEV.co helps companies turn open-source tools like reconmap into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Evaluate Reconmap for Your Security Operations

Ready to streamline your penetration testing workflows? Conduct a technical review with your team using the live demo, then contact Devco for architecture assessment, deployment planning, and integration with your security tool ecosystem.