reconmap
Reconmap is an open-source penetration testing and vulnerability assessment platform built on JavaScript that helps security teams plan, execute, and report on assessments collaboratively. It automates command execution, output parsing, and report generation while supporting AI integration via Model Context Protocol (MCP).
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | reconmap/reconmap |
| Owner | reconmap |
| Primary language | JavaScript |
| License | Apache-2.0 — OSI-approved |
| Stars | 938 |
| Forks | 133 |
| Open issues | 9 |
| Latest release | 3.2.2 (2026-06-26) |
| Last updated | 2026-07-05 |
| Source | https://github.com/reconmap/reconmap |
What reconmap is
JavaScript-based security operations platform with Docker/Docker Compose deployment, featuring command automation, vulnerability tracking, multi-format report generation (Word, Markdown, HTML), and MCP support for LLM integration. Backend API, frontend dashboard, and CLI tools comprise the modular architecture.
Get the reconmap source
Clone the repository and explore it locally.
git clone https://github.com/reconmap/reconmap.gitcd reconmap# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Docker and Docker Compose are mandatory; ensure infrastructure supports container orchestration and persistent volume management for database/report storage.
- MCP integration with AI assistants requires compatible client setup; verify LLM endpoint compatibility (OpenAI, Anthropic, or self-hosted options) before deployment.
- User access control and team collaboration features exist but role-based permissions scope and multi-tenancy model require architectural review.
- Command execution automation demands secure credential storage and secret management; review how API credentials for integrated tools are encrypted and rotated.
- Report generation formats (Word, Markdown, HTML) require testing with your organization's templates and compliance frameworks to ensure output consistency.
When to avoid it — and what to weigh
- Requires Windows-Only Deployment — Docker and Docker Compose are primary deployment mechanisms; traditional Windows-only environments without containerization support are unsupported.
- Need Enterprise SIEM/SOAR Integration Out-of-Box — No explicit documentation of native SIEM or SOAR integrations; custom development likely required for enterprise tool ecosystems beyond MCP.
- Minimal Vulnerability Database Dependency — Unknown whether Reconmap provides built-in NVD/CVE lookups or requires external feeds; integration approach not clearly stated in provided data.
- Regulated Compliance Environments Without Audit Trail Confirmation — Compliance-specific audit logging and regulatory framework support (HIPAA, PCI-DSS, SOC 2) not clearly documented; requires technical review for regulated deployments.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), an OSI-approved permissive open-source license permitting commercial use, modification, and distribution with attribution.
Apache-2.0 is a permissive OSI license that permits commercial use. However, the project description mentions a hosted SaaS offering at netfoe.com; review whether your intended use (internal tool vs. commercial resale) may have business model implications with the maintainers. No explicit proprietary restrictions are stated in the license itself.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Container-based deployment inherits Docker security posture; review secret management for API credentials and database access. No explicit security audit, penetration testing report, or vulnerability disclosure policy provided. MCP integration with external LLMs introduces data flow considerations—validate whether command outputs and vulnerability data leave your infrastructure. Database encryption, network isolation, and authentication mechanisms require configuration review before production use.
Alternatives to consider
Burp Suite Enterprise
Proprietary, mature web app security platform with built-in scanning and reporting; stronger for focused web penetration testing but less collaboration-centric for multi-discipline assessment workflows.
Nessus + Tenable Lumin
Established vulnerability management with cloud-based dashboard and risk quantification; better for continuous scanning but less flexible for manual penetration testing engagement workflows.
Metasploit Community + Custom Reporting
Free exploit framework with strong pentesting communities; requires significant custom development for engagement lifecycle management and report generation compared to Reconmap's built-in features.
Build on reconmap with DEV.co software developers
Ready to streamline your penetration testing workflows? Conduct a technical review with your team using the live demo, then contact Devco for architecture assessment, deployment planning, and integration with your security tool ecosystem.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
reconmap FAQ
Can I use Reconmap on-premises in a regulated environment (healthcare, finance)?
How does Reconmap handle API credentials and secrets for integrated tools?
Does Reconmap include vulnerability databases or require external feeds?
Is the MCP integration production-ready?
Software developers & web developers for hire
DEV.co helps companies turn open-source tools like reconmap into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Evaluate Reconmap for Your Security Operations
Ready to streamline your penetration testing workflows? Conduct a technical review with your team using the live demo, then contact Devco for architecture assessment, deployment planning, and integration with your security tool ecosystem.