Scoped Recon Runner

Run a scoped recon scan

Validate a target against the selected platform’s scope rules, then queue the recon worker. Use this only on in-scope assets for active programs.

Current rules
  • Intigriti: all in-scope targets for the program are allowed (provide the program URL).
  • HackerOne: all in-scope targets for the program are allowed (provide the program URL).
  • YesWeHack: all in-scope targets for the program are allowed (provide the program URL).
  • Bugcrowd: currently limited — only the target encoded in the program URL may be used.
  • Uploaded scope JSON: target must match an entry in the uploaded file.
Input tips
  • Targets can be a URL, host/path, or wildcard.
  • Wildcards must be entered without a scheme (use *.example.com, not https://*.example.com).
  • Timing: wildcard runs can take up to ~70 minutes; most other runs finish in ~30 minutes.
  • Keep the bundle — it includes raw logs and exports.
What's included
Free vs Pro features
Free: 1 run / 5 days
  • Scope validation (Bugcrowd / Intigriti / HackerOne / YesWeHack)
  • Quick or full recon pipeline (inventory, crawl, JS grep, headers)
  • Unauth samplers: CORS, redirects, rate-limit, echo reflect, login redirect checks
  • Exports + bundle.zip artifacts
  • No AI and no Pro plugins
Pro: unlimited runs
  • Everything in Free
  • AI Summary appended to findings
  • Pro plugins: XSS pipeline, msarjun param discovery, takeover checks
  • Optional OSINT add-ons (e.g., Scribd) when enabled
Start a recon run
Validate scope → queue worker → stream progress
Choose recon path
  • Public: use platform scope from URL. No manual scope builder needed.
  • Private: submit proof of access first, then upload/build scope JSON and run.
  • Guided: fields unlock step-by-step based on your selected path and validation.
Steps: 1. Path → 2. Program → 3. Scope → 4. Target → 5. Run
Public Program Flow
Use this when the platform scope is accessible via your program URL.
Uses your program URL and platform.
Private Program Access Proof
Before private scans are enabled, submit proof that you are enrolled in the private program.
Private Scope Builder
Unlocked only after private access proof is approved. Upload export JSON or build one manually.
Upload a scope export from HackerOne, Bugcrowd, Intigriti, or YesWeHack. The backend blocks any target not permitted by the uploaded in-scope and out-of-scope rules.
Compare uploaded private scope against private program/company signals before running.
Builder syntax: one target per line. Use + for in-scope (default) and - for out-of-scope.
Public mode uses platform URL scope. Private mode requires approved access proof + uploaded/manual scope JSON.
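An added example (not this service's backend code) of how a scope check for the builder syntax above can work, in Python. The function names, the sample scope, the rule that an out-of-scope match always wins, and the rule that *.example.com covers subdomains but not the apex are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample in the builder syntax: '+' (or no sign) in scope, '-' out of scope.
SCOPE = """\
*.example.com
+ https://shop.example.net/store
- legacy.example.com
"""

def split_target(entry):
    """Return (host, path) for a URL, host/path, or wildcard entry."""
    entry = entry.strip()
    if "*" in entry and "://" in entry:
        raise ValueError(f"wildcard must be entered without a scheme: {entry!r}")
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in {entry!r}")
    return host, parts.path.rstrip("/")

def parse_scope(text):
    """Parse one target per line into {'+': [...], '-': [...]} rule lists."""
    rules = {"+": [], "-": []}
    for line in text.splitlines():
        line = line.strip()
        if line:
            sign = line[0] if line[0] in "+-" else "+"
            rules[sign].append(split_target(line.lstrip("+-")))
    return rules

def rule_matches(rule, target):
    (r_host, r_path), (t_host, t_path) = rule, target
    if r_host.startswith("*."):
        # Compare against ".example.com" so "evilexample.com" cannot match.
        host_ok = t_host.endswith(r_host[1:])
    else:
        host_ok = t_host == r_host
    # A rule with a path covers that path and everything beneath it.
    path_ok = not r_path or t_path == r_path or t_path.startswith(r_path + "/")
    return host_ok and path_ok

def is_allowed(scope_text, target):
    rules, tgt = parse_scope(scope_text), split_target(target)
    if any(rule_matches(r, tgt) for r in rules["-"]):
        return False  # assumption: an out-of-scope match always wins
    return any(rule_matches(r, tgt) for r in rules["+"])

if __name__ == "__main__":
    for t in ("api.example.com", "legacy.example.com", "evilexample.com"):
        print(t, "->", "allowed" if is_allowed(SCOPE, t) else "blocked")
```

A wildcard target can still expand to hosts that an out-of-scope line excludes, so the same check should be repeated on every discovered host before the worker touches it.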
We’ll add https:// if you paste without it.
Example: https://hackerone.com/acme
Runtime: most runs finish in ~30 minutes. Big wildcards (hundreds of hosts) can take up to 70 minutes.