The Recon agent walks the public internet the way an offensive team would, pivoting from a single domain to every subdomain, forgotten staging environment, exposed bucket, leaked credential and shadow integration that belongs to you. Continuously, not on a quarterly cadence.
Marketing spins up a microsite. An ex-engineer leaves an S3 bucket public. A vendor exposes your API key in a sample repo. Your asset inventory was stale before you finished writing it. Recon assumes that, and rebuilds the picture every hour from sources attackers actually use.
// CAPABILITY
Feed it a domain. The agent pivots through certificate transparency logs, ASN mappings, passive DNS, archived crawls, code-search and paste sites, surfacing subdomains, dev environments and shadow IT no asset register has.
Every discovered asset is fingerprinted, stack, version, framework, exposed services, secrets in JS bundles, default credentials. The Hive Mind correlates that against known exploits and your code paths to rank what is reachable now.
Every change to your perimeter, a new subdomain, an opened port, a rotated certificate, an exposed API, is captured, diffed and triaged. You are notified the moment the surface changes, not the next time someone runs a scan.
Provide a root domain or org name. No agents, no auth, no scope sheet.
The agent expands across CT logs, DNS, ASN, code search and archives until it stops finding new assets.
Each asset is fingerprinted, ranked by exposure, and routed into the Hive Mind for active testing.
Drift in DNS, certificates, ports or secrets opens an incident before the next deploy.
Most teams discover 30–60% more public assets than their inventory shows on the first scan. The agent finds them, attributes them and tells you who owns them.
Recon scans paste sites, code search and exposed JS bundles for keys, tokens and credentials tied to your domain, and rotates them through the Hive Mind for impact analysis.
Point Recon at the target's domain and get a full attack-surface report, assets, exposure, leaked secrets, deprecated stacks, in hours, not weeks.
When marketing ships a new subdomain or an engineer reopens a staging port, the Hive Mind tests it before attackers find it on Shodan.
// FIELD_NOTE
On the first pass, Recon typically surfaces 30–60% more public assets than the customer's own inventory shows. The unknowns are where the breach lives.
Free for 14 days. Easy onboarding. Live in under five minutes.
EU data residency. Cancel anytime.