๐Ÿ” ThreatTape Recon

Automated Reconnaissance. Professional Reports.

An automated recon and OSINT platform we're building for our own pentest engagements. From domain enumeration through executive profiling, CVE mapping, and compliance-oriented report generation — all in one containerized platform with optional TOR-anonymous scanning.

🛠️ Early Development · FastAPI · SvelteKit · Docker · TOR-Anonymous
$ threattape-recon scan --target acme.example --tier 1
[AI] Decision: 27 subdomains found → spawn endpoint scans
[AI] Decision: 4 breached emails → pivot to person scan
[AI] Decision: exec match (LinkedIn) → cross-reference Sherlock
[TOR] Rotating exit node 3/5...
[OK] Tier 1 PoC verification ready for review

Authorized Privateering for the Modern Era

A Letter of Marque was a government-issued commission authorizing private operators to attack enemy ships. Same flag, same firepower, same outcome — but sanctioned, scoped, and documented. We're doing the same thing with networks.

Every Recon engagement runs against a written scope, with explicit authorization boundaries, audit-grade chain of custody, and Tier 1 PoC verification gated behind customer sign-off. Tier 2 red-team exploit chains require a separate authorization. You get the same depth a real adversary would reach — without the legal exposure of operating outside the line.

Signed, scoped, and logged. Every action narrated by the decision engine.

AI Decision Engine

What makes ThreatTape Recon different from a tool launcher is the decision engine. You pick a target — a domain, a company, or a person — and the engine decides what to do next, narrating its reasoning to a real-time terminal panel. Subdomain hits spawn endpoint scans. Endpoints with breached emails spawn person scans. Person scans surface social-graph hits that loop back into company intel. The graph is the product, not the tool list.

🎯

Three Target Types

Domain · Company · Person. Each target type seeds the decision engine differently — and the engine cross-references findings into the other two.

🧠

Autonomous Sub-Scan Spawning

The engine spawns sub-scans automatically based on what it finds. Real-time terminal stream narrates [AI] reason → action for every decision, so the analyst can audit and override.

💥

Tiered Exploit Verification

Tier 1: proof-of-concept verification with authorization workflow. Tier 2: red-team scan flag with audit logging; the engagement-scoped UI is on the roadmap. Both gated behind explicit authorization — recon never escalates without consent.

🔗

EDGAR + CGAP Cross-Feed

Connect a Recon engagement to an EDD-i tenant and the decision engine consumes authenticated endpoint inventory (EDGAR) and governance posture (CGAP) to scope external recon against known assets — no duplicate scanning of what's already known.

Core Capabilities

Technical Infrastructure Recon

Automated domain and subdomain discovery using amass and subfinder. Port scanning with nmap, service fingerprinting, and version detection with confidence scoring. Maps the full external attack surface before an adversary does.

🎯

CVE Mapping & Vulnerability ID

Nuclei-powered vulnerability scanning correlates discovered services against current CVE databases. CVSS scores, remediation priority, and evidence capture — all structured for reporting. Know what's exploitable, not just what's open.

🕵️

Executive OSINT

Person-first reconnaissance with company identification. Social media footprint analysis via Sherlock (200+ platforms), email discovery via Hunter.io, breach exposure via Have I Been Pwned and h8mail. Build the target profile that attackers already have.

🧅

TOR Anonymous Scanning

Five rotating TOR proxy instances for low-attribution recon. Configurable anonymity level per scan — run stealth assessments without exposing your infrastructure. Scan from the outside the way real adversaries do.

📄

Professional Report Generation

Multi-format output: PDF, HTML, JSON, CSV, XML. SOC 2 and ISO 27001 compliance templates built in. Executive summary and technical detail layers. Full chain of custody tracking for legal admissibility.

⚡

Real-Time Scan Progress

WebSocket-based live updates stream asset discoveries and vulnerability findings as they happen. Real-time terminal panel narrates the decision engine's reasoning. Concurrency is tuned per scan tier — up to 10 parallel domain scans for company-level fan-out.

Scan Profiles

Four profiles balance speed against depth. TOR-enabled scans run 2–3x longer to maintain anonymity.

⚡ Quick
15–20 minutes
High-level overview. Rapid asset discovery and top-severity vulnerability surface. Good for triage.
Standard
30–45 minutes
Comprehensive scan covering most common vulnerabilities and full subdomain enumeration. The default for engagements.
🔬 Deep
60–90 minutes
Thorough analysis with service version detection, web application profiling, and API discovery. For full assessments.
👻 Stealth
2–3 hours
Low-and-slow with TOR routing. Designed to minimize detection signatures while achieving complete coverage.

OSINT & Threat Intel Integrations

Recon pulls from the same data sources threat actors use. No proprietary sensors — just the intelligence the open web already has on your targets.

Hunter.io
Email discovery and verification. Map the human attack surface behind the domain.
HaveIBeenPwned
Breach exposure checking for email addresses associated with the target org.
h8mail
Email-centric breach data collection — complements HIBP for adversarial-style intel.
Sherlock
Social media footprint analysis across 200+ platforms for executive OSINT targets.
holehe
Email-account enumeration across 120+ platforms — find where an executive registered without leaking which one.
EDGAR + CGAP (via EDD-i)
Cross-product integration with the EDD-i platform — feed authenticated endpoint inventory and governance posture back into recon context.
Shodan / VirusTotal
Passive infrastructure intelligence and malware/reputation data for discovered IPs and domains.
amass + subfinder
Industry-standard subdomain enumeration tools for complete external surface mapping.

Technology Stack

Fully containerized multi-service architecture. Each layer scales independently — scanning workers, API backend, and UI are separate containers with isolated networks.

SvelteKit (TypeScript) · FastAPI · PostgreSQL 15 · Redis 7 · Celery · Docker Compose · Nginx · WebSockets · JWT / OAuth2 · nmap · nuclei · amass · subfinder · theHarvester · Sherlock · TOR (5 proxies) · WeasyPrint · SQLAlchemy 2.0

Minimum specs: 8 cores · 32 GB RAM · 500 GB SSD

Recon Like the Adversary Does

ThreatTape Recon is in active early development. We're building it for our own engagements first — so it has to work in the real world, not just in demos. If you want early access when we open testing, get on the list.
