ThreatTape Recon

Automated Reconnaissance. Professional Reports.

Enterprise-grade automated recon and OSINT platform built for penetration testers and security teams. From domain enumeration through executive profiling, CVE mapping, and compliance-ready report generation — all in one containerized platform with optional TOR-anonymous scanning.

Early Development · FastAPI · SvelteKit · Docker · TOR-Anonymous
ThreatTape Recon Dashboard

Core Capabilities

Technical Infrastructure Recon

Automated domain and subdomain discovery using amass and subfinder. Port scanning with nmap, service fingerprinting, and version detection with confidence scoring. Maps the full external attack surface before an adversary does.

CVE Mapping & Vulnerability ID

Nuclei-powered vulnerability scanning correlates discovered services against current CVE databases. CVSS scores, remediation priority, and evidence capture — all structured for reporting. Know what's exploitable, not just what's open.

Executive OSINT

Person-first reconnaissance with company identification. Social media footprint analysis via Sherlock, email discovery via Hunter.io, data breach exposure via HaveIBeenPwned and LeakCheck. Build the target profile that attackers already have.

TOR Anonymous Scanning

Five rotating TOR proxy instances for low-attribution recon. Configurable anonymity level per scan — run stealth assessments without exposing your infrastructure. Scan from the outside the way real adversaries do.

Professional Report Generation

Multi-format output: PDF, HTML, JSON, CSV, XML. SOC 2 and ISO 27001 compliance templates built in. Executive summary and technical detail layers. Full chain of custody tracking for legal admissibility.

Real-Time Scan Progress

WebSocket-based live updates stream asset discoveries and vulnerability findings as they happen. Up to 50 concurrent scans via Celery workers. Watch the surface area grow in real time.

Scan Profiles

Four profiles balance speed against depth. TOR-enabled scans run 2–3x longer to maintain anonymity.

Quick (15–20 minutes): High-level overview. Rapid asset discovery and top-severity vulnerability surface. Good for triage.
Standard (30–45 minutes): Comprehensive scan covering most common vulnerabilities and full subdomain enumeration. The default for engagements.
Deep (60–90 minutes): Thorough analysis with service version detection, web application profiling, and API discovery. For full assessments.
Stealth (2–3 hours): Low-and-slow with TOR routing. Designed to minimize detection signatures while achieving complete coverage.

OSINT & Threat Intel Integrations

Recon pulls from the same data sources threat actors use. No proprietary sensors — just the intelligence the open web already has on your targets.

Hunter.io: Email discovery and verification. Map the human attack surface behind the domain.
HaveIBeenPwned: Breach exposure checking for email addresses associated with the target org.
LeakCheck / IntelX: Leak database searching for credentials, PII, and internal data in the wild.
Sherlock: Social media footprint analysis across 300+ platforms for executive OSINT targets.
Shodan / VirusTotal: Passive infrastructure intelligence and malware/reputation data for discovered IPs and domains.
amass + subfinder: Industry-standard subdomain enumeration tools for complete external surface mapping.

Technology Stack

Fully containerized multi-service architecture. Each layer scales independently — scanning workers, API backend, and UI are separate containers with isolated networks.

SvelteKit (TypeScript), FastAPI, PostgreSQL 15, Redis 7, Celery, Docker Compose, Nginx, WebSockets, JWT / OAuth2, nmap, nuclei, amass, subfinder, theHarvester, Sherlock, TOR (5 proxies), WeasyPrint, SQLAlchemy 2.0

Minimum specs: 8 cores · 32 GB RAM · 500 GB SSD  |  Recommended production: 16 cores · 64 GB ECC RAM · 2 TB NVMe · 10 Gbps

Recon Like the Adversary Does

ThreatTape Recon is in active early development. We're building it for our own engagements first — so it has to work in the real world, not just in demos. If you want early access when we open testing, get on the list.
