The only recon pipeline that thinks for itself. Point it at target domains, gather intelligence, and get prioritized, actionable findings instantly.
Contributing: Want to help build or extend BBPTS? Start with CONTRIBUTING.md. If you want proof that it finds real-world issues, read the case study walkthrough.
brew install developer-army/bbpts/bbpts| Feature | BBPTS (Go) | ReconFTW (Bash) | BBOT (Python) |
|---|---|---|---|
| Runtime | Single compiled binary, no interpreter | Heavy dependencies, shell scripts | Python interpreter, virtualenvs |
| Interface | Live TUI + Local Web Dashboard | Raw terminal stdout logs | Terminal CLI / JSON outputs |
| FP Filtering | Body-fingerprinted active filtering | Grep/heuristic-based | Signature-based checks |
| Bounty Native | Direct H1/Bugcrowd program & scope loader | Manual text file list input | Text files / custom integrations |
brew tap developer-army/bbpts
brew install bbptsgit clone https://github.com/Developer-Army/BBPTS.git
cd BBPTS && go build -o bbpts ./cmd/bbptsdocker pull ghcr.io/developer-army/bbpts:latest
docker run --rm -v $(pwd)/results:/app/results ghcr.io/developer-army/bbpts -i targets.txtexample.com
https://api.example.com
bbpts -i targets.txtYour reports are automatically generated under the ./results/ folder:
report.html— Interactive visual dashboardreport.json— Structured machine-readable findings
[ Targets Input ] ➔ [ Stage 1: Subdomain Discovery ] (subfinder, amass, assetfinder, chaos)
│
▼
[ Stage 2: DNS & Port Scanning ] (dnsx, puredns, naabu)
│
▼
[ Stage 3: HTTP & Web Probing ] (httpx, katana, gau, shodan)
│
▼
[ Stage 4: Fuzzing & Vuln Scanning ] (nuclei, dalfox, cors, default_creds)
│
▼
[ Interactive HTML/JSON Reports ]
BBPTS aggregates and correlates output from the best open-source security tools:
- Asset Discovery:
subfinder,amass,assetfinder,chaos,crtsh,github - Network Scan:
naabu,dnsx,puredns,massdns - Web Recon:
httpx,katana,gau,hakrawler,shodan,wafw00f,gowitness - Vuln Checkers:
nuclei,dalfox,ffuf,gobuster,feroxbuster,trufflehog,cors,jwt_analyzer,bypass403,firebase_recon,mass_assignment,source_map,default_creds
| Flag | Short | Description | Default |
|---|---|---|---|
-input |
-i |
Target domains file or single URL | |
-tools |
-t |
Comma-separated list of specific tools to run | |
-mode |
Scan mode: light, medium, or full |
medium |
|
-threads |
Go worker threads | 32 |
|
-rate-limit |
Max requests per second limit | 50 |
|
-tui |
Enable interactive TUI dashboard | true |
|
-web |
-w |
Launch local web dashboard | false |
-port |
Dashboard port | 8080 |
|
-doctor |
Verify external tool availability & paths | false |
Warning
Active scanning generates substantial network traffic. Ensure you have explicit authorization to scan target networks and keep targets strictly within program scope boundaries.
