# AI-Powered Attack Surface Management Platform
Reconny is a production-grade, scalable reconnaissance automation system that replicates and enhances the manual bug bounty workflow using a modular pipeline architecture with AI-driven analysis.
Reconny transforms the traditional recon workflow into an automated, intelligent pipeline:

```
Traditional Manual Recon → Run tools → Parse output → Analyze → Find bugs
Reconny                  → Job-based pipeline → Distributed workers → AI analysis → Attack surface graph
```
## Key Features

- 13-Stage Pipeline: Subdomain enum → Live probing → Crawling → JS analysis → Vuln scanning → AI insights
- Job-Based Architecture: Queue-driven, stateful, resumable scans
- Horizontal Scaling: Add workers on-demand for massive scans
- AI Analysis Layer: GPT-powered attack surface prioritization
- Attack Surface Graph: Visual navigation of domain → subdomains → endpoints → vulnerabilities
- RESTful API: Full programmatic control
- Modern Dashboard: React + TypeScript with real-time updates
- Multi-Project Support: Organize scans by bug bounty programs
## Architecture

```
User → API → Job Queue → Workers → Pipeline Stages → AI Analysis → Reports
                            ↓
               PostgreSQL + Redis + File Storage
```
### Pipeline Stages

1. Subfinder (subdomain enumeration)
2. Httpx (live host probing)
3. Technology detection
4. Katana (web crawling)
5. JavaScript extraction
6. Endpoint extraction from crawl
7. JavaScript downloading
8. Static JS analysis for hidden endpoints
9. Endpoint aggregation & deduplication
10. Full URL reconstruction
11. Httpx endpoint probing
12. Nuclei vulnerability scanning
13. AI-based prioritization & reporting
## Prerequisites

- Docker & Docker Compose
- Python 3.11+
- Node.js 18+ (for frontend)
- Recon tools: subfinder, httpx, katana, nuclei
## Quick Start

```bash
# Clone repository
git clone https://github.com/yourusername/Reconny.git
cd Reconny

# Copy environment template
cp .env.example .env
# Edit .env with your configuration

# Start infrastructure
docker-compose up -d

# Run backend
cd backend
pip install -r requirements.txt
uvicorn app.main:app --reload

# Run worker (separate terminal)
celery -A app.tasks.celery_app worker --loglevel=info

# Run frontend (separate terminal)
cd frontend
npm install
npm run dev
```

## Usage

```bash
# Via API
curl -X POST http://localhost:8000/api/v1/scan/start \
  -H "Content-Type: application/json" \
  -d '{"target_domain": "example.com", "user_id": "user123"}'

# Via Dashboard
# Open http://localhost:3000 and create a new scan
```

## Project Structure

```
Reconny/
├── backend/                # FastAPI backend
│   ├── app/
│   │   ├── api/            # REST endpoints
│   │   ├── pipeline/       # 13 pipeline stages
│   │   ├── workers/        # Celery workers
│   │   ├── ai/             # AI analysis engine
│   │   ├── models/         # Database models
│   │   └── integrations/   # Tool wrappers
├── frontend/               # React + TypeScript dashboard
│   ├── src/
│   │   ├── features/       # Feature modules
│   │   ├── components/     # UI components
│   │   ├── pages/          # Page components
│   │   ├── graphs/         # Attack surface visualization
│   │   └── charts/         # Analytics charts
├── storage/                # Scan results & artifacts
├── infrastructure/         # Docker, K8s configs
└── docs/                   # Architecture & API docs
```
## Configuration

Key environment variables:

```bash
# Database
DATABASE_URL=postgresql://user:pass@localhost/reconny

# Redis Queue
REDIS_URL=redis://localhost:6379/0

# AI
OPENAI_API_KEY=sk-...
AI_MODEL=gpt-4

# Tools
SUBFINDER_PATH=/usr/local/bin/subfinder
HTTPX_PATH=/usr/local/bin/httpx
KATANA_PATH=/usr/local/bin/katana
NUCLEI_PATH=/usr/local/bin/nuclei
```

## API Endpoints

```
POST /api/v1/scan/start              # Start new scan
GET  /api/v1/scan/{job_id}           # Get scan status
GET  /api/v1/scan/{job_id}/logs      # Stream logs
GET  /api/v1/scan/{job_id}/results   # Get results
POST /api/v1/projects                # Create project
GET  /api/v1/projects                # List projects
```

Full API documentation: http://localhost:8000/docs
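The `scan/start` endpoint accepts an arbitrary `target_domain`, and the README notes that scans must stay within authorized targets. The following is an added example, not Reconny's own code, of a scope check the API could run before a job is queued: it validates the hostname syntax, rejects raw IP addresses, and matches the target against a per-project in-scope/out-of-scope list. `PROJECT_SCOPE`, `check_scan_target` and the `*.` wildcard semantics are assumptions, not part of the documented API.

```python
# Added example (not Reconny's code): scope validation for the scan/start payload.
# PROJECT_SCOPE, check_scan_target and the wildcard rules are assumed, not documented.
import ipaddress
import re

# Conservative DNS-name syntax: alphanumeric/hyphen labels, at least one dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")

# Constructed sample scope, shaped like a bug bounty program's scope table.
# "*.base" is taken to cover the apex and subdomains at any depth (assumption).
PROJECT_SCOPE = {
    "proj-1": {
        "in_scope": ["*.example.com", "api.example.net"],
        "out_of_scope": ["legacy.example.com"],
    },
}

def normalize_domain(value: str) -> str:
    """Lower-case the name and strip whitespace and a trailing dot."""
    return value.strip().lower().rstrip(".")

def is_hostname(value: str) -> bool:
    """Accept only DNS-name syntax; raw IPs and bare labels are rejected."""
    try:
        ipaddress.ip_address(value)
        return False  # an IP literal is not a domain target for this pipeline
    except ValueError:
        pass
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None

def _matches(pattern: str, domain: str) -> bool:
    """Exact match, or wildcard match for patterns starting with '*.'."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    return domain == pattern

def check_scan_target(project_id: str, target_domain: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a scan/start request against a project."""
    domain = normalize_domain(target_domain)
    if not is_hostname(domain):
        return False, "target_domain is not a valid DNS hostname"
    scope = PROJECT_SCOPE.get(project_id)
    if scope is None:
        return False, "unknown project"
    if any(_matches(p, domain) for p in scope["out_of_scope"]):
        return False, "target_domain is explicitly out of scope"
    if not any(_matches(p, domain) for p in scope["in_scope"]):
        return False, "target_domain is not in the project's scope"
    return True, "ok"
```

The out-of-scope list is checked first so an exclusion inside a wildcard (here `legacy.example.com` under `*.example.com`) is honoured.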
## Development

```bash
# Run tests
pytest

# Format code
black backend/
isort backend/

# Type checking
mypy backend/

# Run single pipeline stage (testing)
python -m backend.app.pipeline.stages.01_subfinder --domain example.com
```

## Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

Key Rules:

- Limit PRs to 5 files or fewer
- All code must be reviewed before merge
- Vibe coding is encouraged, but quality is required
- Tests are mandatory
## License

MIT License - See LICENSE for details

## Disclaimer

Reconny is designed for authorized security testing only. Users are responsible for ensuring they have permission to scan target domains. Unauthorized scanning may be illegal.

## Acknowledgments

Built with:
- ProjectDiscovery tools (subfinder, httpx, katana, nuclei)
- FastAPI, Celery, PostgreSQL, Redis
- OpenAI GPT models
- React, TypeScript, TailwindCSS
## Support

- Issues: GitHub Issues
- Docs: Documentation
- Security: Report vulnerabilities privately to security@reconny.io
Star this repo if Reconny helps your security research!