
PLAYBOOK

A repeatable methodology to run on every target — scope, recon, mapping, testing, proof, report. Loosely follow it, tick steps as you go, and reset for the next hunt. The right tools and sites live at every stage.

SCOPE FIRST. Every step below assumes the asset is in scope and the program permits the action. Out-of-scope testing isn't research — it's an incident. When in doubt, ask the program, don't test.
//

The loop

Six phases, run top to bottom, then back to recon for the next pass. This is a guide, not a cage: skip and reorder as the target demands, but the hunters who find the most bugs are the ones who cover the surface methodically.
//

The loadout

The tools and sites that show up across the loop, grouped by where you'll reach for them. Free and open-source unless noted; install the recon CLIs once and you'll use them on every target.

Recon & assets

Discovery & mapping

  • ffuf: content & parameter fuzzing
  • feroxbuster: recursive content discovery
  • Arjun: hidden HTTP parameter finder
  • SecLists: the wordlists for all of it

Proxy & testing

  • Burp Suite: the core testing proxy
  • Caido: fast modern alternative
  • nuclei: templated checks at scale
  • sqlmap: SQLi confirmation (in-scope, careful)

Proof & utilities

Learn & reference

Programs

//

Field notes

The habits that separate consistent hunters from one-bug-wonders, plus a passive recon starter you can adapt.

// habits that pay

  • Recon never ends. Re-run subdomain enumeration on a schedule — new assets ship constantly, and the fresh ones are the least-tested.
  • Go where others don't. Staging, dev, admin, internal APIs, and recently-acquired domains are softer than the flagship app everyone hammers.
  • Read disclosed reports for the target's stack before you start; you'll learn its recurring weak spots.
  • Keep growing your own kit — a personal checklist, wordlist, and notes vault that compounds every hunt.
  • Burp extensions worth having: Autorize (access control), Param Miner, Logger++, Turbo Intruder, JWT Editor, Hackvertor.

// passive recon starter

A simple chain to go from a root domain to live, interesting hosts. Adapt to the program's rules — confirm automation is allowed first.

# subdomains -> resolve -> live hosts
$ subfinder -d target.com -silent \
    | dnsx -silent \
    | httpx -silent -title -tech-detect

# historical endpoints for one host
$ echo target.com | gau --subs \
    | sort -u > urls.txt

# quick templated pass (in-scope only)
# hosts.txt: the live hosts from the first step, one URL per line
$ httpx -l hosts.txt -silent \
    | nuclei -silent

Then load the interesting hosts into Burp and start mapping by hand.
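The chain above pipes whatever subfinder finds straight into dnsx, httpx and nuclei, while the scope rule at the top of this page says every host must be in scope before anything touches it. The shell function below is an added example, not part of the original page or of any of the tools listed: it sits between subfinder and the rest of the chain and drops hosts that are not covered by the program's scope file. The scope-file format (exact hosts or `*.domain` wildcards, one per line, `#` comments allowed) and the sample host list are constructed assumptions for the example.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): filter a host list against a
# program scope file before piping it into dnsx/httpx/nuclei.
# Assumptions, constructed for this example:
#   - scope file: one entry per line, either an exact host ("api.target.com")
#     or a wildcard ("*.target.com"); blank lines and "#" comments are ignored
#   - stdin: one hostname per line, as "subfinder -silent" emits

# scope_filter SCOPEFILE < hosts  -> prints only in-scope hosts, deduplicated
scope_filter() {
  awk -v scopefile="$1" '
    BEGIN {
      # load the scope file into two sets: exact hosts and wildcard suffixes
      while ((getline line < scopefile) > 0) {
        sub(/#.*/, "", line)
        gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "") continue
        line = tolower(line)
        if (substr(line, 1, 2) == "*.") wild[substr(line, 3)] = 1
        else exact[line] = 1
      }
      close(scopefile)
    }
    {
      h = tolower($0)
      gsub(/^[ \t]+|[ \t]+$/, "", h)
      if (h == "" || seen[h]++) next        # skip blanks and duplicates
      if (h in exact) { print h; next }     # exact entry matches itself only
      # "*.example.com" matches any subdomain but not the apex, and the
      # comparison includes the leading dot so "evil-example.com" never matches
      for (suffix in wild) {
        n = length(suffix)
        if (length(h) > n + 1 && substr(h, length(h) - n) == ("." suffix)) {
          print h
          break
        }
      }
    }'
}

# Stand-alone demo on constructed data; in real use the host list is
# subfinder output and the scope file is copied from the program page.
demo_scope_filter() {
  demo_scope=$(mktemp)
  demo_hosts=$(mktemp)
  printf '%s\n' '# program scope (constructed)' '*.target.com' \
                'legacy-portal.example.net' > "$demo_scope"
  printf '%s\n' 'api.target.com' 'dev.target.com' 'target.com' \
                'api.target.com' 'evil-target.com' \
                'legacy-portal.example.net' 'mail.partner.org' > "$demo_hosts"
  scope_filter "$demo_scope" < "$demo_hosts"
  rm -f "$demo_scope" "$demo_hosts"
}
```

Drop it into the chain as `subfinder -d target.com -silent | scope_filter scope.txt | dnsx -silent | ...`. Two design points matter: an exact entry matches only itself and a wildcard matches subdomains but not the apex, so a program that lists both `target.com` and `*.target.com` needs both lines in the scope file; and the suffix check requires the leading dot, so a look-alike such as `evil-target.com` is never let through by `*.target.com`. Anything the filter drops is exactly the set of hosts that would otherwise have been tested out of scope, which is the incident the page warns about.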