A repeatable methodology to run on every target — scope, recon, mapping, testing, proof, report. Loosely follow it, tick steps as you go, and reset for the next hunt. The right tools and sites live at every stage.
Six phases, run top to bottom, then back to recon for the next pass. This is a guide, not a cage — skip and reorder as the target demands, but the hunters who find the most bugs are the ones who cover the surface methodically. Tap a phase to expand it; tap any step to check it off.
The tools and sites that show up across the loop, grouped by where you'll reach for them. Free and open-source unless noted; install the recon CLIs once and you'll use them on every target.
The habits that separate consistent hunters from one-bug-wonders, plus a passive recon starter you can adapt.
A simple chain to go from a root domain to live, interesting hosts. Adapt to the program's rules — confirm automation is allowed first.
Then load the interesting hosts into Burp and start mapping by hand.