Network Reconnaissance
73 tools
Network reconnaissance tools — internet-wide port scanners, IP intelligence, certificate transparency, DNS enumeration, and attack surface mapping.
Top-Rated Tools
Shodan
Rating: 4.7/5 | Pricing: freemium
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
RTL-SDR Blog V4
Rating: 4.6/5 | Pricing: paid
The standard $40 software-defined radio dongle for ADS-B aircraft tracking, AIS ship tracking, and weather satellite imagery.
SingleFile
Rating: 4.6/5 | Pricing: free
Archive any web page — including JavaScript-rendered content — into a single self-contained HTML file that opens identically offline and can be cryptographically verified.
urlscan.io
Rating: 4.6/5 | Pricing: freemium
Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL
bbot
Rating: 4.5/5 | Pricing: free
One command seeds a recursive scan that automatically enumerates subdomains, port-scans live hosts, screenshots web interfaces, and detects exposed secrets — without manual pipeline steps between each phase.
HackRF One
Rating: 4.5/5 | Pricing: paid
The open-source SDR transceiver covering 1 MHz to 6 GHz — the standard platform for frequency scanning, signal analysis, and RF research.
Comparisons & Buyer Guides
Flightradar24 vs ADS-B Exchange: Which Flight Tracker for OSINT?
For commercial flight tracking, use Flightradar24. For tracking aircraft that have blocked themselves from filtered services, use ADS-B Exchange. Here's when each applies.
Best Network Recon Tools for OSINT (2026)
The best network reconnaissance tools for OSINT investigators — covering internet scanning, web technology detection, and infrastructure mapping.
Guides & Techniques
Website Footprinting Methodology: WHOIS, Subdomains, and Certificate Transparency
Website footprinting methodology is the step-by-step process of expanding from a known domain into subdomains, certificates, IPs, and related internet-facing infrastructure. Its value is not in any one tool, but in the sequence: each stage creates the next pivot, helping investigators build a repeatable map of a target's external presence without confusing raw leads with validated assets.
osint-for-penetration-testers
Recon-ng is an open source reconnaissance framework that helps penetration testers collect, correlate, and export OSINT from public sources before any active testing begins. It is especially useful for organizing domains, infrastructure, people, leaks, and technology findings into a client-ready handoff.
Domain and IP Investigation with OSINT: A Complete Guide
A practical guide to investigating domains and IP addresses using open source tools — covering WHOIS, DNS history, IP geolocation, ASN analysis, and infrastructure pivoting.
Best OSINT GitHub Repositories in 2026
The top GitHub repositories for OSINT — curated lists, automation frameworks, username lookup, email investigation, phone OSINT, and threat intelligence tools. Stars verified April 2026.
How to Use SpiderFoot for Automated OSINT Reconnaissance
Step-by-step guide to running SpiderFoot scans, configuring modules, and reading results without alerting your target.
How to Use Shodan: A Beginner's Guide
A practical introduction to Shodan — what it is, how to search it, and how OSINT investigators and security practitioners use it to research internet-facing infrastructure.
More Network Reconnaissance Tools
VirusTotal
Multi-engine malware scanner and threat intelligence platform for files, URLs, IPs, and domains
httpx
A high-speed HTTP probing tool that turns raw host lists into triaged, fingerprinted web targets ready for investigation.
Nooelec NESDR SMArt v5
The RTL-SDR alternative with tighter frequency accuracy and a complete antenna bundle — better value than the V4 if you don't need shortwave.
subfinder
Fast passive subdomain enumeration that gives pentesters a clean starting point for external recon.
Amass
Map an organization's full external attack surface — ASNs, domains, subdomains, and infrastructure relationships — through 50+ integrated data sources and a persistent graph database.
Awesome OSINT
A massive, investigator-friendly directory for finding the right OSINT tools before you waste time using the wrong ones.
C2 Tracker
A live C2 infrastructure feed that helps defenders hunt, block, and correlate active command-and-control servers by framework type.
crt.sh
Passive certificate transparency searches uncover subdomains and related infrastructure before you ever touch the target.
DorkSearch
889,000+ pre-built Google dorks with an AI dork builder for instant recon
Flightradar24
Real-time and historical flight tracking via a global ADS-B receiver network
reNgine
Run subfinder, amass, httpx, naabu, and nuclei as configurable YAML pipelines across multiple targets — with a persistent database, screenshot gallery, and notification integrations managed through a web UI.
Web Check
Paste a URL and get DNS records, SSL details, security headers, tech stack, WHOIS, and 100+ more domain intelligence checks in a single browser view — in under thirty seconds.
BuiltWith
Technology intelligence — find what any website is built with and who else uses it
Open-Asm
An open-source ASM platform that helps defenders turn scattered internet-facing assets into a trackable external inventory.
osmedeus
A recon orchestration engine that helps operators run complex attack surface discovery workflows with concurrency, dependencies, and structured output.
Penetration Testing Cheat Sheet
A command-first offensive security reference that helps testers find the exact syntax they need during active engagements.
r1cksec/cheatsheets
A compact infosec reference repository that gives pentesters fast command lookups for Active Directory, bash, and common offensive workflows.
scilla
An all-in-one recon tool that gives bug hunters a fast first-pass view of DNS, subdomains, ports, and web paths from one binary.
Scope
Pull public bug bounty scope data from one GitHub repository instead of checking every platform by hand.
secator
A CLI-first orchestration layer that standardizes how pentest teams run, chain, and store results from their security toolchain.
shuffleDNS
A fast DNS brute-force and validation tool that cleans passive subdomain results and extends coverage with wildcard-aware active discovery.
SpiderFoot
Map a target's full digital footprint automatically — domains, IPs, emails, names, and ASNs across 500+ sources.
Sucuri
Website security platform used by investigators to analyze site integrity, malware, and CDN infrastructure
TCM Security OSINT Course
Practical OSINT training for investigators and security professionals
WebCheck-OSINT
A lightweight way to pull website infrastructure, DNS, TLS, and fingerprinting checks into one fast first-pass recon view.
Censys
Internet-wide scanner with certificate transparency coverage no other tool matches.
FOFA
A web-focused internet asset search engine that helps analysts pivot from one exposed fingerprint to broader infrastructure quickly.
GrayHatWarfare
Find exposed cloud storage faster by searching indexed public S3 buckets and blob containers tied to real targets.
LeakIX
Internet-wide scanner for exposed services and data leaks, with a focus on misconfigured databases and sensitive data exposure
nomore403
A fast 403 bypass automation tool that turns forbidden content discovery results into systematically tested access-control edge cases.
openSquat
An open source monitoring tool that helps defenders catch brand lookalike domains before phishing campaigns go live.
Photon
Crawl a target website once and walk away with internal URLs, email addresses, social media links, JavaScript files, and exposed secrets — all organized into separate files ready for downstream investigation.
reconFTW
A full-scope domain recon framework that chains proven CLI tools into one repeatable workflow for broad attack surface discovery.
Recorded Future
The leading threat intelligence platform for enterprise security teams
SkyOSINT
Real-time satellite tracking and space intelligence platform combining orbital data with geopolitical analysis
Surfshark
VPN with built-in identity monitoring and anonymous browsing identity tools
Ubikron
The OSINT browser extension that runs 200+ enrichments from any web page
WiGLE
Crowdsourced wireless network database mapping billions of Wi-Fi, Bluetooth, and cell networks globally
YARD Stick One
Sub-1 GHz wireless transceiver for 433/868 MHz IoT, key fob, and industrial protocol analysis — the dedicated tool for the RF bands that run smart devices.
ADS-B Exchange
The only major flight tracker that refuses to filter opt-out aircraft
AirNav Radar FlightStick
A purpose-built ADS-B receiver with integrated filter and LNA — better 1090 MHz decode performance out of the box than any generic RTL-SDR dongle.
cariddi
A fast Go web crawler that plugs cleanly into recon pipelines to uncover endpoints, JavaScript URLs, and exposed secrets at scale.
discover
A Kali-native bash automation wrapper that speeds up standard recon, scanning, and payload generation without forcing you into a heavyweight framework.
IVRE
Turn your Nmap and Masscan output into a persistent, queryable network intelligence database with Shodan-style query capabilities against your own infrastructure.
mihari
A rule-driven OSINT hunting engine that automates recurring infrastructure queries and alerts only on what is newly discovered.
Pulsedive
Community-driven threat intelligence platform with enriched IOC data and free analyst-grade lookups
SEMrush
Competitive intelligence and web footprint analysis for digital investigators
Adalanche
A single-binary Active Directory graph tool that helps operators find ACL-driven escalation paths without standing up a separate graph database.
Hacking Tools (aw-junaid)
A multi-language security tool collection that helps researchers study how offensive and analysis utilities are built across different ecosystems.
Criminal IP
IP and domain scanner that scores addresses by malicious activity and maps CVEs to exposed service banners.
Findomain
A fast passive subdomain enumerator that adds built-in monitoring, history, and alerting for newly exposed assets.
Netlas
Internet scanning platform with 8 billion+ indexed IP addresses for attack surface and infrastructure analysis
Recon-ng
CLI-based web reconnaissance framework modeled after Metasploit
Setapp
Curated Mac app subscription with several tools useful for investigators and security researchers
theHarvester
Passively harvest emails, subdomains, and hostnames from public sources before you touch a single target system.
FlightAware
US commercial flight tracking with FAA data integration and a developer-friendly API
metabigor
A zero-configuration ASN and network scope discovery tool that helps hunters map organizational IP space without API setup.
Mitaka
A browser extension that turns highlighted indicators into instant OSINT and threat intelligence lookups without breaking analyst flow.
SecurityTrails
Historical DNS and domain intelligence database covering 10+ years of infrastructure changes
GreyNoise
Internet noise classifier that separates mass-scanning background traffic from targeted activity so you can stop chasing ghosts in your SIEM.
MarineTraffic
Real-time ship tracking via a global AIS receiver network — the default starting point for maritime OSINT
Onyphe
Cyber defense search engine indexing internet-wide scan data, threat intelligence feeds, and passive DNS
sitedorks
Run the same dork across multiple search engines and target site collections without rebuilding every query by hand.
Maltego
The gold standard for visual link analysis and OSINT pivoting
ZoomEye
Chinese-operated internet search engine for cyberspace — maps exposed services and devices globally
OpenSky Network
Free ADS-B flight tracking API with multi-year historical archive — the right tool when Flightradar24's history tier is too expensive.
VesselFinder
AIS-based ship tracking that earns its place as a cross-reference tool — and occasionally the primary one