June 22, 2026
How I Automated My Bug Bounty Recon Pipeline Using Nmap + Nuclei + FFUF
I didn't set out to build a tool. I set out to stop losing weekends.
Six months into hunting on public programs, my recon had quietly turned into a second job. A program would expand scope overnight, I'd wake up to four hundred new subdomains, and before I could test a single interesting thing I had to grind through the same mechanical sequence I'd run a hundred times before. Enumerate. Probe. Scan. Sort. Re-sort. Throw away the noise. By the time I got to the part that actually required a brain, the day was gone.
This is the story of how I turned that grind into a pipeline — and what broke along the way, because plenty did.
The problem nobody warns you about
Recon doesn't scale the way you think it will. The first time you chain a few tools together it feels like magic. Then the target gets big, and the magic turns into a mess.
The failure mode is always the same: you run the right tools in the wrong order, or with the wrong limits, and the output becomes unusable. Nuclei firing nine thousand templates at a list of dead hosts. A WAF silently rate-limiting you so half your "findings" are actually connection errors. Re-scanning a program you hunt weekly and re-triaging the same two hundred known results because you never diffed against last time.
None of these are exotic problems. They're the boring, repetitive ones — which is exactly why they're worth automating.
The chain that actually works
After enough false starts, the sequence I settled on was deliberately simple:
```bash
subfinder -d target.com -silent \
  | httpx -silent \
  | nuclei -t cves/,exposures/ -severity medium,high,critical -rl 50 -silent
```
Subfinder finds the subdomains. httpx filters them down to what's actually alive — this is the step everyone skips and everyone regrets skipping. Running Nuclei directly against a raw subdomain list means scanning parked pages, redirect chains, and hosts that haven't existed in a year. You get garbage, slowly.
Only the live hosts reach Nuclei, and Nuclei only runs scoped template directories at a sane rate limit. That -rl 50 is not optional. Without it Nuclei defaults to 150 requests per second globally, which on a real target list reads as a denial-of-service attempt and gets you blocked — or worse, reported.
That's the whole trick. Filter hard, scope tight, throttle deliberately.
The lessons that cost me something
A clean command line hides how much I learned the hard way. Three things in particular:
False positives are a workflow problem, not a tool problem. Early on I'd see an "exposed .git directory" finding and get excited. Then I'd check, and it was a 403 — the directory was referenced but not actually browsable. Nuclei matched a pattern; it didn't confirm exploitability. I now treat every template match as a lead, not a conclusion. The automation surfaces candidates. A human confirms them. Skip that and you'll burn your reputation submitting non-issues.
Rate limits are reconnaissance too. The first time a program's WAF throttled me, I didn't notice — I just saw a wave of connection timeouts that Nuclei dutifully logged as if they were results. I spent an evening triaging noise that didn't exist. Now I watch error rates as closely as findings. A sudden spike in timeouts means I'm being blocked, not that I found something.
Diffing is the difference between a tool and a habit. On a program I hunt regularly, ninety percent of any re-scan is identical to the last one. Re-reading all of it is how you miss the ten percent that's new. Saving JSON output per run and surfacing only net-new findings turned a two-hour triage into a ten-minute one:
```bash
cat live.txt | nuclei -severity critical,high -rl 50 -json -o run-new.json
```
Then a simple comparison against the previous run's output tells me what actually changed.
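A worked version of that comparison, added here as an example rather than code from the post: it reads two runs of JSON-lines output (the sample lines are constructed, in the shape Nuclei emits with template-id, host, matched-at and info.severity), keys each finding on template plus location, and reports what is net-new and what has disappeared since last time.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample output in Nuclei's JSON-lines shape (one finding per line).
# Hosts and template ids are placeholders, not results from a real scan.
PREVIOUS_RUN = """\
{"template-id":"git-config","host":"https://a.example.com","matched-at":"https://a.example.com/.git/config","info":{"severity":"medium"}}
{"template-id":"placeholder-cve-template","host":"https://b.example.com","matched-at":"https://b.example.com/old-endpoint","info":{"severity":"critical"}}
"""
CURRENT_RUN = """\
{"template-id":"git-config","host":"https://a.example.com","matched-at":"https://a.example.com/.git/config","info":{"severity":"medium"}}
{"template-id":"exposed-backup-file","host":"https://c.example.com","matched-at":"https://c.example.com/backup.zip","info":{"severity":"high"}}
this line is not json and must be skipped, not crash the diff
"""

# A finding's identity: which template fired, on which host, at which URL.
Finding = Tuple[str, str, str]


def parse_findings(jsonl: str) -> Dict[Finding, str]:
    """Map each finding identity to its severity; malformed lines are skipped."""
    findings: Dict[Finding, str] = {}
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial writes or log noise should not abort triage
        key = (rec.get("template-id", ""), rec.get("host", ""), rec.get("matched-at", ""))
        findings[key] = rec.get("info", {}).get("severity", "unknown")
    return findings


def diff_runs(previous: str, current: str) -> Dict[str, List[Finding]]:
    """Return net-new findings (the ones worth a human look) and resolved ones."""
    old = parse_findings(previous)
    new = parse_findings(current)
    return {
        "new": sorted(k for k in new if k not in old),
        "resolved": sorted(k for k in old if k not in new),
    }


if __name__ == "__main__":
    delta = diff_runs(PREVIOUS_RUN, CURRENT_RUN)
    for key in delta["new"]:
        print("NEW     ", *key)
    for key in delta["resolved"]:
        print("RESOLVED", *key)
```

Point it at the saved run-new.json and the previous run's file in place of the embedded strings; the resolved list is worth a glance too, since a finding that vanished can mean a fix or a host that stopped answering.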
Where FFUF fits
Subdomain and template scanning find the obvious surface. FFUF finds what's hiding behind it — the admin panel nobody linked to, the backup file someone forgot, the endpoint that isn't in any sitemap. Once httpx has given me a list of live hosts, FFUF fuzzes them for content discovery, and the interesting hits feed right back into the next round of targeted scanning.
The point is that none of these tools is the answer on its own. The value is in the handoffs — subfinder's output becoming httpx's input becoming Nuclei's target list becoming FFUF's seed. Each tool is a stage. The pipeline is the product.
Where it broke down — and what I did about it
Here's the honest part. Even with the chain working, I was still the bottleneck.
Every stage needed me to babysit it. Tweak a flag, re-run, wait, eyeball the output, decide what fed forward. The commands were automated; the judgment wasn't. And judgment is the slow part — deciding which findings matter, writing them up in a way a triager will accept, remembering the context of a program I last touched three weeks ago.
So I started building the thing I actually wanted: a system that ran the whole chain end to end and did the first pass of analysis itself. Recon, scanning, and an AI layer that reads the raw output and tells me why a finding matters and what to check before reporting — not just that a template fired. That became PhantomRed, and building it taught me more about my own workflow than years of running the tools manually ever did.
The biggest realization: most of what I'd been doing by hand wasn't skill. It was overhead. The skill was in the last mile — the validation, the write-up, the judgment call. Everything before that was a pipeline waiting to be built.
If you're starting from scratch
You don't need a platform to get most of this value. You need three habits:
- Always filter live before you scan. httpx between enumeration and Nuclei, every time.
- Throttle on purpose. -rl 50 as a baseline, lower on sensitive targets, and watch your error rates.
- Diff every re-scan. Save structured output and only look at what's new.
That alone will give you back most of the weekends recon quietly steals. If you want the full chain — Nmap, Nuclei, and FFUF wired together with the rate-limiting and triage logic baked in — I wrote up the complete workflow here.
Automation didn't make me a better hunter. It just cleared away everything that was stopping me from doing the part I was actually good at.
I'm building PhantomRed in public — autonomous AI penetration testing for bug bounty hunters and security researchers. If you want to follow the build, phantomred.com.