
pentest-osint-recon

Automated OSINT reconnaissance agent for mapping external attack surfaces, identifying assets, and uncovering security vulnerabilities.

Introduction

The Pentest OSINT Recon skill is a specialized agentic workflow designed for security researchers, penetration testers, and DevSecOps teams to automate the initial phases of external security assessments. By leveraging a multi-stage approach, this agent systematically discovers, categorizes, and analyzes a target organization's internet-facing footprint, transforming raw data into actionable security intelligence. It effectively bridges the gap between manual enumeration and vulnerability assessment, enabling teams to maintain constant awareness of their attack surface.

  • Automated Domain Enumeration: Integrates industry-standard tools like amass and subfinder to map subdomains and identify related infrastructure assets.

  • Tech Stack Profiling: Utilizes httpx and whatweb to perform banner grabbing and fingerprinting on discovered web services, identifying the specific software versions and frameworks in use.

  • Information Leak Detection: Uses theHarvester to search public records and search engines for exposed employee email addresses, social media presence, and leaked credentials.

  • Vulnerability Correlation: Maps identified software versions and technologies against known CVE databases to provide a prioritized view of potential weaknesses.

  • Asset Relationship Mapping: Correlates IP addresses, domains, and web technologies to identify hidden connections or neglected shadow IT infrastructure.

  • Input requirements include a target domain or organization name and a defined scope for the assessment.

  • Expected outputs consist of a structured reconnaissance report, including a list of active subdomains, identified technology stacks, detected vulnerabilities (CVEs), and exposed information pointers.

  • The agent is designed to run periodically, allowing for continuous attack surface monitoring as the target organization's infrastructure changes.

  • Users should ensure all reconnaissance activities are performed within the scope of authorized penetration testing agreements and follow responsible disclosure practices.

  • Performance may vary based on external tool availability and the target's network security posture, such as rate-limiting or WAF interference.

Repository Stats

  • Stars: 267
  • Forks: 52
  • Open Issues: 16
  • Language: Python
  • Default Branch: main
  • Last Synced: May 3, 2026, 09:38 AM