Beginner Recon Checklist (Step-by-Step Guide for Bug Bounty & Pentesting)
Riya Limba
April 3, 2026 (Updated: April 3, 2026)
Reconnaissance (Recon) is the first and most important step in cybersecurity testing. Before finding vulnerabilities, you must collect information about the target. Good recon increases your chances of finding bugs faster.
This Beginner Recon Checklist will help you follow a clear, structured process without confusion.
What is Recon in Cybersecurity?
Recon (Reconnaissance) is the process of gathering information about a target such as:
Domains
Subdomains
IP addresses
Technologies used
Endpoints
Parameters
Hidden files
The goal is to map as much of the target's attack surface as possible before testing for vulnerabilities.
Beginner Recon Checklist (Step-by-Step)
1. Find Root Domain
Start with the main domain of the target.
Example: example.com
You usually get this from:
Bug bounty program scope
Company website
HackerOne / Bugcrowd program
Why this matters:
Everything starts from the root domain.
2. Subdomain Enumeration
Find all subdomains related to the target.
Example:
api.example.com
dev.example.com
admin.example.com
test.example.com
Beginner tools:
Subfinder
Assetfinder
Amass
Why this matters:
Subdomains often contain test environments and hidden apps.
3. Check Live Subdomains
Not all subdomains are active. Check which ones are live.
Example:
api.example.com (live)
dev.example.com (dead)
admin.example.com (live)
Beginner tools:
httpx
httprobe
Why this matters:
Only live targets can be tested.
4. Find URLs / Endpoints
Now collect URLs from live subdomains.
Example:
/login
/api/user
/dashboard
/admin
Beginner tools:
gau
waybackurls
katana
Why this matters:
More URLs = more testing opportunities.
5. Extract Parameters
Look for URLs with parameters.
Example:
example.com/page?id=10
example.com/search?q=test
example.com/redirect?url=site.com
Why this matters:
Parameters are commonly vulnerable to:
XSS
SQL Injection
Open Redirect
IDOR
6. Find JavaScript Files
JavaScript files often contain hidden endpoints.
Example:
app.js
main.js
config.js
Why this matters:
JS files may expose:
API endpoints
Keys
Tokens
Hidden routes
7. Technology Detection
Identify technologies used by the target.
Example:
React
PHP
Nginx
AWS
Tools:
Wappalyzer
BuiltWith
WhatWeb
Why this matters:
Helps you choose the right testing approach.
8. Directory & File Discovery
Find hidden directories and files.
Example:
/admin
/backup
/dev
/.env
Tools:
dirsearch
ffuf
gobuster
Why this matters:
Hidden directories often contain sensitive data.
9. Screenshot Recon (Optional but Useful)
Take screenshots of all live subdomains.
Tools:
Aquatone
Eyewitness
Why this matters:
Helps quickly identify:
Login panels
Admin dashboards
APIs
Internal apps
10. Organize Your Recon Data
Keep everything organized.
Example structure:
target/
├── subdomains.txt
├── live.txt
├── urls.txt
├── params.txt
└── js.txt
Why this matters:
Organized recon = faster bug hunting
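An added example, not part of the original article: one way to turn a raw URL list (step 4) into the urls.txt, params.txt and js.txt files from step 10 while dropping anything outside the program scope. The function names (in_scope, triage, write_buckets) are hypothetical and the sample URLs are constructed.

```python
from pathlib import Path
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input, shaped like the output of a URL collection tool.
SAMPLE_URLS = [
    "https://example.com/page?id=10",
    "https://example.com/page?id=11",           # same endpoint, new value
    "https://example.com/search?q=test",
    "https://example.com/redirect?url=site.com",
    "https://api.example.com/static/app.js?v=3",
    "https://api.example.com/static/main.js",
    "https://example.com.evil.test/page?id=1",  # look-alike host
    "https://cdn.thirdparty.test/config.js",    # third-party host
    "not a url",
]

def in_scope(host, roots):
    """True only for a root domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == r or host.endswith("." + r) for r in roots)

def triage(urls, roots):
    """Sort raw URLs into urls/params/js buckets; the rest goes to skipped."""
    out = {"urls": set(), "params": set(), "js": set(), "skipped": set()}
    for raw in urls:
        try:
            parts = urlsplit(raw.strip())
            host = parts.hostname or ""
            netloc = host if parts.port is None else f"{host}:{parts.port}"
        except ValueError:                      # malformed host or port
            out["skipped"].add(raw)
            continue
        if parts.scheme not in ("http", "https") or not in_scope(host, roots):
            out["skipped"].add(raw)
            continue
        base = f"{parts.scheme}://{netloc}{parts.path}"
        out["urls"].add(base)
        if parts.path.lower().endswith(".js"):
            out["js"].add(base)
        # Keep parameter names only, so ?id=10 and ?id=11 collapse to one entry.
        names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
        if names:
            out["params"].add(base + "?" + "&".join(n + "=" for n in names))
    return {k: sorted(v) for k, v in out.items()}

def write_buckets(result, directory):
    """Write urls.txt, params.txt and js.txt, the file names used in step 10."""
    target = Path(directory)
    target.mkdir(parents=True, exist_ok=True)
    for name in ("urls", "params", "js"):
        (target / f"{name}.txt").write_text("\n".join(result[name]) + "\n")
```

Calling triage(SAMPLE_URLS, ["example.com"]) keeps the five in-scope endpoints and records the look-alike host, the third-party host and the malformed line under "skipped", so the scope decision stays visible in the saved data.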
Simple Beginner Recon Flow
Root Domain
↓
Subdomain Enumeration
↓
Check Live Domains
↓
Collect URLs
↓
Extract Parameters
↓
Find JS Files
↓
Directory Brute Force
↓
Start Testing
Beginner Recon Mistakes to Avoid
❌ Running tools without understanding
❌ Not checking scope
❌ Testing dead subdomains
❌ Not saving recon data
❌ Skipping JavaScript files
❌ Testing without recon
Pro Tips for Beginners
✔ Quality recon is better than fast recon
✔ Manual recon finds hidden bugs
✔ Read JavaScript files carefully
✔ Focus on parameters
✔ Always check archived URLs
Final Thoughts
Recon is where real bug hunting starts.
The more data you collect, the more vulnerabilities you can find.
Beginners should focus on learning recon first, not tools.
Because:
Tools collect data.
Hunters find bugs.
#cybersecurity #bug-bounty #ethical-hacking #web-security #osint