Subfinder
Passive subdomain enumeration aggregating many OSINT sources with resolver validation options.
Why it is included
Core open-source link in the ProjectDiscovery recon toolkit.
Best for
Mapping external attack surface before deeper scanning.
Strengths
- Many sources
- Fast
- API keys optional
Limitations
- Passive intel quality varies by target and keys
Good alternatives
OWASP Amass · theHarvester
Related tools
Security & Privacy
OWASP Amass
Attack surface mapping engine: DNS, certificates, APIs, scraping, and graphing for deep asset discovery.
Security & Privacy
theHarvester
E-mail, subdomain, and host harvesting from search engines, PGP servers, and common OSINT APIs.
Security & Privacy
Metasploit Framework
Modular exploitation framework with payloads, encoders, auxiliaries, and integration points for exploit development.
Security & Privacy
OWASP ZAP
OWASP flagship web app scanner and proxy: automated checks, manual request tampering, scripting, and CI integrations.
Security & Privacy
sqlmap
Automatic SQL injection and database takeover helper with fingerprinting, data exfiltration, and OS-shell paths.
Security & Privacy
Nikto
Web server scanner that probes for dangerous files, outdated software, and misconfigurations via many checks.