Reconnaissance
How the recon agent maps your application into an asset graph
Role
Reconnaissance is the first agent in every pentest. Its job is to turn a starting URL (and any credentials you provide) into a complete asset map — the graph of nodes and relationships that every later agent reasons over.
Recon does not look for vulnerabilities. It builds the picture the auditor needs to decide where vulnerabilities are likely to be.
What it discovers
- Pages and routes — Every reachable page in your web app, including dynamically rendered content
- API endpoints — Backend endpoints the frontend calls, plus their HTTP methods
- Authentication flows — Sign-in, sign-up, and session handling, in both logged-out and logged-in states
- Backends & services — Application servers, auth providers, third-party SaaS, cloud resources, and data stores
- Technologies — Frameworks, libraries, and platforms, fingerprinted from responses
- Relationships — How assets connect: which page calls which API, which API uses which backend, where data is stored
Intelligent crawling
Unlike a traditional crawler that follows links blindly, recon:
- Executes JavaScript — Discovers content in single-page apps and dynamically rendered routes
- Follows authentication — Replays the credentials you supply to crawl the authenticated surface, not just the public shell
- Understands context — Distinguishes marketing pages from authenticated app areas from admin consoles
- Collapses templates — Folds `/products/1`, `/products/2`, … into a single route template with an instance count, so the graph stays readable
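The template-collapsing step above is the one a reader most often asks about, so here is a worked illustration. It is an added example, not the recon agent's own code: the identifier heuristics (numeric segments, UUIDs, long hex tokens) and the `{id}` placeholder are assumptions, and the input paths are constructed.

```python
import re
from collections import defaultdict

# Assumption: a path segment is an instance identifier rather than a fixed
# route name if it is numeric, a UUID, or a long hex token. A production
# crawler would use richer rules, but the collapsing logic is the same.
_ID_PATTERNS = [
    re.compile(r"^\d+$"),
    re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"),
    re.compile(r"^[0-9a-fA-F]{16,}$"),
]


def is_identifier(segment: str) -> bool:
    """True if the segment looks like an instance id rather than a route word."""
    return any(p.match(segment) for p in _ID_PATTERNS)


def templatize(path: str) -> str:
    """Replace identifier-like segments with {id}; the query string is dropped."""
    path = path.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    return "/" + "/".join("{id}" if is_identifier(s) else s for s in segments)


def collapse_routes(paths):
    """Group concrete paths by template.

    Returns {template: (instance_count, up to three sample concrete paths)}.
    The same concrete path seen with different query strings counts once.
    """
    groups = defaultdict(set)
    for p in paths:
        groups[templatize(p)].add(p.split("?", 1)[0])
    return {t: (len(ps), sorted(ps)[:3]) for t, ps in groups.items()}


def route_summary(paths):
    """Templates ordered by instance count, largest first, for a readable graph."""
    collapsed = collapse_routes(paths)
    return sorted(collapsed.items(), key=lambda kv: (-kv[1][0], kv[0]))


# Constructed sample of paths a crawl might observe (not real data).
SAMPLE_PATHS = [
    "/", "/pricing", "/login",
    "/products/1", "/products/2", "/products/3", "/products/new",
    "/products/2?ref=email",
    "/api/orders/1001/items", "/api/orders/1002/items",
    "/users/6f1d2c3b-1111-4222-8333-444455556666/settings",
]

if __name__ == "__main__":
    for template, (count, samples) in route_summary(SAMPLE_PATHS):
        print(f"{template:32} instances={count} e.g. {samples}")
```

Note that `/products/new` is kept as its own route rather than being folded into `/products/{id}`, because the word "new" does not look like an identifier; a crawler that collapsed on position alone would lose that distinct create form.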
Automatic platform detection
You don't configure platform-specific settings. Recon automatically detects the platforms your application is built on and tags the relevant nodes, so the auditor can target platform-specific weaknesses:
| Platform | Detected via | Surfaced to the auditor |
|---|---|---|
| Supabase | URL patterns, SDK usage | RLS policies, storage buckets, edge functions, anonymous access |
| Firebase | Config objects, SDK imports | Firestore/RTDB rules, storage rules, API key exposure |
| Vercel / Next.js | Headers, deployment patterns | NEXT_PUBLIC_ exposure, API routes, middleware |
| Convex | Client configuration | Function permissions, database access |
If you add one of these platforms later, recon picks it up on the next pentest — no configuration changes needed.
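To make the "Detected via" column concrete, here is an added example of the kind of fingerprinting the table describes. It is not the product's detector: the signatures are a small set of publicly documented defaults (Supabase project hosts under `supabase.co`, Firebase `firebaseio.com`/`firebaseapp.com` hosts and the `authDomain` config key, the Next.js `x-powered-by` header and `/_next/static/` asset path, the `x-vercel-id` header, Convex `convex.cloud` hosts), the `Observation` structure is an assumption, and the sample observations are constructed. The per-platform follow-up list is taken from the table above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Observation:
    """One fetched resource: where it came from, its headers, body, and hosts its JS calls."""
    url: str
    headers: dict = field(default_factory=dict)       # lower-cased header names
    body: str = ""
    outbound_hosts: set = field(default_factory=set)  # hosts contacted by the page's scripts


# Assumption: illustrative signatures only; a real detector weighs many more.
SIGNATURES = {
    "supabase": {
        "hosts": [r"\.supabase\.co$"],
        "body": [r"@supabase/supabase-js", r"supabase\.co/rest/v1"],
    },
    "firebase": {
        "hosts": [r"\.firebaseio\.com$", r"\.firebaseapp\.com$"],
        "body": [r"initializeApp\(", r"\bauthDomain\b", r"\bfirestore\b"],
    },
    "vercel-nextjs": {
        "headers": {"x-powered-by": r"next\.js", "x-vercel-id": r"."},
        "body": [r"/_next/static/"],
    },
    "convex": {
        "hosts": [r"\.convex\.cloud$"],
        "body": [r"ConvexReactClient", r"convex/react"],
    },
}

# What the auditor should look at once a platform is tagged (from the table above).
PLATFORM_CHECKS = {
    "supabase": ["RLS policies", "storage buckets", "edge functions", "anonymous access"],
    "firebase": ["Firestore/RTDB rules", "storage rules", "API key exposure"],
    "vercel-nextjs": ["NEXT_PUBLIC_ exposure", "API routes", "middleware"],
    "convex": ["function permissions", "database access"],
}


def detect_platforms(observations):
    """Return {platform: sorted evidence strings} for every platform with at least one hit."""
    evidence = defaultdict(set)
    for obs in observations:
        hosts = {urlparse(obs.url).hostname or ""} | set(obs.outbound_hosts)
        for platform, sig in SIGNATURES.items():
            for host in hosts:
                for pat in sig.get("hosts", []):
                    if re.search(pat, host):
                        evidence[platform].add(f"host {host}")
            for name, pat in sig.get("headers", {}).items():
                value = obs.headers.get(name)
                if value is not None and re.search(pat, value, re.I):
                    evidence[platform].add(f"header {name}: {value}")
            for pat in sig.get("body", []):
                if re.search(pat, obs.body):
                    evidence[platform].add(f"body matches /{pat}/ in {obs.url}")
    return {p: sorted(e) for p, e in evidence.items()}


def scheduled_checks(detected):
    """Map detected platforms to the review items the auditor should schedule."""
    return {p: PLATFORM_CHECKS[p] for p in detected}


# Constructed observations for a Next.js app on Vercel that talks to Supabase.
SAMPLE_OBSERVATIONS = [
    Observation(
        url="https://app.example.test/",
        headers={"x-powered-by": "Next.js", "x-vercel-id": "iad1::constructed"},
        body='<script src="/_next/static/chunks/main.js"></script>',
        outbound_hosts={"abcdefghijkl.supabase.co"},
    ),
    Observation(
        url="https://app.example.test/_next/static/chunks/main.js",
        headers={"content-type": "application/javascript"},
        body='import{createClient}from"@supabase/supabase-js";'
             'const u="https://abcdefghijkl.supabase.co/rest/v1";',
    ),
]

if __name__ == "__main__":
    found = detect_platforms(SAMPLE_OBSERVATIONS)
    for platform, ev in found.items():
        print(platform, "<-", ev)
        print("  review:", scheduled_checks(found)[platform])
```

Evidence is kept per platform rather than reduced to a boolean so the auditor can see why a node was tagged, which matters when a signature fires on a third-party script rather than on the application itself.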
When recon gets blocked
If recon reaches an asset but can't go further — a login wall, MFA, a CAPTCHA, or a rate limit — it records a discovery blocker on that node instead of silently giving up. You see exactly where coverage stopped, why, and what (if anything) you can do about it. See discovery blockers and WAF Bypass Configuration.
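The asset graph described in the Role section (nodes, relationships) and the discovery-blocker behaviour described here fit together naturally, so the added example below builds a small graph from constructed crawl records and annotates blocked nodes instead of dropping them. It is illustrative code, not the recon agent's implementation: the `Node`/`AssetGraph` shapes, the blocker-classification heuristics (429 or `Retry-After` as rate limit, CAPTCHA markup in the body, one-time-code prompts as MFA, 401 or a redirect to a login page as a login wall), and the single assumed `app-server` backend are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class BlockerKind(Enum):
    LOGIN_WALL = "login_wall"
    MFA = "mfa"
    CAPTCHA = "captcha"
    RATE_LIMIT = "rate_limit"


@dataclass
class Node:
    id: str
    kind: str                          # "page", "api", "backend"
    tags: set = field(default_factory=set)
    blocker: Optional[dict] = None     # recorded on the node; the node is never dropped


@dataclass
class AssetGraph:
    nodes: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)   # (source_id, relation, target_id)

    def add_node(self, node_id: str, kind: str) -> Node:
        return self.nodes.setdefault(node_id, Node(node_id, kind))

    def relate(self, src: str, relation: str, dst: str) -> None:
        edge = (src, relation, dst)
        if edge not in self.edges:
            self.edges.append(edge)

    def record_blocker(self, node_id: str, kind: BlockerKind, detail: str) -> None:
        self.nodes[node_id].blocker = {"kind": kind.value, "detail": detail}

    def coverage_report(self):
        """Where crawling stopped and why: (node_id, blocker kind, detail), sorted."""
        return sorted((n.id, n.blocker["kind"], n.blocker["detail"])
                      for n in self.nodes.values() if n.blocker)


def classify_blocker(status: int, headers: dict, body: str) -> Optional[BlockerKind]:
    """Assumed heuristics mapping a response to the blocker that stopped the crawl."""
    text = body.lower()
    if status == 429 or "retry-after" in headers:
        return BlockerKind.RATE_LIMIT
    if "captcha" in text:
        return BlockerKind.CAPTCHA
    if "authenticator" in text or "one-time code" in text:
        return BlockerKind.MFA
    location = headers.get("location", "").lower()
    if status == 401 or (status in (301, 302, 303, 307) and "login" in location):
        return BlockerKind.LOGIN_WALL
    return None


def node_id_for(path: str) -> str:
    return ("api:" if path.startswith("/api/") else "page:") + path


def build_graph(crawl):
    """crawl: iterable of (path, status, headers, body, api_paths_called)."""
    g = AssetGraph()
    g.add_node("backend:app-server", "backend")   # assumption: one application server
    for path, status, headers, body, apis in crawl:
        nid = node_id_for(path)
        g.add_node(nid, "api" if nid.startswith("api:") else "page")
        for api in apis:
            aid = node_id_for(api)
            g.add_node(aid, "api")
            g.relate(nid, "calls", aid)
            g.relate(aid, "uses", "backend:app-server")
        blocker = classify_blocker(status, {k.lower(): v for k, v in headers.items()}, body)
        if blocker:
            g.record_blocker(nid, blocker, f"HTTP {status}")
    return g


# Constructed crawl records: (path, status, headers, body, APIs the page calls).
SAMPLE_CRAWL = [
    ("/", 200, {}, "<html>Welcome</html>", ["/api/products"]),
    ("/account", 302, {"Location": "/login?next=/account"}, "", []),
    ("/admin", 200, {}, "Enter the 6-digit code from your authenticator app", []),
    ("/signup", 200, {}, "<div class='h-captcha'></div>", []),
    ("/api/export", 429, {"Retry-After": "60"}, "Too Many Requests", []),
]

if __name__ == "__main__":
    graph = build_graph(SAMPLE_CRAWL)
    for node_id, kind, detail in graph.coverage_report():
        print(f"coverage stopped at {node_id}: {kind} ({detail})")
```

Keeping the blocked node in the graph, with the blocker attached, is what lets a later pass (for example one run with credentials or with a WAF bypass configured) resume from exactly the nodes that were cut off rather than re-crawling from the root.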
Next steps
Last updated: June 11, 2026