Recon Agent

Recon Agent maps the attack surface before active testing begins. It uses ProjectDiscovery’s open-source toolkit to enumerate assets, discover infrastructure, and build a complete picture of what exists and where to look: without touching the target directly.

What it does

Subdomain enumeration: discovers subdomains via passive DNS sources and certificate transparency logs
Domain discovery: maps domain associations, related infrastructure, and hosting relationships
DNS reconnaissance: resolves DNS records and identifies CDN, cloud, and hosting providers
Asset inventory: builds a structured inventory of hosts, IPs, and services for downstream agents
PDCP integration: uses ProjectDiscovery Cloud Platform APIs for enriched passive intelligence when an API key is configured

How it fits in

Recon Agent runs at the start of most Thorough mode tasks. Its output feeds directly into testing agents so they work against a complete, verified target list rather than a partial one. It is passive-only and makes no direct requests to the target.

Agent Swarm

ProjectDiscovery Agent

⌘I

​What it does

​How it fits in

What it does

How it fits in