TERRA ReconOS · Passive Intelligence Platform · Bug Bounty

Recon like a seasoned hunter.

14 passive modules. LLM-powered attack chain correlation. Cross-scan memory that maps entire org attack surfaces over time. All requests originate from your browser — your IP, your accountability.

▶ Start Scanning See Features
14
Passive Modules
~45s
Full Scan Time
0
Server HTTP to target*
Scan history memory
TERRA ReconOS
terra reconos — passive scan engine v6.0
How It Works

Three phases.
One workflow.

From URL to actionable playbook in under a minute.

01
🔍
Passive Recon
14 modules run in parallel from your browser. Headers, JS secrets, GraphQL, certificate transparency, Wayback history, WAF detection — all fetched from your IP, never the server.
02
🧠
Expert Analysis
Claude Haiku correlates findings into attack chains. Not just a list of issues — a structured playbook with exploitability scores, false-positive flags, and exact next steps per finding.
03
🗺️
Cross-Scan Memory
Every scan stores fingerprints. Scan a subdomain — the system finds it shares infra with a previously-scanned target. Subdomain gap analysis shows what you haven't touched yet.
14 Passive Modules

Everything runs
from your browser.

No server proxying. No shared IP. Scan data stays yours.

🛡️
Security Headers
CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy — with weak value detection, not just presence checks.
passive
🔍
JS Analysis
Extracts API endpoints and scans for 15 secret patterns (AWS keys, Stripe, JWT, Firebase, Slack) with low false-positive tuning.
passive
🔌
API Surface
GraphQL introspection detection, Swagger/OpenAPI discovery, JWT decode + algorithm audit, WebSocket detection.
passive
🧬
Tech Fingerprint
30+ technology signals from headers and body. EOL PHP detection, CMS identification, third-party tracker enumeration.
passive
🧱
WAF Detection
12 WAF/CDN vendor signatures. Rate limit context-aware: no WAF + no headers = High risk. WAF detected = downgraded to Info.
passive
📂
Path Discovery
60+ paths in batches of 8 parallel. Critical findings GET-verified to eliminate HEAD false positives. .git, .env, backups, admin.
passive
🔐
Auth Surface
Maps login, OAuth, SAML, 2FA endpoints. Detects missing CSRF protection. HTTP method audit (TRACE, DEBUG, OPTIONS).
passive
🔓
Leakage & SQLi
14 DB error patterns, stack traces, path disclosure. SQLi detection via explicit error strings only — no size comparison, low FP.
passive
📜
Wayback History
5000 historical URLs via CDX API. Discovers old endpoints, parameter names, sensitive file extensions. Requests go to archive.org.
passive
🔎
CT Subdomains
Certificate Transparency via crt.sh. Auto-categorizes into dev, admin, CI/CD, database, VPN. Probes live status of high-value subs.
passive
📄
Security.txt & OIDC
RFC 9116 parser, bug bounty platform detection, .well-known/ exploration: OpenID config, JWKS, mobile app associations.
passive
🤖
AI Code Patterns
9 signature vulnerabilities in LLM-generated code: JWT algo confusion, placeholder creds, SQL concat, CORS reflection, path traversal, insecure deserialization + business logic signals.
AI-specific
🔒
SSL / TLS + DNS
Server-side: TLS protocol probes, cert expiry, weak keys. SPF, DMARC, CAA records. Subdomain takeover via dangling CNAME detection.
server-side
Verification Pass
Post-scan accuracy layer: re-evaluates CORS, cookies, rate limit, and path findings with content analysis. Removes false positives, upgrades confirmed findings.
accuracy
* SSL/TLS and DNS checks run server-side (require socket access). All other modules run from your browser.
Expert AI Analysis

Findings are just data.
Context is intelligence.

🧠 Claude Haiku

Attack chain correlation — not a checklist

Most scanners list findings independently. A missing security header is a missing security header. TERRA ReconOS correlates: .git exposed → source code → hardcoded credentials → admin panel. That's a critical attack chain, not three Medium findings.

The expert system also flags false positives — things like CORS wildcards on public CDN endpoints, or rate limit headers absent because Cloudflare handles it silently. Context matters.

6
Analysis layers
$0.002
Avg cost/scan
~8s
Analysis time
⛓ Attack Chain Example — Auto-Generated
C
.git/config accessible — full source code downloadable via git clone
H
Source analysis reveals hardcoded DB credentials in config/database.php
H
/phpmyadmin found accessible — DB management panel exposed
C
Full database compromise via credential reuse — CRITICAL chain
🎯 Hunter's next step: Download repo via git clone https://target.com/.git, grep for DB_ variables, attempt phpmyadmin login with found credentials.
Cross-Scan Memory

One scan is recon.
Many scans is intelligence.

The only passive recon tool that gets smarter the more you use it.

🔗
Infrastructure Correlation
Scan api.target.com — system finds it shares IP subnet and server signature with app.target.com scanned last week. Same infra = same vulnerabilities.
📊
Subdomain Gap Analysis
CT logs revealed 47 subdomains. You've scanned 6. Coverage: 13%. Suggested next targets ranked by category risk: dev, admin, CI/CD first.
🧬
Pattern Recognition
3 scanned targets all running nginx/1.18.0 — likely same internal deployment template. If one has a config issue, they probably all do.
Comparison

Where TERRA fits.

Not a replacement for Burp. A smarter starting point before you open Burp.

Feature TERRA ReconOS Nikto Nuclei Burp Suite Pro Manual
Setup required Browser only Install + CLI Install + templates Install + license None
Scan origin IP ✓ Your IP Server/VPS IP Server/VPS IP Your IP Your IP
Wayback URL history ✓ 5000 URLs Plugin Manual
CT subdomain discovery ✓ + categorized Template Manual crt.sh
LLM attack chain analysis ✓ Claude Haiku
Cross-scan memory ✓ Persistent DB
False positive context ✓ WAF/CORS aware High FP Template-dep. Manual review Human
Export HTML report ✓ Self-contained Text/CSV JSON/SARIF DIY
Active vulnerability testing ✕ Passive only
Cost API key only Free Free $449/yr Free
Architecture

Hybrid by design.

Built for accountability. Every scan is traceable to a real person, not a datacenter.

🌐 Browser Modules (your IP)
12 modules make direct HTTP requests from your browser. The target sees your IP address — same as manual testing.
👤Your browser → target.com
📡Headers, JS files, paths, certs
🌍archive.org (Wayback CDX)
🔎crt.sh (Certificate Transparency)
🧠api.anthropic.com (Expert analysis)
✓ Your IP is logged per scan for full accountability
⚙️ Server Modules (server IP)
2 modules require server-side execution: SSL socket probing and DNS record queries. These cannot run in a browser.
🔒TLS socket → target:443 (cert, protocols)
🌍dns_get_record (SPF, DMARC, CAA, MX)
💾Scan fingerprints → MariaDB
🔗Cross-scan relation matching
These 2 modules only do passive reads — no path probing from server
TERRA RECONOS

Start hunting smarter.

Passive recon. LLM correlation. Cross-scan memory.
Everything a hunter needs before opening Burp.

▶ Create Account Sign In
Internal use only · Legal bug bounty targets only · Your IP is logged per scan