BBOT: Automating the OSINT Kill Chain with a Single Command
Recon Village @ DEF CON 34 • August 6-9, 2026
Abstract
Reconnaissance is the foundation of every successful engagement but fragmented tooling, manual chaining, and missed data leave gaps that cost you findings. BBOT (Bighuge BLS OSINT Tool) was built to solve that. Developed by Black Lantern Security, BBOT is a recursive, event-driven OSINT framework that replaces the traditional phased approach with continuous, real-time discovery every new piece of data is immediately fed back into the scan engine to uncover what linear workflows miss.
This is a fully hands-on workshop. Attendees will install and configure BBOT, then run it live against their own scoped bug bounty targets turning the session into real reconnaissance rather than a slide-driven demo. We'll cover BBOT's 100+ module architecture spanning subdomain enumeration, cloud asset discovery, email harvesting, web spidering, and vulnerability scanning with Nuclei, all chainable in a single command and firing recursively in real time. Along the way we'll dig into scope management, passive vs. active recon tradeoffs, and the web hacking modules that can point you toward real findings.
By the end of the session, attendees will walk away with actual scan output from a live target, a repeatable BBOT-driven recon workflow they can drop into their next program, and a clear understanding of how to triage findings into real submissions. Whether you're new to automated recon or a seasoned bug bounty hunter still stitching tools together by hand, this workshop will change how you approach OSINT at scale.
Module 1 — Why BBOT? The Problem with How We Recon Now
The fragmented toolchain problem: Amass → Subfinder → httpx → manual grep
Why phased OSINT misses things — and what recursive, event-driven recon solves
BBOT's origin at Black Lantern Security and design philosophy
Quick architecture overview: modules, events, presets, scope
3.0 Updates - Rustification of HTTP and DNS
Q&A / audience skill check
Module 2 — Getting Oriented: Installation, Config & First Scan
Verify install and run bbot --help
Listing and exploring modules with bbot -l
Understanding flags vs. modules vs. presets
Exercise 2.1: Run your first subdomain scan
Reading and understanding BBOT output
Scan output folders, naming conventions, and where data lives
Module 3 — Subdomain Enumeration Deep Dive
How BBOT's recursive engine finds more than traditional tools
Passive vs. active enumeration — when to use each
Subdomain mutations and wordcloud usage
Exercise 3.1: Full active subdomain enum
Module 4 — Going Deeper: Cloud, Email & Asset Discovery
Cloud enumeration: S3 buckets, Azure blobs, GCP assets
Email harvesting for org footprinting
Combining flags for broader discovery
Exercise 4.1: Run a combined cloud + email + subdomain scan
Identifying misconfigured or exposed cloud assets in output
Discussion: how these findings translate to bug bounty submissions
Module 5 — Web Hacking Modules & Vulnerability Scanning
Overview of BBOT's web module suite: httpx, gowitness, wappalyzer, nuclei
Web spidering for email, secrets, and exposed paths
Nuclei integration — what it scans for and how to interpret results
Exercise 5.1: Full web scan with screenshots
Exercise 5.2: Kitchen sink scan (instructor-guided, safe target only)
Setting expectations: BBOT points you at the doors — you still have to kick them open
Module 6 — Triage, Workflow & What Happens After the Scan
How to structure your post-BBOT workflow: what to investigate first
Prioritizing findings by severity and exploitability
Avoiding common pitfalls: rate limiting, duplicate findings, out-of-scope mistakes
Building a repeatable bug bounty recon workflow around BBOT
Scheduling and automating recurring scans for continuous monitoring
Wrap-Up & Q&A
Recap of key takeaways
Recommended next steps and resources
GitHub, docs, and community links
Open Q&A
Prerequisites
- Hardware
- Laptop with 8GB RAM minimum
- At least 5GB free disk space (for BBOT installs, dependencies, and scan output)
- Preferred a Linux based Operating System
- Software
- Python 3.9 or higher
- BBOT installed with either uv or pipx
Speaker
Black Lantern Security
Mark is an Operator & Lead trainer with Black Lantern Security. He spends his free time regularly doing CTFs and helping mentor those in his community.
View full speaker profile →