Back to Talks 2026
Workshopbeginner

BBOT: Automating the OSINT Kill Chain with a Single Command

Recon Village @ DEF CON 34August 6-9, 2026

Friday, August 7 · 3:30 PM – 6:00 PMRecon Village Workshop Area

Abstract

Reconnaissance is the foundation of every successful engagement but fragmented tooling, manual chaining, and missed data leave gaps that cost you findings. BBOT (Bighuge BLS OSINT Tool) was built to solve that. Developed by Black Lantern Security, BBOT is a recursive, event-driven OSINT framework that replaces the traditional phased approach with continuous, real-time discovery every new piece of data is immediately fed back into the scan engine to uncover what linear workflows miss.

This is a fully hands-on workshop. Attendees will install and configure BBOT, then run it live against their own scoped bug bounty targets turning the session into real reconnaissance rather than a slide-driven demo. We'll cover BBOT's 100+ module architecture spanning subdomain enumeration, cloud asset discovery, email harvesting, web spidering, and vulnerability scanning with Nuclei, all chainable in a single command and firing recursively in real time. Along the way we'll dig into scope management, passive vs. active recon tradeoffs, and the web hacking modules that can point you toward real findings.

By the end of the session, attendees will walk away with actual scan output from a live target, a repeatable BBOT-driven recon workflow they can drop into their next program, and a clear understanding of how to triage findings into real submissions. Whether you're new to automated recon or a seasoned bug bounty hunter still stitching tools together by hand, this workshop will change how you approach OSINT at scale.

Module 1 — Why BBOT? The Problem with How We Recon Now

The fragmented toolchain problem: Amass → Subfinder → httpx → manual grep

Why phased OSINT misses things — and what recursive, event-driven recon solves

BBOT's origin at Black Lantern Security and design philosophy

Quick architecture overview: modules, events, presets, scope

3.0 Updates - Rustification of HTTP and DNS

Q&A / audience skill check

Module 2 — Getting Oriented: Installation, Config & First Scan

Verify install and run bbot --help

Listing and exploring modules with bbot -l

Understanding flags vs. modules vs. presets

Exercise 2.1: Run your first subdomain scan

Reading and understanding BBOT output

Scan output folders, naming conventions, and where data lives

Module 3 — Subdomain Enumeration Deep Dive

How BBOT's recursive engine finds more than traditional tools

Passive vs. active enumeration — when to use each

Subdomain mutations and wordcloud usage

Exercise 3.1: Full active subdomain enum

Module 4 — Going Deeper: Cloud, Email & Asset Discovery

Cloud enumeration: S3 buckets, Azure blobs, GCP assets

Email harvesting for org footprinting

Combining flags for broader discovery

Exercise 4.1: Run a combined cloud + email + subdomain scan

Identifying misconfigured or exposed cloud assets in output

Discussion: how these findings translate to bug bounty submissions

Module 5 — Web Hacking Modules & Vulnerability Scanning

Overview of BBOT's web module suite: httpx, gowitness, wappalyzer, nuclei

Web spidering for email, secrets, and exposed paths

Nuclei integration — what it scans for and how to interpret results

Exercise 5.1: Full web scan with screenshots

Exercise 5.2: Kitchen sink scan (instructor-guided, safe target only)

Setting expectations: BBOT points you at the doors — you still have to kick them open

Module 6 — Triage, Workflow & What Happens After the Scan

How to structure your post-BBOT workflow: what to investigate first

Prioritizing findings by severity and exploitability

Avoiding common pitfalls: rate limiting, duplicate findings, out-of-scope mistakes

Building a repeatable bug bounty recon workflow around BBOT

Scheduling and automating recurring scans for continuous monitoring

Wrap-Up & Q&A

Recap of key takeaways

Recommended next steps and resources

GitHub, docs, and community links

Open Q&A

Prerequisites

  • Hardware
  • Laptop with 8GB RAM minimum
  • At least 5GB free disk space (for BBOT installs, dependencies, and scan output)
  • Preferred a Linux based Operating System
  • Software
  • Python 3.9 or higher
  • BBOT installed with either uv or pipx

Speaker

Mark Gaddy
Mark Gaddy

Black Lantern Security

Mark is an Operator & Lead trainer with Black Lantern Security. He spends his free time regularly doing CTFs and helping mentor those in his community.

View full speaker profile →