BBOT maps internet exposure recursively

BBOT is an open-source Python recon tool for recursive internet scanning, OSINT, and attack surface work. Here is what its public GitHub metadata supports

2026-05-15 GIGATAP Team #security
#recon#attack-surface-management#osint

What BBOT is#

BBOT is an open-source Python project from Black Lantern Security. Its GitHub description is short and direct: “recursive internet scanner for hackers.” The repository positions the tool around reconnaissance, attack surface management, OSINT, subdomain enumeration, threat intelligence, bug bounty work, and pentesting.

That matters because these jobs often break down in the same place: the first map is incomplete. An organization may know its main domains, cloud accounts, and public applications. It may not have a clean view of forgotten subdomains, exposed services, related assets, or infrastructure that appears through recursive discovery.

BBOT appears to sit in that gap. Based on its public repository metadata, it is not just filed as a scanner. Its topics include attack-surface-management, EASM, OSINT framework, subdomain scanner, recursion, automation, CLI, Neo4j, recon, and threat intelligence. That suggests a tool aimed at collecting and expanding internet-facing leads rather than checking one host in isolation.

The important word is “suggests.” The public GitHub metadata tells us the project’s declared scope and ecosystem signals. It does not prove production readiness, safety properties, detection quality, or operational fit for a specific team.

The concrete problem it tries to solve#

Reconnaissance is usually less glamorous than exploitation, but it often decides whether the rest of the work is useful. If the asset list is wrong, vulnerability scanning becomes narrow. If the subdomain map is stale, exposure reviews miss real targets. If OSINT data is not connected, analysts spend time stitching together leads by hand.

BBOT’s public positioning points at recursive discovery. In practical terms, recursive internet scanning means the tool can start with known inputs and use discovered data to find more related data. A domain may lead to subdomains. A subdomain may lead to hosts, services, names, or other artifacts. Those artifacts may become new inputs.

This style is useful in several common workflows:

  • External attack surface reviews, where the first task is finding what the organization exposes.
  • Bug bounty reconnaissance, where researchers need fast asset expansion before deeper testing.
  • Pentest preparation, where scope needs to be translated into real internet-facing targets.
  • Threat intelligence and OSINT work, where relationships between domains, infrastructure, and identifiers matter.
  • Security automation, where repeated recon jobs need consistent output rather than ad hoc notes.

The repository’s topic list also mentions Neo4j. That is relevant because graph storage is often used when relationships matter: domains to subdomains, hosts to services, identities to infrastructure, and so on. The metadata alone does not define exactly how BBOT uses Neo4j, but it does reinforce the idea that the project is about connected discovery, not only one-off probing.

Who should care#

The obvious audience is security operators who do external recon: pentesters, bug bounty hunters, red teams, ASM/EASM teams, and OSINT analysts. The project is written in Python, which also makes it approachable for teams that want to inspect behavior, modify modules, or wire the tool into existing automation.

The repository has visible community signals: 9,683 stars, 803 forks, and 63 watchers at the time reflected in the source item. Those numbers do not guarantee quality. They do show that the project has attracted attention from the security tooling community.

The license is AGPL-3.0. That is not a footnote. AGPL licensing can matter for organizations that modify, host, or integrate software into services. Teams should review license obligations before building internal workflows or commercial services around the project.

BBOT may also interest defenders who do not run offensive programs. External asset discovery is not only a red-team problem. Blue teams need to know what attackers can enumerate. If a tool helps expose forgotten internet-facing assets, it can support hygiene work before those assets become incident evidence.

What not to overclaim#

The public repository metadata does not support claims that BBOT is safe for every environment, complete in coverage, production-ready, stealthy, compliant with every target’s rules, or superior to other ASM tools. It also does not tell us whether a given module is passive, active, noisy, rate-limited, or appropriate for a third-party target.

That distinction matters. Recon tooling can touch systems you do not own. It can generate traffic, trigger alerts, violate program rules, or produce data that needs careful handling. A tool being open source does not remove operational responsibility.

The repository description also uses hacker-oriented language. That does not by itself define acceptable use. The acceptable use boundary depends on authorization, scope, local law, contract terms, and platform rules. For bug bounty work, scope and rate limits should be checked before running any automated scanner.

The source item also does not provide a security audit, release history analysis, dependency review, or benchmark. Readers should treat this as a project note based on public GitHub metadata, not as an endorsement or deployment recommendation.

What to verify before using it#

Before putting BBOT into a workflow, teams should check the repository directly. Start with the README, install instructions, module documentation, configuration model, and examples. Confirm what inputs it expects and what outputs it creates.

A practical review should include:

  • Scope control: can you limit targets tightly enough for your rules of engagement?
  • Module behavior: which modules are passive, active, authenticated, or noisy?
  • Output handling: where does collected data go, and does it include sensitive information?
  • Dependencies: what packages and services does it require?
  • Update activity: what changed recently, and are issues or pull requests maintained?
  • License fit: does AGPL-3.0 work for your organization’s intended use?
  • Integration cost: can it export data in a format your team already uses?
  • Safety testing: can you run it first against owned lab domains before wider use?

For teams with mature security operations, the key question is not “does this tool find things?” It is “can we control what it does, explain its results, and repeat it safely?”

Bottom line#

BBOT is a Python-based open-source recon project with a clear public focus: recursive internet scanning, attack surface management, OSINT, subdomain discovery, and automation. Its GitHub metadata shows strong community interest and an AGPL-3.0 license.

The useful way to evaluate it is operational. If your work depends on mapping internet-facing assets, BBOT is worth a closer look. But treat the repository as the starting point, not the conclusion. Read the docs, test on owned scope, verify module behavior, and check license obligations before wiring it into real engagements.