ThinRecon · active reconnaissance

Free authorised active reconnaissance of your public surface.

Targeted, hands-on tooling — httpx, nmap, subfinder, sslyze, nuclei, katana, gau, and trufflehog — orchestrated by our reasoning model, now including authenticated, proof-of-vulnerability testing: our agent creates its own throwaway test accounts to exercise logged-in flows. Proof-of-vulnerability only: no bulk data extraction, no denial-of-service, no destruction of real accounts or data. Free while we onboard our first cohort of customers.

Submit the engagement. Enter your work email and the authorising officer, then accept the Rules of Engagement. We test the domain of your email — scope is optional.
The authorising officer authorises. We email them a one-click link. The active reconnaissance starts the moment they click it — never before.
Report by email. When the active recon completes, the findings land in your inbox — with critical issues flagged as critical.

Target

Your work email

We test the public surface of your email's domain — e.g. acme.com from you@acme.com. You can only test a domain you hold an address at. We do not test government or critical-infrastructure domains.

Scope (optional)

Leave this blank and we test your email's root domain. Only add lines here to widen scope to specific subdomains or hosts.

In scope (optional, one per line, max 200)

Wildcards (*.acme.com) are allowed. Subdomains must resolve under your email's domain. Blank means just the root domain.

Out of scope (optional, one per line)

Anything we must NOT touch. A blank line is fine; we already exclude anything outside the in-scope list.

Authorising officer

The person whose authority makes this engagement legitimate. They must either be you, or have given you written authorisation.

Full name

Title

Work email

Auto-filled from their name and your work-email domain. Edit it if your organisation uses a different address format.

Rules of Engagement

I am authorised to engage ThinSky to perform active security testing of my email's domain and the in-scope assets I have listed, and I have the authority to grant that authorisation. I authorise authenticated, exploit-driven testing of the in-scope assets — this includes ThinSky's agent creating its own throwaway test accounts to exercise authenticated flows, optionally using scoped test credentials I supply, and demonstrating proof-of-vulnerability with data access bounded to a single row count, one masked record, or a screenshot — never bulk data. Testing is strictly limited to the in-scope assets and expressly excludes denial-of-service of any kind, destruction or modification of real accounts or data, password changes on real accounts, persistence, and detection-evasion. ThinSky begins the moment the authorising officer clicks the authorisation link emailed to them. I accept the ThinSky Terms of Service governing this engagement.

What this means: authenticated testing with agent-created throwaway accounts is in scope. We never run denial-of-service or destructive actions, and we never touch your real accounts or data.

I have read the Rules of Engagement above and I accept them on behalf of the authorising officer named above.

By submitting, you authorise ThinSky to scan the public surface of your email's domain under the Rules of Engagement above. We log the IP, browser, and timestamp. Nothing runs until the authorising officer clicks the link we email them. Use of this feature is governed by our Terms of Service.

What runs (and what doesn't)

httpx — maps your public surface: hosts, status, titles, server tech.
subfinder — passive subdomain discovery across many public sources, widening the in-scope host list.
nmap — top-1000 TCP ports, escalating only if findings justify it.
sslyze — TLS protocols, certificates, HSTS, Heartbleed, ROBOT.
nuclei — ProjectDiscovery template set across OWASP A01/A03/A05/A06/A07/A08/A10.
katana — crawls for sensitive paths to feed into nuclei.
gau — pulls historical URLs from public web archives to surface forgotten endpoints.
trufflehog — scans crawled JavaScript and assets for leaked secrets — API keys, tokens, credentials.

We do test authenticated flows — our agent creates its own throwaway test accounts (or uses scoped credentials you supply) to reach logged-in surfaces. We do not attempt bulk data extraction, denial-of-service, destruction or modification of real accounts or data, password changes on real accounts, persistence, or detection-evasion. Findings are proof-of-vulnerability only.

Check the authorising officer's inbox.