reNgine
reNgine is an open-source, automated reconnaissance framework designed for web application security. It serves as a centralized platform that orchestrates the entire information-gathering process during penetration testing and bug bounty hunting.
Instead of requiring security professionals to manually run, configure, and parse the output of dozens of separate tools (like subdomain finders, port scanners, and directory busters), reNgine acts as a pipeline manager. It chains these tools together, aggregates their results into a single database, and presents the data in a visual dashboard. This allows security teams to focus on analyzing the attack surface rather than on managing tool mechanics.
Core Functionality: The Reconnaissance Pipeline
reNgine operates on the concept of a "Scan Engine," which is a customizable workflow defined in YAML. When a scan is initiated against a target domain (e.g., example.com), reNgine executes the following sequential steps automatically:
Subdomain Discovery: It queries passive sources (like passive DNS and certificate logs) and performs active brute-forcing to find all subdomains associated with the target.
Port Scanning: It identifies open ports and running services on the discovered subdomains to find entry points.
Visual Reconnaissance: It captures screenshots of every live web page, allowing analysts to visually inspect hundreds of sites in minutes to spot login portals or error pages.
Directory and Endpoint Discovery: It crawls the web pages to find hidden files, directories, and API endpoints that may not be linked from the main page.
Vulnerability Scanning: It can run lightweight vulnerability scanners (like Nuclei) against the discovered assets to flag low-hanging fruit such as XSS, open redirects, or CVEs.
Key Features and Capabilities
reNgine transforms raw data into actionable intelligence through several key features:
Continuous Monitoring and Change Detection: One of reNgine's most valuable features is its ability to track "Drift." It compares the results of the current scan against previous scans to highlight exactly what has changed. It alerts users to new subdomains or newly opened ports, which are often the most vulnerable parts of an attack surface.
Data Correlation: reNgine consolidates data from multiple tools into a single view. For example, it correlates a subdomain with its IP address, open ports, technology stack (e.g., "Running Nginx 1.18"), and vulnerability scan results. This contextual view helps analysts quickly assess the risk of a specific asset.
Highly Configurable Scan Engines: Users can define the intensity of the scan. A "Passive" scan might only query public records to remain quiet, while an "Active" scan might perform aggressive port scanning and directory busting. This flexibility allows reNgine to be used for both stealthy red team operations and noisy compliance audits.
Project and Target Management: It organizes reconnaissance data into specific projects, making it suitable for consultants managing multiple clients or bug bounty hunters tracking different programs.
Strategic Benefits
Efficiency and Speed: By automating the repetitive "Discovery" phase of an assessment, reNgine reduces the time required to map an attack surface from days to hours. This allows testers to spend more time on manual exploitation and logic testing.
Visualization of the Attack Surface: The graphical dashboard provides high-level metrics (e.g., "Most Common Technologies," "Top Vulnerabilities," "Most Exposed Ports"), which helps in reporting and communicating risk to stakeholders.
Frequently Asked Questions
Is reNgine a vulnerability scanner? Not primarily. While it has some vulnerability-scanning capabilities (via integrations with tools like Nuclei), its primary function is reconnaissance—identifying the assets to scan.
What tools does reNgine use under the hood? reNgine wraps around popular open-source tools such as Amass and Subfinder (for discovery), Naabu (for port scanning), HTTPX (for probing web servers), and Nuclei (for vulnerability templates).
Is reNgine free? Yes, reNgine is open-source software released under the MIT License and is free to use.
How is reNgine deployed? It is typically deployed using Docker, which simplifies installing its many dependencies and underlying tools.
ThreatNG and reNgine: Strategic Intelligence Meets Tactical Reconnaissance
ThreatNG and reNgine function as a powerful, layered reconnaissance ecosystem. ThreatNG serves as the strategic "Intelligence" layer, providing broad, business-aware discovery and risk assessment, while reNgine serves as the tactical "Execution" layer, performing in-depth technical scanning and enumeration.
Together, they create a comprehensive pipeline where ThreatNG identifies where to look (Target Acquisition) and reNgine determines what is technically wrong (Vulnerability Validation). This partnership closes the gap between high-level governance and low-level penetration testing.
External Discovery: Defining the Scope
reNgine is an excellent orchestrator, but it relies on seed domains to begin its work. ThreatNG’s External Discovery engine fuels reNgine by acting as the ultimate target generator.
Seedless Target Injection: ThreatNG uses recursive discovery to find assets that are not obvious subdomains, such as cloud storage buckets, code repositories, and subsidiary domains that reNgine’s standard wordlists might miss. ThreatNG discovers the "Unknown Unknowns"—like a forgotten marketing microsite on a distinct domain—and feeds these new targets into reNgine’s project scope.
Shadow Infrastructure Identification: While reNgine scans for subdomains, ThreatNG identifies the broader infrastructure, including Exposed Open Cloud Buckets (S3, Azure Blob). If ThreatNG identifies a public bucket containing source code, it directs the security team to point reNgine at that specific asset to crawl for sensitive files or secrets.
External Assessment: Context Overload
reNgine provides deep technical data (ports, HTTP headers, CVEs). ThreatNG’s External Assessment enriches this raw data with the business and legal context required to make decisions.
Business Viability Assessment (Financial & Legal Resources):
The reNgine Finding: reNgine’s screenshotting module captures a login page for a third-party vendor portal linked to the main domain.
ThreatNG’s Contribution: ThreatNG assesses the vendor behind that portal using Financial and Legal Resources. It determines that the vendor is currently in bankruptcy proceedings and has a history of data negligence. This transforms reNgine’s finding from "A Login Page Exists" to "Critical Supply Chain Risk," prompting immediate strategic action.
Technical Stack Validation (Technical Resources):
The reNgine Finding: reNgine reports that a server is running Nginx 1.18.
ThreatNG’s Contribution: ThreatNG validates this finding against its global technology database and identifies that this specific version is End-of-Life (EOL). It adds the context that this technology stack is no longer supported, elevating the priority of the finding in the remediation queue.
Investigation Modules: Forensics and Attribution
When reNgine flags a suspicious asset, analysts need to investigate the "Who" and "Why." ThreatNG’s investigation modules provide OSINT tools that enable pivoting from technical scanning to forensic attribution.
Sanitized Dark Web Investigation:
The Workflow: reNgine discovers an exposed administrative panel on a subdomain, admin.dev-site.com.
ThreatNG Deep Dive: Analysts use ThreatNG’s Sanitized Dark Web module to search for credentials associated with that specific subdomain. Finding "Admin/Password123" listings on the dark web confirms that the panel found by reNgine is not just exposed, but likely already compromised.
Domain Intelligence and Pivoting:
The Workflow: reNgine identifies a subdomain pointing to an unknown IP address.
ThreatNG Deep Dive: Analysts use the Domain Intelligence module to pivot on the IP address. They identify the registrant and hosting provider. If the IP is linked to a "Bulletproof Host" often used by attackers, ThreatNG confirms the asset is hostile infrastructure (e.g., a phishing landing page) rather than a legitimate company asset.
Archived Web Page Investigation:
The Workflow: reNgine’s screenshot module shows a blank page or a 404 error for a discovered asset.
ThreatNG Deep Dive: Analysts use the Archived Web Page module to view historical snapshots. They discover that 24 hours ago, the page displayed sensitive customer data. This allows the team to treat the "blank page" as a data breach incident requiring forensic review.
Continuous Monitoring: The Trigger Mechanism
reNgine scans are often run on a schedule or on-demand. ThreatNG’s Continuous Monitoring acts as the "Tripwire" that tells reNgine when to scan.
Event-Driven Reconnaissance: ThreatNG monitors the attack surface for Drift. If ThreatNG detects a new subdomain or a change in a firewall rule (e.g., one that suddenly allows Port 445), it raises an alert. This alert can prompt the security team to immediately launch a targeted reNgine scan of that specific asset, ensuring that deep technical enumeration occurs exactly when the risk appears.
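The drift tracking described under "Continuous Monitoring and Change Detection" and the event-driven trigger above both come down to diffing two scan snapshots and rescanning only what grew. The following is an added example, not code from reNgine or ThreatNG; the snapshot shape (hostname mapped to open ports) and all function names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample snapshots: hostname -> open ports. This shape is an
# assumption for illustration, not reNgine's or ThreatNG's export schema.
PREVIOUS = {
    "www.example.com": {80, 443},
    "mail.example.com": {25, 443},
    "old.example.com": {443},
}
CURRENT = {
    "WWW.example.com.": {80, 443},       # same host, different spelling
    "mail.example.com": {25, 443, 445},  # port 445 newly reachable
    "staging.example.com": {22, 8080},   # host not seen before
}

@dataclass
class Drift:
    new_hosts: dict = field(default_factory=dict)     # host -> open ports
    opened_ports: dict = field(default_factory=dict)  # host -> newly open ports
    closed_ports: dict = field(default_factory=dict)  # host -> ports no longer open
    removed_hosts: list = field(default_factory=list)

    def rescan_targets(self):
        """Hosts whose exposure grew: candidates for a targeted follow-up scan."""
        return sorted(set(self.new_hosts) | set(self.opened_ports))

def normalize(snapshot):
    """Lower-case names and drop the trailing dot so spelling is not drift."""
    merged = {}
    for host, ports in snapshot.items():
        merged.setdefault(host.strip().rstrip(".").lower(), set()).update(ports)
    return merged

def compute_drift(previous, current):
    prev, curr = normalize(previous), normalize(current)
    drift = Drift(removed_hosts=sorted(set(prev) - set(curr)))
    for host, ports in curr.items():
        if host not in prev:
            drift.new_hosts[host] = sorted(ports)
            continue
        if ports - prev[host]:
            drift.opened_ports[host] = sorted(ports - prev[host])
        if prev[host] - ports:
            drift.closed_ports[host] = sorted(prev[host] - ports)
    return drift

if __name__ == "__main__":
    print(compute_drift(PREVIOUS, CURRENT))
```

Removed hosts and closed ports are reported but kept out of the rescan list, since they shrink the exposed surface rather than extend it.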
Intelligence Repositories: Threat Prioritization
ThreatNG’s Intelligence Repositories help teams prioritize the massive amount of data reNgine produces.
Ransomware Correlation: reNgine might identify 500 open ports across the estate. ThreatNG identifies that three of those ports are associated with a specific RDP service currently being exploited by a ransomware group. By correlating reNgine’s scan results with ThreatNG’s threat intelligence, the team knows exactly which three ports to close first to prevent a ransomware attack.
Reporting: The Full Picture
ThreatNG’s Reporting capabilities bridge the gap between the technical details and the executive summary.
Strategic vs. Tactical Reporting: reNgine generates excellent technical reports for pentesters (e.g., "List of XSS endpoints"). ThreatNG generates governance reports for CISOs (e.g., "Overall Attack Surface Score"). Using both provides a complete reporting suite: ThreatNG justifies the budget and strategy to leadership, while reNgine provides the work orders to engineering.
Complementary Solutions
ThreatNG and reNgine work together to create a robust "Red Team / Blue Team" dynamic within the organization.
The Reconnaissance Hand-Off
Cooperation: ThreatNG performs the Broad Phase reconnaissance. It maps the entire internet to find every company-related asset, including obscure cloud buckets and shadow SaaS. It hands this verified "Target List" to the security team. The team then imports these targets into reNgine to perform Deep Phase reconnaissance (port scanning, directory enumeration, screenshot capture). This ensures reNgine is not wasting resources scanning the wrong things, and that it isn't missing assets it couldn't find on its own.
Vulnerability Validation
Cooperation: ThreatNG acts as the risk profiler. It might flag an asset as "High Risk" because of its location and business function (e.g., a payment portal). reNgine then runs its Nuclei templates against that asset to check for specific CVEs. If reNgine confirms a vulnerability, the finding is validated. If reNgine finds nothing, the asset remains "High Risk" due to its importance (ThreatNG context), but "Technically Secure" (reNgine validation).
Shadow IT Lifecycle Management
Cooperation: ThreatNG discovers a Shadow IT asset (e.g., a rogue WordPress site). reNgine scans it and identifies that it is running outdated plugins. ThreatNG then provides the investigation tools (Domain Intelligence) to find the owner of the domain so the security team can contact them and enforce the takedown or remediation.
Frequently Asked Questions
Does ThreatNG perform the same scans as reNgine? No. reNgine focuses on active, noisy scanning (port scanning, directory brute-forcing). ThreatNG focuses on passive, strategic discovery (OSINT, business relationships, dark web). They are different sides of the same coin.
Why do I need ThreatNG if I have reNgine? reNgine finds technical flaws; ThreatNG finds business risks. reNgine won't tell you that your vendor is bankrupt or that your credentials are on the dark web. ThreatNG provides the holistic context that technical scanners miss.
Can ThreatNG help configure reNgine? Indirectly, yes. ThreatNG’s discovery data provides the exact list of subdomains and IP ranges to configure as "In-Scope" for reNgine projects, ensuring 100% coverage of the attack surface.

