$loading...
Passive and active reconnaissance recipes — domains, subdomains, people/email, code, and cloud — for authorized engagements. (20 payloads)
whois example.comdig +nocmd example.com any +noall +answerdig +short txt example.comwhois -h whois.cymru.com " -v 8.8.8.8"dnsrecon -d example.com -t stdcurl -s 'https://crt.sh/?q=%25.example.com&output=json' | jq -r '.[].name_value' | sort -usubfinder -d example.com -all -silentamass enum -passive -d example.comassetfinder --subs-only example.comtheHarvester -d example.com -b allholehe [email protected]curl -s 'https://api.hunter.io/v2/domain-search?domain=example.com&api_key=KEY'# HaveIBeenPwned: check breach exposure for known accounts (with API key)# GitHub dork: org:exampleorg "password" OR filename:.envtrufflehog github --org=exampleorgaws s3 ls s3://example-bucket --no-sign-requestcurl -s 'https://storage.googleapis.com/example-bucket/'exiftool document.pdfexiftool -gps:all -n image.jpgcurl -s https://example.com/sitemap.xml | grep -oE 'https?://[^<]+'Level up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides
It's a quick-reference collection of 20 OSINT payloads for testing OSINT & Reconnaissance vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or use the Recon Hub to apply them interactively. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all OSINT payloads are completely free, with no account required. Everything runs in your browser.