  1. Small Scope
    1. Only specific URLs are in scope. This usually means staging, dev or testing hosts, or a single URL, e.g. app.harshbothra.tech
      1. Recon To-Do
        1. Directory Enumeration
        2. Technology Fingerprinting
        3. Port Scanning
        4. Parameter Fuzzing
        5. Wayback History
        6. Known Vulnerabilities
        7. Hardcoded Information in JavaScript
        8. Domain Specific GitHub & Google Dorking
        9. Broken Link Hijacking
        10. Data Breach Analysis
        11. Misconfigured Cloud Storage
  2. Medium Scope
    1. Usually a wildcard scope in which every subdomain is in scope, e.g. Scope: *.harshbothra.tech
      1. Recon To-Do
        1. Subdomain Enumeration
        2. Subdomain Takeover
        3. Probing & Technology Fingerprinting
        4. Port Scanning
        5. Known Vulnerabilities
        6. Template Based Scanning (Nuclei/Jaeles)
        7. Misconfigured Cloud Storage
        8. Broken Link Hijacking
        9. Directory Enumeration
        10. Hardcoded Information in JavaScript
        11. GitHub Reconnaissance
        12. Google Dorking
        13. Data Breach Analysis
        14. Parameter Fuzzing
        15. Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
        16. IP Range Enumeration (If in Scope)
        17. Wayback History
        18. Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
        19. Heartbleed Scanning
        20. General Security Misconfiguration Scanning
  3. Large Scope
    1. Everything related to the organization is in scope, including child companies, subdomains and any labelled asset the organization owns.
      1. Recon To-Do
        1. Tracking & Tracing every possible signature of the Target Application (Often there is no history on Google for a scope target, but you can still crawl it.)
        2. Subsidiary & Acquisition Enumeration (Depth – Max)
        3. Reverse Lookup
        4. ASN & IP Space Enumeration and Service Identification
        5. Subdomain Enumeration
        6. Subdomain Takeover
        7. Probing & Technology Fingerprinting
        8. Port Scanning
        9. Known Vulnerabilities
        10. Template Based Scanning (Nuclei/Jaeles)
        11. Misconfigured Cloud Storage
        12. Broken Link Hijacking
        13. Directory Enumeration
        14. Hardcoded Information in JavaScript
        15. GitHub Reconnaissance
        16. Google Dorking
        17. Data Breach Analysis
        18. Parameter Fuzzing
        19. Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
        20. IP Range Enumeration (If in Scope)
        21. Wayback History
        22. Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
        23. Heartbleed Scanning
        24. General Security Misconfiguration Scanning
        25. Any other applicable Recon Vector (Network/Web).
  4. Based on the Scope Based Recon Methodology by Harsh Bothra (@harshbothra_)
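The three tiers above differ mainly in what counts as an in-scope host, and the wildcard case has edge cases the outline leaves implicit (does `*.harshbothra.tech` cover the apex, or hosts several labels deep?). The scope matcher below is an added example, not code from the original mind map or from Harsh Bothra. It assumes its own entry format (exact host, `*.apex` wildcard, `!` prefix for exclusions) and, by its own convention, treats a wildcard as matching the apex and every depth below it. `acquired-example.com` and `unrelated.example` are constructed placeholder domains; `app.harshbothra.tech` and `*.harshbothra.tech` are the outline's own examples.

```python
"""Scope matcher for the small / medium / large scope tiers.

Added example; conventions here are assumptions, not the author's:
  "app.example.com"    exact host              -> small scope
  "*.example.com"      wildcard on an apex     -> medium scope
  "!dev.example.com"   exclusion (exact or wildcard), wins over any include
A large scope is modelled as several wildcard entries, one per owned root domain.
Hostnames are compared case-insensitively with any trailing dot stripped.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def normalize_host(target: str) -> str:
    """Return the lower-cased hostname of a URL or bare host[:port], no trailing dot."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(target).hostname or ""  # .hostname already lower-cases and drops the port
    return host.rstrip(".")


def _under(host: str, apex: str) -> bool:
    """True when host is the apex itself or sits at any label depth below it."""
    return host == apex or host.endswith("." + apex)


@dataclass
class Scope:
    hosts: set = field(default_factory=set)               # exact in-scope hosts
    wildcards: set = field(default_factory=set)           # apex domains from "*.apex"
    excluded_hosts: set = field(default_factory=set)      # exact "!host" entries
    excluded_wildcards: set = field(default_factory=set)  # "!*.apex" entries

    @classmethod
    def parse(cls, entries):
        """Build a Scope from a list of entry strings in the assumed format."""
        scope = cls()
        for raw in entries:
            entry = raw.strip()
            if not entry:
                continue
            exclude = entry.startswith("!")
            if exclude:
                entry = entry[1:]
            if entry.startswith("*."):
                bucket = scope.excluded_wildcards if exclude else scope.wildcards
                bucket.add(normalize_host(entry[2:]))
            else:
                bucket = scope.excluded_hosts if exclude else scope.hosts
                bucket.add(normalize_host(entry))
        return scope

    def contains(self, target: str) -> bool:
        """Decide whether a URL or host is in scope; exclusions take precedence."""
        host = normalize_host(target)
        if not host:
            return False
        if host in self.excluded_hosts or any(_under(host, a) for a in self.excluded_wildcards):
            return False
        return host in self.hosts or any(_under(host, a) for a in self.wildcards)

    def tier(self) -> str:
        """Classify the scope the way the outline does (assumed mapping)."""
        if not self.wildcards:
            return "small"
        return "medium" if len(self.wildcards) == 1 else "large"


def filter_in_scope(scope, candidates):
    """Keep only candidates the scope allows.

    Passive discovery (subdomain enumeration, wayback, search engines) routinely
    returns hosts outside the authorised scope; filter here before any active
    step such as port scanning or parameter fuzzing touches a host.
    """
    return [c for c in candidates if scope.contains(c)]


if __name__ == "__main__":
    medium = Scope.parse(["*.harshbothra.tech", "!dev.harshbothra.tech"])
    found = ["api.harshbothra.tech", "dev.harshbothra.tech",
             "harshbothra.tech.unrelated.example"]  # constructed discovery output
    print(medium.tier(), filter_in_scope(medium, found))
```

Note that a host such as `harshbothra.tech.unrelated.example` is rejected because the match is on the `.` + apex suffix, not a plain substring; a matcher that only checks `"harshbothra.tech" in host` would wrongly pull third-party hosts into active testing.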