About • Download & Install • Updating • Getting Started • Workflows • Troubleshooting • FAQs • YouTube • LinkedIn
<em>🚨 Pre-Alpha Release Out now!! Beta Launch @ DEFCON 33 Bug Bounty Hunting Village!!! 🚨</em>
My full bug bounty hunting methodology built into a single framework! Automate the most common bug bounty hunting workflows and Earn While You Learn!
Watch This Video First Watch This Video Second
This framework will help you grow as much as my hair did between these videos 😉
The goal of this tool is to eliminate the barrier of entry for bug bounty hunting. My hope is that someone can pick up this tool and start hunting on day one of their AppSec journey 🚀
Howdy! My name is Harrison Richardson, or rs0n (arson) when I want to feel cooler than I really am. The code in this repository started as a small collection of scripts to help automate many of the common Bug Bounty hunting processes I found myself repeating. Over time, I built these scripts into an open-source framework that helped thousands of people around the world begin their bug bounty hunting journey.
However, the first implementation of the framework had a wide range of issues. The majority of the problems were a result of the tool never being designed with the intent of being shared as an open-source project. So I got to work on a version 2 that would solve these problems and bring my vision to life!

The Ars0n Framework V2 is designed to be a tool that allows people to start REAL bug bounty hunting against actual targets on day one! The framework acts as a wrapper around 20+ widely used bug bounty hunting tools and a clever UI design forces the user into a correct hunting methodology. It is literally impossible to use this tool without going through rs0n's process!
The results of each tool are stored in a central database and can be used for understanding/visualizing the target company's attack surface. Each section also includes a "Help Me Learn!" dropdown that includes a lession plan to help the user understand what part of the methodology they are at, what they are trying to acheive, and most importantly the "Why?" behind it.
My hope is that this modular framework will act as a canvas to help share what I've learned over my career to the next generation of Security Engineers! Trust me, we need all the help we can get!!
Pre-Alpha Demo Videos
The Ars0n Framework v2 Includes All These Tools And More!
<a href="https://github.com/owasp-amass/amass">Amass</a> - Advanced attack surface mapping and asset discovery tool for security research
<a href="https://github.com/projectdiscovery/subfinder">Subfinder</a> - Fast and reliable subdomain enumeration tool with multiple data sources
<a href="https://github.com/aboul3la/Sublist3r">Sublist3r</a> - Fast subdomain enumeration tool using various search engines and data sources
<a href="https://github.com/tomnomnom/assetfinder">Assetfinder</a> - Find assets related to a domain using various data sources and APIs
<a href="https://github.com/projectdiscovery/httpx">Httpx</a> - Fast and multi-purpose HTTP toolkit for web reconnaissance and scanning
<a href="https://github.com/jaeles-project/gospider">GoSpider</a> - Fast web spider written in Go for crawling and extracting URLs
<a href="https://github.com/nsonaniya2010/SubDomainizer">Subdomainizer</a> - Advanced subdomain enumeration tool with multiple discovery methods
<a href="https://github.com/digininja/CeWL">CeWL</a> - Custom word list generator that spiders websites to create targeted wordlists
<a href="https://github.com/projectdiscovery/shuffledns">ShuffleDNS</a> - Mass DNS resolver with wildcard filtering and validation capabilities
<a href="https://github.com/projectdiscovery/nuclei">Nuclei</a> - Fast and customizable vulnerability scanner with extensive template library
<a href="https://github.com/projectdiscovery/katana">Katana</a> - Fast and powerful web crawler for discovering hidden endpoints and content
<a href="https://github.com/ffuf/ffuf">FFuf</a> - Fast web fuzzer with support for multiple protocols and advanced filtering
<a href="https://github.com/lc/gau">GAU</a> - Get All URLs tool that fetches known URLs from various historical data sources
<a href="https://github.com/pdiscoveryio/ctl">CTL</a> - Certificate Transparency Log tool for discovering subdomains from SSL certificates
<a href="https://github.com/projectdiscovery/dnsx">DNSx</a> - Fast and multi-purpose DNS toolkit for running multiple DNS queries
<a href="https://github.com/initstring/cloud_enum">Cloud Enum</a> - Multi-cloud OSINT tool for enumerating public resources in AWS, Azure, and Google Cloud
<a href="https://github.com/j3ssie/metabigor">Metabigor</a> - OSINT tool for network intelligence gathering including ASN and IP range discovery
<a href="https://github.com/gwen001/github-search">GitHub Recon</a> - GitHub reconnaissance tool for discovering organization mentions and domain patterns
<a href="https://github.com/projectdiscovery/naabu">Naabu</a> - Fast port scanner for discovering open ports and services
<a href="https://github.com/whoxy/whoxy">Reverse Whois</a> - Reverse WHOIS lookup using Whoxy to find domains registered by the same entity
<a href="https://securitytrails.com">SecurityTrails</a> - Comprehensive DNS, domain, and IP data provider for digital asset discovery
<a href="https://censys.io">Censys</a> - Internet-wide scanning platform for discovering and monitoring assets
<a href="https://shodan.io">Shodan</a> - Search engine for internet-connected devices and services
This framework consists of 20+ Docker containers along w/ a Docker Compose Manifest to automate the process of deploying these containers.
docker-compose.yml filedocker-compose up --buildhttp://localhost (or http://<server-ip> from other machines)HINT: If you get a docker error, the problem is probably w/ docker, not my framework
Step 1: Download the framework
Invoke-WebRequest -Uri "https://github.com/R-s0n/ars0n-framework-v2/releases/download/beta-0.0.7/ars0n-framework-v2-beta-0.0.7.zip" -OutFile "ars0n-framework-v2-beta-0.0.7.zip"
Step 2: Extract the zip file
Expand-Archive -Path "ars0n-framework-v2-beta-0.0.7.zip" -DestinationPath "."
Step 3: Navigate to the framework directory
cd ars0n-framework-v2
Step 4: Start the framework
docker-compose up --build
Step 5: Access the framework at http://localhost
Step 1: Download the framework
curl -L -o ars0n-framework-v2-beta-0.0.7.zip "https://github.com/R-s0n/ars0n-framework-v2/releases/download/beta-0.0.7/ars0n-framework-v2-beta-0.0.7.zip"
Step 2: Extract the zip file
unzip ars0n-framework-v2-beta-0.0.7.zip
Step 3: Navigate to the framework directory
cd ars0n-framework-v2
Step 4: Start the framework
docker-compose up --build
Step 5: Access the framework at http://localhost
Step 1: Download the framework
wget "https://github.com/R-s0n/ars0n-framework-v2/releases/download/beta-0.0.7/ars0n-framework-v2-beta-0.0.7.zip"
Step 2: Extract the zip file
unzip ars0n-framework-v2-beta-0.0.7.zip
Step 3: Navigate to the framework directory
cd ars0n-framework-v2
Step 4: Start the framework
docker-compose up --build
Step 5: Access the framework at http://localhost
The framework includes update scripts that will bring you to the latest version from any previous version. Your scan data, API keys, and settings are stored in Docker volumes and will be preserved automatically.
powershell -ExecutionPolicy Bypass -File update.ps1
chmod +x update.sh
./update.sh
docker-compose.yml and wordlists in case you customized themNote: If you downloaded the framework as a zip file, the update script will initialize a git repository for you automatically. Future updates will be faster since git only downloads what changed.
Once you have the Ars0n Framework v2 running, you'll be presented with a welcome screen that offers several options to begin your bug bounty hunting journey. Here's how to get started:
Best for: Starting fresh reconnaissance on a new target
URL: Specific attack vector targeting a single domain (e.g., "https://hackme.google.com")
Enter Target Information:
For URL targets: Enter the specific URL
Begin Reconnaissance:
Best for: Learning from pre-scanned data or resuming previous sessions
.rs0n file (like those available in the scan data repository).rs0n file.rs0n file:
https://github.com/R-s0n/ars0n-framework-v2-scan-data/raw/refs/heads/main/Grammarly/rs0n-export-2025-07-27T18-19-17.rs0nBest for: Understanding the bug bounty hunting process without running scans
The Ars0n Framework v2 Scan Data Repository contains real-world scan data that you can import to learn:
The Ars0n Framework v2 supports three distinct workflows, each designed for different reconnaissance scenarios and objectives. Each workflow follows rs0n's proven bug bounty methodology and automatically guides users through the correct sequence of tools and techniques.
Objective: Discover and map all digital assets owned by an organization to build a comprehensive attack surface for security testing.
$ claude mcp add ars0n-framework-v2 \
-- python -m otcore.mcp_server <graph>