Skip to content


An Event is a piece of data discovered by BBOT. Examples include IP_ADDRESS, DNS_NAME, EMAIL_ADDRESS, URL, etc. When you run a BBOT scan, events are constantly being exchanged between modules. They are also output to the console:

[DNS_NAME]    sslcert         (distance-0, in-scope, resolved, subdomain, a-record)
 ^^^^^^^^       ^^^^^^^^^^^^^^^^    ^^^^^^^          ^^^^^^^^^^
event type      event data          source module    tags

In addition to the obvious data (e.g., an event also contains other useful information such as:

  • a .timestamp of when the data was discovered
  • the .module that discovered it
  • the .source event that led to its discovery
  • its .scope_distance (how many hops it is from the main scope, 0 == in-scope)
  • a list of .tags that describe the data (mx-record, http-title, etc.)

These attributes allow us to construct a visual graph of events (e.g. in Neo4j) and query/filter/grep them more easily. Here is what a typical event looks like in JSON format:

  "type": "URL",
  "id": "URL:017ec8e5dc158c0fd46f07169f8577fb4b45e89a",
  "data": "",
  "web_spider_distance": 0,
  "scope_distance": 0,
  "scan": "SCAN:4d786912dbc97be199da13074699c318e2067a7f",
  "timestamp": 1688526222.723366,
  "resolved_hosts": [""],
  "source": "OPEN_TCP_PORT:cf7e6a937b161217eaed99f0c566eae045d094c7",
  "tags": [
  "module": "httpx",
  "module_sequence": "httpx"

For a more detailed description of BBOT events, see Developer Documentation - Event.

Below is a full list of event types along with which modules produce/consume them.

List of Event Types

Event Type # Consuming Modules # Producing Modules Consuming Modules Producing Modules
* 12 0 affiliates, csv, discord, http, human, json, neo4j, python, slack, splunk, teams, websocket
ASN 0 1 asn
AZURE_TENANT 1 0 speculate
CODE_REPOSITORY 0 2 github_codesearch, github_org
DNS_NAME 57 42 anubisdb, asset_inventory, azure_realm, azure_tenant, baddns, baddns_zone, bevigil, binaryedge, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, builtwith, c99, censys, certspotter, chaos, columbus, credshed, crobat, crt, dehashed, digitorus, dnscommonsrv, dnsdumpster, emailformat, fullhunt, github_codesearch, hackertarget, hunterio, internetdb, leakix, massdns, myssl, nmap, oauth, otx, passivetotal, pgp, postman, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, skymem, speculate, subdomaincenter, subdomains, sublist3r, threatminer, urlscan, viewdns, virustotal, wayback, zoomeye anubisdb, azure_tenant, bevigil, binaryedge, builtwith, c99, censys, certspotter, chaos, columbus, crobat, crt, digitorus, dnscommonsrv, dnsdumpster, fullhunt, hackertarget, hunterio, internetdb, leakix, massdns, myssl, ntlm, oauth, otx, passivetotal, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, speculate, sslcert, subdomaincenter, sublist3r, threatminer, urlscan, vhost, viewdns, virustotal, wayback, zoomeye
DNS_NAME_UNRESOLVED 3 0 baddns, speculate, subdomains
EMAIL_ADDRESS 1 6 emails credshed, emailformat, hunterio, pgp, skymem, sslcert
FINDING 2 26 asset_inventory, web_report ajaxpro, baddns, baddns_zone, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dastardly, git, host_header, hunt, internetdb, newsletters, ntlm, nuclei, paramminer_cookies, paramminer_getparams, paramminer_headers, secretsdb, smuggler, speculate, telerik, url_manipulation
GEOLOCATION 0 2 ip2location, ipstack
HASHED_PASSWORD 0 2 credshed, dehashed
HTTP_RESPONSE 18 1 ajaxpro, asset_inventory, badsecrets, dastardly, dotnetnuke, excavate, filedownload, host_header, hunt, newsletters, ntlm, paramminer_cookies, paramminer_getparams, paramminer_headers, secretsdb, speculate, telerik, wappalyzer httpx
IP_ADDRESS 9 3 asn, asset_inventory, internetdb, ip2location, ipneighbor, ipstack, masscan, nmap, speculate asset_inventory, ipneighbor, speculate
IP_RANGE 3 0 masscan, nmap, speculate
OPEN_TCP_PORT 4 5 asset_inventory, fingerprintx, httpx, sslcert asset_inventory, internetdb, masscan, nmap, speculate
ORG_STUB 1 1 github_org speculate
PASSWORD 0 2 credshed, dehashed
PROTOCOL 0 1 fingerprintx
SOCIAL 3 1 github_org, gowitness, speculate social
STORAGE_BUCKET 7 5 bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, speculate bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google
TECHNOLOGY 2 5 asset_inventory, web_report badsecrets, dotnetnuke, gowitness, internetdb, wappalyzer
URL 19 2 ajaxpro, asset_inventory, bypass403, ffuf, generic_ssrf, git, gowitness, httpx, iis_shortnames, ntlm, nuclei, robots, smuggler, speculate, telerik, url_manipulation, vhost, wafw00f, web_report gowitness, httpx
URL_HINT 1 1 ffuf_shortnames iis_shortnames
URL_UNVERIFIED 5 13 filedownload, httpx, oauth, social, speculate azure_realm, bevigil, bucket_file_enum, excavate, ffuf, ffuf_shortnames, github_codesearch, gowitness, hunterio, postman, robots, urlscan, wayback
USERNAME 1 2 speculate credshed, dehashed
VHOST 1 1 web_report vhost
VULNERABILITY 2 10 asset_inventory, web_report ajaxpro, baddns, baddns_zone, badsecrets, dastardly, dotnetnuke, generic_ssrf, internetdb, nuclei, telerik
WAF 1 1 asset_inventory wafw00f
WEBSCREENSHOT 0 1 gowitness

Findings Vs. Vulnerabilities

BBOT has a sharp distinction between Findings and Vulnerabilities:


  • There's a higher standard for what is allowed to be a vulnerability. They should be considered confirmed and actionable - no additional confirmation required
  • They are always assigned a severity. The possible severities are: LOW, MEDIUM, HIGH, or CRITICAL


  • Findings can range anywhere from "slightly interesting behavior" to "likely, but unconfirmed vulnerability"
  • Are often false positives

By making this separation, actionable vulnerabilities can be identified quickly in the midst of a large scan