An Event is a piece of data discovered by BBOT. Examples include IP_ADDRESS, DNS_NAME, EMAIL_ADDRESS, URL, etc. When you run a BBOT scan, events are constantly being exchanged between modules. They are also output to the console:

[DNS_NAME]    sslcert         (distance-0, in-scope, resolved, subdomain, a-record)
 ^^^^^^^^       ^^^^^^^^^^^^^^^^    ^^^^^^^          ^^^^^^^^^^
event type      event data          source module    tags

In addition to the obvious data, an event also contains other useful information, such as:

  • a .timestamp of when the data was discovered
  • the .module that discovered it
  • the .source event that led to its discovery
  • its .scope_distance (how many hops it is from the main scope, 0 == in-scope)
  • a list of .tags that describe the data (mx-record, http-title, etc.)

These attributes allow us to construct a visual graph of events (e.g. in Neo4j) and query/filter/grep them more easily. Here is what a typical event looks like in JSON format:

{
  "type": "URL",
  "id": "URL:017ec8e5dc158c0fd46f07169f8577fb4b45e89a",
  "data": "",
  "web_spider_distance": 0,
  "scope_distance": 0,
  "scan": "SCAN:4d786912dbc97be199da13074699c318e2067a7f",
  "timestamp": 1688526222.723366,
  "resolved_hosts": [""],
  "source": "OPEN_TCP_PORT:cf7e6a937b161217eaed99f0c566eae045d094c7",
  "tags": [],
  "module": "httpx",
  "module_sequence": "httpx"
}

For a more detailed description of BBOT events, see Developer Documentation - Event.
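
The attributes described above are enough to reconstruct how any event was discovered and to filter results by scope. The following is an added example, not part of the BBOT documentation or code base: it assumes the scan's events were saved as one JSON object per line, and every id, hostname and tag in the sample is constructed.

```python
import json

# Constructed sample (not real scan output): one JSON event per line, using
# only fields shown in the event above. "source" holds the parent event's id.
SAMPLE_NDJSON = """\
{"type": "DNS_NAME", "id": "DNS_NAME:aaa", "data": "www.example.test", "scope_distance": 0, "source": "DNS_NAME:seed", "tags": ["in-scope", "subdomain"], "module": "crt"}
{"type": "OPEN_TCP_PORT", "id": "OPEN_TCP_PORT:bbb", "data": "www.example.test:443", "scope_distance": 0, "source": "DNS_NAME:aaa", "tags": ["in-scope"], "module": "nmap"}
{"type": "URL", "id": "URL:ccc", "data": "https://www.example.test/", "scope_distance": 0, "source": "OPEN_TCP_PORT:bbb", "tags": ["in-scope"], "module": "httpx"}
{"type": "DNS_NAME", "id": "DNS_NAME:ddd", "data": "cdn.example.net", "scope_distance": 1, "source": "OPEN_TCP_PORT:bbb", "tags": ["distance-1"], "module": "sslcert"}
not-json: a truncated line, as left behind by an interrupted scan
"""


def load_events(text):
    """Index events by id; skip blank, corrupt or id-less lines."""
    events = {}
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "id" in event:
            events[event["id"]] = event
    return events


def discovery_chain(events, event_id):
    """Follow "source" links back to the earliest known ancestor (root first)."""
    chain, seen = [], set()
    while event_id in events and event_id not in seen:  # seen guards against loops
        seen.add(event_id)
        event = events[event_id]
        chain.append((event["type"], event.get("data"), event.get("module")))
        event_id = event.get("source")
    return chain[::-1]


def select(events, event_type, max_distance=0, tag=None):
    """Return data of events of one type within max_distance hops of scope."""
    return sorted(
        e["data"] for e in events.values()
        if e.get("type") == event_type
        and e.get("scope_distance", max_distance + 1) <= max_distance
        and (tag is None or tag in e.get("tags", []))
    )


if __name__ == "__main__":
    evs = load_events(SAMPLE_NDJSON)
    for step in discovery_chain(evs, "URL:ccc"):
        print(" -> ".join(map(str, step)))
    print(select(evs, "DNS_NAME"), select(evs, "DNS_NAME", max_distance=1))
```

The chain stops at the first parent id that is not in the file, so a partial export still yields the known part of the path.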

Below is a full list of event types along with which modules produce/consume them.

List of Event Types

| Event Type | # Consuming Modules | # Producing Modules | Consuming Modules | Producing Modules |
|---|---|---|---|---|
| * | 11 | 0 | affiliates, csv, discord, http, human, json, neo4j, python, slack, teams, websocket | |
| ASN | 0 | 1 | | asn |
| DNS_NAME | 56 | 43 | anubisdb, asset_inventory, azure_realm, azure_tenant, bevigil, binaryedge, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, builtwith, c99, censys, certspotter, chaos, columbus, credshed, crobat, crt, dehashed, digitorus, dnscommonsrv, dnsdumpster, dnszonetransfer, emailformat, fullhunt, github, hackertarget, hunterio, leakix, massdns, myssl, nmap, nsec, oauth, otx, passivetotal, pgp, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, skymem, speculate, subdomain_hijack, subdomaincenter, subdomains, sublist3r, threatminer, urlscan, viewdns, virustotal, wayback, zoomeye | anubisdb, azure_tenant, bevigil, binaryedge, builtwith, c99, censys, certspotter, chaos, columbus, crobat, crt, digitorus, dnscommonsrv, dnsdumpster, dnszonetransfer, fullhunt, hackertarget, hunterio, leakix, massdns, myssl, nsec, ntlm, oauth, otx, passivetotal, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, speculate, sslcert, subdomaincenter, sublist3r, threatminer, urlscan, vhost, viewdns, virustotal, wayback, zoomeye |
| DNS_NAME_UNRESOLVED | 3 | 0 | speculate, subdomain_hijack, subdomains | |
| EMAIL_ADDRESS | 0 | 6 | | credshed, emailformat, hunterio, pgp, skymem, sslcert |
| FINDING | 2 | 21 | asset_inventory, web_report | badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, git, host_header, hunt, ntlm, nuclei, paramminer_cookies, paramminer_getparams, paramminer_headers, secretsdb, smuggler, speculate, subdomain_hijack, telerik, url_manipulation |
| GEOLOCATION | 0 | 2 | | ip2location, ipstack |
| HASHED_PASSWORD | 0 | 2 | | credshed, dehashed |
| HTTP_RESPONSE | 12 | 1 | badsecrets, excavate, filedownload, host_header, hunt, ntlm, paramminer_cookies, paramminer_getparams, paramminer_headers, secretsdb, speculate, wappalyzer | httpx |
| IP_ADDRESS | 7 | 3 | asn, asset_inventory, ip2location, ipneighbor, ipstack, nmap, speculate | asset_inventory, ipneighbor, speculate |
| IP_RANGE | 1 | 0 | speculate | |
| OPEN_TCP_PORT | 4 | 4 | asset_inventory, fingerprintx, httpx, sslcert | asset_inventory, masscan, nmap, speculate |
| PASSWORD | 0 | 2 | | credshed, dehashed |
| PROTOCOL | 0 | 1 | | fingerprintx |
| SCAN | 1 | 0 | masscan | |
| SOCIAL | 0 | 1 | | social |
| STORAGE_BUCKET | 7 | 5 | bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, speculate | bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google |
| TECHNOLOGY | 2 | 2 | asset_inventory, web_report | gowitness, wappalyzer |
| URL | 18 | 2 | asset_inventory, bypass403, ffuf, generic_ssrf, git, gowitness, httpx, iis_shortnames, ntlm, nuclei, robots, smuggler, speculate, telerik, url_manipulation, vhost, wafw00f, web_report | gowitness, httpx |
| URL_HINT | 1 | 1 | ffuf_shortnames | iis_shortnames |
| URL_UNVERIFIED | 5 | 12 | filedownload, httpx, oauth, social, speculate | azure_realm, bevigil, bucket_file_enum, excavate, ffuf, ffuf_shortnames, github, gowitness, hunterio, robots, urlscan, wayback |
| USERNAME | 0 | 2 | | credshed, dehashed |
| VHOST | 1 | 1 | web_report | vhost |
| VULNERABILITY | 2 | 4 | asset_inventory, web_report | badsecrets, generic_ssrf, nuclei, telerik |
| WAF | 0 | 1 | | wafw00f |
| WEBSCREENSHOT | 0 | 1 | | gowitness |

Findings Vs. Vulnerabilities

BBOT has a sharp distinction between Findings and Vulnerabilities:

VULNERABILITY

  • There's a higher standard for what is allowed to be a vulnerability. They should be considered confirmed and actionable - no additional confirmation required.
  • They are always assigned a severity. The possible severities are: LOW, MEDIUM, HIGH, or CRITICAL.

FINDING

  • Findings can range anywhere from "slightly interesting behavior" to "likely, but unconfirmed vulnerability".
  • They are often false positives.

By making this separation, actionable vulnerabilities can be identified quickly in the midst of a large scan.
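
One way to use this separation when reviewing a large scan, as an added example that is not part of the BBOT documentation or code base: rank confirmed vulnerabilities by severity, keep findings in a separate queue for manual verification, and set aside any vulnerability that lacks a valid severity. It assumes one JSON event per line and that FINDING and VULNERABILITY events carry a dict in "data" with "host", "description" and (for vulnerabilities) "severity"; all sample values are constructed.

```python
import json

# The four severities named above, most urgent first.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample events (not real scan output). Assumption: the "data"
# dict layout (host / description / severity) is not shown on this page.
SAMPLE_NDJSON = """\
{"type": "FINDING", "data": {"host": "www.example.test", "description": "constructed finding"}, "scope_distance": 0, "module": "host_header"}
{"type": "VULNERABILITY", "data": {"host": "www.example.test", "severity": "MEDIUM", "description": "constructed medium issue"}, "scope_distance": 0, "module": "nuclei"}
{"type": "VULNERABILITY", "data": {"host": "app.example.test", "severity": "CRITICAL", "description": "constructed critical issue"}, "scope_distance": 0, "module": "badsecrets"}
{"type": "VULNERABILITY", "data": {"host": "old.example.test", "description": "constructed issue, severity missing"}, "scope_distance": 0, "module": "telerik"}
{"type": "FINDING", "data": {"host": "cdn.example.net", "description": "constructed out-of-scope finding"}, "scope_distance": 1, "module": "hunt"}
{"type": "URL", "data": "https://www.example.test/", "scope_distance": 0, "module": "httpx"}
"""


def triage(ndjson_text, max_distance=0):
    """Split in-scope results into (vulnerabilities, findings, rejected)."""
    vulns, findings, rejected = [], [], []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("scope_distance", max_distance + 1) > max_distance:
            continue  # outside the requested scope distance
        data = event.get("data")
        severity = data.get("severity") if isinstance(data, dict) else None
        if event.get("type") == "VULNERABILITY":
            # A vulnerability without a valid severity breaks the rule above;
            # set it aside for review instead of silently ranking it.
            valid = isinstance(severity, str) and severity in SEVERITY_RANK
            (vulns if valid else rejected).append(event)
        elif event.get("type") == "FINDING":
            findings.append(event)  # unconfirmed: needs manual verification
    vulns.sort(key=lambda e: SEVERITY_RANK[e["data"]["severity"]])
    return vulns, findings, rejected


if __name__ == "__main__":
    confirmed, unconfirmed, bad = triage(SAMPLE_NDJSON)
    for v in confirmed:
        print(v["data"]["severity"], v["data"]["host"], v["module"])
    print(len(unconfirmed), "finding(s) to verify;", len(bad), "rejected")
```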