/categories/methodology/ Recent content in Methodology on Hugo -- gohugo.io Mon, 01 Sep 2025 00:00:00 +0000 /blog-posts/apex-hunting-101/ Mon, 01 Sep 2025 00:00:00 +0000 /blog-posts/apex-hunting-101/ Goal: turn a single target into a wide, defensible attack surface by discovering apex domains owned by the company, its acquisitions, and its sub-organizations—using only open sources. Great bugs often live just outside the obvious example.com. If you can map acquired brands and subsidiaries, you’ll uncover older tech stacks, forgotten portals, and regional sites that are still very much in scope for “wide-scope” programs. Below is the exact recon playbook I use.