theHarvester and Recon-ng: OSINT Toolchain in 2026

Manish Garg Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

theHarvester and Recon-ng are the venerable command-line OSINT frameworks. Where modern tools (subfinder, amass) excel at subdomain enumeration, theHarvester and Recon-ng excel at people and email discovery and at aggregating results across a broad range of sources. This article covers their practitioner workflow in 2026 and how they fit alongside newer tooling.

theHarvester

theHarvester aggregates names, emails, hosts, and subdomains from public sources. Its source list is wide and includes Bing, DuckDuckGo, GitHub, Hunter, Shodan, VirusTotal, LinkedIn (limited), crt.sh, RapidDNS, and many more.

# Basic enumeration
theHarvester -d target.com -l 500 -b all

# Specific source
theHarvester -d target.com -b linkedin
theHarvester -d target.com -b github-code

# Save results
theHarvester -d target.com -l 500 -b all -f target-results.html

Output includes:

  • Email addresses (employee identification)
  • Subdomains
  • Hosts and IPs
  • People (names from search results)
  • Linked URLs

API keys for paid services (Hunter.io, Shodan, Censys, VirusTotal) substantially expand results. A run without keys finds public-facing data; paid integrations surface more deeply indexed data.

Recon-ng

Recon-ng is a modular reconnaissance framework written in Python. Plugins (called “modules”) cover specific data sources. The framework provides a database to track findings across an investigation.

# Setup
recon-ng

# Create a workspace
[recon-ng] [default] > workspaces create target

# Add domain
[recon-ng] [target] > db insert domains
domain (TEXT): target.com

# Load and run a module
[recon-ng] [target] > modules load recon/domains-hosts/hackertarget
[recon-ng] [target] [hackertarget] > run

# Pivot to next module
[recon-ng] [target] > modules load recon/hosts-ports/shodan_ip
[recon-ng] [target] [shodan_ip] > run

# View accumulated data
[recon-ng] [target] > show hosts
[recon-ng] [target] > show contacts

The workspace concept is powerful — entities (domains, hosts, contacts, vulnerabilities) accumulate across module runs. Reports generated at the end summarise everything.
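
An added example (not from the original article and not Recon-ng's own code) that models how host findings accumulate across module runs, with each host keeping the list of sources that reported it. The table layout, function names and the example.com sample data are assumptions made for illustration.

```python
import sqlite3

# Simplified stand-in for a workspace database. Assumption: this schema is
# illustrative and is not Recon-ng's actual table layout.
SCHEMA = """
CREATE TABLE hosts (
    host   TEXT NOT NULL,
    ip     TEXT NOT NULL DEFAULT '',   -- '' means "not resolved yet"
    module TEXT NOT NULL,              -- which source reported the row
    UNIQUE (host, ip, module)
)
"""

# Constructed sample findings (documentation domain and address range).
RUN_A = [("www.example.com", "192.0.2.10"), ("mail.example.com", "192.0.2.20")]
RUN_B = [("WWW.Example.com.", "192.0.2.10"), ("vpn.example.com", None)]

def open_workspace():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def record(conn, module, findings):
    """Store one module run; return how many rows were new."""
    before = conn.total_changes
    rows = [(h.strip().lower().rstrip("."), ip or "", module)
            for h, ip in findings]
    conn.executemany(
        "INSERT OR IGNORE INTO hosts (host, ip, module) VALUES (?, ?, ?)", rows)
    return conn.total_changes - before

def summary(conn):
    """Map each host to (known IPs, modules that reported it)."""
    cur = conn.execute(
        "SELECT host, GROUP_CONCAT(DISTINCT NULLIF(ip, '')),"
        " GROUP_CONCAT(DISTINCT module) FROM hosts GROUP BY host")
    return {host: (sorted(ips.split(",")) if ips else [],
                   sorted(mods.split(",")))
            for host, ips, mods in cur}

if __name__ == "__main__":
    ws = open_workspace()
    record(ws, "hackertarget", RUN_A)
    record(ws, "theHarvester", RUN_B)
    for host, (ips, mods) in sorted(summary(ws).items()):
        print(f"{host:20} {','.join(ips) or '-':14} {','.join(mods)}")
```

Hosts reported by a single source, or with no resolved address, are the ones to verify before they go into a report.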

The combined workflow

  1. Subdomain breadth — subfinder + amass + crt.sh
  2. Email / people enumeration — theHarvester + Hunter.io
  3. Code / GitHub — theHarvester github-code module + GitHub web search
  4. Tech fingerprinting — httpx tech-detect + Wappalyzer
  5. Service exposure — Shodan / Censys via theHarvester or directly
  6. Pivoting — Recon-ng workspace tracking findings, running specific modules per finding type
  7. Visualisation — Maltego for the relationship graph

The 2026 reality

Many of theHarvester’s data sources have closed or limited their APIs. LinkedIn integration is heavily restricted. Search engines rate-limit aggressively. The free-tier results have shrunk; paid integrations have grown in importance.

Recon-ng’s marketplace has a long tail of unmaintained modules. The active core remains useful but practitioners often write custom modules for specific investigations.

Modern alternatives that have eaten some of theHarvester’s lunch:

  • SpiderFoot — newer open-source OSINT framework with web UI
  • Maltego — visual graph plus rich transform marketplace
  • Custom Python scripts using shodan / censys / virustotal APIs directly

The takeaway

theHarvester and Recon-ng remain useful tools in the OSINT toolkit but are no longer the primary engines. Use theHarvester for breadth-of-public-source aggregation; use Recon-ng for workflow continuity across an investigation. Layer them with modern tools for subdomain depth, Maltego for visualisation, and direct API integrations for primary sources.