Using N8N To Orchestrate Web and Mobile Bug Hunting

Introduction

Modern bug hunting increasingly relies on automation, integration, and orchestration to scale reconnaissance and streamline reporting. Manual workflows struggle to keep pace with the complexity and speed of modern attack surfaces.

This setup demonstrates how n8n serves as a centralized control plane to coordinate multiple tools and data flows across the bug-hunting lifecycle. Through AutoAR’s REST API, it automates comprehensive web reconnaissance and attack surface mapping, while Notion provides a single source of truth for tracking targets and scan states. Discord delivers real-time operational alerts, and AI-assisted reporting ensures consistent, high-quality documentation of findings.

Advanced mobile analysis is handled through APKX, an integrated Android/iOS pipeline connected to n8n. This enables intelligent caching, deep static and dynamic analysis, MITM patching, and automated report generation from app binaries acquired via store integrations.

Together, these components form a scalable, modular, and intelligent framework that enhances the efficiency and precision of modern bug bounty operations.


Architecture Overview

Component
Purpose

n8n

Event bus, scheduler, and workflow engine

AutoAR

Web reconnaissance and attack surface scanning via REST API (subfinder, httpx, dnsx, naabu, nuclei, Dalfox, trufflehog, ffuf/fuzzuli, etc.)

APKX (Android/iOS)

Mobile analysis pipeline integrated via n8n — advanced APK/IPA analysis, intelligent caching, pattern matching, MITM patching, and HTML/JSON reporting

Notion

Source of truth for targets and scan statuses

Discord

Real-time notifications (capacity, completion, errors)

AI Reporting

Uses OpenRouter models to generate structured Markdown reports


Workflow in Practice

1. Intake in Notion

  • Targets and scan types are defined in a Notion database.

  • n8n monitors for new or updated entries and triggers workflows automatically.

2. Capacity Guard

  • n8n queries AutoAR /capacity.

  • If the system is at capacity, n8n posts a Discord warning and defers the task to maintain stability.

3. Launch Scan

  • n8n submits a POST /scan request to AutoAR with the chosen scan type.

  • AutoAR executes asynchronously and stores results under new-results/.

4. Persistence and Status

  • When the scan completes, n8n marks the Notion item as Completed.

  • Discord receives a concise notification with any relevant artifacts (lists, findings, wordlists).

5. AI-Assisted Reporting

  • Structured findings are sent to an LLM via OpenRouter.

  • The model drafts a clean Markdown report, which is written back to Notion for analyst review and validation.

Workflow In Practice

  1. Intake in Notion

  • New items are added to a Notion database with fields like Target and Scan Type.

  • n8n watches Notion and triggers when a new/updated record needs a scan.

  1. Capacity Guard

  • n8n queries AutoAR /capacity. If at capacity, a Discord warning is posted and the item is deferred.

  1. Launch Scan

  • n8n POSTs to AutoAR /scan with the chosen scan type. AutoAR runs asynchronously and stores results under new-results/.

  1. Persistence and Status

  • Once completed, n8n sets the Notion item to “Completed”. Discord receives a concise completion message and, when useful, file artifacts (lists, findings, wordlists).

  1. AI‑Assisted Reporting

  • A dedicated n8n flow sends structured findings to an LLM via OpenRouter and writes a clean, templated markdown report back into Notion for review.

Scan Types

Type
Description
Best Use

Domain

Full reconnaissance: subdomains, live hosts, URLs, tech stack, DNS checks, nuclei templates, reflection, JS exposure, ports, and vulnerabilities

Comprehensive program coverage

Subdomain

Focused scan on one subdomain with same modules as Domain

Deep-dive triage of high-value assets

liteScan

Fast subdomain enumeration, live hosts, tech detection, reflection, and nuclei checks

Quick actionable overview

fastLook

Minimal recon: subenum → live hosts → URLs → tech detect → reflection

Rapid prioritization

JSScan

JavaScript collection and analysis for secrets, XSS, and API endpoints

JS-heavy applications

JSMonitor

Monitors JS files for modifications

Detecting new endpoints or changes or secrets

BackupScan

Fuzzes for exposed backups/config files

Backup Files Exposure

S3Scan

Tests S3 bucket permissions

Cloud exposure assessment

GitHub (Repo/Org/Wordlist)

Secret detection, wordlist generation, and org-wide scanning via trufflehog and gh CLI

Source code and org monitoring

Monitoring

Periodic re-scans for changes or new findings

Continuous program intelligence


Mobile Pipelines

Android (APKX)

  • Orchestrated via n8n to the APKX backend.

  • Analysis capabilities: 1600+ security patterns, exported components review, deep links, insecure storage, cert pinning, debug mode, Janus vulnerability detection.

  • Operational features: Queueing, intelligent caching, multi-store downloads (APKPure, Play Store, F-Droid, AppGallery), optional MITM patching, and HTML/JSON reporting.

  • Storage: GitLab integration for zero-local storage and automatic synchronization.

  • Status updates and completions are tracked in Notion and broadcast to Discord.

iOS (APKX iOS)

  • Similar orchestration with capacity checks, job submission, and reporting.

  • Capabilities: IPA analysis, plist parsing, ATS review, jailbreak detection, keychain inspection, and binary analysis.

  • Download: ipatool integration with authenticated access.

  • Storage: GitLab-backed artifact management.

Screenshots


Tooling Ecosystem

  • Subdomain/Host: subfinder, httpx, dnsx

  • Ports: naabu

  • Vulnerability Templates: nuclei (public/custom)

  • Web Vulns: Dalfox, GF patterns, reflection checks

  • Content Discovery: ffuf, fuzzuli

  • GitHub: trufflehog, gh CLI, raw REST fallback

  • Mobile: APKX pipelines for Android/iOS


Discord Integration

  • Notifications: Capacity warnings, completion summaries, and error alerts.

  • Artifact Sharing: Wordlists, secrets, and scan summaries via file attachments.

  • APKX Reports: Mobile HTML/JSON results posted with download links.

  • Rich Embeds: Structured messages containing metadata and findings counts.

  • Webhooks: Per-scan configuration for targeted reporting.


Why This Automation Works

  • Consistency: Every run is defined, logged, and repeatable.

  • Scale: Capacity checks prevent overload and ensure reliable throughput.

  • Speed: One action in Notion triggers the full automation chain.

  • Signal Over Noise: Discord carries essential alerts; Notion holds structured data.

  • Extensibility: New tools are simple new nodes or API routes.

  • Quality: AI-assisted reporting enforces structured documentation with minimal manual overhead.


Outcome

This architecture transforms reconnaissance and analysis into a controlled, repeatable system. n8n orchestrates, AutoAR executes, Notion tracks, Discord informs, and AI accelerates reporting — creating a professional, maintainable, and extensible foundation for modern bug bounty operations.

Last updated

Was this helpful?