1. Small Scope
   1. Only Specific URLs are part of Scope. This usually includes staging/dev/testing or single URLs. like: app.harshbothra.tech
      1. Recon To-Do
         1. Directory Enumeration
         2. Technology Fingerprinting
         3. Port Scanning
         4. Parameter Fuzzing
         5. Wayback History
         6. Known Vulnerabilities
         7. Hardcoded Information in JavaScript
         8. Domain Specific GitHub & Google Dorking
         9. Broken Link Hijacking
         10. Data Breach Analysis
         11. Misconfigured Cloud Storage
2. Medium Scope
   1. Usually the scope is wild card scope where all the subdomains are part of scope. like: Scope: *.harshbothra.tech
      1. Recon To-Do
         1. Subdomain Enumeration
         2. Subdomain Takeover
         3. Probing & Technology Fingerprinting
         4. Port Scanning
         5. Known Vulnerabilities
         6. Template Based Scanning (Nuclei/Jeales)
         7. Misconfigured Cloud Storage
         8. Broken Link Hijacking
         9. Directory Enumeration
         10. Hardcoded Information in JavaScript
         11. GitHub Reconnaissance
         12. Google Dorking
         13. Data Breach Analysis
         14. Parameter Fuzzing
         15. Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
         16. IP Range Enumeration (If in Scope)
         17. Wayback History
         18. Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
         19. Heartbleed Scanning
         20. General Security Misconfiguration Scanning
3. Large Scope
   1. Everything related to the Organization is a part of Scope. This includes child companies, subdomains or any labelled asset owned by organization.
      1. Recon To-Do
         1. Tracking & Tracing every possible signatures of the Target Application (Often there might not be any history on Google related to a scope target, but you can still crawl it.) ​
         2. Subsidiary & Acquisition Enumeration (Depth – Max)​
         3. Reverse Lookup
         4. ASN & IP Space Enumeration and Service Identification​
         5. Subdomain Enumeration
         6. Subdomain Takeover
         7. Probing & Technology Fingerprinting
         8. Port Scanning
         9. Known Vulnerabilities
         10. Template Based Scanning (Nuclei/Jeales)
         11. Misconfigured Cloud Storage
         12. Broken Link Hijacking
         13. Directory Enumeration
         14. Hardcoded Information in JavaScript
         15. GitHub Reconnaissance
         16. Google Dorking
         17. Data Breach Analysis
         18. Parameter Fuzzing
         19. Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
         20. IP Range Enumeration (If in Scope)
         21. Wayback History
         22. Potential Pattern Extraction with GF and automating further for XSS, SSRF, etc.
         23. Heartbleed Scanning
         24. General Security Misconfiguration Scanning
         25. And any possible Recon Vector (Network/Web) can be applied.​
4. Based on Scope Based Recon Methodology by Harsh Bothra (@harshbothra_)