Today we’re excited to announce the arrival of BBOT 3.0. This is a huge update with numerous new features and improvements.
There are a few major themes to the BBOT 3.0 update:
Performance
Key components of BBOT have been rewritten in Rust. We’ve written our own native DNS and HTTP libraries in Rust: BlastDNS and BlastHTTP, specifically for BBOT. These enable a significant performance boost and reduce our dependency on external libraries for core functions.
BlastDNS is 15x faster than our original library, dnspython.
While we are saying goodbye to dnspython, we want to thank its creator Bob Halley for such a useful library, and for his responsiveness to our issues and feature requests over the years! He is a legend.BlastHTTP replaces both httpx and our old subprocess-based HTTP engine with a single, in-process client that every module shares. It drives everything from simple URL probing to full-blown directory brute-forcing (our new webbrute module) at speeds comparable to dedicated tools like FFUF without ever leaving the BBOT process. Add built-in rate limiting and native batch requests, and BBOT can now hit thousands of URLs concurrently while staying light on memory.
Memory consumption was a problem on large scans before, and it’s much improved now. We’ve made multiple rounds of memory profiling and optimizations, cutting memory waste large and small. The most notable is HTTP responses now can spill onto the disk instead of staying in RAM the entire scan.
CPU use has also been dramatically tuned. We’ve tightened CPU heavy tasks to be more efficient, and moved intense tasks off the main event loop, to keep the scan running smoothly.
In the past, we’ve had face-offs between BBOT and other comparable tools:
We wanted to do something similar, but just between BBOT 2 and 3. The results even surprised us. First, we did a scan of mubi.com with a variety of profiles, including a passive subdomain enumeration profile, and three different intensities of web content processing:
As you can see, finding the same results was possible using a fraction of the CPU and Memory, and the scan completed quicker.
Of course, the scale of a scan changes the profile significantly, so here’s an example of a larger scan, just doing non-active subdomain enumeration:
On this larger scan, we see the scan speed essentially evens out. However, here we actually found more subdomains. The Memory and CPU improvements are less pronounced without the heavier web modules in-play, but still notable.
Persistent Asset Storage
BBOT 3.0’s output has been adapted to work better with SIEMs, SQL and noSQL databases out of the box. No more siem_friendly option - siem_friendly is simply the default.
Getting the data where it needs to go is easier than ever, too. BBOT 3.0 ships a suite of new output modules for databases and message queues, including MongoDB, Elasticsearch, Kafka, RabbitMQ, NATS, and ZeroMQ, alongside BBOT’s existing SQL outputs.
Consistency and Maturity
We’ve strengthened preset validation. Before, errors in a preset would just silently fail in the background. Now, when your preset has a problem, you’ll see exactly what you need to fix the moment the scan loads, often with a “did you mean...?” hint for typos (e.g. Did you mean “scope.strict”?).
We reworked the targets and seeds system to make advanced scoping simpler. BBOT now cleanly separates your target (what defines scope) from your seeds (the hosts a scan actually starts from). For the common case they’re identical and nothing changes, but when you need it, you can scope a scan to one set of hosts while seeding it from another. No more --whitelist juggling.
Finally, we standardized naming across BBOT: more consistent preset, flag, and tag names, all following one predictable convention (full rename list in the breaking-changes section below).
New Modules
The following are new modules in 3.0:
New Features
The following features are new in BBOT 3.0:
Tighter ASN Integration
You can now specify ASNs as targets in BBOT:
# portscan an ASN
bbot -t AS1234 -m portscanUnder the hood, this queries the free ASNDB API, part of the new BBOT.IO API Hub. This API is leveraged both for target calculation and for fetching more ASN data during the scan. The free tier supports 10 requests per minute. This should be enough for most scans, but API keys can be purchased at the Developer Portal for much higher speeds. A single API key can be used across all the APIs.
Lightfuzz Improvements (Web Scanning)
Lightfuzz is our take on dynamic application security testing (DAST), and it’s had a major overhaul.
New ssrf submodule. Detects Server-Side Request Forgery out-of-band: it injects Interactsh URLs across multiple schemes (http://, https://, and bare host, for servers that prepend their own scheme) and confirms the finding via real DNS/HTTP callbacks rather than guessing from response differences.
Sharper detection across the board. The full submodule lineup (sqli, xss, cmdi, crypto, serial, ssti, path, esi) was tuned to cut noise, so the findings that come back are the ones actually worth chasing.
Rebuilt preset tiers. Lightfuzz now ships as a clean set of tiers: web/lightfuzz as the balanced default, web/lightfuzz-heavy, and web/lightfuzz-max when you want to turn everything up. (The old web/lightfuzz-medium and web/lightfuzz-superheavy tiers are gone.)
AGENTS.md
With the advent of Claude Code (and its cousins Cursor, Windsurf, Antigravity, etc.), contributing to BBOT is easier than ever. To streamline this even further, we’ve compiled a new AGENTS.md to help you and your AI write the best possible BBOT module. 🧡
Breaking Changes
Be aware there are a few breaking changes to the CLI syntax and output format which may require you to update your scripts.
1. Target Behavior
There have been changes to the way BBOT handles scope. If you’re accustomed to just using -t, this won’t affect you. However if you use the more advanced scope features like --whitelist and --blacklist, you’ll want to read this.
Previous versions of BBOT had three main flags for specifying targets:
--target (-t)--whitelist (-w)--blacklist (-b)
Targets automatically became seeds, and if you didn’t specify --whitelist, targets became whitelist too. This sometimes caused confusion, since it wasn’t clear how to specify custom seeds. Also, you could miss out on results if your targets weren’t in your whitelist.
The new flags are:
--target (-t)--seeds (-s)--blacklist (-b)
These behave almost the same, except that now --target always controls your scope. By default it also seeds the scan. If you want, you can override with --seeds. Additionally, passive modules now accept seeds by default, even if they’re not in-scope.
This is especially useful if you want to define your scope by IP, but seed the scan with domains. In other words, you want to scan *.evilcorp.com, but just the half of evilcorp.com subdomains that fall inside your IP scope.
bbot -t 10.1.1.0/24 -s evilcorp.com -f subdomain-enum2. Vulnerabilities
VULNERABILITY events have been removed, and have been merged into FINDING events, which have several new fields:
name— a generic description common to all findings of the same type. This makes it easier to collapse and categorize them.confidenceseverity
3. JSON output format: .data and .data_json event fields
The main breaking change in BBOT 3.0 is that the name of the .data field is different depending on whether it’s a str or dict. This is meant to make parsing easier, both for scripts and external aggregation tools like Elasticsearch:
.data: string.data_json: dictionary
The siem_friendly option has been removed, since BBOT data is now SIEM-friendly by default.
4. Migration from Poetry to UV
BBOT now uses uv for Python package management and publishing. You can still use pip or pipx if you want, but uv is now the recommended way for both users and devs to install BBOT, and is more than 10x faster thanks to Rust:
# quick uv run (for users)
uvx bbot -t evilcorp.com -p subdomain-enum
# tool install
uv tool install bbot
# add BBOT to Python project (for devs)
uv add bbot5. Naming Standardization
We’ve cleaned up BBOT’s naming across flags, presets, and tags to be more consistent and self-documenting.
Flag Renames:
web-basic → web
web-thorough → web-heavy
In 3.0 the old two-flag aggressive/deadly scheme was replaced by two independent axes: loud (network volume) and invasive (destructiveness), and each module was re-tagged with whichever combination applies.
The safe flag is retained and is now mutually exclusive with loud and invasive, making it easy to filter: -rf safe gives you only non-intrusive modules.
The --allow-deadly CLI gate has been removed. Instead, BBOT prints a warning when loud or invasive modules are enabled, and you can exclude them with -ef loud or -ef invasive.
Preset Renames:
web-basic → web
web-thorough → web-heavy
spider-intense → spider-heavy
baddns-intense → baddns-heavy
nuclei-intense → nuclei-heavy
lightfuzz-medium → lightfuzz (now the standard/default)
lightfuzz-superheavy → lightfuzz-max
The naming convention is now: base name for the standard version, -heavy for the more thorough variant, -light for the lightweight variant, and -max for maximum intensity.
6. Module Changes
Some of these changes actually occurred in final versions of 2.x, but including them since they are still recent changes.
Module renames:
httpx→http (now uses our very own BlastHTTP!)
ffuf→webbrute (also uses BlastHTTP)
ffuf_shortnames→webbrute_shortnames
output.http→output.webhook
bucket_azure → bucket_microsoft
extractous → kreuzberg
censys split into censys_dns and censys_ip
vhost → virtualhost (significantly upgraded)
Modules removed:
wappalyzer (its python-Wappalyzer dependency had been unmaintained for 6+ years)
azure_realm (its functionality was merged into the existing azure_tenant module)
smuggler (outdated and unmaintained. We just might be busy cooking up a replacement! :D)
digitorus (its source site now sits behind a Cloudflare challenge)
passivetotal (the PassiveTotal v2 API was decommissioned after RiskIQ’s acquisition by Microsoft)
sitedossier (heavily captcha- and rate-limited, returns significant junk data over a plain-HTTP endpoint)
wpscan (heavy Ruby/compiler install footprint and an unmaintained upstream)
Documentation
There are a lot more details that we can cover here, so we created a 2.x → 3.0 migration guide within our docs to serve as comprehensive documentation of all the significant changes.
We’ve also updated our documentation generally too, to keep it up to date and useful.
There are some interesting new sections in the docs too: like our new scan sanity guide.
Conclusion
We hope you enjoy these improvements to BBOT. Stay tuned for even bigger upcoming releases, including BBOT Server, BBOT.io APIs, and our new Enterprise ASM offering!




