DEV Community

Mr Elite

Posted on • Originally published at securityelites.com

How to Build a Bug Bounty Automation Lab at Home for Under $100 (2026)

📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.

The hunters consistently landing first-blood findings on new programme scope additions aren’t faster at manually running recon. They have automation running while they sleep. A new subdomain goes live on their target at 2am. Their pipeline discovers it by 2:05am, probes it for live services, scans it with Nuclei templates, and pings their phone with the result. They’re in the application by 9am. Everyone else opens their laptop and starts their manual recon session at 9am — and finds the scope addition already has a disclosed finding.

That Bug Bounty automation lab setup costs under $100 in hardware — a Raspberry Pi 5 is $60. The tool stack is entirely open source. The running cost is less than a coffee per month in electricity. And once it’s built and configured, it runs continuously without any manual intervention.

Here’s the exact stack I run, the exact commands that wire it together, and the exact pipeline that generates notifications when something new and interesting appears on your targets.

🎯 What You’ll Build

Hardware setup: Raspberry Pi 5 or VPS configured as a 24/7 recon machine
Full ProjectDiscovery tool stack: Subfinder, Httpx, Nuclei, Notify — all installed and configured
API key configuration that doubles subdomain discovery coverage at zero cost
Automated pipeline script that runs the full recon chain on a cron schedule
Slack/Telegram notifications for new subdomains and Nuclei findings — to your phone

⏱️ 25 min read · 2-3 hours to build end-to-end

### 📋 Contents

1. Hardware: Raspberry Pi 5 vs VPS — Which to Choose
2. 4 Tools That Cover Your Entire Automation Pipeline
3. API Keys — Free Tier Configurations That Matter
4. Wiring It Together — Your First Automation Pipeline
5. Continuous Monitoring — Change Detection and Alerting
6. Notifications — Getting Findings to Your Phone

## Hardware: Raspberry Pi 5 vs VPS

Two practical options under $100. The Raspberry Pi 5 (4GB) costs about $60 plus a microSD card. It draws less than 10W, runs 24/7 for roughly $0.50/month in electricity, and runs all Go-based security tools natively on 64-bit ARM. After year one your running costs are negligible. The downside: you need to handle home networking if you want to SSH in remotely.

A cloud VPS at $4-6/month (Vultr, Hetzner, DigitalOcean all have options in this range) has no upfront cost, is accessible from anywhere without networking setup, and is easy to snapshot and rebuild. The downside: $50-70/year ongoing. If you plan to run this for 2+ years, the Raspberry Pi wins on cost. If you want the simplest possible remote access, the VPS wins on convenience.

RASPBERRY PI 5 SETUP — INITIAL CONFIGURATION

```bash
# Hardware shopping list (prices approximate)
#   Raspberry Pi 5 4GB                  ~$60
#   64GB microSD (Samsung Endurance)    ~$12
#   Official Pi 5 power supply          ~$12
#   Case (optional, Argon NEO 5)        ~$15
#   Total:                              ~$85-100

# OS setup
#   Download: Raspberry Pi Imager → flash Raspberry Pi OS (64-bit, Lite)
#   Enable SSH in Imager → boot Pi → ssh pi@raspberrypi.local

# Install Go (required for all ProjectDiscovery tools)
# Go release archives carry the full patch version (go1.22.0, not go1.22)
wget https://go.dev/dl/go1.22.0.linux-arm64.tar.gz
sudo tar -C /usr/local -xzf go1.22.0.linux-arm64.tar.gz
# Straight single quotes so the line is written to ~/.bashrc unexpanded
echo 'export PATH=$PATH:/usr/local/go/bin:~/go/bin' >> ~/.bashrc
source ~/.bashrc
go version
# go version go1.22.0 linux/arm64
```

4 Tools That Cover Your Entire Automation Pipeline

Every serious bug bounty automation setup I’ve seen uses ProjectDiscovery tools as the backbone. They’re designed to work together, stdin/stdout chaining is built in, and the template library behind Nuclei is maintained by the community with daily additions. Four tools cover the complete pipeline from domain input to actionable finding.

INSTALL THE COMPLETE TOOL STACK

```bash
# Install all 4 core tools via Go
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/projectdiscovery/notify/cmd/notify@latest

# Verify installations
subfinder -version && httpx -version && nuclei -version && notify -version

# Update Nuclei templates (do this daily)
nuclei -update-templates
# [INF] nuclei-templates are already updated to the latest version: v9.x.x

# Optional extended stack
go install -v github.com/projectdiscovery/katana/cmd/katana@latest  # crawler
go install -v github.com/lc/gau/v2/cmd/gau@latest                   # URL discovery
go install -v github.com/tomnomnom/anew@latest                      # unique new lines
```

Bug Bounty Automation Pipeline — Data Flow

SUBFINDER: target.com → 47 subdomains (passive, 50+ sources)

↓ pipe

HTTPX: 47 subdomains → 31 live hosts (status 200/301/403) + titles + tech

↓ pipe

NUCLEI: 31 live hosts → 3 findings (1 critical CVE, 2 misconfigs)

↓ pipe

NOTIFY: 3 findings → Slack/Telegram notification to your phone

Total runtime: ~8 minutes for a typical 50-subdomain target · runs via cron at 2am daily

📸 Bug bounty automation pipeline showing the full data flow from domain input to phone notification. Subfinder discovers 47 subdomains passively — no active scanning, no footprint on the target network. Httpx narrows those to 31 live hosts with their HTTP status codes and technology stack. Nuclei scans all 31 live hosts and finds 3 issues: one critical CVE match and two misconfigurations. Notify delivers those 3 findings to Slack within seconds of detection. Total wall-clock time: 8 minutes. This pipeline runs at 2am every morning while you sleep.
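
The overnight scenario from the introduction needs two steps that the data flow above does not show: dropping hosts outside the programme's scope before they reach Httpx or Nuclei, and passing on only hosts that an earlier run has not already recorded (the job of the optional `anew` tool). The sketch below is an added example, not the author's script; the file names `scope.txt` and `seen.txt`, the function names and every hostname in it are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the author's script). scope.txt / seen.txt, the function
# names and all hostnames below are assumptions constructed for illustration.

# in_scope SCOPE_FILE: keep stdin hostnames that equal a scope entry or are a
# true subdomain of one. Matching is on a dot boundary, so look-alikes such as
# evilexample.com or example.com.attacker.test are dropped before any probing.
in_scope() {
  awk -v scope="$1" '
    BEGIN {
      while ((getline s < scope) > 0)
        if (s != "" && s !~ /^#/) suf[tolower(s)] = 1
    }
    {
      h = tolower($0); sub(/\.$/, "", h)          # normalise case, trailing dot
      for (s in suf) {
        n = length(h) - length(s)
        if (h == s || (n > 0 && substr(h, n) == ("." s))) { print h; next }
      }
    }'
}

# new_only SEEN_FILE: print only hosts not recorded by an earlier run, then
# record them (the role the page gives to `anew`).
new_only() {
  touch "$1"
  awk -v seen="$1" '
    BEGIN { while ((getline l < seen) > 0) old[l] = 1; close(seen) }
    !($0 in old) { old[$0] = 1; print; print >> seen }'
}

# Two constructed nightly result sets; prints what night 2 would pass on.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' example.com > "$dir/scope.txt"
  printf '%s\n' api.example.com www.example.com evilexample.com |
    in_scope "$dir/scope.txt" | new_only "$dir/seen.txt" > /dev/null
  printf '%s\n' api.example.com STAGING.example.com. example.com.attacker.test |
    in_scope "$dir/scope.txt" | new_only "$dir/seen.txt"
  rm -rf "$dir"
}

# Intended wiring in the cron job (tools from the page, run only on hosts
# that passed both filters):
#   subfinder -d example.com -silent | in_scope scope.txt | new_only seen.txt \
#     | httpx -silent | nuclei -silent | notify
```

Keeping `scope.txt` as the single source of truth means a passive source that returns a third-party or look-alike domain never results in a probe against a host the programme did not authorise.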


📖 Read the complete guide on SecurityElites

This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →


This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
