What I Actually Use (and Why Less Beats More)
If you're new to this series, these posts explain how I use tools — not just which ones:
- How I Decide a Tool Result Is Worth My Time
- From Signal to Impact
- Authorization Is a Graph, Not a Check
- Finding IDORs the Right Way (Burp-Only)
- Burp Suite Repeater: How Professionals Find IDORs
- 403 Bypass Techniques Explained (Without Abuse)
- Mastering ffuf: From Discovery to Real Bugs
- nuclei Without Noise: A Practical Guide
- httpx: Turning Subdomains into Attack Surface
- katana vs waymore: When to Use Which
This post is the practical snapshot of my 2026 workflow.
No hype. No "install 50 tools." Just what actually earns me reports.
🧠 Philosophy First: Tools Don't Find Bugs — You Do
Before the stack, the mindset:
- Tools find signals
- Humans build impact
- Automation reduces noise
- Manual testing creates value
This is the thread through the whole series.
If your stack feels overwhelming, it's probably working against you.
🔍 Recon Layer
✅ httpx
What I use it for: Turning raw subdomains into living attack surface
- Status codes
- Tech stack hints
- Redirect behavior
- API exposure
This filters dead noise early.
→ Deep dive: httpx: Turning Subdomains into Attack Surface
✅ katana + waymore
What I use them for (together):
- katana → live crawling & modern routes
- waymore → historical endpoints, old APIs, forgotten paths
They complement each other.
→ Deep dive: katana vs waymore: When to Use Which
🔎 Discovery Layer
✅ ffuf
What I use it for:
- Endpoint discovery
- Parameter discovery
- File exposure
- Admin panels
- Feature flags
ffuf gives me surface area. It doesn't give me bugs.
→ Deep dive: Mastering ffuf: From Discovery to Real Bugs
✅ nuclei (carefully)
What I use it for:
- Confirming known issues
- Catching low-hanging fruit
- Prioritizing manual testing
- Template-driven signals
I treat nuclei as:
A noisy assistant, not a decision-maker.
→ Deep dive: nuclei Without Noise: A Practical Guide
🧪 Manual Testing Layer
✅ Burp Suite (Repeater is the core)
This is where bugs are actually found:
- Role comparison
- State transitions
- IDOR testing
- Auth bypass logic
- API behavior differences
Repeater is my main "thinking space."
→ Deep dives:
- Burp Suite Repeater: How Professionals Find IDORs
- Finding IDORs the Right Way (Burp-Only)
🔐 Access Control Layer
✅ Custom logic testing
Not a tool — a method:
- Role switching
- State mutation
- Cross-feature references
- Graph mapping
This is where the real bugs actually emerge:
- Privilege escalation
- Account takeover
- Authorization bugs
→ Deep dives:
- Authorization Is a Graph, Not a Check
- Workflow: From Signal to Impact
🧨 Exploitation Tools (Rarely, Carefully)
⚠️ sqlmap
I only use sqlmap when:
- I already suspect injection
- Manual testing shows anomalies
- The endpoint influences queries
sqlmap is not a recon tool. It's a confirmation tool.
→ Deep dive: Why sqlmap Fails (And When It Doesn't)
⚠️ XSStrike
Occasional use when:
- Reflection is obvious
- Context is clear
- I already see DOM behavior
Manual XSS testing comes first.
🧹 What I Don't Use Much Anymore
Not because they're bad — because they don't fit my workflow:
- Massive auto-scanners
- Blind spraying tools
- Huge recon frameworks
- "One-click pwn" setups
They create noise and kill thinking.
🧩 The Real Stack Is a Flow, Not a List
My real stack looks like:
httpx → katana/waymore → ffuf → nuclei (filtered) → Burp → Graph thinking → Chain building
Tools feed thinking. Thinking creates bugs.
🏁 Final Thoughts
Your stack shouldn't feel impressive.
It should feel boring and effective.
If your tools:
- Reduce noise
- Increase signal
- Support manual reasoning
You're doing it right.
If your tools replace thinking — you're losing.
👏 If this post helped, please clap — it helps this series reach serious learners.
☕ Support my work: 👉 https://buymeacoffee.com/ghostyjoe
💬 Your Turn
What tools are actually earning you reports in 2026?
- What did you stop using?
- What surprised you by being useful?
Drop a comment — I read them all and shape future posts around real struggles.