honoki.net is a personal blog focused on web security research, hands-on Bug Bounty work, and open-source tools. The article mainly highlights two tools: WILSON Cloud Respwnder and BBRF. The former is used for self-hosted DNS/HTTP interaction logging and notifications, serving as a long-term, controllable alternative to tools like Burp Collaborator or Interactsh. The latter is the Bug Bounty Reconnaissance Framework, designed to organize reconnaissance data such as domains, IPs, and program scope.
In terms of protection category, this is not a WAF, EDR, or vulnerability-scanning SaaS product. It is more of an offensive-security and vulnerability-verification aid. WILSON can log DNS and HTTP requests in real time, retain full HTTP requests including POST bodies, and send alerts to Slack or Discord. Its served content and DNS records can also be customized via NGINX, the PHP web server, and bind9. BBRF uses CouchDB as a central JSON document store, with a Python CLI for managing programs, inscope/outscope assets, domains, and IPs, and can be integrated into pipelines with tools such as subfinder.
Deployment is mainly self-hosted. WILSON requires a domain name, docker-compose, and a notification webhook. BBRF can be deployed on a cloud server or in local Docker, and also supports AWS Lambda/serverless scenarios. The article does not mention commercial pricing or paid plans; only a comment notes that an AWS t3a.small costs about $13.5/month, while local deployment can reduce costs. Integrations are fairly open, relying on HTTP APIs, JSON, command-line pipelines, Slack/Discord webhooks, NGINX, and bind9, making the tools suitable for building personal or small-team security testing workflows.
The strengths are closely aligned with real Bug Bounty pain points: WILSON addresses the limited time window of OOB interaction monitoring, while BBRF solves the problem of reconnaissance results being scattered across multiple tools and hard to reuse. The tools are open, self-hosted, and extensible. The downsides are also clear: there is no information on enterprise-grade compliance certifications, SLA, access governance, or commercial support. Deployment requires experience with DNS, Docker, CouchDB, and cloud services. BBRF also explicitly does not support URLs, ports, services, or IPv6, so its data model has limited coverage.
It is suitable for security researchers, bug bounty hunters, penetration testers, and small teams that want to build their own reconnaissance data warehouse or OOB callback monitoring service. It is not a good fit for large enterprises expecting an out-of-the-box product, procurement compliance, and unified reporting. The article does not discuss access from China. Dependencies such as GitHub, Slack, Discord, and AWS may involve network or payment uncertainty in mainland China. In practice, users could consider local Docker deployment, self-hosted notification channels, or alternative tool combinations such as Burp Collaborator, Interactsh, Amass, ffuf, and massdns.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site.
honoki.net is listed as an "Unknown Security" provider. TG4G tracks its product information, an overall rating of 6.0/10, and a China-accessibility rating of "China direct-connect friendly".