BBOT 3.0.0
Warning
Upgrading from 2.x is not drop-in. The CLI, flags, preset syntax, event API, config keys, and module set all changed in backwards-incompatible ways. Read the 2.x to 3.0 migration guide before upgrading. The changes most likely to bite:
-snow means--seeds, not--silent(silent moved to-S). A script passing-sfor quiet output will now add a seed instead, with no error.--whitelistwas retired:-t/--targetsnow defines scope, and-s/--seedsdrives the scan.--allow-deadlywas removed, and several flags were renamed (e.g.noisytoloud).- Module options are now pydantic-validated; the legacy options dict hard-fails.
- Some event types, event attributes, and config keys were renamed or removed.
Highlights
- New HTTP engine (blasthttp): in-process, rate-limited HTTP replacing the httpx subprocess (#2992, #3021)
- New DNS engine (BlastDNS) (#3042)
- Pydantic config + preset validation: typos and type errors are caught before a scan starts (#2486, #3058)
- Scope rework: clean split between target (scope) and seeds (drivers);
--whitelistretired (#2789) - Findings and Vulnerabilities unified, with Severity and Confidence (#2436, #2740)
- asndb: faster ASN enrichment, plus ASNs usable as scan targets (#2957, #2741)
- Lightfuzz overhaul: new SSRF and ESI submodules, far fewer false positives (#2967)
- Major performance work: memory and CPU optimizations, bounded DNS caches, HTTP body stripping, string interning (#2953, #3085, #3088)
- Preset naming / tag standardization across flags, presets, and event tags (#2986)
- New modules: MongoDB / Elastic / Kafka / RabbitMQ / ZeroMQ / NATS outputs, legba, trajan, virtualhost, waf_bypass, dnsspf, Hetzner bucket
- Modules removed: wappalyzer, smuggler, digitorus, sitedossier, passivetotal, wpscan
Core & Packaging
- Packaging moved from Poetry to uv + hatchling, and supported Python is now 3.10 - 3.14 (#2900, #2731).
- Config values and presets are validated with pydantic before a scan runs, so typos and wrong types fail fast instead of silently doing nothing. The legacy per-module options dict is no longer accepted (#2486, #3058, #3119).
- Malformed YAML in a config or preset now produces a readable error instead of a stack trace (#3159).
- New
--reset-config/--reset-secretsto regenerate stale config files (#3240).
Scope & Targeting
- Scope was reworked around a target/seeds split:
-t/--targetsdefines scope,-s/--seedssupplies the starting events,--whitelistis gone, and--strict-scopenow means "this exact host only" (#2789). - ASNs can be used directly as scan targets (#2741).
- Files can be passed as targets, seeds, or blacklist entries inside presets, and target lists may contain comments (#2996, #3031).
HTTP & Web
- All web traffic now runs in-process through one shared, rate-limited client (blasthttp) instead of a separate httpx subprocess (#2992, #3021).
- HTTP wildcard/catch-all host detection cuts false positives on servers that answer every request (#3164).
429 Too Many Requestsresponses are now honored for rate limiting (#3145).- HTTP timeout settings were consolidated into one place (#3222).
- SSL verification was split so BBOT verifies its own infrastructure calls by default while still not verifying untrusted target traffic (#3186).
DNS
- New DNS resolution engine, BlastDNS (#3042).
- Fixed the DNS brute-force canary check, which was silently non-functional (#3005).
- SPF records now yield the IPs and CIDRs they authorize (#3144).
- Better graph fidelity for shared infrastructure, and noisy PTR floods are collapsed / filtered by default (#3141, #3115, #3039).
Findings & Output
- Findings and Vulnerabilities are now a single event type carrying Severity and Confidence (#2436, #2740).
- Human-readable stdout for every event type, improved URL display, and a finding-severity breakdown in the status line (#3035, #3023, #3024).
- Output modules are additive: enabling one keeps the defaults, with a new
exclude_output_modulesto opt out (#3221). - Findings are de-duplicated in output, and
--no-coloris supported (#3074).
Modules
New:
- Output modules: MongoDB, Elastic, Kafka, RabbitMQ, ZeroMQ, and NATS.
legba- credential brute-forcing across many services.trajan- scans GitHub, GitLab, Azure DevOps, Jenkins, and JFrog for misconfigurations.virtualhost- virtual-host fuzzing.waf_bypass- WAF-bypass detection.shodan_enterprise- Shodan Enterprise API integration.- Hetzner object-storage bucket enumeration.
Removed: wappalyzer, smuggler, digitorus, sitedossier, passivetotal, wpscan.
Notable improvements:
- Lightfuzz overhaul: new SSRF and ESI submodules, "try POST as GET," a default WAF filter, and a large false-positive reduction across padding-oracle, deserialization, and SQLi detection (#2967, #2950, #2784).
- webbrute reworked around HttpCompare baselines; paramminer dedup and wordlist cleanup; gowitness reliability fixes; concurrent probing in aspnet_bin_exposure (#3166, #3067, #3180).
- shodan_idb now enriches CVE findings with severity and CVSS (#3082).
- Bundled scanners and signatures updated (nuclei, trufflehog, baddns, badsecrets).
Performance
- Broad memory and CPU pass: bounded (LRU) DNS caches, HTTP response bodies stripped after processing, repeated strings interned, and reduced event-loop saturation and allocation pressure - meaningfully lower memory footprint on large scans (#2953, #3085, #3088, #3003, #3002).
Security
- Hardened pickle handling in webbrute_shortnames plus additional input-validation patches (#3200, #3196, #3201).
Documentation
- New 2.x to 3.0 migration guide and a full documentation refresh (#3128).