RMM: Transforming Flat Reconnaissance Data Into Visual Mind Maps
Hook
Bug bounty hunters often collect thousands of subdomains during reconnaissance, but staring at a flat text file makes it nearly impossible to identify patterns, organizational structure, or attack surface hierarchy—RMM solves this with a single pipe command.
Context
Security reconnaissance workflows have a visualization problem. Tools like subfinder, amass, and assetfinder excel at discovering subdomains, often generating lists with hundreds or thousands of entries. But raw domain lists are cognitively overwhelming—it’s difficult to understand organizational structure, identify interesting patterns like staging environments clustered under specific branches, or spot anomalies that might indicate shadow IT.
Inspired by Jason Haddix’s TBHM (The Bug Hunter’s Methodology) v4 workshop, RMM (Recon MindMap) was created to bridge this gap. Instead of building yet another enumeration tool, developer Alevsk recognized that the real bottleneck was transforming existing reconnaissance output into formats that human brains can actually process. Mind mapping software like Obsidian and Xmind provide excellent hierarchical visualization capabilities, but they don’t natively understand domain structures. RMM acts as the translator, converting flat domain lists into hierarchical trees that these tools can render beautifully.
Technical Insight
At its core, RMM is a domain hierarchy parser built as a single-pass pipeline processor. The architecture is deliberately minimal: read input (stdin or file), construct a tree structure, serialize to the requested format. The tool appears to split domains on dots and build a tree from right to left, treating TLDs as roots and subdomains as nested children.
The parsing logic appears to process domains like dev.api.microsoft.com by first creating a com node, then nesting microsoft under it, then api under that, and finally dev as a leaf. When a second domain like staging.api.microsoft.com arrives, the parser likely reuses the existing com → microsoft → api path and adds staging as a sibling to dev. This deduplication would be crucial when processing large reconnaissance outputs where hundreds of subdomains might share common parent domains.
The real engineering value is in the output formatters. RMM supports multiple distinct formats, each tailored to specific mind mapping tools:
# Default list format (tab-indented hierarchy)
curl https://example.com/domains.txt | ./rmm
# Markdown format for Obsidian Mind Map plugin
curl https://example.com/domains.txt | ./rmm -o markdown
# JSON-based Canvas format for Obsidian Canvas
curl https://example.com/domains.txt | ./rmm -o obsidian > recon.canvas
# YAML for programmatic processing
curl https://example.com/domains.txt | ./rmm -o yamlThe Obsidian Canvas formatter generates JSON documents that define nodes and connections for visualization. Here’s how you’d integrate it into a reconnaissance workflow:
# Enumerate subdomains with subfinder
subfinder -d microsoft.com -silent | \
# Pass through RMM to generate Canvas format
./rmm -o obsidian > microsoft-recon.canvas
# Copy to your Obsidian vault
cp microsoft-recon.canvas ~/ObsidianVault/Security/microsoft-recon.canvasThe Docker implementation demonstrates RMM’s pipeline-friendly design. This makes it trivial to incorporate into automated reconnaissance pipelines:
# Volume mount for file input, pipe JSON output to jq for validation
docker run -v $(pwd)/domains.txt:/tmp/domains.txt \
alevsk/rmm:latest -f /tmp/domains.txt -o json | jq .The architecture choice to use stdin/stdout as the primary interface is deliberate—it follows the Unix philosophy of doing one thing well and composing with other tools. RMM doesn’t try to be an enumeration tool, a screenshot tool, or a vulnerability scanner. It’s purely a formatter that sits between reconnaissance tools and visualization software, which makes it incredibly flexible. You can chain it with any subdomain enumeration tool, feed it historical data from previous scans, or even use it to visualize DNS zone transfers.
Gotcha
RMM is intentionally limited in scope, which becomes apparent when you need anything beyond basic domain hierarchy visualization. The tool processes only domain strings—it has no concept of IP addresses, open ports, HTTP status codes, technologies detected, or any other metadata that modern reconnaissance tools typically collect. If you’re using tools like httpx or nuclei that enrich subdomains with additional context, that information is completely lost when piping through RMM.
The README explicitly marks server mode and auto-update functionality as TODO, meaning these features don’t exist despite being mentioned in the help text. There’s no web interface for teams to collaboratively visualize reconnaissance data, and you can’t automatically update the binary without manually rebuilding or pulling new Docker images. For practitioners running continuous reconnaissance, the lack of a server mode means you can’t easily share live-updating mind maps with your team—each person needs to regenerate their own visualizations from the latest domain lists.
When processing very large domain lists (thousands of subdomains), the output may require manual adjustments in your mind mapping tool. The tool also doesn’t preserve any previous manual adjustments you might have made—regenerating output files completely overwrites your previous versions and any layout customizations.
Verdict
Use RMM if you’re conducting security reconnaissance or bug bounty hunting and need to quickly transform subdomain enumeration results into visual hierarchies for pattern recognition and reporting. It excels in workflows where you’re processing domain lists from tools like subfinder, amass, or assetfinder and want to understand organizational structure at a glance. The pipe-friendly design makes it perfect for integrating into shell scripts and automation pipelines, and the multiple output formats provide genuine flexibility for different visualization tools. Skip RMM if you need metadata-rich visualizations that include port information, HTTP responses, or vulnerability data—this tool strips everything except domain hierarchy. Also skip it if you’re looking for a complete reconnaissance platform with discovery capabilities; RMM is purely a formatting utility that requires external enumeration tools. Finally, be aware that the server and update commands mentioned in the help text are not yet implemented, so plan for manual binary management and individual workflow integration.
