Turning Subdomain Chaos into Visual Intelligence with RMM

Hook

Security researchers often discover hundreds of subdomains during reconnaissance, then spend hours manually organizing them in spreadsheets. This single-binary Go tool eliminates that tedious workflow entirely by transforming flat domain lists into structured mind maps in seconds.

Context

Anyone who's performed reconnaissance on a target organization knows the problem: subdomain enumeration tools like subfinder, amass, or assetfinder dump hundreds or thousands of domains into a flat text file. You're left staring at lines like 'api.staging.prod.company.com' and 'admin.legacy.company.com' with no clear way to understand the infrastructure topology. Are there patterns? Which business units have the most exposed services? Where are the staging environments clustered?

Traditionally, security researchers either grep through these lists repeatedly or manually copy-paste domains into mind mapping software, painstakingly building hierarchies by hand. This is where Recon MindMap (RMM) enters. Built specifically for bug bounty hunters and penetration testers, RMM parses domain lists and automatically generates hierarchical structures that map directly to how DNS namespaces actually work. It outputs in multiple formats—plain lists, markdown, JSON, YAML, and Obsidian Canvas—so you can immediately visualize reconnaissance data in tools you already use. The tool represents a focused solution to a specific pain point: bridging the gap between reconnaissance output and the visual analysis phase where you identify attack surface and scope boundaries.

Technical Insight

RMM's architecture is refreshingly straightforward: it's a parser-formatter pipeline with zero external dependencies beyond Go's standard library. The tool reads domain names (either from stdin or a file), splits each domain on the dot separator, and constructs a tree structure where each node represents a domain component. This tree is then serialized into various output formats depending on your target visualization tool.

The core parsing logic revolves around reversing domain components to build the tree from right to left (TLD to subdomain). Here's a simplified example of how you'd use RMM in a typical reconnaissance workflow:

# First, enumerate subdomains with your tool of choice
subfinder -d example.com -silent > domains.txt

# Transform the flat list into a markdown mind map
cat domains.txt | rmm -format markdown > recon-map.md

# Or output as JSON for programmatic processing
rmm -input domains.txt -format json > domains.json

# For Obsidian users, generate a Canvas file directly
rmm -input domains.txt -format obsidian > example-recon.canvas

The Obsidian Canvas format is particularly interesting because it's a JSON structure that defines nodes (representing domain components) and edges (representing hierarchical relationships). Each node gets x/y coordinates for automatic layout, which means you can open the .canvas file in Obsidian and immediately see a visual map without manual placement. This is a significant time-saver when dealing with complex infrastructures that might have 50+ unique subdomains across multiple depth levels.

From an implementation perspective, RMM demonstrates the power of single-purpose tools. The entire codebase fits in a few hundred lines of Go, with the tree-building logic isolated in a dedicated package. This design makes the tool trivially maintainable and auditable—critical concerns when running tools during security assessments. The absence of external dependencies means you can compile RMM to a static binary and run it on any Linux system without worrying about missing libraries or version conflicts.

The multi-format output system uses Go's interface-based design. Each formatter (markdown, JSON, YAML, Obsidian) implements a common interface that accepts the domain tree and returns a serialized representation. This makes adding new formats straightforward: implement the interface, add a command-line flag case, and you're done. It's the kind of extensibility that doesn't require a plugin system or complex abstractions.

One particularly clever aspect is how RMM handles the Obsidian Canvas coordinate system. Instead of randomly placing nodes, it calculates positions based on tree depth and sibling count, creating a left-to-right, top-to-bottom layout that's immediately readable. For a domain like 'api.v2.staging.company.com', you'd see 'com' as the root, 'company' as a child, 'staging' as a grandchild, and so on, with each level indented horizontally. This spatial organization mirrors how humans naturally conceptualize domain hierarchies.

The Docker container option is another thoughtful touch for security-conscious users. Since reconnaissance often involves running unfamiliar tools on sensitive data, the containerized deployment provides isolation without sacrificing the tool's lightweight nature. You can bind-mount your domain list, run the container, and output results without installing anything on your host system.

Gotcha

RMM's singular focus is both its strength and its limitation. The tool does no validation or deduplication of input domains, which means if your reconnaissance output contains duplicates or malformed entries, they'll flow straight through to your mind map. You'll need to preprocess your data with sort -u or similar commands if you want clean output. This is a reasonable trade-off for a single-purpose tool, but it does mean RMM isn't a complete reconnaissance pipeline on its own.

The documentation reveals several incomplete features that could catch you off guard. Server mode and update functionality are marked as TODO in the README, suggesting planned features that don't yet exist. More significantly, there are no examples of complex domain hierarchies or guidance on handling edge cases like internationalized domain names (IDN) or domains with unusual TLD structures. If you're working with non-standard domains, you'll be experimenting to see what works.

The Obsidian Canvas format implementation, while functional, doesn't expose configuration options for node sizing, colors, or layout direction. You get the default layout or nothing, which may not match your preferred visual style. If you're particular about how your mind maps look, you'll likely need to manually adjust the generated Canvas file or use one of the other output formats and import it into a more configurable mind mapping tool. The tool also doesn't handle extremely large domain lists gracefully—if you're processing thousands of domains, the resulting mind map becomes visually overwhelming regardless of format, and RMM provides no filtering or grouping mechanisms to manage this complexity.

Verdict

Use RMM if you're conducting security reconnaissance or bug bounty work and regularly process subdomain enumeration results that need visual organization. It's particularly valuable if you use Obsidian for note-taking and want to integrate reconnaissance data directly into your knowledge base, or if you need to quickly generate hierarchical views of domain structures for client reports. The tool excels in environments where you need a reliable, auditable binary with no dependencies that can run in restricted or containerized contexts. Skip RMM if you need a comprehensive reconnaissance framework with validation, deduplication, and active probing capabilities—tools like aquatone or gowitness offer more complete workflows. Also skip it if your domains don't follow standard hierarchical patterns or if you require extensive customization of visualization output. RMM is a scalpel, not a Swiss Army knife: it does one thing exceptionally well but won't replace your entire recon toolkit.