RECON



1 - Use Xmind to take clean, complete notes

2 - Find acquisitions through Crunchbase

3 - ASN Enumeration - bgp.he.net

4 - ASN Enumeration from the command line (metabigor, or an online ASN lookup tool), then feed the ASN into Amass (e.g. amass intel -asn 34343)

5 - Reverse WHOIS (with whoxy.com; for automation use DomLink)

6 - Ad/Analytics Relationships (builtwith.com, also available as a Firefox extension)

7 - Google-Fu - search for the copyright text, terms of service text, and privacy policy text (e.g. "© 2019 Twitch Interactive, Inc" inurl:twitch)

8 - Shodan (Architecture scanning)

Next is finding subdomains

Subdomain Enumeration:
1 - Linked and JS Discovery
2 - Subdomain Scraping
3 - Subdomain Bruteforce

1 The workflow, Linked Discovery (Burp Suite Pro preferred)
In the Scope tab, use advanced scope control, add the host (e.g. twitch), and tick the "show only in-scope items" checkbox.

Exporting the data (the export is not clean and needs tidying):
1 - Select all hosts in the site tree
2 - (Pro only) right-click the selected hosts
3 - Go to "Engagement tools" -> "Analyze target"
4 - Save the report as an HTML file
5 - Copy the hosts from the "Target" section
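The copied host list usually mixes full URLs, ports, paths, mixed case and duplicates, so it needs the same in-scope filtering Burp applies before it is useful. This is an added example (not Burp's own export code): it normalises a constructed paste of "Target" hosts to bare hostnames, deduplicates them, and splits them into in-scope and out-of-scope by the scope suffixes you give it. The hostnames, the scope tuple and the clean_hosts name are assumptions for illustration.

```python
from typing import Optional, Tuple, List
from urllib.parse import urlsplit

# Constructed sample of a pasted "Target" section (not a real Burp export):
# mixed schemes, ports, paths, upper case and one duplicate line.
RAW_HOSTS = """
https://www.twitch.tv
https://www.twitch.tv:443/directory
http://API.twitch.tv/helix
clips.twitch.tv
https://static-cdn.example-cdn.net/assets
https://www.twitch.tv
cdn.example-analytics.com:8443
"""

# Assumed scope: the root domains you added in Burp's advanced scope control.
SCOPE = ("twitch.tv",)


def normalise_host(line: str) -> Optional[str]:
    """Reduce one pasted line to a lower-case hostname (no scheme/port/path)."""
    line = line.strip()
    if not line:
        return None
    if "://" not in line:
        # urlsplit only recognises a netloc after "//", so prefix bare host[:port]/path lines.
        line = "//" + line
    return urlsplit(line).hostname  # .hostname drops the port and lower-cases the name


def in_scope(host: str, scope: Tuple[str, ...]) -> bool:
    """Match the way a suffix-based scope rule does: the root itself or any subdomain of it."""
    return any(host == root or host.endswith("." + root) for root in scope)


def clean_hosts(raw: str, scope: Tuple[str, ...]) -> Tuple[List[str], List[str]]:
    """Return (in_scope_hosts, out_of_scope_hosts), each unique and sorted."""
    seen = set()
    kept: List[str] = []
    dropped: List[str] = []
    for line in raw.splitlines():
        host = normalise_host(line)
        if host is None or host in seen:
            continue
        seen.add(host)
        (kept if in_scope(host, scope) else dropped).append(host)
    return sorted(kept), sorted(dropped)


if __name__ == "__main__":
    kept, dropped = clean_hosts(RAW_HOSTS, SCOPE)
    print("in scope:    ", kept)
    print("out of scope:", dropped)
```

Keep the out-of-scope list rather than discarding it: third-party hosts that the application links to (CDNs, analytics) are exactly the Ad/Analytics relationships the earlier recon steps are about, and they tell you which external dependencies the target relies on.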

For automation, two tools: GoSpider and hakrawler

Subdomain Enumeration (with SubDomainizer)

1 - Find subdomains referenced in js files
2 - Find cloud services referenced in js files
3 - Use the Shannon entropy formula to find potentially sensitive items in JS files
NOTE: it takes a whole page and scans it for JS files to analyze
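The three things SubDomainizer does to a JS file (subdomains, cloud service hosts, high-entropy strings) are simple enough to show end to end. This is an added example, not SubDomainizer's code: it runs over a constructed JS fragment with regexes for hostnames and for candidate tokens, and applies Shannon entropy H = -sum(p_i * log2 p_i) over each token's own characters. The thresholds (3.0 for hex-alphabet tokens, 4.5 for base64-alphabet tokens) and the cloud suffix list are assumptions borrowed from common secret-scanner practice, and every token in the sample is made up.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed JS fragment standing in for a downloaded bundle; none of these
# hosts or tokens are real.
SAMPLE_JS = r'''
var api = "https://api.example.com/v2";
var cdn  = "https://assets-example.s3.amazonaws.com/static";
var hexToken = "a3f9c2e8d1b74f06e5a2c9d8b7e6f5a4c3d2e1f0";
var b64Token = "Qw9LkT2pXz7vB4nM8rHs3dFy6gJc1eAu";
var padding  = "aaaaaaaaaaaaaaaaaaaaaaaa";
'''

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# Candidate secrets: runs of 20+ characters from the hex/base64 alphabet.
WORD_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_CHARS = set("0123456789abcdefABCDEF")
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
# Assumed list of cloud storage suffixes worth reporting separately.
CLOUD_SUFFIXES = ("amazonaws.com", "blob.core.windows.net", "storage.googleapis.com")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: H = -sum(p * log2 p) over the characters of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((count / n) * math.log2(count / n) for count in Counter(s).values())


def find_hosts(js: str, root: str) -> List[str]:
    """Hostnames under `root` referenced anywhere in the JS (in-scope subdomains)."""
    return sorted({h for h in HOST_RE.findall(js) if h == root or h.endswith("." + root)})


def find_cloud_hosts(js: str) -> List[str]:
    """Hostnames that point at cloud storage services."""
    return sorted({h for h in HOST_RE.findall(js) if h.endswith(CLOUD_SUFFIXES)})


def find_high_entropy(js: str, hex_threshold: float = 3.0,
                      b64_threshold: float = 4.5) -> List[Tuple[str, float, str]]:
    """(token, entropy, alphabet) for tokens whose entropy exceeds the alphabet's threshold.

    A hex token can reach at most log2(16) = 4 bits, a base64 token log2(64) = 6,
    so each alphabet gets its own threshold; repetitive filler like "aaaa..." scores ~0.
    """
    hits = []
    for word in WORD_RE.findall(js):
        chars = set(word)
        if chars <= HEX_CHARS:
            alphabet, threshold = "hex", hex_threshold
        elif chars <= B64_CHARS:
            alphabet, threshold = "base64", b64_threshold
        else:
            continue
        h = shannon_entropy(word)
        if h > threshold:
            hits.append((word, round(h, 2), alphabet))
    return hits


if __name__ == "__main__":
    print("subdomains:  ", find_hosts(SAMPLE_JS, "example.com"))
    print("cloud hosts: ", find_cloud_hosts(SAMPLE_JS))
    for word, h, alphabet in find_high_entropy(SAMPLE_JS):
        print(f"high entropy ({alphabet}, {h} bits): {word}")
```

Entropy alone only says a string looks random; a CDN asset hash scores as high as a leaked key. Treat the hits as a review queue and, on the defending side, as a reason to keep credentials out of shipped bundles in the first place.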


2 Subdomain Scraping

Subdomain Scraping Sources: Infrastructure Sources, Search Sources, Certificate Sources, Security Sources

Subdomain Scraping Example(Google)
site:twitch.tv -www.twitch.tv -watch.twitch.tv -dev.twitch.tv

Subdomain Scraping (Amass)

Subdomain Scraping (Subfinder v2)

Subdomain Scraping (github-subdomains.py) written by Gwendal Le Coguic

Subdomain Scraping (shosubgo)

Subdomain Scraping (Cloud Ranges) Sam Erb has a good tool

3 Subdomain Bruteforcing

Subdomain Bruting: guessing live subdomains from a wordlist
Subdomain Bruting (Amass)
The enum subcommand with the -brute switch:
 amass enum -brute -d twitch.tv -src

You can also specify any number of resolvers and your own wordlist:
 amass enum -brute -d twitch.tv -rf resolvers.txt -w bruteforce.list

Subdomain Bruting (ShuffleDNS) - acts as a wrapper for Amass

Subdomain Bruting Lists
Tailored Wordlists
Massive Wordlists
Customized wordlists
AssetNote's wordlists can be useful

Alteration Scanning (WAF Bypass)

Other

Port Analysis (masscan) for IPs

Port Analysis (dnmasscan) for domains and acts as a wrapper for masscan

Service Scanning (brutespray) masscan > Nmap service scan -oG > Brutespray credential bruteforce

GitHub Dorking (manual) - reveals forgotten information that was made public

Screenshotting is important (Aquatone, Httpscreenshot, EyeWitness)

Subdomain takeover (Can I take over xyz) - finds exposed CNAMEs

Subdomain takeover (Subover & nuclei)

AUTOMATION++

Extending tools (Interlace) - Interlace by Michael Skelton (aka Codingo); this tool helps you automate running other tools

Extending tools (anything TomNomNom writes) - his extensive repo of tools is awesome

Frameworks tiered C, B, A, S: from C (rough) to S (very clean) frameworks
 C-tier frameworks fit well into automation

Intrigue.io, AssetNote, Spiderfoot and the Project Discovery Framework (unreleased) are S-tier. These are good programs but cost a lot for an individual doing bug bounties.




Speak less and do more; set aside your excess emotions.
Original article: https://www.cnblogs.com/ahacker15/p/14362573.html