Blog · Attribution
Which recon tool actually earned the bounty? The case for attribution
Ask a hunter which of their tools earned them the most money last year and you'll usually get a shrug. They run several, findings pile up, reports eventually pay, and the connection between the payout and the tool that surfaced it is lost. That missing link has a name — attribution — and it's the difference between guessing what your stack is worth and knowing.
The problem: findings and payouts live in separate worlds
A typical recon setup produces a stream of findings from multiple sources: subdomain enumeration here, a nuclei template there, a manual poke that turned into something. Weeks later a report pays. By then, can you say which scan run surfaced the asset? Which day it first appeared? Which tool in your stack put it in front of you? Most people can't — and that means every renewal decision about paid tooling is made on vibes.
What attribution means
Attribution is stamping every finding with the context needed to trace it later: the scan run that produced it, the asset it belongs to, the date it first surfaced, and the source that found it. When those four things travel with the finding, a paid report is no longer a mystery — you can follow it straight back to the exact monitoring event that earned it.
This is the attribution loop: monitoring surfaces an asset, the asset produces a finding, the finding becomes a report, the report pays, and the payout connects cleanly back to the monitoring event at the start. Close that loop and your recon stops being a black box.
Why it decides what your stack is worth
The renewal question for any paid tool is brutally simple: what did this actually earn? Without attribution you can't answer it, so you either keep paying for tools out of habit or cut ones that were quietly carrying you. With attribution, the answer is a fact, not a feeling. You see which sources surface the assets that turn into paid reports, double down on those, and drop the ones that never earned their keep. Recon without attribution is a cost you can't measure; recon with attribution is an investment you can optimize.
It also sharpens how you hunt
Attribution isn't only a bookkeeping win. When you can see that, say, freshly-discovered subdomains on a particular kind of program convert to bounties far more often than anything else, that changes where you spend your time. The data about which monitoring events pay compounds into a sharper hunting strategy — you stop guessing which corners of your scope are worth the hours.
Building it in, not bolting it on
You can approximate attribution by hand — timestamped notes, a spreadsheet linking findings to runs — but it decays the moment you get busy, which is exactly when a bounty lands. The durable version is having it built into the platform: every finding carries its scan, asset, date, and source automatically, so the trace is always there when a report finally pays. That's the model ASMHunter is built around, and it's the answer to the renewal question that most recon tooling can't give you.
ASMHunter stamps every finding with the scan, asset, and date that surfaced it, so a paid bounty traces back to the monitoring event that earned it. Start free, or read the guide to continuous attack surface monitoring.