← All posts
Guides · · 7 min read

From install to your first findings in 10 minutes

A real quickstart: install the CLI, log in, enrol a node, launch a subdomain enumeration against an authorized target, and watch findings stream in. With the exact commands.

This is the fast path: one host, the CLI, and a single workflow that produces real findings. Budget about ten minutes. By the end you will have a node online, a subdomain enumeration running across it, and an exported result set. If the nouns here (node, workflow, finding) are new to you, read the Crossfyre mental model first, then come back.

Heads up

Authorized targets only. Run scans against assets you own or have explicit written permission to test. Subdomain enumeration, port scanning, and content discovery are active reconnaissance and are illegal against systems you do not have authorization for. Pick a target you control before you start.

Step 0: prerequisites

You need a Crossfyre account (sign up free), a Linux or macOS host you can run commands on as root, and Docker installed on that host. The engines persist scan state to a local Postgres that the CLI runs as a Docker container, so Docker has to be there before you enrol the node:

bash
# install Docker if you do not have it curl -fsSL https://get.docker.com | sh

Step 1: install the CLI

One command installs the crossfyre CLI and the node worker. Every binary is signed and its SHA-256 is verified against the release manifest before it lands:

bash
curl -fsSL https://get.crossfyre.io/install.sh | sudo bash

The installer drops the binaries in /opt/crossfyre/bin and links crossfyre into your PATH. If your shell says command not found right after, open a new shell so the PATH change takes effect.

Step 2: log in

Authenticate the CLI to your account. You can use an API key, your username and password, or a browser flow:

bash
crossfyre login

This saves a session on the host so the node can talk to the control plane with credentials scoped to it.

Step 3: enrol the node

In the dashboard, go to Nodes, create a node, and copy its node key. Then on the host run node init and paste the key when prompted. This one command does a lot: it installs the engines you select, provisions the local Postgres, and installs an OS service so the node comes back up after a reboot:

bash
sudo crossfyre node init
Note

For this walkthrough, install at least voyage (subdomain enumeration). You can add the others any time with crossfyre extension install pulse or crossfyre extension install all.

Step 4: confirm the node is online

Ask the control plane what it sees. node list shows your whole fleet with live online/offline status:

bash
crossfyre node list

You want your new node showing online. If it shows offline, check the local daemons with crossfyre node status and bring the service up with sudo crossfyre node up.

Step 5: launch your first workflow

Now the recon. In the dashboard, start a subdomain enumeration workflow against an authorized target (a domain you own). The control plane decomposes the workflow into operations and dispatches them to your online node, which runs voyage: passive OSINT sources first, then active DNS brute-forcing against a wordlist.

Prefer the terminal, or want to run without the control plane at all? You can execute a workflow script locally:

bash
# run a workflow locally against an authorized domain crossfyre run subdomain-enum.cfx domain:example.com

Launching from the dashboard is what you want for the distributed version, where work spreads across your fleet and survives a dropped node.

Step 6: watch findings stream in

Open the Findings explorer. Results land live as operations complete, not in a dump at the end. Each discovered subdomain shows up as a finding you can act on. Filter the set as it grows:

  • By severity, to surface what matters first.
  • By method, to separate passive (OSINT) from active (brute-forced) discovery.
  • By host, to focus on one part of the surface.

Wire up a notification channel (Discord, Slack, or email) and you get pinged the moment the run finishes, so you do not have to sit watching the explorer.

Step 7: export

When the run is done, export the finding set for your report or your pipeline. The explorer exports to CSV, JSON, or Markdown. JSON if you are piping into other tooling, Markdown if you are dropping straight into a writeup.

That is the full loop: install, log in, enrol, launch, read, export. You now have a working node you can point at the next authorized target, and adding more nodes is the same node init on each box.

If something is off: crossfyre doctor

When a step does not behave, the first move is always the same:

bash
crossfyre doctor

doctor diagnoses the environment in one pass: whether Docker is installed and running, whether the database container is healthy, whether the release CDN is reachable, and whether your PATH is set up. Most first-run snags trace back to one of those. The two most common:

  • node init fails or engines will not start: Docker is not installed or not running. Install it from get.docker.com and start the daemon.
  • node shows offline: check local daemons with crossfyre node status, then sudo crossfyre node up.

The full command reference, requirements, and troubleshooting table live in the docs. Want to understand the credit cost of that first scan before you scale up? Read how credits work.

Create an account and have a node online in the next ten minutes.

Start free
#getting-started#cli#nodes#tutorial