loading
Loading content
loading
Passive reconnaissance collects intelligence about a target without ever contacting its systems. Instead of probing the target, an operator queries sources that already hold the data: certificate transparency logs, search engine indexes, WHOIS records, code repositories, breach datasets, and passive DNS providers that record historical resolutions. Because none of these queries reach the target's infrastructure, nothing lands in its logs and the work stays undetectable.
This mode matters for two reasons. It is quiet, which suits engagements where you want to map a footprint before tipping off defenders. It is also broad, since aggregating third-party data often reveals forgotten subdomains, stale records, and assets the target itself has lost track of. Most passive work draws directly on OSINT techniques and feeds the wider recon effort.
Passive recon scales cleanly in an automated workflow. You query many data sources in parallel, normalize and deduplicate the results, and pass clean candidate hosts into subdomain enumeration and resolution. Running this on a schedule builds a historical record of how the surface drifts, all without a single packet sent to the target.
Related terms