loading
Loading content
loading
Also known as recon
Reconnaissance is the information-gathering phase that opens almost every engagement. Before touching a target, an operator builds a picture of its domains, IP ranges, technologies, employees, and exposed services. The quality of this phase shapes everything that follows, since you cannot test what you never found.
Recon splits into two modes. Passive recon pulls from third-party sources, such as certificate logs, search engines, and public datasets, without sending traffic to the target. Active recon queries the target directly through probes like port scans and DNS lookups, which is louder but more complete. Most of the data-gathering side draws on OSINT, the practice of mining openly available information.
In practice recon means enumerating the footprint: subdomain enumeration to find hostnames, DNS enumeration to map records and resolve them to IPs, and asset discovery to tie everything into a single inventory.
Recon suits automation well because it is repetitive and benefits from breadth. A workflow can run dozens of discovery tools in parallel, merge and deduplicate their output, and re-run on a schedule so the inventory tracks a surface that never stops changing.
Related terms