Reconnaissance is the information gathering phase that precedes any attack. Before attempting to exploit a vulnerability or compromise a system, a capable attacker will spend time building a detailed picture of the target: what systems are exposed, what software they run, who works there, and what relationships exist between assets.
Reconnaissance falls into two categories:
Passive reconnaissance gathers information without directly interacting with the target's systems, relying instead on publicly available sources. These include:
- DNS records
- WHOIS registration data
- SSL/TLS certificate transparency logs
- internet scanning databases such as Shodan and Censys
- LinkedIn and company websites
- job postings (which often reveal technology stacks)
- leaked credential databases
An attacker can build a substantial picture of an organisation's infrastructure and personnel without sending a single packet to that organisation's network: queries to certificate transparency logs, Shodan or WHOIS touch only the third party's servers, so the target has nothing to detect. This is the domain of OSINT (open-source intelligence).
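One concrete passive technique from the list above is mining certificate transparency logs for hostnames. The following is an added example, not code from the original page: it takes a constructed stand-in for the JSON that a crt.sh query such as `https://crt.sh/?q=%25.example.com&output=json` returns (the field names `issuer_name`, `not_before` and `name_value` are assumed from that output, and every hostname is made up), keeps only names that are genuinely under the target's apex domain, and picks out the hosts whose labels suggest remote access or non-production systems.

```python
"""Passive reconnaissance: derive an organisation's hostnames from
certificate transparency (CT) log records.

Added example, not code from the original page. SAMPLE_CT_RESPONSE is a
constructed stand-in for the JSON that a crt.sh query such as
https://crt.sh/?q=%25.example.com&output=json returns; the field names
(issuer_name, not_before, name_value) are assumed from that output and
every hostname is made up.
"""
import json
from datetime import datetime

SAMPLE_CT_RESPONSE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-01-10T08:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2023-03-02T12:30:00",
     "name_value": "vpn.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "not_before": "2022-11-15T00:00:00",
     "name_value": "*.staging.example.com\nstaging.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2024-05-20T09:15:00",
     "name_value": "VPN.example.com\njira.internal.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2024-06-01T00:00:00",
     "name_value": "example.com.evil-lookalike.net"},  # out of scope, must be dropped
])


def hostnames_from_ct(raw_json, apex):
    """Return {hostname: {"first_seen": datetime, "issuers": set, "wildcard": bool}}
    for every name in the CT records that is the apex domain or a subdomain of it."""
    apex = apex.lower().rstrip(".")
    found = {}
    for entry in json.loads(raw_json):
        issued = datetime.fromisoformat(entry["not_before"])
        # name_value holds all SANs of the certificate, one per line.
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            wildcard = name.startswith("*.")
            host = name[2:] if wildcard else name
            # Scope check on a label boundary: "example.com.evil-lookalike.net"
            # ends with "example.com" as a string but not as a domain.
            if host != apex and not host.endswith("." + apex):
                continue
            rec = found.setdefault(host, {"first_seen": issued, "issuers": set(), "wildcard": False})
            rec["first_seen"] = min(rec["first_seen"], issued)
            rec["issuers"].add(entry["issuer_name"])
            rec["wildcard"] = rec["wildcard"] or wildcard
    return found


INTERESTING_LABELS = ("vpn", "staging", "internal", "jira", "dev", "test", "admin")


def interesting_hosts(found, labels=INTERESTING_LABELS):
    """Hostnames whose DNS labels hint at remote access, non-production or
    internal systems: the ones an attacker would prioritise for active probing."""
    return sorted(h for h in found if any(lbl in h.split(".") for lbl in labels))


if __name__ == "__main__":
    hosts = hostnames_from_ct(SAMPLE_CT_RESPONSE, "example.com")
    for host, rec in sorted(hosts.items()):
        flag = " (wildcard cert)" if rec["wildcard"] else ""
        print(f"{host:32} first seen {rec['first_seen'].date()}{flag}")
    print("worth a closer look:", interesting_hosts(hosts))
```

The label-boundary check matters: a naive `endswith("example.com")` would pull a look-alike domain into scope, and a wildcard certificate tells the attacker the organisation issues names under that prefix even when the individual hosts never appear in any log.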
Active reconnaissance involves directly probing target systems, which can include:
- port scanning to identify open services, followed by banner grabbing to determine the software and version behind each
- web application crawling
- DNS enumeration
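Port scanning with banner grabbing, the first item in the list, looks like this in its simplest form. The block below is an added example, not code from the original page: to run offline it starts two throwaway listeners on 127.0.0.1 that imitate an SSH and an SMTP service (the banners are constructed), then completes a TCP handshake to each port in a list and records whatever the service says first. Point `scan_ports()` at any host you do not own only with written authorisation.

```python
"""Active reconnaissance: TCP connect scan plus banner grabbing.

Added example, not code from the original page. To run offline it starts
two throwaway listeners on 127.0.0.1 that imitate an SSH and an SMTP
service (constructed banners) and scans them alongside a closed port.
"""
import socket
import threading
from typing import Optional


def start_fake_service(banner: bytes):
    """Listen on an ephemeral loopback port and send `banner` to every client,
    as a real server-speaks-first service would. Returns (port, server_socket);
    close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_closed_port() -> int:
    """Pick a loopback port that is (almost certainly) closed right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Complete a TCP handshake, then wait briefly for the server to speak.
    Returns the banner, "" if the port is open but silent (HTTP-style
    client-speaks-first services), or None if closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                return ""
            return data.decode("utf-8", "replace").strip()
    except OSError:               # refused, timed out, unreachable
        return None


def scan_ports(host: str, ports) -> dict:
    """Sequential connect scan; returns {port: banner} for open ports only."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            results[port] = banner
    return results


def fingerprint(banner: str) -> str:
    """Turn a raw banner into the software/version string an attacker would
    look up; the two formats handled here are those of SSH and SMTP."""
    if banner.startswith("SSH-"):
        return banner.split("-", 2)[-1]         # SSH-2.0-<software> per RFC 4253
    if banner.startswith("220 "):
        return "SMTP " + banner[4:]              # 220 <greeting> per RFC 5321
    return "open, no banner" if banner == "" else "unknown: " + banner


if __name__ == "__main__":
    ssh_port, ssh_srv = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    smtp_port, smtp_srv = start_fake_service(b"220 mail.example.com ESMTP Postfix\r\n")
    for port, banner in scan_ports("127.0.0.1", [ssh_port, smtp_port, free_closed_port()]).items():
        print(f"{port}/tcp open  {fingerprint(banner)}")
    ssh_srv.close()
    smtp_srv.close()
```

Every probe here is a full TCP connection, which is exactly what makes active reconnaissance observable: each one leaves a connection log entry on the target side, and the version strings it returns are what the attacker will later match against known vulnerabilities.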
This phase generates traffic that a well-configured monitoring system could detect, although a single scan is easily lost in the constant background of internet-wide scanning, and a scan spread out over hours stays below the simple rate thresholds most monitoring relies on. Active reconnaissance typically follows passive recon and is guided by what was already learned.
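The detection side of that paragraph, as an added example that is not part of the original page: a sliding-window detector run over a constructed firewall-style log (key=value fields, addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) containing two ordinary clients, one fast scanner and one slow scanner. It flags a source the first time it has touched a threshold number of distinct destination ports within the window, and the two runs at the bottom show why the window length decides whether the slow scanner is caught at all.

```python
"""Detecting active reconnaissance: flag a source that touches many
distinct destination ports within a short window.

Added example, not code from the original page. SAMPLE_LOG is a
constructed firewall-style log with two ordinary clients, one fast
scanner and one slow scanner; all addresses are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def _sample_log_lines():
    base = datetime(2024, 5, 20, 10, 0, 0, tzinfo=timezone.utc)
    events = []

    def ev(offset_s, src, dport, action):
        ts = (base + timedelta(seconds=offset_s)).isoformat()
        events.append((offset_s, f"{ts} src={src} dst=198.51.100.10 "
                                 f"dport={dport} proto=tcp action={action}"))

    # Ordinary traffic: one port per client, repeated hits to the same port.
    ev(0, "198.51.100.20", 443, "allow")
    ev(3, "198.51.100.21", 80, "allow")
    ev(8, "198.51.100.20", 443, "allow")
    # Fast scanner: twelve ports in twelve seconds.
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443], start=1):
        ev(i, "203.0.113.7", p, "allow" if p in (22, 80, 443) else "deny")
    # Slow scanner: one port a minute, designed to stay under short windows.
    for i, p in enumerate([22, 80, 443, 445, 3389, 8080]):
        ev(60 * i, "203.0.113.99", p, "deny")
    events.sort()
    return [line for _, line in events]


SAMPLE_LOG = "\n".join(_sample_log_lines())


def detect_port_scans(log_text, window_s=10, threshold=8):
    """Sliding-window detector: one alert per source, raised the first time
    it has contacted >= threshold distinct ports within window_s seconds.
    Denied and allowed connections both count; a scanner learns from either."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, dport)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # unparseable line: skip, never crash the pipeline
        ts = datetime.fromisoformat(m["ts"])
        src, dport = m["src"], int(m["dport"])
        buf = recent[src]
        buf.append((ts, dport))
        while buf and (ts - buf[0][0]).total_seconds() > window_s:
            buf.popleft()            # drop events that fell out of the window
        distinct = {p for _, p in buf}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "time": ts.isoformat(),
                           "distinct_ports": len(distinct), "ports": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    print("10 s window, 8 ports:", detect_port_scans(SAMPLE_LOG, window_s=10, threshold=8))
    print("10 min window, 5 ports:", detect_port_scans(SAMPLE_LOG, window_s=600, threshold=5))
```

With the default ten-second window only the fast scanner is reported; widening the window to ten minutes also catches the one-port-a-minute scanner, at the cost of more state per source and a higher chance of flagging a legitimate client that happens to use several services.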
The information gathered during the reconnaissance phase shapes every decision an attacker makes: which vulnerabilities to target, which employees to approach through phishing, and which internet-facing systems to prioritise.
Organisations rarely have a complete view of what an attacker could learn about them before making contact. An OSINT and reconnaissance assessment presents this information from the attacker's perspective, revealing exposed credentials, personnel data, infrastructure details, and misconfigurations that are publicly visible but not actively monitored.