02
15 min read · 5 briefings

Reconnaissance & OSINT

Before an attacker touches your systems, they read everything you left lying in the open.

01 Passive vs. active reconnaissance

Reconnaissance is stage one of the Kill Chain and, quietly, the stage where most of the real work happens. It splits into two modes distinguished by whether you interact with the target at all.

Passive reconnaissance gathers information without sending a single packet to the target's own infrastructure. You read public records, search engines, social media, code repositories, and third-party databases. Because you never touch the target, it is nearly undetectable and, for public data, generally lawful. Active reconnaissance interacts directly — pinging hosts, resolving DNS against the target, connecting to a service to read its banner. It yields fresher, more precise data, but it leaves logs and, done without authorization, it can already cross the legal line.

PassiveActive
Touches target?NoYes
Detectable?RarelyYes — appears in logs
Data freshnessCan be staleCurrent
Authorization needed?Public data: generally noYes, if it probes systems you do not own
Insight Defenders should assume the passive picture of their organization is already complete in an adversary's hands. The useful question is not "can they find this?" but "given that they can, does it help them?"

02 Open-source intelligence (OSINT)

OSINT is intelligence assembled entirely from publicly available sources. Individually each source is innocuous; the danger is in the aggregation. A patient analyst stitches fragments into a map of your organization's people, technology, and habits. Common source categories include:

  • Domain and network records — WHOIS registration data, DNS records, and Certificate Transparency logs, which publicly list every TLS certificate ever issued for your domains, quietly revealing subdomains you thought were private.
  • Internet-wide scan data — services like Shodan and Censys continuously index exposed devices and services, so an attacker can query for your exposed assets without ever scanning you.
  • People data — job postings that name your exact tech stack, LinkedIn org charts, conference talks, and employee social media.
  • Code and documents — public code repositories with committed secrets, and document metadata (EXIF, authorship, software versions) embedded in published PDFs and images.
Watch out A recruiter's post reading "seeking an engineer with 5 years of Fortinet, Splunk, and Okta experience" is a free inventory of your security stack. Attackers read job ads as reconnaissance documents.

03 Footprinting and attack surface mapping

Footprinting is the systematic build-out of a target's profile from those OSINT fragments: which domains and IP ranges it owns, which cloud providers it uses, who its employees are, and which technologies it runs. The end product is a picture of the attack surface — the total set of points where an unauthorized user could try to enter or extract data.

Attack surface is bigger than most organizations think. It includes obvious things (the corporate website, the VPN gateway) and forgotten ones: a marketing microsite from a campaign three years ago, a staging server someone spun up "temporarily," an S3 bucket left public, a subdomain pointing at a decommissioned service that an attacker can re-register (a subdomain takeover).

You cannot defend an asset you do not know you own. Shadow IT is not a policy problem; it is an unmonitored attack surface.

Modern practice treats this as a continuous discipline called External Attack Surface Management (EASM): tooling that repeatedly rediscovers everything the organization exposes to the internet, from the outside, the way an attacker would. The goal is to shrink surprises — to make the defender's map at least as complete as the adversary's.

04 Why oversharing is a real risk

The most damaging reconnaissance material is often given away freely, because no single disclosure feels risky. This is aggregation risk: the whole is far more dangerous than the sum of its parts.

Consider how a targeted phishing pretext gets built. From a conference talk, an attacker learns your company migrated to a specific cloud platform. From LinkedIn, they identify the engineer who led it and the executive she reports to. From a data broker or a past breach, they find her personal email and phone number. From a photo she posted from the office, EXIF metadata and a visible badge reveal the building and the badge design. None of these facts is secret. Assembled, they are a convincing, personalized lure — the raw material for spear phishing.

Insight Oversharing is rarely one careless act; it is the cumulative exhaust of normal professional life. That is what makes it hard to police and important to design around.

The lesson is not "post nothing." It is to recognize that public information has a second audience, and to keep the highest-value details — internal tooling, security controls, org structure, travel plans of executives — off the public record by default.

05 How defenders shrink their footprint

Defenders cannot un-publish the internet, but they can systematically reduce and monitor what they expose. The playbook is conceptual and entirely defensive:

  • Maintain an authoritative asset inventory. Know every domain, IP, cloud account, and service you own. Most breaches of exposed assets trace back to something nobody knew was there.
  • Practice data minimization. Strip metadata from published documents, scrub secrets from code before it goes public, and keep tech-stack specifics out of job postings where possible.
  • Decommission cleanly. Tear down old subdomains and DNS records so they cannot be hijacked, and retire staging systems rather than leaving them exposed.
  • Monitor your own exposure. Query Certificate Transparency and internet-scan data about yourself, and watch breach-notification and paste sites for leaked credentials.
  • Train people on the aggregation risk so employees understand why a harmless-looking post can complete an attacker's picture.
Pro tip The single highest-leverage defensive habit here is inventory. Attack surface management fails the moment your inventory is out of date, because you end up defending the assets you remember while the attacker probes the ones you forgot.

Field Glossary

Passive reconnaissance
Information gathering that never touches the target's own systems, relying instead on public and third-party sources; nearly undetectable.
Active reconnaissance
Directly probing a target's infrastructure (pinging, DNS resolution, banner grabbing) for fresher data, at the cost of leaving detectable traces.
OSINT
Open-Source Intelligence — actionable intelligence assembled from publicly available data, where the danger lies in aggregating many innocuous sources.
Attack surface
The complete set of points where an unauthorized actor could attempt to enter, interact with, or extract data from a system or organization.
Certificate Transparency
Public, append-only logs of issued TLS certificates that inadvertently reveal an organization's subdomains and internal hostnames.
Subdomain takeover
Hijacking a subdomain whose DNS still points at a decommissioned or unclaimed service, letting an attacker host content under the victim's domain.
EASM
External Attack Surface Management — continuously rediscovering an organization's internet-exposed assets from the outside to close the gap with an attacker's view.

Knowledge Check

Field Assessment

0 / 3

01 What most clearly separates passive from active reconnaissance?

02 Why is a detailed job posting a reconnaissance concern?

03 Which defensive practice most directly addresses forgotten, exposed assets?

ESC
↑↓ navigate jack in