Reconnaissance is the information-gathering phase that precedes active testing in a security assessment. During recon, the tester collects as much information as possible about the target organization's infrastructure, technologies, and attack surface. The quality of reconnaissance directly determines the effectiveness of subsequent testing because it reveals where to focus attention and what attack vectors are most likely to succeed.
How It Works
Passive reconnaissance gathers information without directly interacting with the target. This includes reviewing DNS records, certificate transparency logs, WHOIS data, job postings that reveal technology stacks, public code repositories, cached web pages, and social media profiles. Passive techniques leave no trace on the target's systems and can reveal subdomains, IP ranges, email formats, technology choices, and organizational structure.
Active reconnaissance involves directly probing the target's systems. Port scanning identifies open services, banner grabbing reveals software versions, directory enumeration discovers hidden paths and files, and technology fingerprinting identifies frameworks, web servers, and content management systems. Active reconnaissance is more invasive and may be detected by security monitoring, so it is always performed within the agreed scope of an engagement.
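The paragraph above notes that active reconnaissance can be detected by security monitoring. The following is an added example, not code from the original page, showing the detection side: a small detector that parses constructed firewall log lines (the syslog-like format, the hostnames and the IP addresses are all invented for this example) and flags a source that touches many distinct destination ports on one host within a short window, which is the footprint a port scan leaves in perimeter logs.

```python
"""Port-scan detector over constructed firewall log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ts> <device> <ACCEPT|DENY> src=.. dst=.. dport=.. proto=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: benign browsing from 192.0.2.5, then a burst from
# 203.0.113.7 that touches 12 different ports on one host within 6 seconds.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z fw01 ACCEPT src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp",
    "2024-05-01T10:00:03Z fw01 ACCEPT src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp",
    "2024-05-01T10:00:09Z fw01 ACCEPT src=192.0.2.5 dst=198.51.100.10 dport=80 proto=tcp",
    "this line is malformed and must be skipped by the parser",
] + [
    f"2024-05-01T10:01:{i // 2:02d}Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 "
    f"dport={port} proto=tcp"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443])
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Flag (src, dst) pairs with >= min_ports distinct destination ports
    inside any sliding time window of length `window`.

    Both accepted and denied connections count: a scan probing closed ports
    shows up mostly as DENY lines, so filtering on ACCEPT would miss it.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_pair[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        in_window = Counter()  # distinct ports currently inside the window
        for ev in events:
            in_window[ev["dport"]] += 1
            # Slide the window start forward past events that are too old.
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                alerts.append({
                    "src": src, "dst": dst, "ports": len(in_window),
                    "first": events[start]["ts"], "last": ev["ts"],
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOGS):
        print(f"possible scan: {alert['src']} -> {alert['dst']} "
              f"({alert['ports']} ports, {alert['first']} .. {alert['last']})")
```

The thresholds (ten distinct ports in sixty seconds) are assumptions for the example; in practice they are tuned per network segment, and a low-and-slow scan spread over hours needs a longer window or a different signal such as the ratio of denied to accepted connections per source.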
The output of reconnaissance is a comprehensive map of the attack surface. This includes all discovered subdomains, IP addresses, open ports and services, web application endpoints, API documentation, technology versions, and any information that suggests potential vulnerabilities. Forgotten subdomains pointing to decommissioned infrastructure, development environments exposed to the internet, or outdated software versions are all common findings that emerge during reconnaissance and often lead to significant vulnerabilities.
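To make the attack-surface map described above concrete from the defender's side, here is an added example (not from the original page) that builds an external asset inventory from passive sources and flags the findings the paragraph names: hosts nobody registered, and DNS names pointing at infrastructure that no longer answers. The certificate transparency entries are constructed and modelled on the JSON shape that crt.sh returns (a `name_value` field holding newline-separated names); the DNS snapshot, the asset register and every hostname under `example.com` are likewise invented for this example.

```python
"""Passive attack-surface inventory check (added example, constructed data)."""
import json

# Constructed CT log entries; one SAN list per entry, wildcard and
# mixed-case names included on purpose.
CT_ENTRIES_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "api.example.com\nstaging-api.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "old-blog.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "dev.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "WWW.Example.com."},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.example.org"},  # other apex
])

# What the organisation believes it owns (constructed asset register).
ASSET_REGISTER = {"example.com", "www.example.com", "api.example.com"}

# Constructed DNS snapshot: host -> (record type, value).
DNS_SNAPSHOT = {
    "example.com": ("A", "198.51.100.10"),
    "www.example.com": ("CNAME", "example.com"),
    "api.example.com": ("A", "198.51.100.20"),
    "staging-api.example.com": ("A", "198.51.100.21"),
    "old-blog.example.com": ("CNAME", "old-blog.pages.example-hosting.invalid"),
    # dev.example.com has a certificate in CT but no DNS record any more.
}

# CNAME targets that still resolve (constructed; a real check would query DNS).
RESOLVABLE_TARGETS = {"example.com"}


def hostnames_from_ct(ct_json, apex):
    """Unique, normalised hostnames under `apex` found in CT entries.

    Wildcards are dropped: a wildcard certificate proves that a name may
    exist, not that it does, so it adds nothing to the inventory.
    """
    hosts = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
    return hosts


def classify(hosts, asset_register, dns_snapshot, resolvable_targets):
    """Split discovered hosts into the categories a reviewer acts on."""
    unknown = {h for h in hosts if h not in asset_register}
    dangling = set()
    no_record = set()
    for host in hosts:
        record = dns_snapshot.get(host)
        if record is None:
            no_record.add(host)
        elif record[0] == "CNAME" and record[1] not in resolvable_targets:
            dangling.add(host)  # points at something that no longer answers
    return {"unknown": unknown, "dangling_cname": dangling, "no_dns_record": no_record}


def build_report(apex="example.com"):
    hosts = hostnames_from_ct(CT_ENTRIES_JSON, apex)
    return classify(hosts, ASSET_REGISTER, DNS_SNAPSHOT, RESOLVABLE_TARGETS)


if __name__ == "__main__":
    for category, names in build_report().items():
        print(f"{category}: {sorted(names)}")
```

Each category maps to a different follow-up: an unknown host needs an owner, a dangling CNAME needs the record removed or the target reclaimed, and a name with a certificate but no DNS record is evidence of infrastructure that once existed and should be confirmed as decommissioned rather than merely unlisted.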
Why It Matters
Thorough reconnaissance is what separates a superficial security test from a comprehensive assessment. Attackers invest heavily in reconnaissance because understanding the target's environment reveals the path of least resistance. Security assessments that include rigorous recon consistently produce more findings and higher-impact results because they test the full attack surface rather than just the obvious entry points.
Need your application tested? Get in touch.