What is Passive vs Active Reconnaissance?
Also: Passive Recon vs Active Recon · Passive vs Active Information Gathering · Non-Intrusive vs Intrusive Reconnaissance
Definition
Passive reconnaissance collects intelligence about a target without ever sending it a packet, by mining third-party data such as certificate transparency logs, passive DNS, WHOIS, and public OSINT, so the target sees nothing. Active reconnaissance probes the target directly with traffic it can attribute to you, for example port scans or live endpoint requests, trading stealth for fresher, ground-truth data.
In depth
The split between passive and active reconnaissance is fundamentally a question of who generates the observable evidence. In passive reconnaissance the data already lives in someone else's systems, so collecting it produces no log entry on the target. MITRE ATT&CK formalizes this as the Search Open Technical Databases family (T1596), including DNS/Passive DNS (T1596.001), where adversaries query "centralized repositories of logged DNS query responses" instead of asking the target's nameservers directly. Active reconnaissance is the opposite: MITRE's Active Scanning (T1595) describes probing "victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction." That single phrase, direct interaction, is the entire dividing line.
Passive sources are richer than most people expect. Certificate transparency logs, specified in RFC 6962 as public, append-only records of issued TLS certificates (and, in practice, of nearly every publicly trusted one, since browsers require CT for them), let anyone enumerate hostnames from the Subject Alternative Name fields, surfacing staging servers, internal tools, and forgotten subdomains that never appear in a zone transfer. Passive DNS aggregators replay historical resolutions so you can see where a name pointed last year. WHOIS and registrar data, public code repositories, job postings, search-engine dorks from the Google Hacking Database, and breach dumps round out the picture. None of these touch the target; the only party that sees your query is the aggregator or search engine you asked. The trade-off is that you only learn what a third party has already indexed, so the data can be stale, partial, or silent about a host that exists but has never had a certificate issued, never been resolved publicly, or never been crawled. One practical caveat: many "passive" tools enrich their results by resolving the names they find, and a DNS lookup for a name the target hosts itself lands on the target's authoritative nameservers. Check whether your tooling does this before you rely on the stage being silent.
Active reconnaissance closes that gap by talking to the asset itself. Port scanning with Nmap confirms which ports are open right now; banner grabbing reveals the actual software and version answering; subdomain and virtual-host brute forcing finds names no public source ever recorded; and authenticated or unauthenticated requests to live endpoints confirm whether a service is genuinely reachable and what it answers with. This is ground truth rather than inference. The cost is that every probe is a packet a defender can log, rate-limit, alert on, or block. OWASP's Web Security Testing Guide frames the same distinction in an assessment context: during passive testing a tester explores the application "as a user" to understand its logic, and during active testing the tester "begins to use the methodologies described in the following sections," which is where intrusive probing begins.
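The flip side of "every probe is a packet a defender can log" is that those packets are easy to detect. The following is an added example, not code from the page or from Legba Recon, showing the two simplest scan detections a defender runs over firewall logs: a vertical scan (one source touching many ports on one host inside a short window) and a horizontal sweep (one source touching one port across many hosts). The log lines are constructed for the example, in an iptables-like field format with an ISO timestamp; the thresholds and window are assumptions to be tuned per environment.

```python
"""Added example: port-scan and port-sweep detection over constructed firewall log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 runs a vertical scan, 203.0.113.9 sweeps
# port 445 across six hosts, 192.0.2.40 is an ordinary client hitting 443.
SAMPLE_LOG = """\
2025-06-10T12:00:01Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44123 DPT=21 SYN
2025-06-10T12:00:01Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44124 DPT=22 SYN
2025-06-10T12:00:01Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44125 DPT=23 SYN
2025-06-10T12:00:02Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44126 DPT=25 SYN
2025-06-10T12:00:02Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44127 DPT=53 SYN
2025-06-10T12:00:02Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44128 DPT=80 SYN
2025-06-10T12:00:03Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44129 DPT=110 SYN
2025-06-10T12:00:03Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44130 DPT=143 SYN
2025-06-10T12:00:03Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44131 DPT=443 SYN
2025-06-10T12:00:04Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44132 DPT=445 SYN
2025-06-10T12:00:04Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44133 DPT=3389 SYN
2025-06-10T12:00:04Z fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44134 DPT=8080 SYN
2025-06-10T12:01:10Z fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=445 SYN
2025-06-10T12:01:10Z fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.11 PROTO=TCP SPT=50002 DPT=445 SYN
2025-06-10T12:01:11Z fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.12 PROTO=TCP SPT=50003 DPT=445 SYN
2025-06-10T12:01:11Z fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.13 PROTO=TCP SPT=50004 DPT=445 SYN
2025-06-10T12:01:12Z fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.14 PROTO=TCP SPT=50005 DPT=445 SYN
2025-06-10T12:01:12Z fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.15 PROTO=TCP SPT=50006 DPT=445 SYN
2025-06-10T12:02:00Z fw kernel: IN=eth0 SRC=192.0.2.40 DST=198.51.100.10 PROTO=TCP SPT=61000 DPT=443 SYN
2025-06-10T12:03:00Z fw kernel: IN=eth0 SRC=192.0.2.40 DST=198.51.100.10 PROTO=TCP SPT=61001 DPT=443 SYN
2025-06-10T12:04:00Z fw kernel: IN=eth0 SRC=192.0.2.40 DST=198.51.100.10 PROTO=TCP SPT=61002 DPT=443 SYN
2025-06-10T12:05:00Z fw kernel: not a connection record, parser must skip it
"""

# Only the fields the detections need; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*? SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_events(log: str):
    """Return (timestamp, src, dst, dport) tuples for every TCP connection line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def _windowed_distinct(events, key_fn, value_fn, threshold, window):
    """Group events by key_fn; alert if any window of `window` length holds
    at least `threshold` distinct value_fn values. Returns {key: count}."""
    groups = defaultdict(list)
    for ev in events:
        groups[key_fn(ev)].append((ev[0], value_fn(ev)))
    alerts = {}
    for key, evs in groups.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            distinct = {val for ts, val in evs[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                alerts[key] = len(distinct)
                break
    return alerts


def detect_port_scans(events, min_ports=10, window=timedelta(seconds=60)):
    """Vertical scan: one source hits >= min_ports distinct ports on one host."""
    return _windowed_distinct(events, lambda e: (e[1], e[2]), lambda e: e[3], min_ports, window)


def detect_sweeps(events, min_hosts=5, window=timedelta(seconds=60)):
    """Horizontal sweep: one source hits the same port on >= min_hosts distinct hosts."""
    return _windowed_distinct(events, lambda e: (e[1], e[3]), lambda e: e[2], min_hosts, window)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (src, dst), n in detect_port_scans(evs).items():
        print(f"port scan: {src} -> {dst} ({n} distinct ports)")
    for (src, port), n in detect_sweeps(evs).items():
        print(f"port sweep: {src} -> tcp/{port} on {n} hosts")
```

The ordinary client never trips either rule because it touches one port on one host, while both reconnaissance patterns are visible within seconds of the first probe. Note that the same rules see nothing of a certificate transparency or passive DNS query, because those never produce a firewall record in the first place.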
The practical discipline is sequencing, not choosing one or the other. Mature reconnaissance runs passive first to build the broadest possible map for free and in silence, then spends noisy active probes only against the assets that passive data flagged as interesting. This minimizes both wasted effort and detectable footprint. It is worth differentiating these two from adjacent terms: passive reconnaissance is not the same as OSINT, which is a category of source rather than a stance toward detectability; and active reconnaissance is not the same as exploitation, which attempts to actually compromise a system rather than merely characterize it. Reconnaissance, passive or active, stops at understanding the target.
Scope and authorization land very differently across the two. Passive reconnaissance against any organization relies entirely on data that is already public and held by third parties, so it generally raises no authorization question, though some jurisdictions and source terms-of-service still impose limits. Active reconnaissance is categorically different: sending probes to infrastructure you do not own, or lack written permission to test, can constitute unauthorized access under laws such as the U.S. Computer Fraud and Abuse Act. This is why every legitimate engagement begins with a defined scope and a rules-of-engagement document. The detectability that makes active recon noisy is the same property that makes it legally and contractually consequential: you are leaving attributable evidence on someone else's system.
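To make the sequencing and the scope gate concrete, here is an added example (not the page's or Legba Recon's own code) that walks the whole passive-first pipeline described above: it pulls hostnames out of certificate transparency records, deduplicates and normalizes them, then filters the result down to the only hosts that may be probed actively, namely those under an authorized apex domain and not on the exclusion list from the rules of engagement. The input mimics the JSON shape of a crt.sh query (a `name_value` field holding newline-separated SAN names plus a `not_after` expiry); the records themselves are constructed, and the example.com scope and exclusion list are assumptions.

```python
"""Added example: CT-log hostnames -> deduplicated, in-scope candidates for active probing."""
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape of crt.sh JSON output (not real CT data).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "name_value": "www.example.com\nexample.com", "not_after": "2026-03-01T00:00:00"},
    {"id": 2, "name_value": "staging-old.example.com", "not_after": "2022-06-01T00:00:00"},
    {"id": 3, "name_value": "*.internal.example.com", "not_after": "2026-01-01T00:00:00"},
    {"id": 4, "name_value": "JENKINS.Example.COM.", "not_after": "2026-01-01T00:00:00"},
    {"id": 5, "name_value": "vpn.example.com\nvpn.example.net", "not_after": "2026-01-01T00:00:00"},
    {"id": 6, "name_value": "legal.example.com\nadmin@example.com", "not_after": "2026-01-01T00:00:00"},
])

# DNS hostname, optionally with a leading wildcard label. Email SANs, IPs and junk fail this.
HOSTNAME_RE = re.compile(r"^(?:\*\.)?(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def parse_ct_names(ct_json: str):
    """Map each normalized hostname to the latest certificate expiry seen for it."""
    seen = {}
    for rec in json.loads(ct_json):
        expiry = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")   # case-fold, drop trailing dot
            if not HOSTNAME_RE.match(name):
                continue
            if name not in seen or expiry > seen[name]:
                seen[name] = expiry
    return seen


def in_scope(name: str, apexes, exclusions) -> bool:
    """Authorized if under (or equal to) an apex in the RoE and not explicitly excluded."""
    if name in exclusions:
        return False
    return any(name == apex or name.endswith("." + apex) for apex in apexes)


def active_candidates(names, apexes, exclusions, now):
    """Split passive results into (hosts we may probe, wildcard bases worth brute forcing).

    Wildcards are not hosts, so they never become probe targets; an expired
    certificate is flagged because it often marks a forgotten or dangling asset.
    """
    targets, wildcard_bases = {}, []
    for name, expiry in sorted(names.items()):
        if name.startswith("*."):
            base = name[2:]
            if in_scope(base, apexes, exclusions):
                wildcard_bases.append(base)
            continue
        if not in_scope(name, apexes, exclusions):
            continue
        targets[name] = "cert expired" if expiry < now else "current cert"
    return targets, wildcard_bases


if __name__ == "__main__":
    names = parse_ct_names(SAMPLE_CT_JSON)
    targets, bases = active_candidates(
        names,
        apexes=["example.com"],                 # assumed authorized scope
        exclusions={"legal.example.com"},       # assumed RoE exclusion
        now=datetime(2025, 6, 1, tzinfo=timezone.utc),
    )
    for host, note in targets.items():
        print(f"probe {host:28} {note}")
    for base in bases:
        print(f"brute-force candidates under *.{base}")
```

Everything up to `active_candidates` is silent with respect to the target; the only outbound traffic in the whole pipeline would be the eventual probes against the returned `targets`, which is exactly the list the rules of engagement must cover. `vpn.example.net` is dropped even though it appeared in a certificate alongside an in-scope name, because a shared certificate is not an authorization.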
Why it matters
If you do not understand which of your assets an attacker can discover passively, you are blind to the cheapest, quietest half of their playbook, and it is the half you cannot detect. An adversary can rebuild your external footprint from certificate transparency logs and passive DNS in an afternoon, for free, and your SIEM will record nothing because the queries never hit your infrastructure. The forgotten staging subdomain in a CT log, the dangling DNS record in a passive-DNS replay, and the admin panel a search engine cached are all handed to attackers before any probe you could alert on is ever sent. Conversely, if you treat active scanning as the only real reconnaissance, you will scan too narrowly, miss the assets that only passive sources reveal, and generate so much noise against the wrong targets that the genuine exposures drown in it. Getting the passive-versus-active distinction right is the difference between seeing your attack surface the way an attacker does and trusting a stale asset spreadsheet that the public internet has already contradicted.
How Legba Recon uses it
Legba Recon is built around the same sequencing a disciplined adversary uses, so you get the full passive picture before a single attributable packet is sent. It starts entirely passive: pulling certificate transparency logs, passive DNS history, and public OSINT to enumerate your real footprint of domains, subdomains, and hosts with zero traffic to your infrastructure, surfacing the forgotten and never-inventoried assets that this stage uniquely reveals. It then escalates to active reconnaissance only against the assets that passive data flagged, probing live services and grabbing banners the way MITRE's T1595 describes, so the inventory reflects what is genuinely exposed today rather than what a third party indexed months ago. Because that active step is scoped to assets you own and have authorized, Recon keeps the legally consequential probing inside clear rules of engagement. Every finding is then validated to strip false positives and mapped to a concrete exposure, so you receive not a raw passive-versus-active data dump but a prioritized report of exactly what an attacker's reconnaissance would surface, ranked by what to fix first.
Methodology
Each finding-type guide is built from Legba Recon's real detection and validation logic, reviewed by a named security contributor, and cited against primary sources such as OWASP, CISA, NIST, and MITRE. We update pages when the underlying guidance changes. See our contributors and company.
References
- 01 Active Scanning, Technique T1595 (Enterprise). MITRE ATT&CK.
- 02
- 03
- 04 WSTG: Introduction and Objectives (Passive and Active Testing). OWASP Foundation.
