What is Reconnaissance?
Also: Recon · Information Gathering · Footprinting · OSINT Collection
Definition
Reconnaissance is the information-gathering phase of an attack or assessment in which an adversary or tester collects intelligence about a target's organization, infrastructure, and people to plan everything that follows. It is the first tactic in the MITRE ATT&CK Enterprise matrix (TA0043) and splits into passive techniques that never touch the target and active techniques that probe it directly.
In depth
Reconnaissance answers a single question before anyone touches a payload: what does the target actually look like from the outside? In MITRE ATT&CK terms it is tactic TA0043, defined as the phase where "the adversary is trying to gather information they can use to plan future operations." It sits in the PRE (pre-compromise) stage, ahead of Resource Development and Initial Access, because the quality of every later move depends on how accurately the attacker has mapped the terrain. The same logic underpins a legitimate engagement: OWASP's Web Security Testing Guide opens its methodology with an entire Information Gathering category precisely because, in its words, before attacking an application you need to understand it.
The first axis everyone learns is passive versus active. Passive reconnaissance never sends a packet that the target can attribute to you. It leans on open-source intelligence (OSINT): WHOIS and registrar records, public DNS data, certificate transparency logs, code repositories, job postings, breach dumps, and search-engine dorking against the Google Hacking Database. Because the data already lives in third-party systems, the target sees nothing and the activity is effectively undetectable. The trade-off is staleness and incompleteness: you only learn what someone else has already indexed.
Active reconnaissance closes that gap by interacting with the target directly, and MITRE captures it as Active Scanning (T1595) with three sub-techniques: Scanning IP Blocks (T1595.001), Vulnerability Scanning (T1595.002), and Wordlist Scanning (T1595.003). This is port scanning with Nmap, banner grabbing, virtual-host and subdomain brute forcing, and probing live endpoints. Active recon is far richer: it confirms which hosts are actually up, which ports are open right now, and which software versions are running. But every probe is a packet the defender can log, alert on, or block. The art of the discipline is sequencing: harvest everything cheaply and silently with passive methods first, then spend noisy active probes only where the passive picture says something interesting lives.
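The defender's side of that trade-off, as an added example that is not code from the original page: a small Python detector run over constructed connection-log lines that flags the two shapes Scanning IP Blocks (T1595.001) produces, many ports on one host and one port across many hosts. The log format, the 60-second window, and the thresholds are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic): "<timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 198.51.100.10 21 DROP
2024-05-01T10:00:00 203.0.113.7 198.51.100.10 22 ACCEPT
2024-05-01T10:00:01 203.0.113.7 198.51.100.10 23 DROP
2024-05-01T10:00:01 203.0.113.7 198.51.100.10 80 ACCEPT
2024-05-01T10:00:02 203.0.113.7 198.51.100.10 443 ACCEPT
2024-05-01T10:00:02 203.0.113.7 198.51.100.10 3389 DROP
2024-05-01T10:00:05 203.0.113.9 198.51.100.10 3389 DROP
2024-05-01T10:00:05 203.0.113.9 198.51.100.11 3389 DROP
2024-05-01T10:00:06 203.0.113.9 198.51.100.12 3389 DROP
2024-05-01T10:00:06 203.0.113.9 198.51.100.13 3389 DROP
2024-05-01T10:00:07 203.0.113.9 198.51.100.14 3389 DROP
2024-05-01T10:30:00 192.0.2.50 198.51.100.10 443 ACCEPT
2024-05-01T10:31:00 192.0.2.50 198.51.100.10 443 ACCEPT
"""
WINDOW = timedelta(seconds=60)  # assumed correlation window

def parse(log):
    """Yield (timestamp, src, dst, dport) from the constructed log format."""
    for line in log.splitlines():
        ts, src, dst, port, _action = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def detect_scans(log, port_threshold=6, host_threshold=5):
    """Return {src: kind} for sources that, within WINDOW, touch many ports on one
    host (vertical scan) or one port on many hosts (horizontal sweep)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse(log):
        by_src[src].append((ts, dst, port))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for _, dst, port in window:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                findings[src] = "vertical port scan"
                break
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                findings[src] = "horizontal sweep"
                break
    return findings
```

Thresholds are tuning knobs: a single source legitimately reaching a handful of ports on one host should stay below them, while a sweep of one port across a block should not.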
It is worth distinguishing reconnaissance from the terms it is often confused with. Discovery (TA0007 in ATT&CK) is internal enumeration performed after a foothold already exists; reconnaissance is the external, pre-access view. Scanning and enumeration are techniques used during recon, not synonyms for it. And attack surface management is the continuous, defensive practice of running this same reconnaissance against yourself, on a schedule, so that you find the exposed RDP port, the dangling DNS record, or the public storage bucket before an adversary indexes it. Reconnaissance is the verb; your attack surface is the noun it produces.
Reconnaissance also feeds directly into the rest of the kill chain. The output, a prioritized inventory of hosts, services, technologies, identities, and likely entry points, is what lets an attacker choose a reliable initial-access vector instead of guessing. MITRE notes that recon intelligence is leveraged to plan and execute Initial Access, to scope and prioritize post-compromise objectives, and to drive further reconnaissance. That feedback loop is why thorough recon makes attacks both more likely to succeed and harder to detect: the attacker arrives already knowing where the soft spots are.
Why it matters
The uncomfortable truth is that an attacker's reconnaissance is happening whether you participate or not, and the asymmetry favors them. Certificate transparency logs, DNS history, code-hosting platforms, and search-engine caches are public; a determined adversary can build a complete map of your forgotten subdomains, exposed admin panels, and leaked keys in an afternoon, for free, without ever tripping an alert. Every asset you have not catalogued is an asset they will catalogue for you. The cost of skipping this discipline is not abstract: the breaches that hurt most are rarely the cleverly engineered ones; they are the exposed environment file, the dangling DNS record, or the open database that nobody on the defending side knew was reachable. If you do not run reconnaissance against yourself, you are trusting that the version of your attack surface an adversary assembles during MITRE's PRE stage matches the version in your asset spreadsheet. It almost never does.
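Running reconnaissance against yourself, as the attack surface management paragraph and the passage above describe, as an added Python example that is not Legba Recon's code: it builds a host inventory from certificate transparency data and diffs it against a known-asset list, separating hosts the inventory has never heard of from hosts whose only certificates have expired. The records are constructed in the shape of a crt.sh-style JSON export; the field names name_value and not_after and the scope domain example.com are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample records (not real certificates), shaped like a crt.sh-style
# JSON export; the field names name_value and not_after are assumed.
CT_EXPORT = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "Staging-Admin.example.com.", "not_after": "2026-03-01T00:00:00"},
    {"name_value": "old-vpn.example.com", "not_after": "2022-06-30T00:00:00"},
    {"name_value": "cdn.example.net", "not_after": "2026-01-01T00:00:00"},
])
KNOWN_ASSETS = {"example.com", "www.example.com"}  # what the asset inventory says

def normalize(name):
    """Lower-case and strip the trailing dot; a wildcard entry is reduced to the
    zone it covers because it names no concrete host."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def ct_names(export, scope_suffix, now):
    """Return {hostname: has_unexpired_cert} for names under scope_suffix."""
    seen = {}
    for rec in json.loads(export):
        expiry = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for raw in rec["name_value"].split("\n"):
            host = normalize(raw)
            if host == scope_suffix or host.endswith("." + scope_suffix):
                seen[host] = seen.get(host, False) or expiry > now
    return seen

def surface_gaps(export, scope_suffix, known, now):
    """Split CT-discovered hosts into those absent from the asset inventory and
    those whose every certificate has expired (candidates for dangling DNS)."""
    names = ct_names(export, scope_suffix, now)
    unknown = sorted(h for h in names if h not in known)
    stale = sorted(h for h, valid in names.items() if not valid)
    return unknown, stale
```

Names in the unknown list are exactly the assets the passage warns about: the adversary already has them, and the spreadsheet does not.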
How Legba Recon uses it
Reconnaissance is not just a phase Legba Recon understands; it is the engine the product is built on, run continuously and from the same outside-in vantage point an attacker uses. Recon starts passively, the way an adversary would: it pulls certificate transparency logs, DNS records, and public sources to enumerate your real footprint of domains, subdomains, and hosts, with zero packets sent to your infrastructure. It then escalates to active scanning only where that passive picture warrants it, probing live services and software the way MITRE's T1595 describes, so the inventory reflects what is actually exposed today rather than what a stale spreadsheet claims. Crucially, Recon does not stop at a list. Every finding is validated to cut false positives and then mapped to a concrete exposure (an open RDP port, a takeover-able subdomain, a world-readable bucket), so your team sees not just "here is your attack surface" but "here is exactly what an attacker's reconnaissance would hand them, ranked by what to fix first." You get the attacker's recon report before the attacker does.
Methodology
Each finding-type guide is built from Legba Recon's real detection and validation logic, reviewed by a named security contributor, and cited against primary sources such as OWASP, CISA, NIST, and MITRE. We update pages when the underlying guidance changes. See our contributors and company.
References
- Reconnaissance, Tactic TA0043 - Enterprise. MITRE ATT&CK.
- Active Scanning, Technique T1595 - Enterprise. MITRE ATT&CK.
- OWASP Web Security Testing Guide. OWASP Foundation.
