Reconnaissance
What is Reconnaissance?
Reconnaissance: The first phase of an attack, in which adversaries gather information about a target's people, technology, and exposure before launching intrusion attempts.
Reconnaissance is the information-gathering stage that precedes intrusion. In MITRE ATT&CK it appears as tactic TA0043 and includes techniques such as scanning IP ranges, harvesting employee names from LinkedIn, OSINT collection, DNS enumeration, and searching for exposed credentials on paste sites. It is also the first phase of the Lockheed Martin Cyber Kill Chain. Reconnaissance can be passive — pulling data already published on the internet — or active, where the attacker directly probes the target and may generate telemetry. Defenders reduce reconnaissance value through attack surface management, deception, brand monitoring, takedown services, and by detecting suspicious scanning or enumeration in network logs.
● Examples
- 01: Scraping a company's GitHub organization for hard-coded credentials and internal hostnames.
- 02: Mass scanning the internet for exposed RDP servers and pre-authentication banners.
● Frequently asked questions
What is Reconnaissance?
The first phase of an attack, in which adversaries gather information about a target's people, technology, and exposure before launching intrusion attempts. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Reconnaissance?
Defences for Reconnaissance typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- Cyber Kill Chain (defense-ops, № 265): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
- MITRE ATT&CK (compliance, № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Attack Surface Management (ASM) (defense-ops, № 072): Continuous discovery, inventory, classification, and monitoring of all assets that expose an organization to potential cyberattack.
- Threat Intelligence (defense-ops, № 1148): Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
- Initial Access (defense-ops, № 535): The MITRE ATT&CK tactic (TA0001) that covers techniques attackers use to first establish a foothold inside a target environment.
- Discovery (MITRE Tactic) (defense-ops, № 325): The MITRE ATT&CK tactic (TA0007) covering techniques attackers use to learn about a compromised environment after gaining access.