Reconnaissance is where almost every successful attack and every successful test begins. Before you can find a vulnerability, you have to know what exists. Recon is the disciplined process of discovering and mapping everything a target exposes, from domains and APIs to technologies and people. It is the first phase of nearly every offensive methodology, and the one that most often separates productive testers from frustrated ones.
Why It Matters
The quality of your reconnaissance sets a ceiling on everything that follows. You cannot exploit an endpoint you never found, test an API you never discovered, or chain a vulnerability on a subdomain you never enumerated. This is why experienced penetration testers and bug bounty hunters often spend the majority of their time on recon: a wider, more accurate map of the attack surface almost always converts into more and better findings.
The bugs that others miss usually live in the parts of the attack surface nobody bothered to map: an old API version, a forgotten subdomain, a staging server with weaker security, or an undocumented endpoint hidden in a JavaScript file. Recon is how you find them first.
Passive vs. Active Reconnaissance
Passive recon draws only on third-party sources such as DNS records, certificate transparency logs, search engines and archived pages, and sends no traffic to the target; active recon, such as port scanning or directory brute-forcing, touches the target's systems directly and can be observed and logged by them. In a bug bounty program you must keep active recon strictly within the published scope and rate limits, because aggressive scanning can be treated as an attack.
The Reconnaissance Workflow
A typical flow moves from the least intrusive to the most:
- Passive OSINT to learn the organization, its brands, and its public footprint.
- Subdomain enumeration to expand from one domain to the full estate.
- Port and service scanning with Nmap to see what is running.
- Content and endpoint discovery to map the application itself.
Core Recon Techniques and Tools
- Subdomain enumeration with Amass and Subfinder to find assets beyond the main site.
- Content and endpoint discovery with ffuf and Gobuster.
- JavaScript review to extract hidden API paths and leaked keys.
- Google dorking to surface exposed files and disclosure policies.
- Certificate transparency (crt.sh) to discover hostnames from issued TLS certificates.
- Technology fingerprinting to learn the frameworks in use and target known weaknesses.
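As an added example (not part of the original article or any tool it names), the script below shows the certificate-transparency step in practice: it parses the JSON that crt.sh returns, splits the newline-packed SAN list in each record, normalizes wildcards and case, and keeps only hostnames that fall inside the declared scope, the same scope discipline the passive/active section calls for. The crt.sh records are constructed sample data modelled on the real output format, not a live query.

```python
import json
from typing import Iterable, Set

# Constructed sample shaped like the array crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json (not a live response).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\napi.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.staging.example.com"},          # wildcard SAN
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "API.EXAMPLE.COM\nlegacy-v1.example.com"},  # mixed case, old API
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.lookalike.net\nnotexample.com"},  # out of scope
])


def in_scope(hostname: str, scope: Iterable[str]) -> bool:
    """True if hostname is an in-scope apex domain or a subdomain of one.

    The '.' boundary matters: 'notexample.com' must not match 'example.com'.
    """
    for apex in scope:
        apex = apex.lower().strip(".")
        if hostname == apex or hostname.endswith("." + apex):
            return True
    return False


def hostnames_from_crtsh(raw_json: str, scope: Iterable[str]) -> Set[str]:
    """Parse a crt.sh JSON export into a deduplicated set of in-scope hostnames.

    crt.sh packs every SAN of a certificate into one newline-separated
    `name_value` field, so a single record may yield several names.
    Wildcards (*.host) are reduced to their base label: the wildcard is not
    a resolvable host, but the base is a lead worth checking.
    """
    found: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name or " " in name:      # skip blanks and malformed SANs
                continue
            if in_scope(name, scope):
                found.add(name)
    return found


if __name__ == "__main__":
    for host in sorted(hostnames_from_crtsh(SAMPLE_CRTSH_JSON, ["example.com"])):
        print(host)
```

Feeding the result into DNS resolution and then into the service-scanning step keeps each phase's input tied to the scope list, and the same parser doubles as an inventory check for defenders watching what certificates are being issued for their domains.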
Recon in Practice
For a single application, recon means registering accounts, listing every feature and user role, and finding documentation like Swagger files, exactly the structured mapping process described in our guide to choosing your first bug bounty target. For network-level work, pair recon with a formal methodology and frameworks like MITRE ATT&CK, which catalogs reconnaissance as the first stage of real-world intrusions.
Recon is not a box you tick once and move past. The best testers return to it throughout an engagement, because every new finding reveals new parts of the attack surface worth mapping.
How We Teach Reconnaissance (Recon)
In our Cybersecurity Bootcamp, you won't just learn about Reconnaissance (Recon) in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 10: Penetration Testing and Ethical Hacking
360+ hours of expert-led training • CompTIA Security+ included