Lord of Insomnia

words written at 3 a.m.

Recon Basics: How Hackers Gather Information

Reconnaissance is the first phase of most security assessments. It identifies technologies, exposed services, and potential weak points.

Passive recon uses public sources such as DNS records, certificates, and metadata. Active recon interacts directly with targets, for example through port scanning.

Effective recon maps attack surface: domains, subdomains, APIs, authentication flows, and third-party integrations.

"The better your recon, the fewer blind spots you'll have later."

Keep recon organized in notes with timestamps and evidence so findings are easy to validate and communicate.

Respect scope at all times — unauthorized scanning can become illegal quickly.
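
One way to keep the notes described above, as an added example that is not part of the original post: each finding gets a UTC timestamp and a SHA-256 hash of its evidence, and any target outside the agreed scope is refused. The scope values, function names, and sample evidence are constructed for illustration.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Constructed scope for illustration (reserved documentation values).
SCOPE_DOMAINS = {"example.com"}
SCOPE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def in_scope(target: str) -> bool:
    """True for an in-scope IP, an in-scope domain, or one of its subdomains."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        # Match on a label boundary so "notexample.com" does not pass.
        return any(host == d or host.endswith("." + d) for d in SCOPE_DOMAINS)
    return any(ip in net for net in SCOPE_NETWORKS)


def record_finding(notes: list, target: str, kind: str, source: str,
                   evidence: bytes) -> dict:
    """Append a timestamped note; refuse anything outside the agreed scope."""
    if kind not in ("passive", "active"):
        raise ValueError("kind must be 'passive' or 'active'")
    if not in_scope(target):
        raise PermissionError(f"{target} is out of scope; not recorded")
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": target,
        "kind": kind,
        "source": source,
        # Hash of the raw evidence lets a reviewer confirm it was not altered.
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
    }
    notes.append(entry)
    return entry


def verify(entry: dict, evidence: bytes) -> bool:
    """Re-check saved evidence against the hash stored in the note."""
    return hashlib.sha256(evidence).hexdigest() == entry["evidence_sha256"]


if __name__ == "__main__":
    notes = []
    record_finding(notes, "api.example.com", "passive",
                   "certificate transparency log",
                   b"constructed sample: CN=api.example.com")
    print(json.dumps(notes, indent=2))
```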
