Stage 01

Reconnaissance reveals how attackers reduce uncertainty before intrusion.

This page explains the difference between passive and active reconnaissance, why the stage matters, and what defenders can monitor for early warning signs.

Reconnaissance overview

Reconnaissance is the first stage of most attacks

During reconnaissance, attackers collect information about a target organization, system, or network before attempting intrusion. The goal is to reduce uncertainty and identify potential entry points.

Reconnaissance can generally be divided into two categories: passive reconnaissance and active reconnaissance.

Passive and active reconnaissance

Information gathering without direct target interaction

Passive reconnaissance includes examining public records, searching domain registration information, reviewing social media, or analyzing leaked credentials from previous breaches. Attackers often begin here because these techniques are difficult for defenders to detect.

Diagram showing passive reconnaissance sources such as social media, WHOIS records, public records, breach data, and company websites feeding attacker intelligence.

Direct interaction creates more precision and more risk

Active reconnaissance may involve scanning a network to identify open ports, probing web servers to determine software versions, or mapping exposed services. It provides more precise information, but it is also more likely to trigger firewalls, intrusion detection, or suspicious logging events.

Diagram showing an attacker scanning an internet-facing network through a firewall to discover exposed services and open ports.

Reconnaissance defender perspective

Why this stage matters to defenders

Reconnaissance often represents the earliest detectable stage of an attack. Monitoring unusual scanning behavior, abnormal DNS requests, and large-scale probing attempts can provide valuable warning signs before an attacker gains access.

Comparison graphic showing passive reconnaissance versus active reconnaissance with detection difficulty, visibility, and defender response notes.
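
One way to monitor for the scanning behavior described above, as an added example that is not part of the original page: a sliding-window detector that flags a source touching many distinct ports on one host. The log format, the thresholds, and the sample lines (documentation-range addresses) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) TCP (\S+):\d+ -> (\S+):(\d+)$")

def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): first alert time} for sources that touch at least
    min_ports distinct ports on one host within the sliding window.
    Assumes each source's events arrive in chronological order."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (time, port)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts, _action, src, dst, port = m.groups()
        ts = datetime.fromisoformat(ts)
        q = recent[(src, dst)]
        q.append((ts, int(port)))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Count distinct ports, so retries to one service do not alert.
        if len({p for _, p in q}) >= min_ports:
            alerts.setdefault((src, dst), ts)
    return alerts

def build_sample_log():
    """Constructed sample: one fast scanner and one ordinary client."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # 203.0.113.5 probes 15 different ports, one per second.
    for i, port in enumerate(range(20, 35)):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} DENY TCP 203.0.113.5:40000 -> 198.51.100.10:{port}")
    # 192.0.2.7 connects repeatedly to port 443 only.
    for i in range(15):
        t = (base + timedelta(seconds=i * 5)).isoformat()
        lines.append(f"{t} ALLOW TCP 192.0.2.7:50000 -> 198.51.100.10:443")
    return lines

if __name__ == "__main__":
    for (src, dst), when in detect_port_scans(build_sample_log()).items():
        print(f"possible scan: {src} -> {dst} at {when.isoformat()}")
```

The window and port threshold trade sensitivity against noise: a window that is too short misses slower probing, so tune both against normal traffic for the network being monitored.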