Reconnaissance
The initial phase of penetration testing where information about the target is gathered to identify potential attack vectors and entry points.
Reconnaissance (recon) is the first phase of any penetration test, involving systematic information gathering about the target to map its attack surface and identify potential vulnerabilities. Recon is divided into passive reconnaissance (gathering information without directly interacting with the target, using OSINT, DNS records, and certificate transparency logs) and active reconnaissance (directly probing the target with port scans, directory brute-forcing, and service enumeration).
Key reconnaissance activities include: subdomain enumeration (finding all subdomains of a target domain), port and service scanning (identifying running services), technology fingerprinting (identifying web servers, frameworks, and libraries), directory and file discovery (finding hidden paths and backup files), and API endpoint enumeration.
Thorough reconnaissance often determines the success of a pentest — the more complete the attack surface map, the more likely critical vulnerabilities are to be found.
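Active recon leaves traces on the target. The following added example (not APVISO code) shows how a defender can spot directory and file discovery in a web access log: it flags clients whose requests are mostly distinct 404 paths and lists any backup-file probes. The log lines, IP addresses, thresholds and the function name `detect_path_discovery` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /index.php.bak HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /config.old HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /db.sql HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2025:10:01:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2025:10:01:11 +0000] "GET /products HTTP/1.1" 200 7300
198.51.100.20 - - [10/Mar/2025:10:01:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2025:10:01:30 +0000] "GET /cart HTTP/1.1" 200 4100
"""

# Captures: client IP, request target, HTTP status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})\b')
# Paths that look like backup files or exposed VCS metadata.
BACKUP_RE = re.compile(r'(\.(bak|old|orig|swp|sql|zip|tar\.gz)|~)$|/\.git/', re.I)

def detect_path_discovery(log_text, min_404_paths=5, min_404_ratio=0.7):
    """Return {client_ip: stats} for clients whose traffic looks like path enumeration."""
    total = defaultdict(int)      # requests per client
    missing = defaultdict(set)    # distinct paths answered with 404
    backup = defaultdict(set)     # distinct backup-style paths requested
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path = target.split("?", 1)[0]
        total[ip] += 1
        if status == 404:
            missing[ip].add(path)
        if BACKUP_RE.search(path):
            backup[ip].add(path)
    flagged = {}
    for ip, n in total.items():
        distinct = len(missing[ip])
        if distinct >= min_404_paths and distinct / n >= min_404_ratio:
            flagged[ip] = {"requests": n, "distinct_404": distinct,
                           "backup_probes": sorted(backup[ip])}
    return flagged

if __name__ == "__main__":
    print(detect_path_discovery(SAMPLE_LOG))
```

The thresholds need tuning against normal traffic for the site; a single missing favicon, as in the second client's requests, should not trip the rule.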
How APVISO tests for this: APVISO has a dedicated recon agent that performs comprehensive attack surface mapping. It discovers subdomains via DNS brute-forcing and certificate transparency, scans for open ports and services, fingerprints web technologies, and enumerates directories and API endpoints — building a complete target profile before the scanner agent begins testing.