Pentest Process: Recon

What is recon?

Recon, short for reconnaissance, is the second phase of a penetration test. Like the scoping phase, it is methodical, deliberate, and governed by clearly defined constraints. Operating within those same constraints, recon advances the engagement by actively constructing an accurate picture of the attack surface based on observable hosts, services, identities, trust relationships, and exposure points present at the time of testing.

In the sections that follow, we will examine how recon is conducted within scope, how information is systematically gathered and validated, and why this phase largely determines the effectiveness of every step that follows.


Objectives of Recon

The primary objective of recon is to reduce uncertainty about the target environment while remaining strictly within the defined scope of the engagement. Rather than attempting to exploit systems immediately, recon focuses on understanding what systems exist, how they are exposed, and how they relate to one another through observable hosts, services, identities, access points, and trust relationships.

Recon also serves a validation function. Asset inventories, network diagrams, and documentation provided during scoping are often incomplete, outdated, or inaccurate. Recon allows the tester to confirm what is actually present and accessible at the time of testing, ensuring that subsequent phases are based on observed reality rather than assumption.


Reconnaissance within scope

Recon does not expand or reinterpret the agreed scope of an engagement. All recon activity must be conducted within the same legal, technical, and operational boundaries defined during scoping, including in-scope and out-of-scope assets, authentication limitations, authorized testing windows, and permitted techniques.

During recon, testers will inevitably encounter references to systems, domains, or services that fall outside the defined scope through sources such as DNS records, application responses, trust relationships, or network routing information. While these findings may be relevant from a risk perspective, they must not be actively tested. Instead, they should be documented and reported as observations. Maintaining scope discipline at this stage is critical, as recon is where scope creep most commonly occurs through discovery rather than intent.

Within these constraints, recon is typically conducted using a combination of passive and active techniques, each differing in level of interaction, visibility, and risk.
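The scope discipline described above can be enforced mechanically before any active step is taken. The following is an added example, not code from the original post: a hypothetical scope gate that sorts recon discoveries into an active-testing queue and an observations log. Scope values and discovered assets are constructed; CIDRs, domains and the excluded host are placeholders.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Agreed engagement scope (hypothetical helper; values below are constructed)."""
    networks: list                                    # CIDR strings in scope
    domains: list                                     # domains whose subdomains are in scope
    excluded_hosts: set = field(default_factory=set)  # explicit out-of-scope exceptions

    def classify(self, asset: str) -> str:
        """Return 'test' for an in-scope asset, 'observe' for anything else.
        Out-of-scope references found during recon are documented, never tested."""
        asset = asset.strip().lower().rstrip(".")  # normalise case and trailing dot
        if asset in self.excluded_hosts:
            return "observe"
        try:
            ip = ipaddress.ip_address(asset)
        except ValueError:
            ip = None  # not an IP literal, so treat it as a hostname
        if ip is not None:
            nets = (ipaddress.ip_network(n, strict=False) for n in self.networks)
            return "test" if any(ip in n for n in nets) else "observe"
        for d in self.domains:
            d = d.lower().rstrip(".")
            # exact match or a real subdomain; "partner-example.com" must not match
            if asset == d or asset.endswith("." + d):
                return "test"
        return "observe"


def triage(scope: Scope, discovered: list) -> dict:
    """Split recon discoveries into an active-testing queue and an observations log."""
    buckets = {"test": [], "observe": []}
    for asset in discovered:
        buckets[scope.classify(asset)].append(asset)
    return buckets


# Constructed sample scope and discoveries (e.g. from DNS records or app responses)
SAMPLE_SCOPE = Scope(networks=["10.10.0.0/24", "2001:db8::/48"],
                     domains=["example.com"],
                     excluded_hosts={"mail.example.com"})
SAMPLE_DISCOVERED = ["10.10.0.15", "10.10.1.3", "2001:db8:0:1::10",
                     "app.example.com", "mail.example.com", "partner-example.com",
                     "example.com.cdn.net", "EXAMPLE.COM."]

if __name__ == "__main__":
    for bucket, assets in triage(SAMPLE_SCOPE, SAMPLE_DISCOVERED).items():
        print(bucket, assets)
```

Anything that lands in the "observe" bucket is written up as an observation rather than fed into active recon.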

Passive reconnaissance

Passive recon involves gathering information without directly interacting with target systems in a way that alters state or generates noticeable traffic. The goal is to collect contextual and environmental data while minimizing operational impact.

This may include analyzing publicly available information, metadata, or indirect responses that reveal details about infrastructure, services, identities, or technology implementation. This type of recon is typically low risk and often performed early in the engagement, as it helps shape subsequent decisions while preserving discretion and stability.

Active reconnaissance

Active recon involves controlled interaction with in-scope systems to elicit responses that reveal additional detail about services, configurations, and access controls. Unlike passive techniques, active recon carries a higher risk of detection or unintended impact.

For this reason, active recon must be carefully scoped, rate-limited, and aligned with the rules of engagement. It is generally conducted incrementally, building on passive findings rather than attempting exhaustive discovery. When performed responsibly, active recon provides the depth and accuracy required to move confidently into exploitation while remaining within authorized boundaries.


Enumeration and Relationship Discovery

After recon, enumeration is the next logical step. This process involves systematically extracting detail from systems and services identified during recon. At this stage, the tester seeks to identify identities, roles, permissions, service configurations, trust relationships, and access paths that are reachable within scope.

Where recon establishes what exists, enumeration focuses on how those components behave, what they expose, and how they relate to one another within the environment. Effective enumeration relies on leveraging information gathered during earlier recon to deepen understanding of access, trust, and system interactions, rather than attempting indiscriminate discovery.

Because enumeration can generate large volumes of partial or low-signal data, it is easy to pursue misleading paths and waste time on findings that do not meaningfully contribute to risk. For this reason, information gathered during enumeration must be validated and correlated before further action is taken, ensuring that observed relationships are accurate and capable of supporting meaningful findings in later phases of the assessment.


Common reconnaissance pitfalls

One of the most common pitfalls during recon is overreliance on automated tools. While automation is essential for scale and coverage, tools do not determine accuracy. They generate signals based on heuristics, signatures, and assumptions that may not hold true in a given environment. Treating tool output as authoritative rather than indicative often leads to flawed conclusions about the attack surface.

This overreliance introduces the problem of false positives and false negatives. False positives occur when tools report exposures, services, or behaviors that do not actually exist, often due to generic signatures, misleading banners, or incomplete context. False negatives occur when genuine exposures are missed because they fall outside a tool’s detection logic or are obscured by environmental factors. Both distort situational awareness: false positives waste time and effort, while false negatives create blind spots that can undermine the assessment.

Another common failure is confusing discovery with validation. A true positive is only established when an observed condition can be consistently reproduced and confirmed through controlled interaction. Likewise, a true negative is determined by actively disproving an assumed exposure, not by the absence of a tool alert. Automated tools alone cannot reliably make these distinctions, as they lack the contextual understanding required to interpret behavior within scope.

Finally, poor manual follow-through compounds these issues. Recon that relies solely on automation often misses subtle behaviors, trust relationships, or access patterns that do not present as explicit findings. Manual probing is necessary to validate assumptions, correlate results across multiple sources, and determine whether a discovery meaningfully contributes to risk. Effective recon uses tools to guide attention, but depends on disciplined manual analysis to produce accurate, defensible conclusions.
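The validation and correlation rule from the enumeration section and the true-positive / true-negative distinction above can be encoded as a small triage routine. This is an added example, not code from the original post: tool output only ever contributes sources, and a status of "confirmed" or "false-positive" requires controlled manual checks. Scanner names, hosts and finding labels are constructed placeholders.

```python
from collections import defaultdict


def correlate(tool_findings, manual_checks, min_repro=2):
    """Merge tool signals with controlled manual checks and assign each
    (host, port, claim) a status. Tool output alone never yields 'confirmed'
    or 'false-positive'; only reproduction or active disproof does."""
    table = defaultdict(lambda: {"sources": set(), "repro": 0, "refuted": 0})
    for source, host, port, claim in tool_findings:
        table[(host, port, claim)]["sources"].add(source)
    for host, port, claim, reproduced in manual_checks:
        table[(host, port, claim)]["repro" if reproduced else "refuted"] += 1
    results = {}
    for key, rec in table.items():
        if rec["refuted"] and not rec["repro"]:
            status = "false-positive"   # actively disproven
        elif rec["repro"] >= min_repro and not rec["refuted"]:
            status = "confirmed"        # consistently reproduced
        elif rec["repro"] and rec["refuted"]:
            status = "inconsistent"     # needs more controlled interaction
        else:
            status = "unverified"       # tool signal only, or a single reproduction
        results[key] = {"status": status, "sources": sorted(rec["sources"]),
                        "repro": rec["repro"], "refuted": rec["refuted"]}
    return results


# Constructed sample data: two hypothetical scanners plus the tester's manual checks
SAMPLE_TOOL = [
    ("scanner-a", "10.10.0.15", 445, "smb-signing-not-required"),
    ("scanner-b", "10.10.0.15", 445, "smb-signing-not-required"),
    ("scanner-a", "10.10.0.20", 80, "directory-listing"),
    ("scanner-b", "10.10.0.30", 22, "weak-ssh-ciphers"),
]
SAMPLE_MANUAL = [
    ("10.10.0.15", 445, "smb-signing-not-required", True),
    ("10.10.0.15", 445, "smb-signing-not-required", True),
    ("10.10.0.20", 80, "directory-listing", False),
    ("10.10.0.40", 8080, "admin-panel-no-auth", True),   # missed by both tools
    ("10.10.0.40", 8080, "admin-panel-no-auth", True),
]

if __name__ == "__main__":
    for key, rec in correlate(SAMPLE_TOOL, SAMPLE_MANUAL).items():
        print(key, rec["status"], rec["sources"])
```

Entries that stay "unverified" or "inconsistent" are not carried into exploitation until further controlled interaction settles them; a finding with no tool sources but two reproductions records a false negative in the tooling.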


From reconnaissance to exploitation

With recon and enumeration complete, the assessment can now transition into exploitation. At this point, the tester has moved beyond assumptions and surface-level discovery and has developed a validated understanding of the attack surface, system behaviors, and trust relationships within scope.

Exploitation builds directly on this foundation. The next phase focuses on using confirmed findings to safely and intentionally test whether identified weaknesses can be abused to achieve the agreed success criteria, while remaining within the same legal and operational constraints defined at the outset of the engagement.

This post is licensed under CC BY 4.0 by the author.