In plain English
Reconnaissance is the intelligence-gathering phase that happens before an attacker makes their first move. This includes searching public sources (OSINT), scanning internet-facing systems for open ports, and identifying which software versions are running. What attackers find in this phase shapes every subsequent decision about how to attack.
Full definition
Before an attacker touches a single system, they spend time learning about the target. uses publicly available information: your company's domain registrations, job advertisements that reveal which security tools you use, LinkedIn profiles that map your org chart, and certificates logged in public transparency databases that expose internal subdomains. None of this touches your systems, so it generates no alerts.
Active reconnaissance involves probing internet-facing systems directly. Port scanning identifies which services are exposed. Banner grabbing reveals software versions. Tools like Shodan index internet-connected devices continuously, meaning an attacker does not need to scan you themselves if your firewall or camera system is already catalogued there. What they find shapes the attack: a VPN appliance running a version with a known exploit is a different opportunity than a well-patched perimeter.
In a penetration test, IronSights conducts the same reconnaissance phase an attacker would, before attempting any exploitation. This often produces findings the client did not expect: staging environments exposed to the internet, forgotten subdomains pointing to decommissioned systems, or MX records revealing an email gateway the IT team thought was internal. Knowing what an attacker can see before they act is more useful than discovering it after an incident.
