Offensive Security / Recon Index

Purpose

This index is the root entry point for the offensive-security / recon branch of the cybersecurity vault. Use it to:

- structure attacker-style discovery and enumeration thinking
- separate passive recon, active recon, enumeration, and validation workflows
- connect reconnaissance to attack surface mapping, web security, and API security
- build a repeatable operator mindset instead of ad hoc scanning

Use Reference Registry — Offensive Security as the source of truth for references in this branch.
Return to Cybersecurity Index for root navigation across branches.

Before this branch:

- Foundations (Phase 0).
- Networking — the substrate every recon technique probes.
- Attack Surface Mapping — recon turns surface into evidence.
- Pair every note with its Detection Engineering counterpart.

Recommended learning order

Phase 1 — Recon foundations

- recon
- passive-recon
- active-recon

Phase 2 — Asset and technology discovery

- public-asset-discovery
- company-mapping
- tech-stack-fingerprinting

Phase 3 — Operational enumeration

- enumeration
- subdomain-enumeration
- host-and-port-discovery

Phase 4 — Validation and transition to testing

- scope-validation
- service-validation
- recon-to-testing-handoff
- cloaking-and-security-evasion

Core offensive / recon cluster

Branch maturity

This branch is depth-mature as of 2026-04-29. All 12 atomic notes follow the canonical 11-section template, include practical labs, and now carry worked examples that turn discovered leads into validated evidence, scope decisions, and testing handoffs.

Foundations

- recon
- passive-recon
- active-recon

Asset discovery

- public-asset-discovery
- company-mapping
- tech-stack-fingerprinting

Enumeration

- enumeration
- subdomain-enumeration
- host-and-port-discovery

Validation and handoff

- scope-validation
- service-validation
- recon-to-testing-handoff
- cloaking-and-security-evasion

Scan engineering (depth)

- nmap-timing-and-evasion
- packet-fragmentation-and-decoy-scans
- masscan-internet-scale-scanning
- rustscan-and-nse-pipeline
- idle-scan-and-ipid-side-channels
- nse-vuln-category-audit

Active Directory and identity attacks

Promoted to its own branch on 2026-05-10. See Identity and Active Directory for Kerberoasting, AS-REP Roasting, BloodHound, DCSync, and related notes.

Defender-side scan telemetry

- Scan Anomaly Detection and Fingerprint Analysis
- Zeek, Suricata, and NetFlow Analysis
- EDR Network Observability and Process Correlation

Cross-links to other branches

Attack surface mapping

- attack-surface-mapping
- external-attack-surface
- endpoint-discovery
- admin-interface-discovery
- Subdomain Takeover

OSINT

- OSINT
- OSINT Triage
- Company OSINT
- OSINT Reporting

Networking

- dns-resolution
- dns-security
- ports-and-services
- nmap-scanning
- Service Enumeration

Detection engineering

- Detection Engineering
- Network Telemetry Sources and Visibility
- IDS/IPS and Behavioral Detection Pipelines

Wireless security

- Wireless Security
- Wi-Fi Monitor Mode
- Evil Twin Access Points
- Bettercap Workflows

Cloud security

- Cloud Security Basics
- Cloud Network Boundaries
- Cloud IAM Boundaries
- Public Cloud Storage Exposure

Web/API security

- api-inventory-management
- broken-access-control
- ssrf
- cors-misconfiguration
- Bot Detection Signals
- Evilginx and Reverse Proxy Phishing

Security playbooks

- test-client-ip-spoofing

Suggested future notes

- osint-triage
- search-engine-operators
- google-dorking
- breach-and-leak-intelligence
- social-media-osint
- email-and-phone-osint
- image-and-location-osint
- historical-internet-artifacts
- js-recon
- route-guessing
- wordlist-strategy
- bug-bounty-recon-loop

Possible future playbooks

- build-recon-pipeline
- map-public-attack-surface
- enumerate-admin-interfaces
- validate-staging-hosts
- enumerate-public-apis
- trace-subdomain-ownership

Branch maintenance notes

- Use reference-registry-offensive-security before adding references.
- Keep this branch focused on discovery, validation, scope, and handoff.
- Keep exploitation details in Web Security, API Security, or Security Playbooks.
- zSecurity-derived OSINT topics now live in OSINT. Keep this branch focused on recon workflow and handoff.
- zSecurity-derived wireless topics now live in Wireless Security. Keep this branch focused on general recon workflow and handoff.
- zSecurity-derived cloud topics now live in Cloud Security. Keep this branch focused on general recon workflow and handoff.
- Maintain the handoff pattern: every recon note should show how a raw clue becomes either validated context, a scoped test candidate, a no-action decision, or an owner/remediation path.

References

- Foundational: OWASP WSTG latest — https://owasp.org/www-project-web-security-testing-guide/latest/
- Research / Deep Dive: ProjectDiscovery recon series — https://projectdiscovery.io/blog/reconnaissance-a-deep-dive-in-active-passive-reconnaissance
- Foundational: OSINT Framework — https://osintframework.com/