Offensive Security / Recon Index
Purpose
This index is the root entry point for the offensive-security / recon branch of the cybersecurity atlas.
Use it to:
- structure attacker-style discovery and enumeration thinking
- separate passive recon, active recon, enumeration, and validation workflows
- connect reconnaissance to attack surface mapping, web security, and API security
- build a repeatable operator mindset instead of ad hoc scanning
Use Reference Registry — Offensive Security as the source of truth for references in this branch. Return to Cybersecurity Index for root navigation across branches.
Before this branch:
- Foundations (Phase 0).
- Networking — the substrate every recon technique probes.
- Attack Surface Mapping — recon turns surface into evidence.
- Pair every note with its Detection Engineering counterpart.
Recommended learning order
Phase 1 — Recon foundations
Phase 2 — Asset and technology discovery
Phase 3 — Operational enumeration
Phase 4 — Validation and transition to testing
Core offensive / recon cluster
Branch maturity
This branch is depth-mature as of 2026-04-29.
All 12 atomic notes follow the canonical 11-section template, include practical labs, and now carry worked examples that turn discovered leads into validated evidence, scope decisions, and testing handoffs.
Foundations
Asset discovery
Enumeration
Validation and handoff
Scan engineering (depth)
- nmap-timing-and-evasion
- packet-fragmentation-and-decoy-scans
- masscan-internet-scale-scanning
- rustscan-and-nse-pipeline
- idle-scan-and-ipid-side-channels
- nse-vuln-category-audit
Active Directory and identity attacks
Promoted to its own branch on 2026-05-10. See Identity and Active Directory for Kerberoasting, AS-REP Roasting, BloodHound, DCSync, and related notes.
Defender-side scan telemetry
- Scan Anomaly Detection and Fingerprint Analysis
- Zeek, Suricata, and NetFlow Analysis
- EDR Network Observability and Process Correlation
Cross-links to other branches
Attack surface mapping
- attack-surface-mapping
- external-attack-surface
- endpoint-discovery
- admin-interface-discovery
- Subdomain Takeover
OSINT
Networking
Detection engineering
- Detection Engineering
- Network Telemetry Sources and Visibility
- IDS/IPS and Behavioral Detection Pipelines
Wireless security
Cloud security
Web/API security
- api-inventory-management
- broken-access-control
- ssrf
- cors-misconfiguration
- Bot Detection Signals
- Evilginx and Reverse Proxy Phishing
Security playbooks
Suggested future notes
- osint-triage
- search-engine-operators
- google-dorking
- breach-and-leak-intelligence
- social-media-osint
- email-and-phone-osint
- image-and-location-osint
- historical-internet-artifacts
- js-recon
- route-guessing
- wordlist-strategy
- bug-bounty-recon-loop
Possible future playbooks
- build-recon-pipeline
- map-public-attack-surface
- enumerate-admin-interfaces
- validate-staging-hosts
- enumerate-public-apis
- trace-subdomain-ownership
Branch maintenance notes
- Use reference-registry-offensive-security before adding references.
- Keep this branch focused on discovery, validation, scope, and handoff.
- Keep exploitation details in Web Security, API Security, or Security Playbooks.
- zSecurity-derived OSINT topics now live in OSINT. Keep this branch focused on recon workflow and handoff.
- zSecurity-derived wireless topics now live in Wireless Security. Keep this branch focused on general recon workflow and handoff.
- zSecurity-derived cloud topics now live in Cloud Security. Keep this branch focused on general recon workflow and handoff.
- Maintain the handoff pattern: every recon note should show how a raw clue becomes either validated context, a scoped test candidate, a no-action decision, or an owner/remediation path.
References
- Foundational: OWASP WSTG latest — https://owasp.org/www-project-web-security-testing-guide/latest/
- Research / Deep Dive: ProjectDiscovery recon series — https://projectdiscovery.io/blog/reconnaissance-a-deep-dive-in-active-passive-reconnaissance
- Foundational: OSINT Framework — https://osintframework.com/