Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.
Tactic Overview
Tactic ID: TA0043 — Matrix: Enterprise — Techniques: 11
The Reconnaissance tactic represents a phase in the adversary lifecycle where the adversary is trying to gather information they can use to plan future operations. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 11 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (11)
The following techniques are categorized under the Reconnaissance tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T1595 | Active Scanning (3 sub-techniques) | Adversaries probe victim infrastructure via network traffic to gather targeting information. Includes scanning IP blocks, vulnerability scanning, and wordlist scanning. | T1595 |
| T1592 | Gather Victim Host Information (4 sub-techniques) | Adversaries gather information about victim hosts including hardware, software, configurations, and security measures. This data informs exploitation decisions. | T1592 |
| T1589 | Gather Victim Identity Information (3 sub-techniques) | Adversaries collect victim identity information such as credentials, email addresses, and employee names to support targeting operations. | T1589 |
| T1590 | Gather Victim Network Information (6 sub-techniques) | Adversaries gather information about the victim's network topology, IP ranges, DNS records, and security appliances. | T1590 |
| T1591 | Gather Victim Org Information (4 sub-techniques) | Adversaries research victim organizations to understand business relationships, physical locations, and organizational structure. | T1591 |
| T1598 | Phishing for Information (4 sub-techniques) | Adversaries send phishing messages designed to elicit sensitive information rather than execute malicious code, targeting credentials and intelligence. | T1598 |
| T1597 | Search Closed Sources (2 sub-techniques) | Adversaries search closed or private databases including dark web forums, threat intelligence feeds, and paid services for victim information. | T1597 |
| T1596 | Search Open Technical Databases (5 sub-techniques) | Adversaries search freely available technical databases such as WHOIS, DNS registries, certificate transparency logs, and CDN data. | T1596 |
| T1593 | Search Open Websites/Domains (3 sub-techniques) | Adversaries search open websites and domains including social media, job listings, and code repositories for victim information. | T1593 |
| T1681 | Search Threat Vendor Data | Adversaries review publicly available threat intelligence vendor reports to identify defensive capabilities and security posture. | T1681 |
| T1594 | Search Victim-Owned Websites | Adversaries search victim-owned websites for sensitive information including organizational structure, contacts, and technical details. | T1594 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Pre-compromise monitoring
- Limit public exposure of organizational data
- Monitor for scanning activity
- Implement OPSEC practices
Detection Strategies
Effective detection of Reconnaissance techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
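As an added example (not code from the original page or from Mjolnir Security), the baseline-and-deviation approach applied to the "Monitor for scanning activity" mitigation for T1595: a small Python detector that parses constructed firewall allow/deny lines and flags any source that, within a sliding window, touches more distinct destination ports (vertical scan) or more distinct hosts (horizontal scan) than the baseline allows. The key=value log format, the RFC 5737 documentation addresses and the thresholds are all constructed assumptions; tune the window and limits to your own environment's baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall lines (not from any real device or incident).
SAMPLE_LOGS = """\
2026-03-07T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=22 action=deny
2026-03-07T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=80 action=allow
2026-03-07T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow
2026-03-07T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=3389 action=deny
2026-03-07T10:00:03Z src=203.0.113.5 dst=192.0.2.10 dport=8080 action=deny
2026-03-07T10:00:10Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2026-03-07T10:00:11Z src=198.51.100.7 dst=192.0.2.11 dport=443 action=deny
2026-03-07T10:00:12Z src=198.51.100.7 dst=192.0.2.12 dport=443 action=deny
2026-03-07T10:00:13Z src=198.51.100.7 dst=192.0.2.13 dport=443 action=deny
2026-03-07T10:00:14Z src=198.51.100.7 dst=192.0.2.14 dport=443 action=deny
2026-03-07T10:05:00Z src=198.51.100.9 dst=192.0.2.10 dport=443 action=allow
2026-03-07T10:05:30Z src=198.51.100.9 dst=192.0.2.10 dport=443 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse_events(text):
    """Parse the constructed key=value format into (time, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole batch
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(dport), action))
    return events

def detect_scanning(events, window_seconds=60, max_ports=4, max_hosts=4):
    """Return {src: label} for sources exceeding the per-window baseline of distinct
    ports (vertical scan) or distinct destination hosts (horizontal scan)."""
    per_src = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp so the window slides forward
        per_src[ev[1]].append(ev)
    alerts, window = {}, timedelta(seconds=window_seconds)
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1             # drop events that fell out of the window
            span = evs[start:end + 1]
            if len({e[3] for e in span}) > max_ports:
                alerts[src] = "vertical_scan"
            elif len({e[2] for e in span}) > max_hosts and src not in alerts:
                alerts[src] = "horizontal_scan"
    return alerts
```

Denied connections count alongside allowed ones on purpose: a scan that is blocked is still reconnaissance worth alerting on, and a single allowed hit among many denies is the pattern a baseline-only view would miss.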
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Reconnaissance tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Reconnaissance Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
Written by Mjolnir Security Research — Published March 7, 2026
