Someone Is Already Watching: What Passive Recon Reveals Before You Do
Here’s a question worth sitting with: do you know who’s already looking at your organization’s infrastructure?
Not hypothetically. Right. Now. Before any engagement begins, before any audit is scheduled. There’s a universe of data about your external attack surface that exists whether you look at it or not. Certificate transparency logs. Continuous internet-wide port scans. Archives of every URL anyone’s ever submitted for public analysis. Historical crawl databases going back years.
An attacker doesn’t need to knock on your door. They can learn a lot about your organization from the virtual sidewalk.
I was recently engaged by a client to perform a Phase 1 attack surface assessment, passive reconnaissance only. No credentials, no inside access, no active probing. Just open-source intelligence sources and the same methodology an attacker would use in the first stage of targeting an organization.
Before I found my first vulnerability, I found something I wasn’t looking for.
Evidence of Active Targeting
Correlating data across multiple public sources, I found evidence that the client was already under active external reconnaissance by an unknown actor. This wasn’t theoretical risk: it was documented, timestamped activity in public databases. Someone had been systematically monitoring the client’s infrastructure in ways consistent with target development.
The unsettling part: we found this because we looked. The client had no monitoring, no alerting, no visibility into any of it. The reconnaissance was happening silently. Nobody knew.
What Passive Recon Actually Finds
The assessment surfaced findings across several categories:
Shadow IT and exposed infrastructure. Services that were legitimate and business-critical were running on bare IP addresses: no WAF coverage, no DDoS protection, sometimes with default or expired certificates. They weren’t being accessed intentionally from the outside. They were just reachable.
Vendor trust chains. Every third-party vendor you’ve ever onboarded left a trace. CNAME records, subdomain delegations, certificate Subject Alternative Names: all of it is public record. We reconstructed a detailed vendor inventory entirely from DNS and certificate log data. More importantly, we found a case where a vendor relationship had ended but the DNS record hadn’t been cleaned up, leaving a subdomain takeover risk: an attacker could have served content under the client’s own domain.
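Rebuilding the vendor inventory from CNAME data and flagging delegations whose vendor side has gone away is the kind of check a defender can script. The following is an added example written for this post, not the assessment's own tooling; the records, the `LIVE_TARGETS` set and the `vendor_of` helper are constructed assumptions, and `dns_resolves` is the real lookup you would use against your own zone.

```python
import socket
from collections import defaultdict

# Constructed sample: (subdomain, CNAME target) pairs of the kind passive DNS
# or certificate transparency data yields for a fictional example.com estate.
CNAME_RECORDS = [
    ("support.example.com", "example.zendesk.com"),
    ("status.example.com", "example.statuspage.io"),
    ("events.example.com", "example-old.herokuapp.com"),
    ("shop.example.com", "shops.myshopify.com"),
]

# Constructed sample of targets that still resolve, so the check runs offline.
LIVE_TARGETS = {"example.zendesk.com", "example.statuspage.io", "shops.myshopify.com"}


def dns_resolves(name):
    """Real resolver for live use: True if the name has any address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def vendor_of(target):
    """Hypothetical helper: approximate the vendor by the last two DNS labels.
    Good enough for an inventory; a public-suffix list would be more exact."""
    return ".".join(target.rstrip(".").lower().split(".")[-2:])


def build_vendor_inventory(records):
    """Group our subdomains by the vendor domain their CNAME points into."""
    inventory = defaultdict(list)
    for subdomain, target in records:
        inventory[vendor_of(target)].append(subdomain)
    return dict(inventory)


def find_dangling(records, resolves=dns_resolves):
    """A CNAME whose target no longer resolves is a takeover candidate:
    the delegation still exists on our side while the vendor side is gone."""
    return [(s, t) for s, t in records if not resolves(t)]


if __name__ == "__main__":
    for vendor, subs in sorted(build_vendor_inventory(CNAME_RECORDS).items()):
        print(f"{vendor}: {', '.join(subs)}")
    for subdomain, target in find_dangling(CNAME_RECORDS, lambda t: t in LIVE_TARGETS):
        print(f"DANGLING {subdomain} -> {target}")
```

Run it periodically against a fresh export of your own CNAME records; any line flagged as dangling is a record to delete or re-point before anyone else notices it.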
Data leakage through public URL archives. Historical crawlers had captured URLs containing what appeared to be PII and session-adjacent tokens, the result of a feature that put sensitive data in query strings instead of request bodies. The data was old, but it was sitting in a public database, indexed and searchable.
End-of-life software on production-adjacent infrastructure. Shodan’s continuous scanning had already found and catalogued open ports, service banners, and software version strings across the client’s footprint. We found a server running an end-of-life web server with known CVEs. Not buried in a dev environment, but sitting adjacent to production, exposed to the internet.
What We Did About It
One critical finding was remediated during the engagement itself: the dangling subdomain was reclaimed before we were finished. The rest was documented, prioritized, and handed off with specific remediation guidance.
The more important outcome was visibility. Before the assessment, the client had no structured picture of their external attack surface. After it, they had a complete inventory: every subdomain, every IP, every vendor relationship that had left a trace in public data, with risk context attached.
That’s the real value. It’s not just finding vulnerabilities. It’s building the map.
Phase 1 Is the Floor, Not the Ceiling
Everything above was accomplished with zero active probing. No requests were sent to the client’s servers. No authentication was attempted. No scanners were run against anything. This was entirely passive: the reconnaissance any attacker performs before doing anything that could be detected.
Phase 2 (active recon actually touching the infrastructure) and Phase 3 (vulnerability scanning and validation) go significantly deeper. What passive recon finds is the baseline. The floor. And in this case, the floor was already busy.
Think your attack surface is under control? It might be worth verifying. Let’s talk. A passive recon engagement is a low-risk, high-signal way to find out what the internet already knows about your organization.
Want the personal version behind this story?
root@wolf-solutions:~$ cat blog --verbose