Comprehensive Recon Guide

A practitioner’s reference for web reconnaissance — attack surface discovery, subdomain enumeration, live host probing, content discovery, JS mining, cloud asset hunting, automation, and continuous monitoring. Compiled from 23 research sources.

Table of Contents: Fundamentals; Scope & Target Profiling; Subdomain Enumeration; DNS Brute Force & Permutation; Live Host Discovery & HTTP Probing; Port Scanning; URL & Endpoint Crawling; JavaScript Analysis; Content & Directory Discovery; Parameter Discovery; Technology Fingerprinting; Cloud Asset Discovery; GitHub & Code Leak Hunting; ASN & Infrastructure Expansion; Wordlist Resources; Automation Pipelines; Continuous Monitoring; Real-World Recon Wins; Quick Reference

1. Fundamentals

Recon is 80% of offensive security. The researchers who earn six figures aren’t running more tools than everyone else — they’re running them in smarter pipelines, feeding the output of one into the next, and manually reviewing the long tail that automation misses. Every hour spent deepening the asset inventory pays off when hunting begins: more subdomains means more parameters, more endpoints, more code paths, more chances for a bug nobody else has seen. ...

April 10, 2026 · 25 min · Carl Sampson

Comprehensive OSINT Guide

A practitioner’s reference for Open Source Intelligence — methodology, collection disciplines, tooling, pivoting techniques, and operational security. Compiled from 34 research sources.

Table of Contents: Fundamentals; The OSINT Lifecycle; People OSINT (HUMINT/SOCMINT); Company & Corporate OSINT; Infrastructure & Network OSINT; Domain, DNS & Certificate Intel; Social Media Intelligence; Geolocation & Imagery (GEOINT); Breach, Leak & Paste Intel; Metadata Extraction; Code & Repository OSINT; Dark Web & Threat Intel; IoT & Device Discovery; Tools Reference; Automation & Visualization; AI-Assisted OSINT; Operational Security; Legal & Ethical Considerations; Quick Reference

1. Fundamentals

Open Source Intelligence (OSINT) is the discipline of collecting, correlating, and analyzing information that is publicly or legally available to produce actionable intelligence. “Open source” does not mean “easy” or “low value” — it means no clandestine collection is involved. The sources are lawful: the skill lies in knowing where to look, how to pivot, and how to assemble fragments into a coherent picture. ...

April 10, 2026 · 31 min · Carl Sampson