Recon is Ritual: Mapping the Digital Terrain Before the Hunt

Before the breach, there is the gaze.
Attackers don’t stumble into your network – they walk in knowing the blueprint. The ritual begins with recon.

Passive Recon – Watch Without a Sound
This is where ghosts gather shadows.

  • Shodan – Google for devices. Scanless intel. Your exposed cams and printers? Already archived.
  • Amass – Subdomain enumeration with DNS brute, scraping, passive sources – deadly quiet.
  • CertSpotter, crt.sh, SecurityTrails – SSL certs, DNS records, leaked metadata. You think you’re hidden. Your digital scent says otherwise.

Active Recon – Knock Once Before Entering
Now the hunter leaves footprints.

  • Nmap – Silent SYNs or loud TCP connects. Every service answers, even when you don’t.
  • WhatWeb, Wappalyzer – Tech stack exposed. Frameworks, versions, mistakes.
  • SpiderFoot HX – Combines passive feeds, OSINT, and probing. You become the hunted.

Every open port is a whisper. Every banner is a scream.

Red Team sees what Blue ignores.
They map you before you secure yourself.
If you don’t recon yourself, someone else already did.
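
Reconning yourself, as an added example (not code from the original post): a Python sketch that takes certificate-transparency records in the JSON shape crt.sh returns and flags hostnames that are missing from your own asset inventory. The sample records, the inventory, the fixed date and the function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the JSON shape crt.sh returns; every name and date is made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2031-01-10T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2031-03-02T00:00:00"},
    {"name_value": "VPN.example.com", "not_after": "2031-02-01T00:00:00"},
    {"name_value": "jenkins-old.example.com", "not_after": "2019-05-01T00:00:00"},
    {"name_value": "staging.example.com", "not_after": "2028-04-15T00:00:00"},
    {"name_value": "staging.example.com", "not_after": "2031-04-15T00:00:00"},
    {"name_value": "www.example.com.other.test", "not_after": "2031-01-01T00:00:00"},
])
INVENTORY = {"example.com", "www.example.com", "vpn.example.com"}  # hosts you know you run
TODAY = datetime(2030, 1, 1)  # fixed so the result is reproducible

def names_from_ct(raw_json, apex):
    """Map each in-scope hostname to the latest certificate expiry seen for it."""
    seen = {}
    for rec in json.loads(raw_json):
        expiry = datetime.fromisoformat(rec["not_after"])
        # One certificate can list several SANs, newline-separated in name_value.
        for name in rec["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name != apex and not name.endswith("." + apex):
                continue  # look-alike or unrelated name, not ours
            if name not in seen or expiry > seen[name]:
                seen[name] = expiry
    return seen

def audit(raw_json, apex, inventory, today):
    """Bucket CT-visible names: wildcards, and non-inventory hosts by cert validity."""
    report = {"unknown_live": [], "unknown_expired": [], "wildcards": []}
    known = {h.lower() for h in inventory}
    for name, expiry in sorted(names_from_ct(raw_json, apex).items()):
        if name.startswith("*."):
            report["wildcards"].append(name)  # hides which hosts exist; review scope
        elif name not in known:
            # A valid cert suggests a running service nobody inventoried;
            # an expired one suggests a forgotten host worth checking for.
            report["unknown_live" if expiry >= today else "unknown_expired"].append(name)
    return report

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_CRTSH_JSON, "example.com", INVENTORY, TODAY).items():
        print(f"{bucket}: {hosts}")
```

Anything in unknown_live or unknown_expired is a host the public record knows about and your inventory does not; resolve each one to an owner or decommission it.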


DeadSwitch | The Cyber Ghost
“In silence, we rise. In the switch, we fade.”
