Digital Reconnaissance Fundamentals

Below you'll find a very basic framework to use to build upon for your own operations. There are many, many ways to perform digital intelligence gathering, and the how isn't in scope of this post, but rather the methodologies and reasons why. It's more important to understand why you're doing it and having a framework than the operational side of it; knowing the former will ensure the latter is successful.

Why is this important?

Just like you never drop into an LZ without extensive surveillance, measurement of opfor presence, conducting topography, weather and signals analysis; you should never run an op against an organization without doing the same from a digital perspective.

A highly recommended read, is Joint Publication 3-02.1, Joint Tactics, Techniques, and Procedures for Landing Force Operations.

There's strong correlation and applicability to other disciplines such as Asymmetric and Unconventional Warfare (UW), HUMINT, PSYOPS, and corporate espionage. To sum it up, to be successful on the battlefield (digital or kinetic), you must embrace the full spectrum of operations.

Digital Reconnaissance

We've broken out the key areas to focus on when conducting digital operations, however, it should not be considered exhaustive by any means. It is up to you to take what we've given you and expand and adapt if for your own purposes.

Organizational Charts

Performing discovery on who is employed is extremely important in understanding the human landscape and its exploitability. By identifying the HPTs and HVTs (key players), their job functions, connections within the immediate organization, or outside organizations; it's possible to 'connect the dots' of not just internal reporting structures, but social circles.

With this information, you can focus on specific targeted OSINT and SOCMINT/SMI gathering techniques to learn more about these individuals - being able to stroll into a key players favorite coffee shop and strike up a conversation with them around their interests is extremely powerful. We've been on operations where we've actively participated in activity groups with some of our targets just to befriend them and learn more about their work through casual conversation. Powerful, indeed.


Performing researching via OSINT and SOCMINT/SMI is extremely important if your goal is to gain a level down on the individuals employed by the organization as mentioned earlier. Once you have a list of soft targets, it's time to do some collection to determine which of your HPTs and HVTs would necssitate action.

Social Networking Profiles

Understanding the persona of the individuals being targeted is your first step. Active intelligence gathering is not covered here, however, once you understand your targets, you'll be able to shape your HUMINT operations and create your strategy around PSYOPS, building rapport, and otherwise gaining a foothold with your target. Afterall, people are the weakest link.

The usual suspects: LinkedIn, Facebook, VK, Twitter, Instagram, Tumblr and don't forget online dating sites such as, OkCupid, Tindr/Grindr (these are geolocation based and can be an amazing resource for gathering data and engaging targets around the target profile area).

Corporate Communications

Identifying the communication strategy of your target is imperative in determining how much information they are willing to part with voluntarily and the trust they put in their agents. By identifying these partners, you may be able discover weaknesses that can be exploited through indirect means. Questions to ask yourself... * How does your subject communicate with the outside world? * Do they use third-party mailer services (i.e. MailChimp)? * Do they utilize a dedicated PR agent to publish company news on their behalf? * How is their Marketing done? * Are Annual Reports posted publicly? What do they mean for your subject?

Publicly Posted Jobs

Analyzing publicly posted jobs will give you a wealth of knowledge about the organization, its technology stack and underlying strategies, as well as its growth. By reviewing a few job posts, you can determine how technologically savvy the organization is, how advanced their internal processes may be, and how the inner business processes may operate at the surface level. This is extremely important; especially once you start engaging in HUMINT operations; you can engage human targets with 'insider' knowledge to aid your social engineering campaigns.

Popular locations to search: Organization's Website, LinkedIn, Indeed, CareerBuilder, Monster, et cetera.

Law Suits

Reviewing civil and criminal records, in addition to news articles may reveal more information around your subject than you could otherwise find out in a short period of time. Legal discovery and attestations given in a court of law can potentially reveal internal strife within an organization, which can and should be used to your advantage.

Remember: It's not always best to act upon information as soon as you get it. Wait for the most opportune time, lest you reveal your hand without knowing your enemies.

Determining which firm, or better yet the individual legal council and aides, can further the long game through social engineering and other means.

Digital Footprinting

This is the more technical portion and starts to stray rather quickly from passive techniques to active. With that said, below is only a light list to get you started, however, remember that being passive is the preferred method of collection until you are ready for moving towards direct action against target(s).

  • WHOIS information for domain(s)
  • Website review via Google Dorks (filetypes, sub-domains, and sitemap)
  • IP Address Range Identification
  • Ping Sweeps, Open Ports/Services
  • SMTP information
  • SaaS / IaaS service providers

Physical locations and assets

Discovering all physical locations owned and operating by your subject is imperative. This will include residences, storage units, vehicles (land, sea, air) and other significant assets. For corporate entities, this will include all primary and secondary business locations, off-site and backup storage, data centers, and other corporate assets that an organization might own, rent, or otherwise occupy.

Metadata to collect: * Locations
* Property Owner(s)
* Land and Tax Records * Imagery


When performing discovery on these locations and assets, its recommended to use multiple source for imagery. Google Maps with street and satellite views is decent to get the lay of the land, however, mix it up and use Microsoft's Bing Maps for the Birds Eye View as it may give you better angles, imagery resolution, and potentially better updated satellite imagery. For the level down, research public records to find zoning maps, architectural blueprints and more. Investigate what works best for you.

If your subject is a large corporate entity, your intelligence gathering could (and most likely should) extend into subsidiaries. It's a fine line between collecting more information than you need, however, it's better to have more information than not enough - it's critical to create chronologies and timelines and sort your data based on ranking, scoring, and prioritization.

Next steps: Digital to Physical Collection

Once you've collected remotely (you made a list and double-checked it twice, right?), it's time to conduct surveillance in-person.

To get you started, here are a few things you'll want to consider: * Physical comparison - how does it meet the satellite imagery? * CCTV camera placement and Lighting * Security Guards * Placement * Patrol Paths * Guard 'kit' (armed?) * Badge Usage, Locks and Alarms * Signal emanations (RF, Wireless, other) * Delivery and supply-chain * Foot-traffic patterns (when is it busy?) * Adjacent buildings and FOV * Environmental design * Dumpsters

Once you gather the data needed, you can decide on your plan of action - will your operation continue to be digital, or will you move towards the more physical route? The end goal should be what determine whether you approach from one angle, the other, or somewhere in between. Having collected the information above, you've now narrowed down how to strike, then it's just a matter of when.

Recommended Tools

The following is a short list of tools and resources that will aid you when conducting digital reconnaissance activities. This is not an exhaustive list, but should be a starting point.: * Maltego * TheHarvester * Fierce2 * NMAP * Google Dorks * ReconNG * Jigsaw * The Wayback Machine (


You'll notice a common theme throughout this post; performing digital reconnaissance is just a means to an end, and with effective use of it, you can supplement other offensive operations (HUMINT, PSYOPS, and more).

Important: Remember to exercise OPSEC while performing these activities. Utilize anonymous connection tools such as Tor and VPNs, your browser's private mode (incognito), anonymous pre-paid wireless hotspots, et cetera.

With that, we leave you with some choice quotes from Sun Tzu's Art of War to consider when planning your next op.

Attack where your enemies are not prepared; go to where they do not expect.

This strategy leads to victory in warfare, so do not let the enemy see it.

What enables the enlightened rulers and good generals to conquer the enemy at every move and achieve extraordinary success is foreknowledge.

Foreknowledge cannot be elicited from ghosts and spirits; it cannot be inferred from comparison of previous events, or from the calculations of the heavens, but must be obtained from people who have knowledge of the enemy’s situation.
— Sun Tzo, Art of War

Focusing on the goal

Quote of the day