MITRE ATT&CK® Detection Strategy

DET0810: Detection of Search Victim-Owned Websites


Enterprise · DET0810 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0810 is a detection strategy for identifying reconnaissance against an organization’s own public websites. The business issue is that public sites often expose names, roles, contact details, departments, locations, and business relationships that can help an adversary plan targeting before any intrusion occurs. This is difficult to detect with certainty because visiting a public website is normally legitimate activity.

Executive priority

Treat this as an early-warning and exposure-management topic, not a guaranteed intrusion signal. Leaders should ask whether public websites disclose information that materially helps targeting, whether web access logs are retained long enough for incident response, and whether SOC teams know how to use public-site telemetry when investigating reconnaissance or pre-incident activity.

Technical view

The related ATT&CK technique is T1594, Search Victim-Owned Websites, under reconnaissance with PRE platform context. Because the detection strategy has no official detection text and no specified platforms or tactics, defenders should validate coverage around public web properties rather than assume a standard analytic exists. SOC and IR teams should confirm whether they can review access to pages containing employee, department, location, contact, operational, or relationship information and distinguish normal visitor behavior from unusual enumeration or scraping patterns.

Likely telemetry

  • Public web server access logs for victim-owned websites
  • CDN, reverse proxy, or WAF request logs where used for public sites
  • Web analytics records showing page paths, session patterns, referrers, user agents, and request timing
  • Logs for pages that expose employee contact details, departments, locations, business operations, or partner/customer relationship information
  • Content inventory or site governance records identifying what sensitive business information is publicly published

Detection direction

  • Validate that public website telemetry is actually collected, searchable, and retained for IR use; many organizations lack useful logs for marketing-managed or third-party-hosted sites.
  • Look for unusual enumeration of pages likely to support targeting, such as employee, contact, department, location, and business-relationship pages, while accounting for legitimate crawlers, customers, partners, and search engines.
  • Tune detections carefully because the behavior occurs on public assets and can generate high false positives if based only on page visits or volume.
  • Use relationship-driven context: this strategy supports reconnaissance detection for T1594, so findings should enrich threat intelligence and incident triage rather than be treated as proof of compromise by themselves.
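The sketch below is an added example, not MITRE detection logic or Glexia code. It applies the direction above to combined-format access logs by scoring each client on how many distinct targeting-relevant pages it touches inside a time window, rather than on raw request volume. The path prefixes, crawler markers, thresholds, and log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed prefixes for pages with targeting value; derive real ones from the content inventory.
SENSITIVE_PREFIXES = ("/team/", "/contact", "/locations/", "/partners/")
# Assumed crawler markers; User-Agent is spoofable, so verify crawlers (e.g. reverse DNS) first.
KNOWN_CRAWLERS = ("Googlebot", "bingbot")
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def find_enumeration(lines, window=timedelta(minutes=10), min_distinct=4):
    """Return {ip: distinct sensitive paths} for clients reaching min_distinct pages in one window."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or any(c in m["ua"] for c in KNOWN_CRAWLERS):
            continue  # unparseable line or declared crawler
        path = m["path"].split("?", 1)[0]
        if path.startswith(SENSITIVE_PREFIXES):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, path))
    findings = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Breadth of distinct pages inside the window, not the number of requests.
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_distinct:
                findings[ip] = sorted(paths)
                break
    return findings

def _line(ip, hhmmss, path, ua):  # builds one constructed combined-format log line
    return f'{ip} - - [12/Mar/2025:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: one broad sweep, one repeat visitor, one declared crawler, one normal visitor.
SAMPLE = (
    [_line("203.0.113.7", f"10:00:{i:02d}", p, "python-requests/2.31") for i, p in
     enumerate(["/team/a-lee", "/team/b-khan", "/contact", "/locations/hq", "/partners/"])]
    + [_line("198.51.100.99", f"10:01:{i:02d}", "/contact", "Mozilla/5.0") for i in range(8)]
    + [_line("192.0.2.50", f"10:02:{i:02d}", f"/team/p{i}", "Googlebot/2.1") for i in range(6)]
    + [_line("198.51.100.20", "10:03:00", "/products", "Mozilla/5.0"),
       _line("198.51.100.20", "10:04:00", "/contact", "Mozilla/5.0")]
)

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

On the sample, only the client that sweeps five different people, contact, location, and partner pages is returned; the client that requests `/contact` eight times is not, which is the volume-only false positive the tuning note warns about.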

Mitigation priorities

  • Review public websites for unnecessary exposure of names, roles, direct contact information, physical locations, operational details, and business relationships.
  • Establish content governance so business owners understand when published information creates targeting value.
  • Ensure logging and retention for public web properties are included in SOC and incident response requirements.
  • Where appropriate, apply reasonable controls against abusive automated access without disrupting legitimate public use.
  • Include public-website reconnaissance evidence in IR playbooks and compliance evidence for monitoring and exposure-management processes.

Analyst notes and limits

This object is a detection strategy, not a technique. Its official description and detection fields are not provided in the supplied STIX data. The strongest context comes from the relationship stating that DET0810 detects T1594, Search Victim-Owned Websites, a reconnaissance technique involving adversary review of victim-owned sites for targeting information.

No official detection logic, platforms, tactics, or data sources were supplied for DET0810. The related technique description is partial. Local website architecture, hosting model, logging coverage, content sensitivity, and normal traffic patterns are required before reliable detection or prioritization can be determined.

Official MITRE ATT&CK definition

Detection of Search Victim-Owned Websites

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1594 | Search Victim-Owned Websites | This object detects Search Victim-Owned Websites. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 662bb1984377c7db...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 662bb1984377… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.