MITRE ATT&CK® Tactic

TA0043: Reconnaissance

The adversary is trying to gather information they can use to plan future operations.

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

Enterprise | TA0043 | Tactic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Reconnaissance matters because it is where an adversary builds the picture needed to choose targets, shape initial access attempts, and prioritize later objectives. For leaders, this is less about a single alert and more about whether the organization understands what information about its people, infrastructure, and operations is exposed and how that exposure could help an attacker plan future activity.

Executive priority

Treat Reconnaissance as an early risk-management and readiness issue. Executives should ask whether internet-facing assets, public organizational details, staff information, and other discoverable data are being managed as part of security governance. The business value is in reducing attacker preparation advantages, improving incident context, and producing evidence that exposure management and security monitoring are intentional rather than reactive.

Technical view

ATT&CK provides this object as an enterprise tactic, not a specific technique, and supplies no platform-specific guidance or detection text. SOC, detection engineering, and IR teams should therefore validate coverage against the specific Reconnaissance techniques relevant to their environment rather than treating TA0043 as directly detectable on its own. The practical focus is mapping what external or internal evidence could show adversary information-gathering and whether that evidence can be correlated with later Initial Access or other lifecycle activity.

Likely telemetry

  • External attack surface and asset inventory records
  • DNS, domain registration, and certificate transparency monitoring where available
  • Web server, application, and perimeter access logs
  • Identity and directory exposure reviews for public staff or role information
  • Security intake records for suspicious inquiries, scanning reports, or pre-incident observations

Detection direction

  • Do not build a generic 'Reconnaissance' alert without technique-level definition; validate detections against specific reconnaissance behaviors in ATT&CK.
  • Correlate unusual information-gathering signals with later authentication, phishing, scanning, or access attempts where local telemetry supports it.
  • Account for false positives from benign research, search engine indexing, security testing, partners, and vulnerability scanners.
  • Identify blind spots where public exposure exists but no monitoring or ownership is assigned, especially for assets, staff information, and infrastructure metadata.
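The correlation and false-positive handling described in the list above, written out as an added example (this is not Glexia's or MITRE's code). It flags source addresses that enumerate many distinct missing paths on a web server, exempts the organisation's own scanner and verified crawlers by address rather than by User-Agent alone, and then raises the priority of any flagged address that shows up in later authentication events. All log lines, addresses, allowlists and the log layouts are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real traffic. The access log assumes a combined-style
# layout and the auth log a simple key=value layout (assumptions for this example).
ACCESS_LOG = """\
203.0.113.10 - - [10/Mar/2026:08:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:08:01:03 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:08:01:04 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:08:01:05 +0000] "GET /config/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:08:01:06 +0000] "GET /login HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:08:05:00 +0000] "GET /old-a HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.7 - - [10/Mar/2026:08:05:01 +0000] "GET /old-b HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.7 - - [10/Mar/2026:08:05:02 +0000] "GET /old-c HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.200 - - [10/Mar/2026:08:10:00 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "InternalScanner/1.0"
198.51.100.200 - - [10/Mar/2026:08:10:01 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "InternalScanner/1.0"
198.51.100.200 - - [10/Mar/2026:08:10:02 +0000] "GET /config/ HTTP/1.1" 404 0 "-" "InternalScanner/1.0"
192.0.2.44 - - [10/Mar/2026:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
AUTH_LOG = """\
2026-03-10T08:40:12Z auth failure user=admin src=203.0.113.10
2026-03-10T08:40:15Z auth failure user=test src=203.0.113.10
2026-03-10T09:30:00Z auth success user=alice src=192.0.2.44
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                       r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
AUTH_RE = re.compile(r'^(?P<ts>\S+) auth (?P<outcome>success|failure) user=\S+ src=(?P<ip>\S+)$')

# Constructed allowlists. The scanner set is the organisation's own authorised
# scanner; the crawler set stands in for a lookup against a crawler's published ranges.
AUTHORIZED_SCANNER_IPS = {"198.51.100.200"}
VERIFIED_CRAWLER_IPS = {"198.51.100.7"}

def parse_access(text):
    """Parse access-log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "path": m["path"], "ua": m["ua"],
                           "status": int(m["status"]),
                           "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return events

def parse_auth(text):
    """Parse auth-log lines; timestamps are normalised to timezone-aware UTC."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "outcome": m["outcome"],
                           "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))})
    return events

def is_benign_source(ip, ua):
    """Exempt known-benign sources by address. A crawler User-Agent alone is
    attacker-controllable, so it only counts when the address is verified too."""
    return ip in AUTHORIZED_SCANNER_IPS or (ip in VERIFIED_CRAWLER_IPS and "Googlebot" in ua)

def find_recon_sources(events, min_distinct_404=4, window=timedelta(minutes=10)):
    """Flag addresses that request >= min_distinct_404 distinct missing paths
    within one window: a cheap proxy for path enumeration against the site."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 404 and not is_benign_source(e["ip"], e["ua"]):
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        for i, start in enumerate(hits):
            in_window = [h for h in hits[i:] if h["ts"] - start["ts"] <= window]
            paths = {h["path"] for h in in_window}
            if len(paths) >= min_distinct_404:
                flagged[ip] = {"first_seen": start["ts"], "last_seen": in_window[-1]["ts"],
                               "paths": sorted(paths)}
                break
    return flagged

def correlate_with_auth(flagged, auth_events, lookahead=timedelta(hours=2)):
    """Attach later authentication events from the same address. Recon followed
    by login attempts deserves a higher-priority look than either signal alone."""
    findings = []
    for ip, info in flagged.items():
        later = [a for a in auth_events
                 if a["ip"] == ip and info["last_seen"] < a["ts"] <= info["last_seen"] + lookahead]
        findings.append({"ip": ip, "distinct_404_paths": len(info["paths"]),
                         "later_auth_failures": sum(a["outcome"] == "failure" for a in later),
                         "later_auth_successes": sum(a["outcome"] == "success" for a in later),
                         "priority": "high" if later else "low"})
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["ip"]))

def triage(access_text=ACCESS_LOG, auth_text=AUTH_LOG):
    return correlate_with_auth(find_recon_sources(parse_access(access_text)), parse_auth(auth_text))

if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On the sample data only 203.0.113.10 is reported: the crawler and the internal scanner generate the same 404 pattern but are exempted by address, and the two failed logins from the flagged address forty minutes later lift it to high priority. The thresholds, window and lookahead are placeholders to be tuned against local baselines; the exemption being keyed on address rather than User-Agent is the point that matters when accounting for the benign-research and scanner false positives named above.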

Mitigation priorities

  • Maintain an accurate inventory of internet-facing assets and externally visible organizational information.
  • Reduce unnecessary public exposure of infrastructure, personnel, and operational details where business needs allow.
  • Use exposure management and vulnerability management processes to prioritize information that could support targeting.
  • Ensure SOC and IR playbooks include pre-incident reconnaissance context when assessing suspicious access attempts or campaigns.
  • Document monitoring and exposure-reduction practices as compliance and governance evidence where applicable.

Analyst notes and limits

This tactic is a planning-stage behavior: the adversary is gathering information that may support targeting, Initial Access, post-compromise prioritization, or additional reconnaissance. The supplied object contains no relationships, no specific platforms, and no official detection guidance, so the most defensible use is as a risk and coverage-mapping anchor for more specific techniques.

This take is based only on the supplied ATT&CK tactic fields and the MITRE external reference. No active exploitation, attribution, platform applicability, technique relationships, or guaranteed detection coverage can be inferred from this object alone. Local telemetry, asset exposure, and technique-level ATT&CK mappings are required for implementation.

Official MITRE ATT&CK definition

Reconnaissance

The adversary is trying to gather information they can use to plan future operations.

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 94ed4208f561ee58...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 94ed4208f561…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack TA0043 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.