T1596.004: CDNs
Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.
Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.[1] Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Drive-by Compromise).
Analyst context for executives and security teams
This technique matters because CDN data is part of an organization’s public attack surface. Even before compromise, an adversary may use CDN lookup resources or exposed CDN-hosted content to understand where applications, content servers, regions, or misconfigured assets exist. For leaders, the practical issue is whether the organization can prove that CDN-hosted content is inventoried, intentionally exposed, and protected to the same standard as the primary website or application.
Executive priority
Prioritize this as a pre-compromise exposure-management issue. Ask whether CDN usage is centrally inventoried, whether sensitive or unauthenticated content can be reached through CDN paths, and whether audit evidence exists showing periodic review of CDN configuration and hosted content. The business risk is not the lookup itself; it is attackers using exposed CDN information to support further reconnaissance, infrastructure preparation, or initial-access planning.
Technical view
ATT&CK lists this as a PRE-platform reconnaissance sub-technique under Search Open Technical Databases. No official MITRE detection text is provided, but the relationship to DET0809 indicates that a detection strategy exists for CDN-related reconnaissance. SOC, detection, and IR teams should validate visibility over CDN assets, public CDN metadata, CDN-hosted content, and misconfiguration findings. Use the parent relationship to T1596 and the description's references to Active Scanning, Search Open Websites/Domains, Acquire Infrastructure, Compromise Infrastructure, and Drive-by Compromise as investigation pivots, not as proof of compromise.
Likely telemetry
- CDN configuration inventories and change records
- Public exposure or attack-surface management findings for CDN-hosted assets
- CDN edge access logs and web request logs, where available
- DNS, certificate, and domain records associated with CDN-hosted services
- Records of CDN-hosted files, origins, routing rules, and access-control settings
Detection direction
- Confirm whether DET0809 or an equivalent internal analytic is implemented and what data sources it depends on.
- Because MITRE provides no official detection text, treat coverage claims cautiously and validate them with local CDN, DNS, certificate, and web telemetry.
- Tune for newly exposed CDN assets, unexpected CDN-hosted content, origin leakage, or content that lacks the protection applied to the main website.
- Correlate CDN exposure findings with other reconnaissance indicators such as open technical database discoveries or subsequent scanning, while avoiding assumptions that public lookup activity alone indicates compromise.
- Account for false positives from legitimate CDN administration, regional content delivery changes, marketing launches, and routine asset discovery by internal teams.
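The "newly exposed CDN assets" item above is easiest to operationalize from DNS: a hostname whose CNAME chain ends at a known CDN edge domain is CDN-fronted, and any such hostname missing from the authoritative inventory is an exposure to review. The following is an added example written for this page, not code from MITRE or the cited report. The CNAME records, hostnames and inventory are constructed for the illustration, and the CDN suffix list is a deliberately short assumption to be extended from provider documentation.

```python
"""Reconcile DNS CNAME records against a CDN inventory (added illustration).

Constructed sample data: the hostnames, CNAME targets and inventory below are
invented for this example and do not describe any real organization.
"""

# Well-known CDN edge domain suffixes. Kept short for illustration (assumption);
# extend it from your own providers' documentation.
CDN_SUFFIXES = {
    "cloudfront.net": "Amazon CloudFront",
    "akamaiedge.net": "Akamai",
    "edgekey.net": "Akamai",
    "fastly.net": "Fastly",
    "azureedge.net": "Azure CDN",
    "cdn.cloudflare.net": "Cloudflare",
}


def cdn_provider_for(hostname):
    """Return the CDN provider name if hostname ends with a known edge suffix."""
    name = hostname.lower().rstrip(".")
    for suffix, provider in CDN_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return provider
    return None


def resolve_cname_chain(name, cname_records, max_depth=8):
    """Follow CNAME records from `name`; return every name visited, in order.

    The depth limit and the `seen` set guard against loops in bad zone data.
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_depth):
        target = cname_records.get(current)
        if target is None or target in seen:
            break
        chain.append(target)
        seen.add(target)
        current = target
    return chain


def classify_cdn_hosts(cname_records):
    """Map each organization-owned hostname to (provider, first CDN hop).

    Hostnames that are themselves CDN edge names (intermediate hops) are skipped
    so only the organization's own names appear in the result.
    """
    result = {}
    for name in cname_records:
        if cdn_provider_for(name):
            continue
        for hop in resolve_cname_chain(name, cname_records)[1:]:
            provider = cdn_provider_for(hop)
            if provider:
                result[name] = (provider, hop)
                break
    return result


def find_unknown_cdn_assets(cname_records, inventory):
    """Return CDN-fronted hostnames that the authoritative inventory lacks."""
    fronted = classify_cdn_hosts(cname_records)
    return sorted(host for host in fronted if host not in inventory)


# Constructed sample zone data (not real records).
SAMPLE_CNAMES = {
    "www.example.test": "www.example.test.edgekey.net",
    "www.example.test.edgekey.net": "e1234.a.akamaiedge.net",
    "static.example.test": "d111111abcdef8.cloudfront.net",
    "legacy-assets.example.test": "d222222abcdef8.cloudfront.net",
    "mail.example.test": "mail-gateway.example.test",  # not CDN-fronted
}
SAMPLE_INVENTORY = {"www.example.test", "static.example.test"}

if __name__ == "__main__":
    for host, (provider, hop) in classify_cdn_hosts(SAMPLE_CNAMES).items():
        print(f"{host} -> {provider} via {hop}")
    print("not in inventory:", find_unknown_cdn_assets(SAMPLE_CNAMES, SAMPLE_INVENTORY))
```

Run against real zone exports or passive-DNS results, the unknown-asset list is the review queue; the same CNAME pattern is what public lookup tools expose to an adversary, which is why the inventory, not the lookup, is the control point.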
Mitigation priorities
- Apply the ATT&CK M1056 pre-compromise principle: reduce the information and weaknesses adversaries can discover before an attack starts.
- Maintain an authoritative inventory of CDN providers, zones, origins, hosted content, and business owners.
- Review CDN-hosted content for sensitive data exposure and ensure access controls match the intended audience.
- Validate CDN configurations for unintended origin exposure, stale content, regional delivery mistakes, and public paths that bypass normal protections.
- Include CDN assets in vulnerability management, attack-surface reviews, compliance evidence collection, and incident response scoping.
Analyst notes and limits
This object is most useful as a reminder that reconnaissance coverage must include third-party delivery layers, not only owned domains and servers. For defensive planning, the key questions are: what CDN assets exist, who owns them, what is publicly discoverable, and how quickly the organization can correct an exposure.
The supplied ATT&CK object provides no official detection procedure, no named adversary use, and no platform beyond PRE. Any assessment of exploitation, targeting, or detection effectiveness requires local telemetry, CDN provider data, and environment-specific validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1596 | Search Open Technical Databases | This object is a sub-technique of Search Open Technical Databases. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5a6f5e76dca6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020.
[2] MITRE ATT&CK source record: T1596.004.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.