This content explores the critical first phase of cybersecurity engagements known as footprinting—mapping a target's public presence while maintaining strict ethical and legal boundaries. It emphasizes the importance of clear goals, tight scope control, and careful use of AI tools to produce valuable, lawful reconnaissance outcomes.
"If it's not in scope, it's not in scope. Not because I'm mean — because I like your career." — Every Responsible Hacker Ever You survived the ethics gauntlet, navigated global cyber laws without accidentally colonizing a new felony, and peeked at how AI supercharges both attack and defense. Now we...
What Footprinting Actually Is (Without Getting Arrested)

Footprinting is the process of mapping a target's public-facing presence and potential attack surface using primarily passive or minimally intrusive methods. It answers: What exists? Where is it? Who owns it? How is it exposed? It is not s...
The One-Slide MBA: Goals vs. Scope

Goals: What outcome do we want from footprinting? How will we measure "we did the thing"?
Scope: The boundaries of what's allowed, meaning assets, methods, timing, depth, and data handling.

Footprinting without goals creates reports people don't read. Footprinting withou...
SMART Footprinting Goals (Yes, SMART, we're doing it)

Make goals:
Specific: "Inventory all internet-facing assets for example.com and subsidiaries"
Measurable: "±5% accuracy vs. client CMDB; identify ≥10 misconfigurations or exposures if present"
Achievable: "Passive-first within a 2-week win...
Scope Control: The Fence That Saves Friendships

Scope is a contract with guardrails. It should be explicit, boring, and beautiful.

Scope Dimensions (a non-exhaustive menu)

Dimension | In-Scope Examples | Out-of-Scope/Notes
Assets | example.com, subdomains, specific IP ranges, official mobile apps | ...
The Rules of Engagement (RoE): Your Recon Constitution

Here's a template-y vibe you can adapt:

Engagement: Q3 External Footprinting
Client Authorization: Signed letter (ID #, dates, contacts)
Objectives: Asset inventory, exposure identification, ownership validation
In-Scope: [domains], [ranges], ...
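A scope fence is only useful if it is enforced mechanically before any active-light check runs. The following is an added example, not code from the original page: it takes the In-Scope and Out-of-Scope entries of an RoE like the one above and classifies every candidate asset that passive reconnaissance surfaces as in-scope, excluded, or out-of-scope. The domains, TEST-NET ranges, and candidate list are constructed sample data, not a real engagement, and no DNS resolution is performed so the gate works during the passive phase on names alone.

```python
"""Scope gate for footprinting candidates (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Machine-readable mirror of the RoE In-Scope / Out-of-Scope sections."""
    domains: set = field(default_factory=set)            # apex domains; subdomains implied
    networks: list = field(default_factory=list)         # ipaddress network objects
    excluded_hosts: set = field(default_factory=set)     # explicit carve-outs (e.g. third-party SaaS)
    excluded_networks: list = field(default_factory=list)


def _norm_host(host):
    """Lowercase and strip the trailing dot so 'WWW.Example.com.' matches."""
    return host.strip().lower().rstrip(".")


def host_in_domain(host, apex):
    """Label-aware match: host equals apex or is a proper subdomain of it.
    A plain suffix test would wrongly accept 'notexample.com' for 'example.com'."""
    host, apex = _norm_host(host), _norm_host(apex)
    return host == apex or host.endswith("." + apex)


def classify(candidate, scope):
    """Return 'in-scope', 'excluded' or 'out-of-scope' for a hostname or IP literal.
    Exclusions win over inclusions: a carve-out inside an in-scope range stays off-limits."""
    text = candidate.strip()
    try:
        ip = ipaddress.ip_address(text)        # accepts IPv4 and IPv6 literals
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in scope.excluded_networks):
            return "excluded"
        return "in-scope" if any(ip in net for net in scope.networks) else "out-of-scope"
    host = _norm_host(text)
    if host in {_norm_host(h) for h in scope.excluded_hosts}:
        return "excluded"
    if any(host_in_domain(host, apex) for apex in scope.domains):
        return "in-scope"
    return "out-of-scope"


def partition(candidates, scope):
    """Bucket a whole discovery list; only the 'in-scope' bucket may feed active-light checks."""
    buckets = {"in-scope": [], "excluded": [], "out-of-scope": []}
    for candidate in candidates:
        buckets[classify(candidate, scope)].append(candidate)
    return buckets


# Constructed RoE for illustration (example.com and TEST-NET-3 / TEST-NET-2 ranges).
SAMPLE_SCOPE = Scope(
    domains={"example.com"},
    networks=[ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/25")],
    excluded_hosts={"status.example.com"},                        # hosted by a third party
    excluded_networks=[ipaddress.ip_network("203.0.113.250/32")],  # shared hosting, client asked us off
)

# Constructed candidates as a passive source might emit them.
SAMPLE_CANDIDATES = [
    "www.example.com", "API.Example.com.", "notexample.com", "example.com.evil.test",
    "status.example.com", "203.0.113.7", "203.0.113.250", "198.51.100.200", "2001:db8::1",
]

if __name__ == "__main__":
    for bucket, items in partition(SAMPLE_CANDIDATES, SAMPLE_SCOPE).items():
        print(f"{bucket:13} {items}")
```

Run it before every active-light step and log the out-of-scope and excluded buckets alongside the in-scope one; the rejected entries are evidence for the client that the fence held, not noise to discard.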
Passive vs. Active: The Minimalist's Dilemma

Passive-first: Rely on publicly available information and non-intrusive observation. Safer, stealthier, often surprisingly rich.
Active-light: Limited, consented checks to confirm ownership or validate an exposure (e.g., verifying a subdomain takeover...
Metrics That Keep You Honest

Turn goals into dashboards your client actually cares about:

Goal | Metric | Evidence
Comprehensive asset map | Coverage vs. client CMDB (±5%) | Crosswalk table, de-dup logic explained
Exposure identification | Count of validated issues by severity | Screenshots, headers...
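The "coverage vs. client CMDB" metric and its "de-dup logic explained" evidence column only mean something if the normalization is written down and reproducible. Here is an added example, not from the original page, of a crosswalk that canonicalizes discovered hostnames, drops wildcard records that are patterns rather than assets, and reports coverage against the ±5% tolerance from the SMART goal above. The reading of "±5%" as "at least 95% of CMDB-listed assets rediscovered" is this example's assumption; the discovered and CMDB lists are constructed sample data.

```python
"""CMDB crosswalk for footprinting coverage (added example, constructed data)."""


def normalize(name):
    """Canonical form so 'WWW.Example.com.' and 'www.example.com' count once.
    Returns None for entries that are not assets (blank lines, '*.example.com' wildcards)."""
    canonical = name.strip().lower().rstrip(".")
    if not canonical or canonical.startswith("*."):
        return None
    return canonical


def dedup(names):
    """Order-preserving de-duplication after normalization; this is the logic the report cites."""
    seen, result = set(), []
    for name in names:
        canonical = normalize(name)
        if canonical and canonical not in seen:
            seen.add(canonical)
            result.append(canonical)
    return result


def crosswalk(discovered, cmdb, tolerance=0.05):
    """Compare recon findings with the client's asset inventory.

    coverage = |discovered ∩ cmdb| / |cmdb|; the two difference sets are the
    actionable output: CMDB entries never seen (blind spots or stale records) and
    discovered assets absent from the CMDB (candidate shadow IT, ownership unconfirmed).
    """
    found = set(dedup(discovered))
    inventory = set(dedup(cmdb))
    matched = found & inventory
    coverage = len(matched) / len(inventory) if inventory else 1.0
    return {
        "cmdb_assets": len(inventory),
        "discovered_assets": len(found),
        "matched": sorted(matched),
        "in_cmdb_not_found": sorted(inventory - found),
        "found_not_in_cmdb": sorted(found - inventory),
        "coverage": coverage,
        "within_tolerance": coverage >= 1.0 - tolerance,
    }


# Constructed passive-recon output: mixed case, trailing dots, a wildcard, duplicates.
SAMPLE_DISCOVERED = [
    "www.example.com", "WWW.example.com.", "*.example.com",
    "api.example.com", "old-vpn.example.com", "staging.example.com",
]
# Constructed client CMDB export.
SAMPLE_CMDB = ["www.example.com", "api.example.com", "mail.example.com", "vpn.example.com"]

if __name__ == "__main__":
    report = crosswalk(SAMPLE_DISCOVERED, SAMPLE_CMDB)
    print(f"coverage {report['coverage']:.0%} (within tolerance: {report['within_tolerance']})")
    print("in CMDB, not found:", report["in_cmdb_not_found"])
    print("found, not in CMDB:", report["found_not_in_cmdb"])
```

Treat the found-not-in-CMDB list as leads, not findings: ownership has to be validated (WHOIS, certificate subjects, client confirmation) before an asset is reported as the client's, otherwise the "comprehensive asset map" metric is inflated with someone else's infrastructure.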