learntodriveai.dev/Cybersecurity/Reconnaissance Campaign Design and Adaptive Scanning
Cybersecurity·Project 13·5 units

Reconnaissance Campaign Design and Adaptive Scanning

**Track:** Cybersecurity

§ Brief

You're designing and running a reconnaissance campaign for Dushanbe Textile Complex, a vertically integrated cotton manufacturer in Tajikistan whose deputy director, Firdavs Nazarov, needs to know what the company actually has before an ISO 27001 assessment for Turkish export buyers.

The discipline skills: designing a reconnaissance methodology from a thin brief; choosing an adversary perspective and letting it scope the work; deciding when passive reconnaissance is sufficient and when active probing is justified; running adaptive scans that respond to what you find; deciding what noise level the campaign generates against the defender's stack; and turning raw scan output into an intelligence product the next phase can act on.

The AI-direction lesson: AI executes any methodology you give it but designs none. Asked to "do reconnaissance," it produces a generic dump that ignores what the engagement needs. It does not adopt an adversary perspective, does not know when to stop, and does not consider noise as a design variable. Across a long campaign it loses context -- the same target gets scanned twice, a finding from session one is forgotten in session three. You'll run scoped passive, active, and synthesis agents in parallel, and the central problem is composition: each agent will refer to the same asset under a different name, and reconciling them is your job.

Your Role

You're the lead reconnaissance practitioner. You design the methodology, write the adversary profile, run passive collection, design and execute the active campaign, run a deliberate noise study against the defender's stack, and produce the intelligence product the rest of the engagement will read.

Scaffolding is thin. No methodology template, no scan-plan template, no intelligence-product template. The brief is a forwarded email and a deliberately incomplete asset document. A senior colleague returns for one tightly placed touchpoint -- Marcus Webb reviews your methodology before you commit the active campaign and asks one pointed question about the legacy Windows controllers. He is not present elsewhere. The AI relationship is multi-agent and scoped: separate passive, active, and synthesis agents, each with their own context, under your orchestration.

What's New

Last time you turned an inherited 47-finding assessment into a remediation program for a commercial fishing company in Sierra Leone -- prioritization under operational constraints, three-audience translation, async delegation via Copilot.

Reconnaissance as a campaign, not a tool sequence. Earlier projects had you run scans the engagement plan called for. P13 asks you to design what reconnaissance the engagement needs -- what intelligence, against which targets, in what order, at what depth, with what noise level, and when to stop.

Adversary profile drives the methodology. A nation-state targeting a defense contractor looks for different intelligence than an opportunistic criminal targeting a retail chain. The profile you choose scopes everything you direct AI to find.

Noise becomes a design variable. Aggressive scanning tests whether the defender sees obvious activity; stealthy scanning tests whether they see subtle activity. You decide what detection challenge the campaign creates and execute parts of it both ways against the defender's stack.

The intelligence product is the deliverable. A folder of raw scan output has failed even if comprehensive. You write a structured document with objectives, methodology, findings with confidence levels, an attack-surface map, and recommendations the exploitation phase can act on.

The hard part: knowing when reconnaissance is sufficient. There is always more to find. Sufficiency is defined by the engagement's intelligence requirements, not by tool coverage -- and that judgment is the one AI cannot make for you.

Tools

  • Claude Code, Codex CLI -- driving the scoped reconnaissance and synthesis agents. Continuing.
  • Nmap -- active reconnaissance at multiple noise postures. Continuing.
  • Masscan -- new. Wide-scope port discovery for the campus inventory phase.
  • Amass -- new. Subdomain and infrastructure enumeration.
  • theHarvester -- new. OSINT for company, employees, and exposed credentials.
  • Censys / Shodan-equivalent APIs -- new (via lab stubs). Internet-asset discovery.
  • Certificate Transparency log search -- new. Passive subdomain discovery.
  • Zeek -- new for offensive use. Passive packet-capture characterization in the on-site window.
  • WHOIS, dig, dnsrecon, OWASP ZAP -- familiar. Passive mapping and B2B portal characterization.
  • Suricata, Wazuh, Loki, Grafana -- familiar defender stack for the noise-management study. The lab wires Suricata against the bridge interface (the network-detection signal the noise study reads); Wazuh manager, Loki, and Grafana ship for the rest of the SIEM picture. A production deployment would add osquery on representative hosts and a Promtail log shipper feeding Loki — the noise-study contrast in Unit 4 reads from the wired layer (Suricata).
  • GitHub, Mermaid -- engagement repository and attack-surface map visualisation.

Materials

  • Forwarded first-contact email -- the director's mandate forwarded to the deputy and on to you.
  • Known-assets document -- the thin "what we know about ourselves" Firdavs can offer; deliberately incomplete.
  • Scope and rules of engagement -- authorized targets, prohibited techniques, OT carve-outs, on-site capture window.
  • Campus-network Docker lab -- internet-exposed services, segmented internal networks, legacy embedded controllers, the Chinese-vendor remote access path, the guest Wi-Fi / production VLAN-only separation, the quality control lab's calibration-cloud connection, and a full defender stack.
  • OSINT source stubs -- Censys, Shodan, CT-log, and WHOIS responses for the fictional dushanbe-textile.tj domain.
  • CLAUDE.md -- engagement governance file with reconnaissance-specific verification targets.
  • Engagement memory starter -- slim; you extend it as the campaign takes shape.

The methodology, adversary profile, sufficiency criteria, per-agent specifications, scan plan, noise posture, attack-surface map, and intelligence product are yours to design.