Reconnaissance audit


A reconnaissance audit enables us to identify the attack surface of a company. This type of audit can be the first step of a security audit, before defining the scope of the penetration tests that will be performed later.


Download our business cases

Aim of a reconnaissance audit

The attack surface of a company consists of all components of its information system that are exposed on the Internet. Most of the time, some items are known and listed, while others are not.

The purpose of a reconnaissance audit is to draw a complete map of these elements. Following this type of audit, it becomes possible to restrict the exposure of elements that should not be publicly accessible, as well as to identify the items whose security level must be assessed and reinforced as a priority.

The reconnaissance audit is based on a series of passive searches. Therefore, it is not a penetration test. It is an excellent starting point for a security audit whose scope is not clearly defined at the outset. The results of the reconnaissance audit will then define the scope of the pentest. The reconnaissance audit itself has no defined scope: all the findings concerning the company that commissions the audit will be included in the audit report.

Contact us

Stages of a reconnaissance audit

The preparation phase before this type of audit is very limited. In fact, the name of the targeted company is the only starting point of a reconnaissance audit.

Since this type of audit does not involve aggressive searches, there is no need to define intervention dates or to put in place an emergency communication plan.

Vaadata's team performs the audit remotely from its offices. The deliverable provided at the end of the reconnaissance audit is a report listing all the technical and human elements that a pentester can identify.


Types of elements listed:

  • Domain names
  • IP addresses
  • Servers exposed on the web
  • Web applications, other online services, APIs
  • Technologies used, versions, components
  • Other sensitive technical data exposed
  • Names of people, e-mail addresses, telephone numbers
  • Flowcharts
  • Passwords leaked on the Internet, and other data leaks
Ask for a quotation

Focus on Google Dorks

Google Dorks enable to find information through the use of very precise Google searches.

It is common for documents to be found which are unintentionally available on the Web, because of poor configuration or poor management of files hosted online by a company. In fact, Google continually indexes online sites, which makes it possible to search for interesting information for a cyberattack, by using certain search operators.

For a company, it involves identifying sensitive documents, strategic data or vulnerable services that would be publicly exposed, in order to restrict their access.

Focus on the Dark Web

The dark web is the hidden side of the Internet, made up of sites that are not indexed by search engines and not accessible by standard means. Access uses specific tools such as the Tor network, which is the best known.

This type of network avoids surveillance on the Internet, which is why it is used both by opponents of censorship and by cybercriminals.

For a company, a search for information concerning it on the dark web can identify information that has been hacked or plans for attacks that concern the company.


Our white paper "How to define the scope of a pentest" gives you clues to define the scope and a pentest strategy. It brings together the key points resulting from our discussions with around 200 companies.

Our range of pentests

We cover a wide technical scope, with specific tests for each type of target. The exact area to which the pentest is applied is to be defined directly according to your security priorities, or after a reconnaissance audit phase for identifying the parts that are most at risk from the viewpoint of an attacker.

Contact us