Security Program Management and Oversight · SY0-701 · Task 5.5

Reconnaissance — SY0-701

What reconnaissance means in cybersecurity, and how to distinguish it from vulnerability scanning and penetration testing on the Security+ exam.

WHAT IT IS

Reconnaissance is the phase of adversarial activity in which a threat actor gathers information about a target before attempting to exploit it. A threat actor is "an individual or a group posing a threat" (NIST SP 800-150). The information collected during reconnaissance constitutes threat information — defined by NIST SP 800-150 as "any information related to a threat that might help an organization protect itself against the threat or detect the activities of an actor." When that raw information is "aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes," it becomes threat intelligence (NIST SP 800-150).

Reconnaissance precedes an attack — where "attack" means "any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself" (CNSSI 4009-2015).

Mental model

Think of reconnaissance as the adversary's research phase. A threat actor surveys the environment to find weaknesses before committing to action. A vulnerability is "a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source" (FIPS 200). Reconnaissance is the act of locating those weaknesses from the outside — before any exploit attempt begins.

The defender's counterpart is understanding what information is visible to an outsider and using that threat information to anticipate adversary moves.

When to use it

The exam tests whether you can distinguish reconnaissance (information gathering by an adversary, or by someone simulating one) from adjacent security activities that may look similar but differ in purpose and authorization.

| Activity | Who performs it | Primary purpose | Grounding |
| --- | --- | --- | --- |
| Reconnaissance | Threat actor (or authorized red team simulating one) | Collect information about a target to inform later attack planning | Threat actor defined in NIST SP 800-150 |
| Vulnerability scanning | Authorized assessors | "Identify hosts/host attributes and associated vulnerabilities" | NIST SP 800-115 |
| Penetration testing | Authorized assessors working under defined constraints | "Attempt to circumvent or defeat the security features of a system" | NIST SP 800-12 Rev. 1 |
| Red team exercise | A group authorized and organized to emulate adversary capabilities | Comprehensive assessment of security posture by simulating adversarial conditions | CNSSI 4009-2015; NIST SP 800-53 Rev. 5 |

The key axis is authorization and scope: vulnerability scanning and penetration testing are authorized, constrained activities. Reconnaissance as a threat concept describes what an unauthorized threat actor does — though a red team exercise may include a reconnaissance phase when emulating adversary behavior.

COMMON MISCONCEPTION

Candidates frequently treat reconnaissance and vulnerability scanning as interchangeable because both involve probing a target. They are not the same. Vulnerability scanning is performed by authorized assessors to identify hosts and associated vulnerabilities (NIST SP 800-115). Reconnaissance, in the threat model, is conducted by a threat actor — "an individual or a group posing a threat" (NIST SP 800-150) — without authorization, and its goal is information collection rather than a formal security assessment.

A second trap: candidates may assume that any information-gathering step is penetration testing. Penetration testing is specifically "a test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system" (NIST SP 800-12 Rev. 1). Reconnaissance alone — even when performed by a red team — does not constitute a penetration test.

How it shows up on the exam

Questions targeting this concept typically ask candidates to identify which activity a described scenario represents. The cognitive target is distinguishing the purpose and authorization of the activity, not just its mechanics.

Signal phrases that point toward a reconnaissance scenario:

  • A threat actor or adversary is gathering information before any exploit or intrusion attempt
  • An actor is mapping network structure, identifying hosts, or researching public-facing information without authorization
  • A red team is emulating adversary behavior at the information-gathering stage of a simulated attack

Candidates should attend to whether the actor is authorized, whether the activity is part of a formal assessment with defined constraints, and whether the goal is information collection or active exploitation. A common error is categorizing any technical probing as a penetration test — penetration testing specifically involves working under defined constraints to attempt circumvention of security features (NIST SP 800-12 Rev. 1), which is a narrower activity than reconnaissance.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
