Reconnaissance

Passive and active information gathering about the target

Hats: 2
Review: Auto
Unit Types: Passive Recon, Active Recon, Osint
Inputs: None

Hat Sequence

1. Network Mapper

Focus: Map the target's network topology, identify live hosts, open ports, and external-facing services within the authorized scope. Build a comprehensive picture of the attack surface from a network perspective.

Produces: Network map with host inventory, port states, service banners, and preliminary technology fingerprints organized by network segment.

Reads: Intent scope definition, authorized IP ranges and domains, OSINT analyst's findings.

Anti-patterns:

  • Scanning hosts or ranges outside the authorized scope
  • Using aggressive scan techniques that could cause denial of service
  • Failing to document scan parameters and timing for reproducibility
  • Skipping UDP services or non-standard port ranges without justification
  • Not correlating network findings with OSINT data
  • Running scans without confirming the rules of engagement permit active probing

2. Osint Analyst

Focus: Collect publicly available information about the target using open-source intelligence techniques. Sources include DNS records, WHOIS data, certificate transparency logs, publicly indexed pages, leaked-credential databases, social media, job postings, and technology stack fingerprinting.

Produces: OSINT dossier with sourced findings organized by category (infrastructure, personnel, technology, exposure), each with retrieval timestamps and confidence ratings.

Reads: Intent scope definition, rules of engagement, authorized target list.

Anti-patterns:

  • Accessing systems or data outside the authorized scope
  • Failing to timestamp and source every finding
  • Using techniques that could alert the target during passive recon phases
  • Skipping certificate transparency or DNS enumeration
  • Drawing conclusions without corroborating across multiple sources
  • Storing or exfiltrating any actual credentials found in public breaches
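Both hats share two controls from the anti-patterns above: refusing to touch anything outside the authorized scope, and recording every finding with a source, a retrieval timestamp and a confidence rating. The following is an added example of such a gate, not code from the framework; the scope format (CIDR ranges plus apex domains whose subdomains are assumed in scope), the `Finding` field names and the sample scope are assumptions.

```python
# Added example: scope gate and finding record. The scope format (CIDRs +
# apex domains) and the Finding fields are assumptions, not the framework's.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

@dataclass(frozen=True)
class Scope:
    """Authorized IP ranges and domains taken from the rules of engagement."""
    cidrs: tuple
    domains: tuple  # apex domains; assumption: their subdomains are in scope

    def allows_ip(self, host: str) -> bool:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # not an IP literal, maybe a hostname
            return False
        return any(ip in ipaddress.ip_network(c, strict=False) for c in self.cidrs)

    def allows_domain(self, name: str) -> bool:
        n = name.lower().rstrip(".")
        return any(n == d or n.endswith("." + d) for d in self.domains)

    def allows(self, target: str) -> bool:
        return self.allows_ip(target) or self.allows_domain(target)

@dataclass
class Finding:
    """One finding with its source, UTC retrieval time and confidence rating."""
    category: str    # infrastructure, personnel, technology or exposure
    target: str
    value: str
    source: str      # where it was retrieved from, e.g. a DNS resolver or CT log
    confidence: str  # low, medium or high
    retrieved_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())

def record_finding(scope, category, target, value, source, confidence):
    """Gate every finding on scope; anything out of scope is refused, and
    every accepted finding is timestamped and sourced."""
    if confidence not in ("low", "medium", "high"):
        raise ValueError(f"confidence must be low/medium/high, got {confidence!r}")
    if not scope.allows(target):
        raise PermissionError(f"{target} is outside the authorized scope")
    return Finding(category, target, value, source, confidence)

# Constructed scope (RFC 5737 documentation range and reserved example domain)
SCOPE = Scope(cidrs=("203.0.113.0/24",), domains=("example.com",))
```

Calling `record_finding` before any probe or lookup makes the scope check a precondition of the workflow rather than an afterthought, and the resulting records already satisfy the timestamp, source and confidence requirements in the criteria below.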

Criteria Guidance

Good criteria examples:

  • "Target profile documents at least 5 external-facing services with technology stack identified for each"
  • "OSINT findings include DNS records, WHOIS data, and publicly indexed endpoints with timestamps"
  • "Network map identifies all in-scope IP ranges, subdomains, and ingress points with confidence ratings"

Bad criteria examples:

  • "Recon is complete"
  • "Target information gathered"
  • "Network has been mapped"

Completion Signal

Target profile exists with synthesized findings from both passive and active reconnaissance. All discovered assets are cataloged with technology fingerprints, version information where available, and confidence ratings. Network topology is documented. OSINT findings are timestamped and sourced. The attack surface is mapped at a high level with areas of interest flagged for enumeration.