Defense Control Range Influences Defensive Mindsets

Having performed both duties, defense is harder than offense; defenders have to execute perfectly 24/7/365 while offenders just have to score once during a moment in time. Entropy is on the attacker’s side. As defenders, we often make the mistake of forgetting that an attack does not begin with a breach. The attack doesn’t start when we get an EDR alert, when a user is successfully phished, when a vulnerability is exploited, or when a password spray allows a VPN foothold.

This “forgetfulness” is understandable and very simple to explain: The reach of telemetry in the modern security stack ends at the edge. We’re beholden to EDR, logs, SIEM, and most of all, our ability to pull meaningful needles from a noisy haystack. We cede so much ground that “assume a breach” becomes a mentality. Due to this lack of range, we start the MTTD (Mean Time to Detect) stopwatch at explosion time rather than left of it. We don’t think about the recon and intent left of the blast.


Everything Starts with Reconnaissance

The truth, and this is born out of many decades of actually being the adversary, is that most serious breaches start with bad intent and initial reconnaissance shortly thereafter. Recon to get those phishing emails and find login endpoints to stuff credentials. Recon to find that backup VPN with no MFA (multifactor authentication) and to find those exploitable web apps/endpoints. The foundational elements of this recon are completely passive, outside the reach of any existing security elements. You can “threat-hunt” globally, or by vertical, all you want, but what does that have to do with your attack surface?


You’re Blind to Passive Recon

I’ll be very specific about passive recon, which we’re currently blind to. Finding an organization’s subsidiaries, parents, acquisitions, VIPs, and general structure through OSINT: completely passive. It sends no packets on target, and defenders are blind to it. Locating 95+% of an organization’s DNS namespace is completely passive. Using those DNS domains to find organizational emails & creds disclosed in public breach sources like leakradar and leakcheck is, again, totally passive. Scraping LinkedIn for the ultimate username list is passive. Even active recon like port scanning and banner grabbing is totally passive if an attacker uses resources like Shodan, Censys, etc. before actively probing.


Subfinder (open source DNS enumeration tool) in use


Active Recon

From this point, active reconnaissance and exploitation begin. Technically detectable, but most defenders are more blind to this than they think. You might have phishing campaigns 90% on lock, but the entire internet port-scans, vuln-scans, web-fuzzes, password-sprays, and brute-forces your edge with absolute impunity 24/7/365.

As an offensive operator for over two decades, if my team was detected, it was usually an EDR alert at a point when we had dozens of credentials across multiple beachheads. Often, security analysts kept getting alerts, but when they investigated, the alerts turned out to be triggered by dead-end or misdirected attacker activity that wasn’t actually going anywhere, leaving the analysts with no real threat to respond to. Good luck with that. My point here is we certainly weren’t being detected or stopped at active recon, let alone passive recon.


Putting it all Together

Each attack below looks different on the surface, but all of them required the same foundational reconnaissance:

  • Exploited a forgotten UAT endpoint via SQL injection, LFI, RCE, template injection, or auth bypass
  • Credential-stuffed an undecommissioned Citrix server with no MFA
  • Found app source code or a DB backup exposed on a customer portal
  • Gained internal network access through a critical LFI bug on a firewall or UTM
  • Used an API secret from an exposed config file to access cloud storage or a database
  • Password-sprayed M365 using a 1,200-email list built entirely from passive OSINT
  • Exploited yet another critical React RCE CVE (9.5+)
  • Reused phished executive credentials to socially engineer a $70k fraudulent wire transfer


In every case, the attacker first had to find something — DNS records, vulnerable endpoints, email addresses, usernames, breached credentials, exposed buckets. That discovery phase is the reconnaissance.

If you could manipulate what an attacker finds during that recon, you could engage the threat before it ever reaches your real attack surface — earlier than any traditional security control allows.

Agentic AI is compressing the kill chain and lowering the bar for attackers — and that makes everything above more urgent. AI (Artificial Intelligence) is already reverse-engineering patches and generating working proof-of-concept exploits for critical vulnerabilities (CVSS 9+) faster than most organizations can find and patch their exposures.

We’re already seeing low-skilled attackers use AI-assisted tools to mass-exploit known vulnerabilities, breach environments, and automatically recon and inventory everything inside.

The capability to attack is getting cheaper, faster, and more capable. The defender’s window is shrinking.


So what?

How could you possibly stop reconnaissance? Oh, I don’t know, maybe ask the participants of any single war over the last 5,000 years. Ask any intelligence agency in existence. Where do humans get the idea to deploy a field of inflatable tanks? It’s baked into biology itself: Look at the leaf insect that identically matches the leaves of a single species of tree or the moth with patterns on its wings mimicking the eyes of the local owl. What’s the fundamental intent of a lie?


Counter-intelligence is a thing. Deception is a thing. It’s just that nobody has brought it to the cybersecurity theatre, or if they did, it was dumb, naive, difficult to deploy, or deployed too far in the kill chain.

You are in control of your own edge. Use what your adversary doesn’t know against them: Which public assets are real and which are traps? With modern cloud orchestration, it’s now possible to lay a minefield of realistic yet fake decoy assets on your edge and in your DNS namespace, using trusted certs. You can draw attacks away from real assets and block anything that attacks your decoys through simple integration into your existing stack. If you have 100 “things” published on your edge, there are now 130, with much more interesting names than your real assets.


What About Non-Targeted Attacks / Attacks of Opportunity?

Opportunistic attacks are a real but different problem. They’re usually low-skill, and rarely as devastating as a targeted attack — unless the attacker gets lucky or is wielding a fresh exploit you haven’t had time to patch. These are the constant background noise: automated probes and mass scans hitting everyone, all the time.

By definition, an opportunistic attacker isn’t looking for you — they’re sweeping the entire internet. That means they’re just as likely to hit a decoy as a real asset. Put enough decoys in their path, and they’ll almost certainly trip one. That’s actually an advantage you can exploit.
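The two passages above (decoys published beside real assets, and a rule that anything touching a decoy is blocked) can be reduced to a small triage loop over edge web logs. The block below is an added example, not Divert’s code or product logic; it assumes a constructed decoy inventory, a hypothetical log format with the Host header appended, and an allowlist for your own scanners.

```python
import re
from collections import defaultdict

# Constructed inventory (hypothetical names): decoys published alongside the
# real edge. Decoys have no legitimate users, so any request that names one
# is actionable without further triage.
DECOY_HOSTS = {"vpn-backup.example.com", "uat-admin.example.com",
               "db-export.example.com"}
# Your own scanners and monitors must never end up on the block list.
ALLOWLIST = {"10.0.0.5"}

# Combined log format with the Host header appended as a last quoted field
# (assumed format: %h %l %u %t "%r" %>s %b "%{Host}i").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)"$')

# Constructed sample traffic: one sweep that touches a real host and then a
# decoy, one auth probe against a decoy, one ordinary visitor, one internal scan.
LOG_LINES = """\
203.0.113.10 - - [10/May/2025:02:11:04 +0000] "GET /login HTTP/1.1" 200 512 "www.example.com"
203.0.113.10 - - [10/May/2025:02:11:09 +0000] "GET /login HTTP/1.1" 200 512 "vpn-backup.example.com"
198.51.100.7 - - [10/May/2025:02:12:30 +0000] "POST /api/auth HTTP/1.1" 401 77 "uat-admin.example.com"
192.0.2.44 - - [10/May/2025:02:13:01 +0000] "GET / HTTP/1.1" 200 1024 "www.example.com"
10.0.0.5 - - [10/May/2025:02:14:00 +0000] "GET /.git/config HTTP/1.1" 404 0 "db-export.example.com"
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoy_hits(lines, decoys=DECOY_HOSTS, allowlist=ALLOWLIST):
    """Map each non-allowlisted source IP to the sorted decoy names it requested."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in allowlist:
            continue
        host = rec["host"].lower().split(":")[0]  # drop an explicit port
        if host in decoys:
            hits[rec["ip"]].add(host)
    return {ip: sorted(names) for ip, names in hits.items()}


def block_list(lines):
    """Sorted source IPs to hand to the edge firewall or WAF deny list."""
    return sorted(decoy_hits(lines))


if __name__ == "__main__":
    for ip, names in decoy_hits(LOG_LINES).items():
        print(f"block {ip}: touched decoys {', '.join(names)}")
```

The ordinary visitor (192.0.2.44) never appears in the output because it only touched a real asset, which is the point: the decoy inventory, not request content, is what makes the verdict unambiguous.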


Are We Thinking About This All Wrong?

Why aren’t we doing this? We’re being reactive when we should be proactive. Giving up this much ground by only playing defense isn’t working, and attacker/defender asymmetry is only going to get worse with AI.


AUTHOR: Divert


About Divert

Defenders have to get it right every hour of every day. Attackers — increasingly armed with AI that automates reconnaissance and compresses the kill chain — only need to get lucky once.

Divert flips that asymmetry by blocking attackers before they reach real infrastructure. Decoy services and credentials are woven across your attack surface, intercepting threats during reconnaissance. Attackers have to avoid every diversion. You only need them to hit one.

Every alert is a confirmed block — no false positives, no cleanup. Just threats stopped before they started.

Deploys at the DNS layer in under 48 hours. No agents, no hardware, no disruption.
