4 Passive reconnaissance agents

In offensive security, reconnaissance is where every operation begins, and often where it’s won or lost. Before you exploit a target or even craft a payload, you need to map the terrain. In traditional reconnaissance engagements, this mapping involves a scattered mix of performing manual lookups of various IP addresses and domains, using command-line tools to navigate IT systems, and creating one-off scripts to accomplish specific tasks. Each manual run leaves a trail of ad-hoc notes and screenshots, which makes it difficult to trace your previous steps. Without established and automated IT systems that can comprehensively monitor your IT systems and leave artifacts for review, when someone asks, “Where did this host come from?”, there isn’t a clear answer.

4.1 Why an AI reconnaissance agent?

4.2 The minimal agent architecture

4.2.1 Pipelines vs. scripts

4.2.2 The four building blocks to building ReAct agents

4.2.3 Artifacts provide persistent memory to an agent

4.2.4 Safety gates

4.2.5 Two scripts, one story

4.3 Building the minimal AI recon pipeline

4.3.1 Getting started

4.3.2 Starting the artifact helper

4.3.3 Creating the passive reconnaissance pipeline

4.3.4 Diving into the passive reconnaissance results

4.4 Inspecting your reconnaissance results

4.4.1 Viewing results

4.4.2 Checking for patterns

4.4.3 Clean up and prepare for next steps

4.5 Reading the pipeline like a story

4.5.1 Artifacts as episodes of reasoning

4.5.2 Example: following the trail

4.6 Safety, scope, and ethics

4.6.1 Scope defines the battlefield

4.6.2 Gates keep humans in the loop

4.6.3 Handling and storing data safely

4.6.4 AI models and responsibility

4.7 Summary