Covert Access Team

From OSINT to Embedded: The Recon Checklist for Black Teams
Brian Harris
May 01, 2025
∙ Paid

When conducting a black team engagement, there’s a simple rule that will help you to maximize your chances of success: spend at least 50% of your total engagement time on reconnaissance. If your engagement spans two weeks, then one full week should be dedicated solely to recon.

Recon isn’t just a preliminary task—it’s a deliberate, multi-phase process. It begins at maximum distance, relying solely on digital footprints and satellite imagery. From there, you gradually tighten the noose, moving from virtual observation to physical proximity, and eventually embedding within the environment. You should never move closer to the target until you’ve fully extracted all viable intel at your current range. Every phase should justify the next.

This blog post is designed as a checklist for every recon stage—OSINT, Long Range, Short Range, and Embedded—to help you and your team identify not just what you should be looking for, but what concrete actions you can take at each level to gain the upper hand before you ever touch a badge reader or open a door.

Common Pushback: “Why Spend 50% on Recon When I Can Just Tailgate?”

One of the most common forms of resistance from black teams—especially those newer to the discipline—is the argument:

“Why spend half the engagement on recon when I can just tailgate in?”

It's a fair question on the surface. Tailgating is low effort, high success. It works. But if that’s your entire strategy, then you’re not testing the building—you’re just proving one vulnerability. And frankly, your client didn’t hire you to do the bare minimum.

Let’s be clear: tailgating is a symptom of a security issue, not the full picture. Your job isn't just to gain access—it's to evaluate the target's physical security holistically. If you’re ending your engagement the moment you tailgate in, you’ve missed the point. You haven’t tested the systems, the staff awareness, the procedural controls, the access points, or any of the other real-world paths a determined adversary would explore.

Imagine this: you tailgate in, submit your report, and the client implements anti-tailgating measures—great. But what if there were five other equally easy ways into the building that you never found because you rushed past recon?

  • A vendor entrance with no camera coverage.

  • A propped emergency exit.

  • A badge reader with a known vulnerability.

  • A climbable window with no sensors.

  • An unsecured underground parking entrance.

If you didn’t detect or test these because you were too quick to score your “win,” you’ve done the client a disservice. They hired you to simulate a real threat, not a lazy one.

A proper black team engagement doesn’t just answer the question, “Can someone get in?” It answers, “How many ways can someone get in, what tools do they need, and what does that say about the organization’s total security posture?”

Recon is what allows you to find those paths. It’s how you map out not just vulnerabilities, but patterns—human, technical, and procedural. The more time you invest in understanding the environment before making a move, the more valuable your test becomes.

Bottom line: if tailgating is the beginning and end of your test, you’ve offered little value. But if recon leads you to tailgating and badge cloning, and PACS vulnerabilities, and procedural gaps with third-party vendors, then you’ve delivered something comprehensive—and something worth paying for.

Recon Isn’t Just Observation — It’s Actionable Preparation

While the term “reconnaissance” often evokes the image of quiet observation—binoculars, note-taking, and data collection from a distance—the reality of a black team engagement is far more dynamic.

Yes, you are gathering intelligence at each stage, but you should also be executing specific actions that make your job easier down the line. Recon isn’t passive—it’s preparatory. If all you’re doing is collecting information without leveraging it to build access, credibility, or strategic advantage, you’re only doing half the job.

At each stage—OSINT, Long Range, Short Range, and Embedded—there are opportunities to act, not just observe. These are small, low-risk tasks that compound in value as the engagement progresses. By the time you're ready to breach, you’re not scrambling for tools or building a plan on the fly. You've already laid the groundwork.

Remember that not every engagement will warrant each type of recon, and this list should always be adjusted for the engagement type and the team.

What follows is a list that you and your team can use at each stage of recon to map out both what information should be gathered and actions that can be taken.

OSINT (Open Source Intelligence)

Distance: Virtual — Before leaving your desk.

© 2025 Brian Harris