Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Category 1 Reconnaissance & Enumeration
Intelligence gathering operations targeting identity infrastructure before credential submission. Adversaries systematically map authentication surfaces, harvest user metadata, and fingerprint federation behavior to build attack foundations.
What This Category Represents
Attack Surface Discovery
Adversaries systematically probe authentication endpoints to map external identity exposure, identify valid usernames, and extract organizational email patterns. These reconnaissance operations require no authentication, exploiting publicly accessible identity infrastructure to build target profiles.
Attackers fingerprint cloud tenant configurations, detect MFA enforcement policies, and analyze federation metadata to identify weak authentication paths and legacy protocol support.
Intelligence Collection Goals
  • Map external identity exposure surfaces
  • Harvest valid usernames and email formats
  • Enumerate MFA and federation behavior
  • Detect legacy authentication paths
  • Fingerprint cloud vs. federated flows
  • Analyze identity metadata leakage
  • Prepare targeted credential campaigns
These patterns establish the foundational intelligence for identity-centric intrusion campaigns across cloud and hybrid environments.
Included Breach Patterns in Category 1
Domain & Identity Surface Scanning
External reconnaissance mapping organizational authentication endpoints and identity infrastructure exposure.
Cloud Tenant Discovery
Enumeration techniques identifying target cloud tenant configurations and service deployments.
Federation Metadata Collection
Harvesting federation configuration data revealing authentication trust relationships and SSO flows.
Email Pattern Harvesting
Systematic extraction of organizational email formats and UPN naming conventions for targeting.
Valid Username Harvesting
Identification of legitimate user accounts through timing and error message analysis techniques.
Cloud Tenant Identity Enumeration
Probing cloud authentication APIs to validate user existence within target tenant environments.
MFA Property Enumeration
Detection of multi-factor authentication enforcement policies and registered authenticator types.
Federation Enumeration
Analysis of federated authentication flows identifying IdP relationships and trust configurations.
Pre-Authentication Behavior Analysis
Probing authentication endpoints to fingerprint security controls before credential submission attempts.
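The Valid Username Harvesting and Pre-Authentication Behavior Analysis patterns above both rely on a login endpoint that treats a non-existent account differently from an existing one, in its error text or in how long it takes to answer. The following is an added illustration, not code from this framework: a constructed user store (`USERS`, `ITERATIONS` and the example credentials are assumptions for the demo) with a leaky login routine beside a hardened one that returns the same message and performs the same password-hashing work on every path.

```python
import hashlib
import hmac

# Constructed demo user store (not real credentials): username -> (salt, PBKDF2 hash).
ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice@example.com": (_SALT, _hash("correct horse battery staple", _SALT)),
}

# Dummy record used for unknown usernames so the hashing cost is paid on every
# request, not only for accounts that exist.
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = _hash("dummy-password-never-accepted", _DUMMY_SALT)


def leaky_login(username: str, password: str) -> str:
    """Pattern that leaks account existence: a distinct message for unknown
    users and an early return that skips the expensive hash, so both the
    response text and the response time reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return "unknown user"          # distinguishable message, fast path
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "wrong password"            # distinguishable message, slow path


def uniform_login(username: str, password: str) -> str:
    """Hardened pattern: one generic failure message, and the same PBKDF2
    computation and constant-time comparison whether or not the username is
    known, so error-message and timing analysis see identical behaviour."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # Always run the comparison; never short-circuit before it.
    matches = hmac.compare_digest(candidate, stored)
    # The username check guards against a password that happens to match
    # the dummy record; the hash work above has already been done either way.
    if username in USERS and matches:
        return "ok"
    return "invalid credentials"


def messages_distinguish_accounts(login) -> bool:
    """True when the routine answers differently for a non-existent account
    and for an existing account with a wrong password."""
    return login("nobody@example.com", "x") != login("alice@example.com", "x")


if __name__ == "__main__":
    for fn in (leaky_login, uniform_login):
        print(fn.__name__, "leaks account existence:", messages_distinguish_accounts(fn))
```

The hardened routine still lets a legitimate user in, and it deliberately does the dummy hash even when the account does not exist; rate limiting and lockout are still needed on top of this, since uniform responses remove the oracle but not the volume.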
Threat Landscape Summary
Threat Actor Profiles
  • Nation-state APT groups conducting strategic intelligence collection
  • Ransomware operators mapping high-value targets
  • Credential harvesting botnets operating at scale
  • Cloud-native adversaries exploiting SaaS exposures
Follow-On Attack Sequences
Reconnaissance intelligence enables subsequent attack phases including password spraying campaigns, OAuth phishing operations, MFA fatigue attacks, session hijacking, token abuse, and federation manipulation techniques.
Detection Imperative
Category 1 patterns give defenders visibility into the earliest and most subtle identity attack signals. Identifying reconnaissance activity enables a proactive defensive posture before credential compromise occurs.

Defender Advantage: Most organizations significantly underestimate Stage 1/2 identity metadata leakage. Early detection of reconnaissance patterns prevents progression to credential-based intrusion phases.
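To make the detection point concrete, here is an added example (not part of this framework) of the kind of pre-authentication signal a defender can extract from identity-service logs. The log format, field names, thresholds and the sample lines are all constructed for this illustration. The detector groups events by source, slides a time window over each source's attempts, and flags a source that touches many distinct usernames, gets mostly "unknown user" results and never logs in, which is the footprint of username harvesting rather than a user mistyping a password. It also lists the accounts the probing source confirmed as valid, since those are the ones a follow-on spray will target.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one JSON object per line (fields assumed):
# a reconnaissance source (203.0.113.7) walking through guessed addresses, a
# user (198.51.100.20) fumbling a password twice, and a typo from 192.0.2.9.
SAMPLE_LOG = """
{"ts": "2026-01-10T09:00:01Z", "src": "203.0.113.7", "user": "a.smith@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:00:04Z", "src": "203.0.113.7", "user": "b.jones@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:00:07Z", "src": "203.0.113.7", "user": "c.lee@example.com", "result": "wrong_password"}
{"ts": "2026-01-10T09:00:10Z", "src": "203.0.113.7", "user": "d.kim@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:00:13Z", "src": "203.0.113.7", "user": "e.brown@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:05:00Z", "src": "198.51.100.20", "user": "c.lee@example.com", "result": "wrong_password"}
{"ts": "2026-01-10T09:00:16Z", "src": "203.0.113.7", "user": "f.davis@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:00:19Z", "src": "203.0.113.7", "user": "g.wilson@example.com", "result": "wrong_password"}
{"ts": "2026-01-10T09:00:22Z", "src": "203.0.113.7", "user": "h.moore@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:05:20Z", "src": "198.51.100.20", "user": "c.lee@example.com", "result": "wrong_password"}
{"ts": "2026-01-10T09:00:25Z", "src": "203.0.113.7", "user": "i.taylor@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:00:28Z", "src": "203.0.113.7", "user": "j.clark@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:00:31Z", "src": "203.0.113.7", "user": "k.hall@example.com", "result": "wrong_password"}
{"ts": "2026-01-10T09:05:40Z", "src": "198.51.100.20", "user": "c.lee@example.com", "result": "success"}
{"ts": "2026-01-10T09:00:34Z", "src": "203.0.113.7", "user": "l.young@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:07:00Z", "src": "192.0.2.9", "user": "m.white@example.com", "result": "unknown_user"}
{"ts": "2026-01-10T09:07:30Z", "src": "192.0.2.9", "user": "m.whit@example.com", "result": "unknown_user"}
"""

# Tuning knobs (assumed values; calibrate against your own baseline).
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 8
MIN_UNKNOWN_RATIO = 0.6


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines and convert timestamps; skips blank lines."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_enumeration(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                       min_unknown_ratio=MIN_UNKNOWN_RATIO) -> list[dict]:
    """Return one finding per source whose busiest window looks like username
    harvesting: many distinct usernames, mostly unknown, and no success."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it is within `window` of evs[end].
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seg = evs[start:end + 1]
            users = {e["user"] for e in seg}
            unknown = sum(1 for e in seg if e["result"] == "unknown_user")
            ratio = unknown / len(seg)
            any_success = any(e["result"] == "success" for e in seg)
            if len(users) >= min_users and ratio >= min_unknown_ratio and not any_success:
                cand = {
                    "src": src,
                    "window_start": seg[0]["ts"].isoformat(),
                    "window_end": seg[-1]["ts"].isoformat(),
                    "attempts": len(seg),
                    "distinct_users": len(users),
                    "unknown_ratio": round(ratio, 2),
                    # Accounts the probe confirmed exist (any non-unknown result).
                    "confirmed_users": sorted(
                        {e["user"] for e in seg if e["result"] != "unknown_user"}),
                }
                if best is None or cand["distinct_users"] > best["distinct_users"]:
                    best = cand
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

The two benign sources never reach the distinct-user threshold, so only the probing source is reported. In production the same logic should also key on user agent and ASN, because the Cloud-Scale Automation characteristic described later in this page means a single campaign is often spread across many source addresses, each staying under a per-source threshold.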
Critical Operational Characteristics
No Authentication Required
These techniques exploit publicly accessible identity infrastructure and authentication endpoints, requiring no valid credentials or prior access to target environments. Adversaries leverage inherent protocol behaviors and cloud service architectures.
Public Identity Exposure
Attacks exploit public or semi-public identity surfaces including DNS records, cloud authentication APIs, federation metadata endpoints, and error message patterns that leak organizational information.
Cloud-Scale Automation
Reconnaissance operations scale efficiently across thousands of targets using automated tooling, distributed infrastructure, and cloud compute resources to conduct high-volume enumeration campaigns.
Underestimated Risk Vector
Most security programs lack comprehensive visibility into pre-authentication reconnaissance activity. Organizations typically focus detection on post-authentication events, missing critical early-stage attack indicators.
