Offensive Security

Offensive Recon

Master reconnaissance — OSINT, web recon, bug bounty and red team applications in one complete practical course.

Beginner 64 Hours15 Sections30 LabsKCORP
Overview

The most complete offensive reconnaissance course available — OSINT, web recon, bug bounty and red team in one practical programme. Every concept is backed by a hands-on lab; nothing is hypothetical. You will build a full passive-and-active recon pipeline, learn to find what automated scanners miss, and finish able to produce a professional pre-engagement intelligence package.

64Hours
15Sections
30Labs
KCORPCert
Curriculum
15 Sections · 30 Labs · 64 Hours

Where recon sits in the Diamond, Kill Chain, and CHM frameworks and why it decides an engagement.

4 Topics1 Lab

Staying anonymous, in-scope, and legal while gathering intelligence.

6 Topics2 Labs

Advanced dorking and cached-content analysis to surface exposed data.

5 Topics2 Labs

Username enumeration, breach correlation, and social footprinting.

5 Topics2 Labs

Extracting intel from images, metadata, and documents.

5 Topics2 Labs

Profiling org structure, tech stack, and supply-chain relationships.

4 Topics2 Labs

Enumerating DNS, discovering subdomains, and mapping external infrastructure.

7 Topics3 Labs

Cataloguing endpoints, technologies, and hidden functionality.

6 Topics3 Labs

Extracting endpoints and secrets from client-side JS and APIs.

5 Topics2 Labs

Finding exposed credentials, keys, and tokens across public sources.

5 Topics2 Labs

Discovering exposed cloud assets and misconfigured services.

5 Topics2 Labs

Sourcing and correlating breach data as factual context.

4 Topics1 Lab

A repeatable recon-to-report workflow that gets findings paid.

6 Topics2 Labs

Building the pre-engagement intelligence package for operations.

5 Topics2 Labs

Automating the pipeline and applying every technique end to end.

5 Topics2 Labs
Who It's For

Security Practitioners

Pentesters and red teamers building a professional pre-engagement intelligence workflow.

Bug Bounty Hunters

Researchers who want to find what scanners miss and write reports that get paid.

Security Students

Anyone starting in offensive security who wants a complete, practical foundation.

Security Teams

Defenders who want to understand exactly what attackers see before an engagement.

Outcomes & Takeaways
Build a complete passive and active recon pipeline
Discover subdomains, cloud assets and hidden endpoints
Find exposed credentials, API keys and secrets
Write bug bounty reports that get paid
Produce a red team intelligence package
Automate continuous attack-surface monitoring
Course Benefits

Active practitioners

Built from real engagement experience, not textbooks.

30 hands-on labs

Every concept has a dedicated lab. No theory without practice.

5 disciplines in one

OSINT, web recon, bug bounty, red team and automation.

KCORP certificate

Recognised by security teams and hiring clients.

Interested in this course? Our team will reach out within 1 business day.

Enquire Now