Reconnaissance

Auto review

Passive and active information gathering about the target

Hats: 2
Review Agents: 1
Review: Auto
Unit Types: Passive Recon, Active Recon, Osint
Inputs: None

Hat Sequence

1. Network Mapper

Focus: Map the target's network topology, identify live hosts, open ports, and external-facing services within the authorized scope. Build a comprehensive picture of the attack surface from a network perspective.

Produces: Network map with host inventory, port states, service banners, and preliminary technology fingerprints organized by network segment.

Reads: Intent scope definition, authorized IP ranges and domains, OSINT analyst's findings.

Anti-patterns (RFC 2119):

  • The agent MUST NOT scan hosts or ranges outside the authorized scope
  • The agent MUST NOT use aggressive scan techniques that could cause denial of service
  • The agent MUST NOT fail to document scan parameters and timing for reproducibility
  • The agent MUST NOT skip UDP services or non-standard port ranges without justification
  • The agent MUST correlate network findings with OSINT data
  • The agent MUST NOT run scans without confirming the rules of engagement permit active probing

2. OSINT Analyst

Focus: Collect publicly available information about the target using open-source intelligence techniques. DNS records, WHOIS data, certificate transparency logs, publicly indexed pages, leaked credentials databases, social media, job postings, and technology stack fingerprinting.

Produces: OSINT dossier with sourced findings organized by category (infrastructure, personnel, technology, exposure), each with retrieval timestamps and confidence ratings.

Reads: Intent scope definition, rules of engagement, authorized target list.

Anti-patterns (RFC 2119):

  • The agent MUST NOT access systems or data outside the authorized scope
  • The agent MUST NOT fail to timestamp and source every finding
  • The agent MUST NOT use techniques that could alert the target during passive recon phases
  • The agent MUST NOT skip certificate transparency or DNS enumeration
  • The agent MUST NOT draw conclusions without corroborating across multiple sources
  • The agent MUST NOT store or exfiltrate any actual credentials found in public breaches

Review Agents

Coverage

Mandate: The agent MUST verify reconnaissance covered the full target surface.

Check:

  • The agent MUST verify that all in-scope domains, IPs, and services are enumerated
  • The agent MUST verify that both passive and active reconnaissance techniques were applied
  • The agent MUST verify that discovered assets are categorized by technology stack and exposure level
  • The agent MUST verify that no obvious blind spots remain (cloud assets, CDN-fronted services, API endpoints)

Criteria Guidance

Good criteria examples:

  • "Target profile documents at least 5 external-facing services with technology stack identified for each"
  • "OSINT findings include DNS records, WHOIS data, and publicly indexed endpoints with timestamps"
  • "Network map identifies all in-scope IP ranges, subdomains, and ingress points with confidence ratings"

Bad criteria examples:

  • "Recon is complete"
  • "Target information gathered"
  • "Network has been mapped"

Completion Signal (RFC 2119)

Target profile MUST exist with synthesized findings from both passive and active reconnaissance. All discovered assets are cataloged with technology fingerprints, version information where available, and confidence ratings. Network topology MUST be documented. OSINT findings are timestamped and sourced. The attack surface is mapped at a high level with areas of interest flagged for enumeration.
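As an added example (not part of this page's framework or its agents), the Python below applies the Coverage review checks and the scope, timestamp, source and confidence requirements above to a constructed findings list; the finding field names, the scope format (a list of CIDRs and domains) and the sample data are assumptions.

```python
import ipaddress
from typing import Dict, List

# Every finding must carry these fields: timestamp and source (OSINT anti-patterns),
# confidence (completion signal), technique (proves both passive and active were applied).
REQUIRED_FIELDS = ("asset", "source", "timestamp", "confidence", "technique")

def matches(asset: str, item: str) -> bool:
    """Does an asset fall under one authorized scope item (a CIDR or a domain)?"""
    try:
        return ipaddress.ip_address(asset) in ipaddress.ip_network(item)
    except ValueError:  # not an IP/CIDR pair: compare as hostnames instead
        host = asset.lower().rstrip(".")
        return host == item or host.endswith("." + item)

def review_recon(findings: List[Dict], scope: List[str]) -> Dict:
    """Coverage review: flag out-of-scope assets, findings without provenance,
    a missing passive/active technique, and scope items with no findings at all."""
    report: Dict = {"out_of_scope": [], "missing_provenance": []}
    for f in findings:
        asset = f.get("asset", "")
        if not any(matches(asset, item) for item in scope):
            report["out_of_scope"].append(asset)          # scope anti-pattern violated
        if any(not f.get(k) for k in REQUIRED_FIELDS):
            report["missing_provenance"].append(asset)    # untimestamped/unsourced/unrated
    used = {f.get("technique") for f in findings}
    report["missing_techniques"] = sorted({"active", "passive"} - used)
    report["uncovered_scope"] = [
        item for item in scope
        if not any(matches(f.get("asset", ""), item) for f in findings)
    ]
    report["passed"] = not any(report[k] for k in
                               ("out_of_scope", "missing_provenance",
                                "missing_techniques", "uncovered_scope"))
    return report

# Constructed sample data (documentation ranges and example domains, not a real engagement).
SCOPE = ["203.0.113.0/24", "example.com", "example.org"]
FINDINGS = [
    {"asset": "203.0.113.10", "source": "port scan + banner grab", "timestamp": "2024-05-01T10:00:00Z",
     "confidence": "high", "technique": "active"},
    {"asset": "www.example.com", "source": "certificate transparency log", "timestamp": "2024-05-01T09:00:00Z",
     "confidence": "medium", "technique": "passive"},
    {"asset": "198.51.100.7", "source": "port scan", "timestamp": "2024-05-01T10:05:00Z",
     "confidence": "high", "technique": "active"},               # outside SCOPE
    {"asset": "api.example.com", "source": "DNS enumeration", "timestamp": "",
     "confidence": "", "technique": "passive"},                  # no timestamp, no confidence
]

if __name__ == "__main__":
    import json
    print(json.dumps(review_recon(FINDINGS, SCOPE), indent=2))
```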