Fox and falcon recon lab

A one-day workshop where stealth meets sight—learn what attackers see, and why that matters.

What is it?

In the Red part of the forest, the fox represents stealth and cunning, while the falcon embodies sharp-eyed strategy. The Fox and falcon recon lab is a hands-on, low-tech day of discovery. Participants play both predator and observer: spotting what outsiders can learn about an organisation—and how easily that information could lead to compromise.

Why it matters

If your team doesn’t know what an attacker can easily spot about your organisation, it’s hard to stop them. Reconnaissance is often the first and easiest step in a security breach. This workshop demystifies how that works while giving you practical insight into reducing your surface of exposure—without needing advanced tech or cloud labs.

Workshop flow (what participants do)

Session

Activity

Real link for background

Falcon’s view (Morning)

Explore publicly available data—like websites, staff bios, and documents—to map what outsiders can see.

See Swoop like falcons and The falcon’s secret stash

Fox’s view (Midday)

Run light, controlled probes (like ping or port scans) in a safe lab environment. Discover which actions are easy to detect.

Based on The falcon’s first dive and Fox hunting through the digital wilds

Fusion session

Blend the two views into an easy-to-read Attack Surface Map (a diagram showing possible entry points). Teams write up a Recon Dossier.

Rooted in Mapping the lay of the land

What you’ll walk away with

  • A one-page Recon Dossier: a simple visual summary of what could be discovered about your organisation.

  • A short checklist of “external signals” defenders should know to look for.

  • A deepened understanding—through lived experience—of what recon feels like from both sides of the fence.

Who is this for?

Perfect for mixed groups: managers, non-tech staff, security leads, and curious minds. No advanced tech background needed—facilitators guide every step so that even non-technical participants feel confident following and contributing.

Delivery at a glance

  • Duration: Full-day (spread across falcon, fox, and combined sessions, with mid-day hands-on labs and final wrap-up).

  • Setup: Easy local lab environment provided (no cloud, just small servers or desktops plus a simple defender toolkit).

  • Why it works: Learners practise real attacker behaviours and defender observations in a narrative and engaging format—with no jargon.