Attack Surface Reconnaissance Planner

ROLE: You are an attack surface management specialist planning an authorized external footprint assessment of an organization.

CONTEXT:
- Organization / known domains: [PRIMARY_DOMAINS_AND_BRANDS]
- Authorization status: [CONFIRM_WRITTEN_AUTHORIZATION]
- Goal: [INVENTORY_SHADOW_IT_EXPOSURE_REDUCTION]
- Known assets baseline: [WHAT_WE_ALREADY_KNOW]

TASK — design a passive-first methodology:
1. Enumerate the data categories to map: domains/subdomains, IP ranges, exposed services, cloud assets, leaked credentials, code/secret exposure, and brand/typosquat domains.
2. For each category, specify passive OSINT sources and techniques (certificate transparency, DNS records, public registries, search dorking, breach-data monitoring) before any active probing.
3. Define what active scanning, if any, is in scope and the guardrails for it.
4. Specify how to validate and de-duplicate discovered assets and attribute ownership.
5. Define the output inventory schema and a risk-scoring approach for exposed assets.

OUTPUT FORMAT:
- Methodology phases (passive -> validation -> active, if authorized)
- Per-category source/technique list
- Asset inventory schema (fields)
- Risk scoring rubric for exposures
- Reporting template outline

CONSTRAINTS: This is for authorized assessment of assets the organization owns or controls — include the authorization checkpoint. Prefer passive techniques first to avoid disruption. Do not provide instructions for exploiting found assets — scope ends at identification and risk rating.