Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A reconnaissance action that sends crafted traffic to a target to discover live hosts, open ports, or services before an attack.
Probe Definition: A reconnaissance action that sends crafted traffic to a target to discover live hosts, open ports, or services before an attack.
A probe is a reconnaissance action in which an attacker (or defender) sends crafted traffic to a target to discover live hosts, open ports, running services, or weaknesses. Probing is typically the first stage of an attack, mapping the target's exposure so the attacker can plan exploitation against the most promising entry points.
Probes range from a single connection attempt to large automated scans. Common techniques include ICMP echo requests to find live hosts, TCP SYN probes to detect open ports without completing the handshake, banner grabbing to identify service versions, and application-layer requests that fingerprint software. Tools like Nmap orchestrate these probes and infer the target's operating system and services from the responses, building a picture of the attack surface.
Probing matters because it precedes nearly every targeted intrusion, and the information it gathers determines what an attacker can exploit. Detecting probe patterns early, such as sequential port access or sweeps across an address range, gives defenders a chance to block reconnaissance before exploitation begins. Conversely, exposed services that answer probes with detailed version banners hand attackers a roadmap to known vulnerabilities. Intrusion detection systems and firewalls are tuned to flag and rate-limit probing activity.
For example, before attacking a web server, an adversary runs an Nmap scan that sends SYN packets to common ports. The server replies on 443, and a follow-up banner grab reveals an outdated web server version with a published CVE. The attacker now knows exactly which exploit to attempt. A defender watching the IDS sees the burst of SYN probes from one source, correlates it as a scan, and blocks the IP before the exploit stage.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →