Title says it really. I found 2 IPs (different networks but linked in terms of company) and I know their operating systems and ports but they're just the standard email ports. What should I look for now? I know what they're running on the server side and the webserver version for one of them. Should I try to find the versions of php they're to see if there is any exploits? I know one of the websites has a reflected xss vulnerability but it filters out <script> Basically I just don't know how much recon is enough and what to look for. If someone has like a checklist/template (like you would use for doxing) or something to point me in the right direction that would be nice.