For order of business in any appsec reconnaissance usually involves Maltego, Sploitego, and for me HTTPFingerprinting.
Trying to identify the landscape is important as you will want to know how hackers go on the offense and determine your o/s and web server pragmatics.
From moving response date formats ; to changing the Server header, to altering ordering…are all valid ways you can confuse the http reconnasance tools. However one thing remains.
When someone is scanning you? Are you aware?
Let’s take a look at ModSecurity and how it handles the various payloads from a few classic tools.
I always recommend to scan yourself as part of the SDLC in order to see if you have leaky response headers, if your IIS implementation still has the x-powered-by etc.
The more someone knows about your landscape the more they can act on.