Post-access host reconnaissance performed over SSH to evaluate system capabilities and confirm shell privilege context. The activity fingerprints the operating system and kernel, determines CPU architecture and core count, checks for GPU presence, enumerates interactive users, extracts network routing information, validates the hosting organization via external IP lookup, and confirms the current execution identity. This pattern is commonly observed after initial access when attackers assess whether the compromised host is suitable for compute-intensive workloads, lateral movement, or payload deployment.