What is OSINT?
Open Source Intelligence (OSINT) gathering is the practice of collecting and analysing information from publicly available sources. It requires no access to your systems, no credentials, and no direct interaction with your infrastructure. Everything identified during an OSINT assessment is information that is already accessible to anyone who knows where to look.
For organisations, the volume of information that accumulates in public sources over time, through employee activity, domain registrations, code repositories, data breaches, social media, and document metadata, is often significantly greater than security teams expect. An attacker conducting reconnaissance before a targeted engagement will spend time doing exactly this, building a picture of your organisation’s people, systems, and potential weaknesses before making a single direct request.
An OSINT assessment gives you that same picture first. It identifies what’s exposed, contextualises the risk, and, where possible, provides guidance on reducing your exposure before it’s used against you.
When to commission an OSINT assessment
OSINT assessments are relevant across a range of scenarios. The common thread is a need to understand exposure before someone else exploits it.
Before a penetration test or red team engagement:
Understanding your baseline exposure before active testing begins gives both you and your testing team a clearer picture of what an attacker’s starting position would realistically look like. Credential leaks, exposed infrastructure, and accessible documents can all inform and strengthen a subsequent engagement.
Before or during a merger or acquisition:
A target organisation’s online footprint reveals information that may not appear in formal due diligence. This could be exposed credentials belonging to key staff, public code repositories containing sensitive configuration, or infrastructure that suggests undisclosed systems or services. OSINT as part of an M&A process is an increasingly common requirement.
Following a security incident:
Understanding what an attacker may have known about your organisation before gaining access helps contextualise how an incident occurred and what reconnaissance preceded it. It also helps identify whether further exposure remains that could be leveraged in subsequent activity.
As a standalone assessment of your online footprint:
Organisations that handle sensitive data, operate in regulated sectors, or have a high public profile benefit from periodic reviews of their publicly accessible information. What was true of your exposure two years ago may not reflect your current position.
For executive and key individual assessment:
High-profile individuals, such as executives, board members, or high net-worth individuals, present a specific exposure profile. Personally identifiable information, family connections, location indicators, and personal credentials in data breaches can all be identified through publicly available sources and represent a meaningful personal and organisational risk.
How we perform OSINT assessments
Our assessments cover a full range of publicly accessible sources that are relevant to your organisation and its people. Assessments are conducted entirely through passive means, where we identify information without making direct requests to your systems or infrastructure.
Infrastructure and domain intelligence
Registered domains, subdomains identified through certificate transparency logs and passive DNS, historical DNS records, exposed services, and hosting infrastructure. This establishes the technical perimeter of what is publicly attributable to your organisation.
Employee and personnel exposure
Staff that are identifiable through LinkedIn, corporate directories, conference appearances, and public profiles. Email address formats, organisational structure, and role details are all information that an attacker could use to construct a targeted phishing campaign.
Credential and breach data
Email addresses and credentials appearing in publicly available breach databases and paste sites. This includes historical dumps as well as more recent exposure. Credentials from a breach may still be in use, or may reveal password patterns that inform further attacks.
Document and metadata exposure
Publicly indexed documents, such as PDFs, spreadsheets, and presentations, often contain metadata that reveals internal usernames, software versions, internal hostnames, or authorship information. The documents themselves may also contain sensitive internal content that was never intended for public access.
Code repository exposure
Public repositories on GitHub, GitLab, and other platforms associated with the organisation or its employees are a common source of accidentally exposed credentials, API keys, internal hostnames, and proprietary configuration. Whilst these sorts of risks are usually covered as part of a white-box code review, we attempt to identify areas where this data has leaked out from trusted sources.
Social media and personal information
Publicly accessible social media activity from the organisation and key individuals is relevant for understanding what operational information is inadvertently disclosed, and for executive and individual assessments where personal exposure is the primary concern.
Physical and location indicators
Image metadata, publicly posted photographs, and location-tagged content that may reveal physical patterns, office locations, or personally identifying information. Primarily relevant for executive and individual assessments.
Supplier and third-party exposure
Information attributable to key suppliers or partners that may indirectly expose your organisation. This includes shared infrastructure, co-referenced credentials, or publicly disclosed relationships that could inform an attacker’s understanding of your supply chain.
What your report includes
Every OSINT assessment is delivered as a written report structured for two audiences: technical teams that need to understand any relevant findings in detail, and senior stakeholders who need to understand the overall exposure and the risk associated with the information that could be gathered.
Executive summary
Covering the overall exposure level, the most significant findings, and the key actions arising from the assessment.
Risk-rated findings
For each item identified, with source attribution, detail on where and how the information was found, and an assessment of the risk it presents.
Attack path narrative
Demonstrating how identified information could be combined by a real attacker. A credential in a breach database, combined with an identified email format and a named individual in a privileged role, tells a different story than any of those findings in isolation.
Remediation and mitigation guidance
Where relevant exposures can be reduced. Not all findings are remediable, and information that is already public cannot always be removed. But where action is possible, specific guidance is provided. Where remediation is not possible, risk acceptance and monitoring recommendations are included.
Methodology and evidence
Documenting the sources consulted, the techniques used, and the evidence that supports each finding. This supports internal review and provides an audit trail for compliance purposes.
How it works
Penetration test pricing varies significantly based on scope and complexity. Understanding these variables helps you get a more accurate quote and ensures your testing budget is spent where it matters most.

