Open Source Intelligence (OSINT)

You'd be surprised what's already out there. Let us show you.

Understand what an attacker could find about your organisation before they find it. Our OSINT assessments identify publicly available information across your infrastructure, personnel, and online footprint - all without touching your systems.
Request a Quote
CREST Pathway UK Cyber Security Council member Cyber Essentials certified
OSINT and open source reconnaissance services to identify publicly available information about your organisation

When to Commission an Assessment

When to commission an OSINT assessment

OSINT assessments are relevant across a range of scenarios. The common thread is a need to understand exposure before someone else exploits it.

Before a penetration test or red team engagement

Understanding your baseline exposure before active testing gives both you and your testing team a clearer picture of a realistic attacker's starting position. Credential leaks, exposed infrastructure, and accessible documents can all inform a subsequent engagement.

Before or during a merger or acquisition

A target organisation's online footprint reveals information that may not appear in formal due diligence; exposed credentials belonging to key staff, public code repositories containing sensitive configuration, or infrastructure that suggests undisclosed systems.

Following a security incident

Understanding what an attacker may have known about your organisation before gaining access helps contextualise how an incident occurred and what reconnaissance preceded it. It also identifies whether further exposure remains.

As a standalone footprint review

Organisations that handle sensitive data, operate in regulated sectors, or have a high public profile benefit from periodic reviews of their publicly accessible information. What was true of your exposure two years ago may not reflect your current position.

For executive and key individual assessment

High-profile individuals such as executives and board members present a specific exposure profile. Personally identifiable information, family connections, location indicators, and personal credentials in data breaches can all be identified and represent meaningful personal and organisational risk.

What We Cover

How we perform OSINT assessments

01

Infrastructure & Domain Intelligence

Registered domains, subdomains via certificate transparency logs and passive DNS, historical DNS records, exposed services, and hosting infrastructure attributable to your organisation.

02

Employee & Personnel Exposure

Staff identifiable through LinkedIn, corporate directories, conference appearances, and public profiles. Email address formats, organisational structure, and role details that could inform targeted phishing.

03

Credential & Breach Data

Email addresses and credentials appearing in publicly available breach databases and paste sites. Credentials from a breach may still be in use, or may reveal password patterns that inform further attacks.

04

Document & Metadata Exposure

Publicly indexed documents such as PDFs, spreadsheets, and presentations often contain metadata that reveals internal usernames, software versions, internal hostnames, or authorship information.

05

Code Repository Exposure

Public repositories on GitHub, GitLab, and other platforms associated with the organisation or its employees are a common source of credentials, API keys, internal hostnames, and proprietary configuration.

06

Social Media & Physical Indicators

Publicly accessible social media activity, image metadata, and location-tagged content that may reveal operational information, physical patterns, or personally identifying information.

Key Deliverables

What your report includes

Every OSINT assessment is delivered as a written report structured for two audiences: technical teams that need findings in detail, and senior stakeholders who need to understand overall exposure and associated risk.

Executive Summary

Covering the overall exposure level, the most significant findings, and the key actions arising from the assessment.

Risk-rated Findings

For each item identified, with source attribution, detail on where and how the information was found, and an assessment of the risk it presents.

Attack Path Narrative

Demonstrating how identified information could be combined by a real attacker. A credential in a breach database combined with an identified email format and a named privileged individual tells a different story than any of those findings in isolation.

Remediation & Mitigation Guidance

Where relevant exposures can be reduced. Not all findings are remediable, and information already public cannot always be removed. Where action is possible, specific guidance is provided. Where not, risk acceptance and monitoring recommendations are included.

Don't wait to see what's already out there

Our team are on hand to discuss your requirements and scope an OSINT assessment that meets your needs. A 15-30 minute scoping call is all it takes to get started.

Request a Quote Speak With Our Team