OSINT - Open Source Intelligence

October 6, 2025 · 4 min read · concepts

Tags: osint, recon

What is OSINT?

OSINT (Open Source Intelligence) is the systematic gathering and analysis of information from publicly accessible sources. The term comes from the intelligence world, where analysts use it to distinguish open sources from classified ones. In cybersecurity, OSINT is the first phase of both a real attack and a pentest. The goal is to find out what is publicly known about a target, ideally without sending a single packet toward its infrastructure. MITRE ATT&CK categorizes this under the tactic Reconnaissance (TA0043).

OSINT is not hacking. Nothing is abused or bypassed. Everything OSINT yields is already on the internet for whoever knows where to look.

Which sources does OSINT use?

The value of OSINT lies in combining different sources into one coherent picture.

DNS, WHOIS and certificate transparency logs reveal subdomains, mail servers and historical records; every publicly trusted TLS certificate ends up in a CT log, hostnames included. Search engines with targeted dorks such as site:example.com filetype:pdf surface documents that are not findable through a website’s navigation. LinkedIn often gives a near-complete picture of the org chart, the technologies in use (job adverts and profile skills) and recent staff changes.

Code repositories such as GitHub and GitLab regularly contain leftover API keys, database connection strings or internal configuration. PDFs and Office documents carry metadata with author names, software versions and file paths. Internet scanners such as Shodan and Censys show internet-facing services and certificates. Breach databases such as HaveIBeenPwned show which of your employees' email addresses once turned up in a breach. The Wayback Machine and company registers (such as the Dutch Chamber of Commerce) provide historical context: a page you had removed but that is still viewable, or a director who left a while ago.

OSINT in a pentest

In a corporate network pentest, OSINT usually starts with scope verification. Which domains and IP ranges are really yours, and which of those are publicly reachable? That almost always surfaces at least one subdomain or host that nobody had on their radar anymore.
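As an added illustration of that scope-verification step (example code written for this page, not a Hackify tool): the script below takes the JSON that crt.sh returns for a certificate transparency query, keeps only names that really belong to the domain, drops wildcard entries, and lists the hosts whose every certificate has expired, which is where the forgotten staging box usually turns up. The records are constructed; only the field names (name_value, common_name, not_after) follow crt.sh's output.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the JSON crt.sh returns for a query such as
# https://crt.sh/?q=%25.example.com&output=json. Only the field names are crt.sh's;
# every record, issuer and date below is invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "O=Example CA 1", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2025-09-01T00:00:00", "not_after": "2025-11-30T23:59:59"},
    {"id": 2, "issuer_name": "O=Example CA 1", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2025-03-01T00:00:00", "not_after": "2026-02-28T23:59:59"},
    {"id": 3, "issuer_name": "O=Example CA 2", "common_name": "staging-old.example.com",
     "name_value": "staging-old.example.com",
     "not_before": "2021-01-10T00:00:00", "not_after": "2021-04-10T23:59:59"},
    {"id": 4, "issuer_name": "O=Example CA 1", "common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com",
     "not_before": "2025-08-01T00:00:00", "not_after": "2025-10-30T23:59:59"},
    {"id": 5, "issuer_name": "O=Example CA 2", "common_name": "example.com.evil-lookalike.net",
     "name_value": "example.com.evil-lookalike.net",
     "not_before": "2025-05-01T00:00:00", "not_after": "2025-07-30T23:59:59"},
    {"id": 6, "issuer_name": "O=Example CA 2", "common_name": "VPN.Example.COM",
     "name_value": "VPN.Example.COM",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T23:59:59"},
])


def in_scope(name, domain):
    """True for the apex and its subdomains; rejects look-alikes such as example.com.evil.net."""
    return name == domain or name.endswith("." + domain)


def hosts_from_ct(raw_json, domain):
    """Map each in-scope, non-wildcard hostname to the latest not_after date seen for it."""
    latest = {}
    for cert in json.loads(raw_json):
        expiry = datetime.fromisoformat(cert["not_after"]).replace(tzinfo=timezone.utc)
        # name_value holds every SAN, newline separated; the CN is not always repeated in it.
        for name in cert["name_value"].split("\n") + [cert["common_name"]]:
            name = name.strip().lower()
            # Wildcards name no host; they also mean CT will not list every subdomain.
            if name.startswith("*.") or not in_scope(name, domain):
                continue
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest


def forgotten_hosts(latest, now):
    """Hosts whose every certificate has expired: candidates nobody renews or remembers."""
    return sorted(host for host, expiry in latest.items() if expiry < now)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    hosts = hosts_from_ct(SAMPLE_CRTSH_JSON, "example.com")
    for host in sorted(hosts):
        print(f"{host:32s} last cert expires {hosts[host]:%Y-%m-%d}")
    print("expired only:", forgotten_hosts(hosts, now))
```

The look-alike name and the wildcard are the two filters that matter in practice: without the scope check you report someone else's domain as yours, and without the wildcard check a `*.example.com` entry masquerades as a host. Whatever this lists still needs the DNS and ownership check before it goes into the scope.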

For a phishing simulation, OSINT is the basis for the target list. We combine email addresses found in public sources with names and roles from LinkedIn, so the phishing attack fits believably into the context of your organization. With spear phishing we go deeper: personal context, recent projects and public statements by the target then go into the phishing scenario.

During every OSINT round we watch specifically for sensitive information in code repositories or document metadata. It regularly happens that a developer makes a quick test commit with a real API key in it and never reverts it.
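The check below is an added example (not code from this page's author or from any named tool) of what a secret scanner like gitleaks does at its core: it walks only the added lines of a diff, matches vendor-specific key formats first, and gates a generic "key = value" rule on Shannon entropy so that placeholders are not reported. The diff is constructed; the AWS key pair in it is the placeholder pair from AWS's own documentation, and the GitHub token and passwords are invented. The same logic is what the secret-scanning step in the footprint list further down relies on.

```python
import math
import re
from collections import Counter

# Constructed git diff, as `git log -p` would print it. The AWS key pair is the
# documented AWS placeholder pair; the GitHub token and passwords are invented.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,10 @@
 import os
-API_KEY = os.environ["API_KEY"]
+# quick local test, remove before merge
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
+DB_PASSWORD = "q8Zr2pLm9xVt4Kd7"
+PASSWORD = "changeme"
+API_KEY_HINT = "your-api-key-here"
 DEBUG = False
"""

# (rule name, pattern, minimum entropy or None). Vendor formats first; the
# generic rule last, because it also matches lines the specific rules cover.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), None),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), None),
    ("generic-high-entropy",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})"),
     3.5),
]


def shannon_entropy(s):
    """Bits per character. Random 16+ character secrets score well above 3.5; words and placeholders below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text):
    """Return one finding per added line that carries something secret-shaped."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        # Only added lines matter; "+++" is the file header, not content.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, pattern, min_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if min_entropy is not None and shannon_entropy(value) < min_entropy:
                continue  # placeholder such as "your-api-key-here": low entropy, not a secret
            findings.append({
                "line": line_no,
                "rule": rule,
                "preview": value[:4] + "*" * (len(value) - 4),  # never log the full secret
            })
            break  # one finding per line; the first (most specific) rule wins
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']:3d}  {f['rule']:22s}  {f['preview']}")
```

Scanning a real repository means feeding it every commit, not just the current tree: `git log -p --all` is the input, because the "quick test commit" is usually followed by a commit that deletes the key from the working tree while it stays in history. The entropy gate is what keeps the generic rule usable; drop it and every `API_KEY=your-api-key-here` in an example config becomes a finding.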

What can an attacker do with OSINT?

OSINT on its own does no damage. The information found forms the basis for what comes after.

With a list of email addresses and names, phishing becomes effective. An email from “HR” with the real name of your HR manager gets further than a generic phishing blast. A leaked API key from a GitHub commit can give direct access to your cloud environment, without the attacker having to guess a single password. A forgotten subdomain whose DNS record still points to a cloud resource that has since been deleted is a classic subdomain takeover: the attacker registers that resource again and can place content under your own domain name. A software version listed in document metadata tells them which vulnerabilities to try in a targeted way.

In practice OSINT is rarely the hardest part of an attack. It is the part where an attacker decides whether it is worth going further.

How do you reduce your OSINT footprint?

You cannot make your organization completely invisible, and that is not the goal either. You can take away the easy wins for an attacker:

  • Strip metadata from documents before publication. Word's Document Inspector and most PDF exporters offer an option to remove personal data, author names and file paths.
  • Run secret scanning on your code repositories. Tools such as gitleaks and trufflehog find hardcoded API keys, including in old commits that were later "cleaned up". GitHub and GitLab offer similar native scanning; GitHub's push protection blocks a commit with a known key format before it lands.
  • Clean up DNS records. Wildcard records, old staging subdomains and records that still point to cloud resources you have since deleted are the first finds in every OSINT round. Remove the DNS record when you decommission the resource, not later.
  • Monitor breach databases for your own domain. HaveIBeenPwned offers a free email alert for domains, so you know when credentials have leaked and can force those passwords to be reset.
  • Discuss with your employees which information they share on LinkedIn. A detailed description of your internal IT stack does not belong there.
  • Run an external footprint audit periodically. That can be a standalone job or part of a pentest where it has been agreed.

None of these measures makes OSINT impossible. They do raise the effort an attacker has to put in before finding anything usable.
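Added example, written for this page and not the author's code, covering both the metadata claim under "Which sources does OSINT use?" and the first item of the list above: it builds a minimal .docx-shaped package with the two metadata parts a Word export carries (docProps/core.xml and docProps/app.xml), extracts every populated field the way an OSINT round would, and writes a stripped copy that keeps only the title. The document, names, dates and UNC template path are constructed; the namespace URIs and element names are the real OOXML ones, so the same functions work on an actual .docx.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Real OOXML namespaces for the two metadata parts.
CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Constructed sample: the fields a typical Word export carries. The author,
# company, dates and the UNC path to the template are invented for this example.
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}" xmlns:xsi="{XSI_NS}">
<dc:title>Quarterly network overview</dc:title>
<dc:creator>j.devries</dc:creator>
<cp:lastModifiedBy>Jan de Vries</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2025-09-12T08:14:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2025-09-30T15:02:00Z</dcterms:modified>
</cp:coreProperties>"""

SAMPLE_APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{APP_NS}">
<Application>Microsoft Office Word</Application>
<AppVersion>16.0000</AppVersion>
<Company>Example B.V.</Company>
<Template>\\\\fileserver01\\templates\\corporate.dotx</Template>
</Properties>"""

METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")


def build_sample_docx():
    """Return a minimal .docx-shaped zip: a constructed skeleton, not a complete Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        zf.writestr("docProps/app.xml", SAMPLE_APP_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return {field: value} for every populated element in the two metadata parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in METADATA_PARTS:
            if part not in zf.namelist():
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                if elem.text and elem.text.strip():
                    found[elem.tag.rsplit("}", 1)[-1]] = elem.text.strip()  # drop the namespace
    return found


def strip_metadata(docx_bytes):
    """Rewrite the package with the identifying fields removed; only the title survives.

    The parts are kept (empty) rather than deleted, because the package's relationships
    still reference them."""
    title = extract_metadata(docx_bytes).get("title", "")
    clean_core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                  f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}">'
                  f'<dc:title>{escape(title)}</dc:title></cp:coreProperties>')
    clean_app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                 f'<Properties xmlns="{APP_NS}"/>')
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == "docProps/core.xml":
                dst.writestr(name, clean_core)
            elif name == "docProps/app.xml":
                dst.writestr(name, clean_app)
            else:
                dst.writestr(name, src.read(name))
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(strip_metadata(original)))
```

Run `extract_metadata` over a published report and you get the username, the full name, the Office build and, via Template, an internal file server name: the exact fields the "strip metadata" step is about. Checking the stripped copy with the same function before it goes on the website is the cheap way to make sure the export setting actually did its job.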

Frequently asked questions about OSINT

Is OSINT legal?

Gathering publicly available information is allowed in the Netherlands, as long as you stick to the GDPR and to platform terms. For pentest purposes OSINT always starts with explicit client permission and only on systems or people that fall within the agreed scope. Storing or reselling personal data from OSINT research is regulated by the GDPR.

What is the difference between passive and active OSINT?

Passive OSINT does not touch the target. You use only third-party sources such as search engines, archives, certificate transparency logs and breach databases. Active OSINT sends traffic toward the target, for example DNS queries against its own name servers, banner grabs or subdomain enumeration through DNS brute-force. In practice that line is blurry. We always start passive and only move to active once the pentest is officially running.

How long does an OSINT round take in a pentest?

For a bounded corporate network pentest we usually reserve half a day to a full day. For a targeted spear phishing on a few targets, OSINT often costs more time, because the more detail we find the more believable the phishing scenario becomes.

How do I know what is publicly findable about my organization?

Check HaveIBeenPwned for your email domain to see which accounts appear in old breaches. On top of that, run a few targeted Google dorks on your own domain to see which documents or pages are indexed. For a broader picture, a professional OSINT audit combines dozens of sources into one report. We run that kind of audit as a standalone job or as part of a pentest where it has been agreed.
