Hard2bit

OSINT

What OSINT is

OSINT (Open Source Intelligence) is the discipline that collects and analyses publicly available information to build actionable intelligence. Its sources are technical (DNS, TLS certificates, ASN, WHOIS, passive scans, public code repositories, paste sites) and non-technical (company registries, press, social networks, forums, published leaks). It is the first phase of any red team engagement, a central component of threat intelligence programmes and a recurring input for forensic investigation, fraud prevention and attack surface reduction. Serious OSINT practice rests on documented methodologies (SANS, NATO OSINT Handbook, community-published frameworks) and reproducible techniques rather than on personal bookmark collections.

Why it matters

For a security leader, OSINT is the mirror in which the organisation appears as the attackers see it before they launch anything. With far less effort than most people imagine, an outsider can enumerate forgotten domains, exposed administration panels, code repositories with hardcoded credentials, technical staff who advertise themselves on social networks, and old leaks that still feed credential stuffing today. Mapping that perimeter yourself before the attacker does is the only way to shrink it. For regulated programmes (NIS2, DORA, ISO 27001) OSINT provides continuous evidence of real exposure; for targeted phishing and social engineering campaigns it is the attacker's main ammunition. The less exploitable information is public, the more expensive it becomes for the adversary to build a credible lure.

Key points

OSINT does not involve accessing third-party systems. All the intelligence is built on sources that are already public or made accessible by their owners. That is why it is the first phase in pentesting and red teaming: it produces the map without touching anything, without generating traffic against the target and without crossing into a legal grey zone.

The four highest-return categories to start with are external technical surface (domains, subdomains, certificates, ASN), code exposure (GitHub, GitLab, paste sites), leaked credentials from historical breaches and human footprint (LinkedIn, press, technical forums). Together they tend to deliver eighty percent of the value of the first cycle.

Serious OSINT is documented. Every finding must record source, date of consultation, evidence (screenshot or copy) and original link. Without that traceability the intelligence is useless for internal decisions and for supporting a complaint, a forensic investigation or a conversation with a supplier.

Bias and obsolescence are the two enemies. A parked page today may be in production tomorrow; an identity surfacing in a 2018 forum may have nothing to do with the current person. Always timestamp the data and, on sensitive targets, contrast each source with at least one independent one.

It is a defensive technique, not just an offensive one. An internal continuous OSINT programme uncovers forgotten subdomains, exposed dashboards, leaked repositories and brand mentions in forums before an attacker arrives. That is the bridge between OSINT and attack surface management and threat intelligence.

Automation provides speed; analysis is human work. Technical platforms (passive DNS, certificates, scanners) deliver raw data; the value emerges when an analyst correlates them, discards noise and builds a narrative. Purely automated OSINT produces bloated reports nobody reads and undefendable decisions.
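As an added illustration of the points above (certificate-based surface enumeration, per-finding source and timestamp, obsolescence, and the bridge to attack surface management), the following example is not from Hard2bit's own tooling. It takes a constructed sample shaped like the JSON a Certificate Transparency search service returns (the field names are an assumption), extracts in-scope hostnames, compares them with the asset inventory and records each finding with its source link, consultation time and raw evidence, ranking hosts that still carry an unexpired certificate above ones known only from stale certificates.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a CT search service's JSON (assumed fields:
# id, issuer_name, name_value, not_before, not_after). None of it is real data.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "O=Example CA", "name_value": "www.example.com\nexample.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
    {"id": 2, "issuer_name": "O=Example CA", "name_value": "*.preprod.example.com",
     "not_before": "2021-01-10T00:00:00", "not_after": "2021-04-10T00:00:00"},
    {"id": 3, "issuer_name": "O=Other CA", "name_value": "admin.preprod.example.com",
     "not_before": "2025-01-05T00:00:00", "not_after": "2026-01-05T00:00:00"},
    {"id": 4, "issuer_name": "O=Other CA", "name_value": "example.com.unrelated.test",
     "not_before": "2025-01-05T00:00:00", "not_after": "2026-01-05T00:00:00"},
])
SCOPE = "example.com"
INVENTORY = {"example.com", "www.example.com"}           # what IT believes exists
SOURCE_URL = "https://ct-search.example/?q=example.com"  # placeholder source link
CONSULTED_AT = datetime(2025, 6, 1, tzinfo=timezone.utc) # constructed consultation time

def hosts_from_entry(entry, scope):
    """Yield in-scope hostnames from one entry; SANs are newline-separated, wildcards stripped."""
    for name in entry["name_value"].split("\n"):
        host = name.strip().lower().removeprefix("*.")
        if host == scope or host.endswith("." + scope):
            yield host

def ct_findings(ct_json, scope, inventory, source_url, consulted_at):
    """One timestamped, source-attributed finding per host; raw entries kept as evidence."""
    findings = {}
    for entry in json.loads(ct_json):
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for host in hosts_from_entry(entry, scope):
            f = findings.setdefault(host, {
                "host": host, "in_inventory": host in inventory,
                "has_unexpired_cert": False, "evidence": [],
                "source": source_url, "consulted_at": consulted_at.isoformat()})
            f["has_unexpired_cert"] |= not_after > consulted_at
            f["evidence"].append({"ct_id": entry["id"], "issuer": entry["issuer_name"],
                                  "not_after": entry["not_after"]})
    return findings

def review_queue(findings):
    """Hosts the inventory does not know about, those with a current certificate first."""
    unknown = [f for f in findings.values() if not f["in_inventory"]]
    return sorted(unknown, key=lambda f: (not f["has_unexpired_cert"], f["host"]))

if __name__ == "__main__":
    for f in review_queue(ct_findings(SAMPLE_CT_JSON, SCOPE, INVENTORY, SOURCE_URL, CONSULTED_AT)):
        print(f["host"], "current cert" if f["has_unexpired_cert"] else "expired only", f["source"])
```

The out-of-scope name in entry 4 is dropped, and the wildcard entry surfaces preprod.example.com as a host to corroborate with an independent source before anyone acts on it.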

Example: OSINT as the first phase of a red team against a public-brand company

A company with a public brand and significant internet exposure commissions a red team engagement scoped to test the full access chain from the outside to a critical asset. The first week is spent entirely on OSINT. The team enumerates every domain and subdomain visible from passive sources, cross-references them with certificates issued in the last five years (Certificate Transparency) and discovers three forgotten preproduction environments with open admin panels. GitHub reveals two personal repositories from former employees containing service tokens that still work.

In parallel the human footprint of the executive committee is mapped, public professional interests are identified and a travel pattern emerges that hints at availability windows. A search in public leak collections returns reused passwords for two internal accounts in external services. With that material, and without having touched a single company system yet, the red team prepares a credible targeted phishing lure, an access hypothesis through preproduction and a fallback through the leaked credentials. The final report delivers three viable routes, all built on public data, and the remediation plan focuses on closing exactly what a real attacker would have found first.

Common mistakes

  • Mistaking OSINT for Google search. The technical layer (passive DNS, certificates, repository scanning) needs specific tools and operational knowledge. Without that layer the report is incomplete and describes only the most superficial slice of the footprint.
  • Not recording source and date for every finding. A piece of intelligence without traceability does not survive a second reading and does not support internal decisions. The discipline of citing and timestamping is what separates professional OSINT from a folder of screenshots.
  • Stopping at the first data point without corroboration. An identity in a forum or a password in a leak collection may be irrelevant or expired. On sensitive targets every critical finding needs at least one independent second source.
  • Treating OSINT as a one-off exercise. Exposure changes every week: new subdomains appear, third parties issue certificates and new leaks are published. A serious programme runs OSINT on a cadence and integrates it into attack surface management instead of producing an annual snapshot.
  • Crossing the legal line without realising. Accessing a forgotten panel with default credentials, downloading a misconfigured private repository or querying paid leak databases (depending on jurisdiction) can be unlawful. Serious OSINT defines its scope with legal review.

Frequently asked questions

Is OSINT against a company or a person legal?

Generally yes, because it works on public sources. But the limit is in how you access the data and what you do with it. Reaching a forgotten panel with default credentials stops being OSINT and becomes intrusion; downloading a misconfigured private repository may be unlawful in some jurisdictions. A serious programme defines its scope with legal advice.

How is OSINT different from threat intelligence?

OSINT is a collection technique; threat intelligence is the discipline that turns that data (and other data) into actionable intelligence on actors, campaigns and threats. OSINT feeds CTI, but they are not the same: CTI also includes analysis, hypothesis, prioritisation and delivery to internal clients such as SOC, CISO or incident response.

Which sources pay off the most when starting out?

Four categories. External technical surface (domains, subdomains, certificates, ASN). Code exposure (GitHub, GitLab, paste sites). Leaked credentials from historical breaches. And human footprint on professional networks and press. Covering those four typically delivers the bulk of the value in the first cycle.

Is OSINT only useful for offence?

It is also very useful for defence. An internal continuous OSINT programme uncovers forgotten subdomains, exposed dashboards, leaked repositories and brand mentions before an attacker uses them. It is the foundation of attack surface management and a natural feeder for defensive CTI.

Do you need paid tools?

Not to start. There is a broad ecosystem of open tools that covers most cases. Paid platforms add speed, scale and historical data that accelerate large engagements, but a well-run first cycle on free tools already delivers actionable results.