What is corporate reconnaissance?
Corporate reconnaissance is the targeted collection of public and observable information about an organization to support a specific attack objective.
Key takeaways
- Corporate reconnaissance is OSINT plus passive observation plus targeted partner and vendor intelligence, all directed at a specific attack objective.
- For mid-market manufacturers, the highest-signal sources are LinkedIn (people and relationships), the company website (vendors and customers), SEC and regulatory filings (material events), and the company's own social media (operational rhythm).
- An attacker constructs a model of the organization that defenders rarely see: an external view assembled from a dozen low-value data points into one high-value picture.
- Defenders can run the same reconnaissance against themselves to see what an attacker sees.
- Reduction targets specific high-signal disclosures; broad social-media bans are theater.
What does corporate reconnaissance look like from the attacker's side?
An attacker running corporate reconnaissance against a mid-market manufacturer builds a model in three layers.
Layer 1: The organization. Industry, size, products, customers, locations, leadership team, recent material events. The output is a context for everything that follows.
Layer 2: The people. Org chart inferred from LinkedIn, the reporting relationships, the role-to-person mapping, the tenure and career patterns, the visible projects and tools. The output is a target list, with each person tagged for likely attack utility (wire authority, system access, social engineering value, physical access).
Layer 3: The rhythm. When the organization does what. Payment cycles, vendor visits, conference attendance, executive travel, hiring waves, audit windows, M&A activity. The output is timing.
The three layers combine into specific attack hypotheses. For example: a finance lead at this organization, who started six weeks ago, manages payments for vendor X (named in a recent case study), during a fiscal close window in eleven days. The attacker's question is "what pretext, on what day, would land?" The reconnaissance answers it.
A well-run reconnaissance produces a target plan with confidence scoring. Each hypothesis has an expected success probability and a backup hypothesis ready if the first fails. The plan is the operational output of reconnaissance, and it is the view of the organization that defenders rarely get to see.
The four data buckets attackers harvest (people, infrastructure, vendors, schedule)
Corporate reconnaissance organizes around four data buckets. Each one is filled from multiple sources; each one drives a different set of attack hypotheses.
1. People. Names, roles, tenure, contact details, communication style, public history. Primary sources: LinkedIn, company website, SEC filings, press releases, conference programs, podcast appearances. Secondary sources: GitHub, professional society listings, court records, property records. Output: target list with attack-utility scoring.
2. Infrastructure. Domains, subdomains, public-facing services, technologies in use, code in public repositories, SaaS tenants, identity provider. Primary sources: DNS records, certificate transparency logs, passive scanning of public services, job postings disclosing tooling. Secondary sources: vendor case studies, conference presentations by IT staff, public bug reports. Output: technical surface map. See "What is attack surface management (ASM)?"
3. Vendors and partners. Who the organization buys from, sells to, depends on, integrates with. Primary sources: company website (customer and partner logos), vendor case studies, press releases, trade publication coverage, SEC filings. Secondary sources: trade-show appearances, podcast partner mentions, LinkedIn skill listings. Output: a list of supply-chain entry points and impersonation candidates. See "What is a supply chain attack?"
4. Schedule. When operational pressure exists, when key people travel, when payment cycles close, when audits and inspections happen. Primary sources: SEC filings (fiscal calendar), conference programs, executive social media, company social media, regulatory inspection records. Secondary sources: industry trade calendars, press release timing patterns, vendor visit cycles disclosed in case studies. Output: timing for each attack hypothesis.
A reconnaissance package without all four buckets is incomplete. The cross-bucket combination is what produces the high-confidence hypotheses.
Why public-records and SEC filings matter more than executives realize
Two source categories are routinely underestimated by mid-market manufacturer executives.
SEC filings. For public companies and many private ones with disclosure obligations, filings disclose: material events, executive compensation, equity awards, recent transactions, acquisitions and divestitures, related-party transactions, audit committee composition, material contracts, fiscal calendar, and (in proxy filings) the names and personal background of board members. The information is comprehensive and timestamped. Attackers monitor filings as a primary feed.
Public records. Court records, property records, business registrations, professional licenses, OSHA inspections, EPA filings, building permits, planning documents, election filings. The aggregate of these records produces a picture of an executive's residence, household composition, professional connections, and (sometimes) litigation history that an attacker uses for pretext construction.
Combined with social media and LinkedIn, these records build a profile that goes beyond the professional surface. An attacker who knows where an executive lives, when they bought the house, who their neighbors are, what permits they have filed, and which charity boards they sit on can construct a pretext that is unsettlingly specific. The defender's response is not to remove the records (most are mandatory public disclosure); it is to be aware of what is derivable and design controls (verification habits, callback protocols, two-person workflows) that survive specific pretext.
Examples of reconnaissance outputs that drove successful attacks
Patterns ARG documents from engagement reconnaissance phases:
- New-hire finance pretext from LinkedIn tenure data. A finance team member with three weeks of tenure on LinkedIn. Help-desk vishing call exploits the new-hire pattern: the new hire is more likely to comply with verification requests because they have not built the callback habit.
- Vendor-impersonation from named case study. Vendor's public case study names the manufacturer, the equipment, and the implementation timeline. A pretexted "field-service technician" arrives during the disclosed maintenance window with credentials matching the named vendor.
- CEO conference travel from public program. Conference program lists the CEO as a Tuesday panelist. Wire-fraud pretext to the CFO on Monday afternoon references the conference, the panel, and the hotel by name.
- Executive home address from property records. Cross-referenced with publicly listed charity events the executive attends, the home address and routine become known. Used for higher-confidence vishing pretexts ("calling about the security alert on your home network").
- M&A pretext from SEC filing pattern. Quarterly 10-Q discloses material acquisition activity. During the disclosed deal window, an "attorney" pretext routes a wire from the CFO citing the deal by industry term.
- Identity provider from job posting. Open position lists "experience with Microsoft Entra ID, conditional access policies, and Defender for Identity". The attacker now knows the identity stack and can target consent phishing and MFA fatigue accordingly.
Each example is reconnaissance translated directly into pretext. The translation is what makes the attack work.
How to measure your own reconnaissance footprint
The defender can run the same reconnaissance against the organization that an attacker would. The output is a measurable, ranked exposure list.
A practical assessment process:
- Define the in-scope individuals. Executives, finance, AP, IT leadership, plant managers, board members. Usually fifteen to forty named people for a mid-market manufacturer.
- Collect across all four buckets. People, infrastructure, vendors, schedule. Use the same tooling an attacker would (automated OSINT platforms, public-records searches, social-media scrapers).
- Score each finding by attack utility. A LinkedIn post about a hobby is low utility. A conference talk that exposes voice for cloning is high utility. A job posting that names the EDR product is high utility. An employee's birthday party photo on Facebook with the office in the background is medium utility.
- Identify the top derived exposures. Combinations that produce specific attack opportunities: a new-hire finance person plus a recurring vendor invoice cycle plus the vendor's case study disclosure of the manufacturer.
- Produce a ranked reduction list. Three to ten specific changes that lower the top-derived exposures: a vendor case-study amendment, an executive social-media adjustment, a job-posting revision, a personal-record minimization for an executive.
The output is not "remove the company website". It is a targeted set of changes that materially lower the success rate of the most likely attack chains.
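A sketch of the scoring, derived-exposure and ranked-reduction steps of this self-assessment, added here as an example and not ARG's tooling. The utility weights, the chain score (sum of utilities times the number of buckets spanned) and every finding in the sample are assumptions constructed for illustration.

```python
from dataclasses import dataclass

UTILITY = {"low": 1, "medium": 2, "high": 3}  # weights are an assumption

@dataclass(frozen=True)
class Finding:
    fid: str
    bucket: str          # people | infrastructure | vendors | schedule
    utility: str         # low | medium | high
    subjects: frozenset  # roles, vendors or systems the finding touches
    reduction: str       # candidate change that removes the signal

def derived_exposures(findings):
    """Chain findings that share a subject; keep chains spanning 2+ buckets."""
    chains = []
    for f in findings:
        linked = [c for c in chains if any(f.subjects & g.subjects for g in c)]
        merged = [f] + [g for c in linked for g in c]
        chains = [c for c in chains if c not in linked] + [merged]
    scored = []
    for chain in chains:
        buckets = {f.bucket for f in chain}
        if len(buckets) >= 2:  # a single-bucket finding is not a derived exposure
            score = sum(UTILITY[f.utility] for f in chain) * len(buckets)
            scored.append((score, sorted(f.fid for f in chain)))
    return sorted(scored, reverse=True)

def reduction_list(findings, limit=10):
    """Rank the findings behind the top chains; highest utility first."""
    by_id = {f.fid: f for f in findings}
    rows = [(-score, -UTILITY[by_id[i].utility], i)
            for score, ids in derived_exposures(findings) for i in ids]
    return [(i, by_id[i].reduction) for _, _, i in sorted(rows)[:limit]]

# Constructed sample findings (hypothetical roles and vendor).
FINDINGS = [
    Finding("F1", "people", "high", frozenset({"ap-analyst"}),
            "callback verification that does not depend on tenure"),
    Finding("F2", "schedule", "medium", frozenset({"ap-analyst", "vendor-x"}),
            "keep payment-cycle dates out of public posts"),
    Finding("F3", "vendors", "high", frozenset({"vendor-x"}),
            "vendor case-study amendment"),
    Finding("F4", "infrastructure", "high", frozenset({"edr"}),
            "job-posting revision"),
    Finding("F5", "people", "low", frozenset({"ceo"}), "none needed"),
]

if __name__ == "__main__":
    for fid, change in reduction_list(FINDINGS):
        print(fid, "->", change)
```

The new-hire, invoice-cycle and case-study findings link into one chain across three buckets, while the job posting and the hobby post stay out of the derived list because each sits in a single bucket.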
Best practices for reducing reconnaissance signal
- Vendor case-study controls. Review the case studies that name your organization with specificity. Equipment models, implementation dates, technology versions, and named personnel are higher-signal than the marketing benefit requires. Negotiate redactions where appropriate.
- Job-posting hygiene. Posting hygiene reduces infrastructure disclosure. Describe capabilities ("modern EDR, SIEM, IAM stack") rather than specific products. The recruiting goal is met without handing the attacker the disclosure.
- Executive social-media briefings. Brief executives on the categories to keep out of posts: travel patterns, family schedules, operational windows, internal language. Executives can post professional content without exposing the schedule layer that drives high-confidence pretexts.
- Public-records minimization for executives. Where state law permits, executives can list home addresses through a registered agent or a holding entity. The cost is administrative; the signal reduction is meaningful.
- LinkedIn coordination. Coordinated guidance on what to list, what to skip. Tool versions and security stack specifics belong in private resumes, not public profiles. Tenure information cannot be hidden, but verification habits should not depend on tenure.
- Voice exposure reduction for high-value voice-cloning targets. Executives with high public-audio volume (frequent podcast guests, frequent webinar presenters) are voice-cloning targets. Reduce volume by a factor; do not eliminate.
- Conference and speaking calendar review. Public speakers are visible to attackers. Coordinate the calendar with the security team so high-impact pretexts (CEO-in-transit wire frauds) are blunted by verification.
- Continuous reconnaissance against your own organization. The defender can run the same automated reconnaissance an attacker would. ARG includes this as a continuous component of every engagement.
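A pre-publication check for the job-posting hygiene item above, added as an example and not part of the original page: it flags named products (with any version number) by line and produces a rewrite that uses capability wording instead. The product-to-capability map and the sample posting are assumptions constructed for illustration.

```python
import re

# Assumed product-to-capability map (extend with your own stack); the
# capability wording follows the page's "EDR, SIEM, IAM" phrasing.
PRODUCT_TO_CAPABILITY = {
    "Microsoft Entra ID": "IAM",
    "Defender for Identity": "identity threat detection",
    "CrowdStrike Falcon": "EDR",
    "Splunk": "SIEM",
}
VERSION = r"(?:\s+v?\d+(?:\.\d+)*)?"  # optional trailing version, e.g. "9.1"

def lint_posting(text):
    """Return (findings, rewritten): product mentions and a neutral rewrite."""
    findings, rewritten = [], text
    # Longest names first so a longer product name wins over a shorter overlap.
    for product in sorted(PRODUCT_TO_CAPABILITY, key=len, reverse=True):
        capability = PRODUCT_TO_CAPABILITY[product]
        pattern = re.compile(r"\b" + re.escape(product) + VERSION + r"\b", re.I)
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in pattern.finditer(line):
                findings.append((lineno, m.group(0), capability))
        rewritten = pattern.sub(capability, rewritten)
    return sorted(findings), rewritten

# Constructed sample posting.
POSTING = """Security Engineer
Experience with Microsoft Entra ID, conditional access policies, and Defender for Identity.
Administer Splunk 9.1 and tune CrowdStrike Falcon detections."""

if __name__ == "__main__":
    found, neutral = lint_posting(POSTING)
    for lineno, mention, capability in found:
        print(f"line {lineno}: '{mention}' -> describe as {capability}")
    print(neutral)
```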
Corporate reconnaissance FAQs
Is corporate reconnaissance the same as OSINT?
Reconnaissance is the broader activity; OSINT is one source category inside it. Corporate reconnaissance also includes passive site observation, partner and vendor intelligence, infrastructure probing through public protocols, and social engineering pre-collection. OSINT is the largest single component but not the whole.
What gets harvested from LinkedIn that matters?
Job titles and reporting structure, tenure (especially new hires), recent role changes, technology and tool experience listed in skills, named vendors and customers in current and past roles, conference and speaking history, recent posts revealing project context, and (most importantly) the relationship graph that shows who works with whom.
Can a small manufacturer reduce its reconnaissance footprint?
Yes, in targeted ways. Job postings can name capabilities rather than specific tools. Vendor case studies can be reviewed before publication. Executive social media can be scoped to professional content without disclosing operational rhythm. The point is not to disappear; it is to remove the highest-signal data points an attacker uses.
What is the difference between active and passive reconnaissance?
Passive reconnaissance gathers information without interacting with the target (public records, search engines, third-party databases). Active reconnaissance touches the target's systems directly (port scans, DNS queries that hit the target's resolvers, calls to vendors or employees). Passive is invisible to the target; active is detectable if the target is looking for it.
How ARG reconstructs an attacker's reconnaissance view per engagement
Reconnaissance against the client is the first deliverable of every ARG engagement. The output is what ARG calls the attacker view: a structured external picture of the organization assembled the way a motivated adversary would assemble it.
The reconnaissance is conducted by James Wall on infrastructure ARG owns. Collection runs across all four buckets (people, infrastructure, vendors, schedule). Sources include OSINT platforms, public-records databases, certificate transparency logs, passive scanning, job-posting scrapes, vendor case-study indexes, and continuous social-media monitoring.
The attacker view feeds two outputs. First, it feeds the adaptive simulation pipeline directly: pretexts for spear phishing, vishing, and (during on-site engagements) physical entries are generated from the current view, not from a template library. Second, the view is delivered to the client as a quarterly defender's perspective: what an attacker sees, what changed since last quarter, what specific reductions would lower the next round of attack success.
The continuous element matters. Reconnaissance is not a one-time engagement output; it is a continuously refreshed model that responds to changes in the organization's public surface (a new vendor announcement, an executive conference appearance, a job posting that discloses new tooling, a regulatory filing that flags an event window). The view is alive; the defender's response is informed by what is actually visible right now.
For founding clients, continuous reconnaissance is included in the monthly retainer alongside continuous penetration testing, adaptive simulation, and the on-site engagement weeks.