Adversarial Risk Group

What is OSINT (open-source intelligence)?

Open-source intelligence (OSINT) is the collection and analysis of publicly available information to produce actionable knowledge about a target.

Key takeaways

  • OSINT is the foundation of every modern targeted attack. Reconnaissance is where the work actually happens; exploitation is a secondary step.
  • Public sources produce more usable information about a mid-market manufacturer than the organization usually realizes: org charts, vendor lists, technology stacks, executive travel, communication style.
  • Modern OSINT is largely automatable; the pipeline matures faster than most defenders' awareness of it.
  • OSINT exposure is not just about what is published; it is about what can be derived by combining sources.
  • For defenders, the right response is not paranoia about all public information; it is targeted reduction of the specific signals that attackers actually use.

What sources of information does OSINT actually use?

OSINT draws from categories of public information that most organizations underestimate in aggregate. The categories that matter for a mid-market manufacturer:

1. Organizational public surface. Company website (about page, leadership bios, customer logos, case studies, careers pages), SEC filings and regulatory disclosures, press releases, trade publications, conference appearances, podcast guest appearances, marketing video content, partner announcements, M&A activity.

2. Personnel surface. LinkedIn profiles (job history, current role, skills, endorsements, posts, connections), personal social media (Twitter/X, Facebook, Instagram, TikTok), personal blogs, podcast appearances, public speaking history, conference programs and panel listings, GitHub commits, professional society membership.

3. Infrastructure surface. DNS records, certificate transparency logs, BGP and routing data, public-facing services discovered by passive scanning, code in public repositories, leaked credentials in breach corpora, SaaS tenant identifiers, job postings that disclose tooling and infrastructure.

4. Public records. Court records, property records, business registrations, professional licenses, election filings, regulatory inspections (OSHA, EPA), and similar government-source data.

5. Operational and physical surface. Satellite imagery, street view photos, building permits, planning documents, traffic patterns, trade-show appearances, vendor case-study disclosures, the company's own social media showing the inside of the facility.

6. Aggregated and historical. Internet Archive captures of prior website versions, leaked databases of older breaches, archived social media, data broker aggregations, historical SEC filings, archived job postings, archived press releases.

Each category contains low-value individual data points. The value is in combination: connecting an executive's LinkedIn role tenure to their conference talk last quarter to their company's recent press release about a new vendor relationship to their personal Twitter post about traveling to a specific event next week. The combined profile is what produces a successful targeted attack. See What is digital footprint analysis?.

The OSINT lifecycle: collection, processing, analysis, dissemination

OSINT follows a recognizable lifecycle. Each stage has its own automation curve.

1. Direction. What questions does the engagement need to answer. "Who handles wire approvals at this organization", "what is the password reset workflow", "where do the engineering team eat lunch", "who has access to the CAD repository". Direction comes from the engagement objectives; without it, OSINT is just data hoarding.

2. Collection. Automated sourcing across the categories listed above. Crawlers, API integrations, scrapers, and (where appropriate) commercial data providers feed a structured store. The collection layer is mostly mechanical.

3. Processing. Deduplication, entity resolution (the same person across LinkedIn, Twitter, GitHub, and email), normalization, enrichment. This stage produces a structured profile per entity (organization, executive, employee, vendor) ready for analysis.

4. Analysis. Human or human-plus-AI work that turns the structured profile into hypotheses. A profile of an AP clerk plus a profile of a recurring vendor plus the timing of the next payment cycle produces a hypothesis about which pretext, on which day, would land. The analysis stage is where intent and judgment matter most.

5. Dissemination. The output flows into wherever it is used: into the adaptive simulation pipeline for the next round of pretexts, into the adversarial simulation program's monthly packet, into the risk register if a specific exposure warrants escalation.

The lifecycle is continuous in mature programs. Each round of dissemination informs the next round of direction, and the loop never stops.

Why attackers spend more time on OSINT than on exploitation

Three economic reasons drive the OSINT-heavy structure of modern targeted attacks:

  1. OSINT is cheap. Most of the information is public. Most of the collection is automatable. Most of the data is repeatable. An attacker can profile dozens of organizations in parallel with marginal cost approaching zero.
  2. Exploitation is expensive. Custom malware development, infrastructure procurement, operational security, and burn risk all add to the cost of a single attack. The cost of getting caught (burned infrastructure, attributable artifacts, operational learning leaked to defenders) creates a strong incentive to maximize the probability of success per attempt.
  3. OSINT determines the probability of success. A spear phish written from generic context lands at one rate. The same spear phish written from a current OSINT profile of the target lands at a substantially higher rate. The investment in OSINT pays back in success-per-attempt.

The asymmetry favors the attacker. Reconnaissance is cheap; defense against reconnaissance is expensive. The defender can reduce some categories of public information but cannot eliminate the public surface entirely.

Examples of OSINT-driven attacks against named executives

What ARG sees in mid-market manufacturer engagements:

  • Conference-aligned wire-fraud pretext. The CEO is a panelist at a public industry conference. The conference program names the panel, the time, and the hotel. A pretext to the CFO references the conference by name and asks for a wire approval "before the panel starts". The pretext lands inside two hours; the visible context overrides the verification habit.
  • Podcast-derived voice cloning. The CEO has appeared on three industry podcasts in the last twelve months, with combined audio over three hours. A voice clone is built from the public audio. A vishing call to AP, in the cloned voice, succeeds. See What is voice cloning fraud?.
  • Vendor case-study pretext. A vendor's case study names the customer, the equipment, and the implementation timeline. A pretexted "vendor field-service technician" visits the customer's facility during the visible maintenance window; the gate waves them through.
  • Acquisition-window M&A pretext. Press release announces an acquisition target. During the deal window, an "attorney" pretext routes a wire from the CFO to a fabricated escrow account.
  • Job-posting-derived infrastructure intel. Open job postings name "experience with Defender for Endpoint, Sentinel, and Microsoft 365 E5". The attacker now knows the endpoint and identity stack and can plan techniques accordingly.
  • LinkedIn tenure pretext for vishing. A new finance hire's LinkedIn shows three weeks of tenure. A "help desk" vishing call exploits the new-hire pattern: the new hire is more likely to comply with a verification request from "IT" because they have not learned the verification habit yet.

Each example follows the same structure: public information assembled into a pretext that fits the target's current operational context.

How to assess your organization's OSINT exposure

An OSINT exposure assessment maps what an attacker would find about the organization and its key people, then identifies which findings represent material risk.

The assessment covers:

  1. Organizational surface. What does the company's website disclose. Customer logos, partner relationships, executive bios, named vendors, named technologies. What does the company's social media show. What information is in current SEC filings, press releases, and trade publications.
  2. Executive and key-personnel surface. For each in-scope individual: LinkedIn detail, public speaking history, podcast appearances, social media, personal blog, conference programs. The volume of public audio (relevant for voice cloning) is logged separately.
  3. Infrastructure surface. DNS records, certificate transparency logs, technologies disclosed by job postings, public-facing services, leaked credentials in breach corpora. See What is attack surface management (ASM)?.
  4. Operational surface. What does the facility look like from outside. Satellite imagery, street view, social media posts showing the inside, vendor-disclosed equipment lists, public planning and building permit records.
  5. Derived exposure. Combinations that produce risk. An executive's travel pattern derivable from social media plus their financial-authority role plus the recent press release about an acquisition produces a specific pretext opportunity.

The output is not "stop publishing public information". It is a small list of specific reductions that materially lower attack success rates against the highest-risk roles.

Best practices for reducing OSINT attack surface

  1. Reduce executive audio exposure where practical. Voice cloning works on minutes of clear audio. Executives who appear on every industry podcast, run frequent webinars, and present at every conference produce material exposure. The remediation is selective, not absolute: cut the volume by a factor, not to zero.
  2. Clean up leaked credentials. Periodically check breach corpora (HaveIBeenPwned, similar) for organizational and executive credentials. Rotate where current; document where not. The cleanup is ongoing because new breaches surface continuously.
  3. Job posting hygiene. Job postings that name specific tooling versions, EDR products, identity providers, and cloud configurations help attackers more than they help recruiting. Generic descriptions work for hiring; specific tool naming is unnecessary disclosure.
  4. Vendor case-study controls. Be selective about which customers and which equipment a vendor names in their public marketing. The case study is the attacker's reconnaissance.
  5. Executive social media briefings. Executives can post on professional topics without disclosing travel, family schedules, or operational windows. The briefing covers what to post and what not to post; the goal is awareness, not paranoia.
  6. Public records monitoring. Regulatory inspections, court records, and similar records surface routinely; an attacker watches them. The defender should too.
  7. Continuous OSINT against your own organization. The same automation an attacker uses can run for the defender. The output is a continuous view of the public surface as it changes, with alerts on material exposures. ARG runs this as part of the engagement model.
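The derived-exposure step of the assessment and the "what changed" view of continuous self-OSINT can be expressed as a small rule engine over per-entity profiles. The following is an added example, not ARG's pipeline; the alert threshold, the tooling list, and the two snapshots are constructed assumptions.

```python
from dataclasses import dataclass
# Assumed policy values (not from the page): public-audio minutes that trigger an alert, and tooling names a posting should not disclose.
AUDIO_ALERT_MINUTES = 10
DISCLOSED_TOOLING = ("defender for endpoint", "sentinel", "microsoft 365 e5")

@dataclass
class Profile:
    name: str
    financial_authority: bool = False     # can approve wires
    public_audio_minutes: int = 0         # podcasts, webinars, conference video
    upcoming_travel_public: bool = False  # travel derivable from public posts

@dataclass
class OrgSnapshot:
    month: str
    people: list
    job_postings: list  # posting text
    recent_press: list  # headlines

def derive_exposures(snap):
    """Combine per-entity signals into exposure tags; each data point alone is low value."""
    tags = set()
    acquisition_live = any("acqui" in h.lower() for h in snap.recent_press)
    for p in snap.people:
        if p.public_audio_minutes >= AUDIO_ALERT_MINUTES:
            tags.add(f"voice-clone-material:{p.name}")
        if p.financial_authority and p.upcoming_travel_public:
            tags.add(f"travel-window-wire-pretext:{p.name}")
        if p.financial_authority and acquisition_live:
            tags.add(f"acquisition-window-pretext:{p.name}")
    for posting in snap.job_postings:
        for tool in DISCLOSED_TOOLING:
            if tool in posting.lower():
                tags.add(f"job-posting-discloses:{tool}")
    return tags

def monthly_delta(prev, curr):
    """What changed since last month: new, resolved and persisting exposures."""
    a, b = derive_exposures(prev), derive_exposures(curr)
    return {"new": sorted(b - a), "resolved": sorted(a - b), "persisting": sorted(a & b)}

# Constructed sample snapshots; no real people or organizations.
APRIL = OrgSnapshot("2026-04",
    [Profile("cfo", financial_authority=True, public_audio_minutes=4),
     Profile("ceo", public_audio_minutes=95, upcoming_travel_public=True)],
    ["Experience with Defender for Endpoint and Sentinel required"], [])
MAY = OrgSnapshot("2026-05",
    [Profile("cfo", financial_authority=True, public_audio_minutes=4, upcoming_travel_public=True),
     Profile("ceo", public_audio_minutes=180, upcoming_travel_public=True)],
    ["Experience with modern EDR and SIEM tooling"], ["Example Corp to acquire Widget Co"])
```

Running `monthly_delta(APRIL, MAY)` shows the job-posting disclosure resolved by the generic rewrite, the CEO's audio exposure persisting, and two new CFO pretext windows opened by the travel post and the acquisition announcement.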

OSINT FAQs

Is OSINT legal?

Yes, when limited to information that is genuinely public and obtained through legitimate access. Public records, websites, social media posts, SEC filings, court records, and similar sources are legal to collect and analyze. Crossing into private accounts, unauthorized access, or scraping in violation of terms of service can move OSINT activity into territory that is legally contested or clearly illegal.

What is the difference between OSINT and threat intelligence?

OSINT is the source category: information collected from publicly available channels. Threat intelligence is the output: assessments of specific threats, often built from a combination of OSINT, private telemetry, partner sharing, and analyst reasoning. OSINT is what feeds threat intelligence; threat intelligence is one application of OSINT among many.

Can OSINT be automated end to end?

Collection and processing are mostly automatable; analysis still requires human judgment for high-stakes outputs. Modern OSINT platforms automate sourcing, deduplication, entity resolution, and basic enrichment. The pivot from raw collection to actionable hypothesis (which person to target with which pretext at which moment) remains a place where human pattern-matching outperforms automation.

How long does OSINT take in a typical engagement?

An initial OSINT sweep against an organization and a defined set of named individuals usually runs three to seven days. Continuous OSINT, where the profile is refreshed automatically as new information becomes public, runs indefinitely with low marginal cost once the pipeline is built.

How ARG uses continuous OSINT to feed adaptive simulation

ARG runs continuous OSINT against every engagement as the input layer of adaptive simulation. The OSINT pipeline is built and operated by James Wall on infrastructure ARG owns and controls.

For each client engagement, the pipeline maintains a refreshed profile of the organization and a named set of in-scope individuals (executives, finance, IT, plant managers, vendors with elevated access). Collection runs continuously across the categories described above; processing produces structured per-entity profiles updated as new information becomes public.

The output feeds the simulation directly. The next round of spear phishing, vishing, smishing, and (during on-site engagements) in-person pretexting is calibrated to current OSINT context: visible travel, recent press, conference appearances, vendor announcements, personnel changes. A pretext that fit two weeks ago is replaced by a pretext that fits this week. Templates are not used; the system generates per-target lures against current public context.

The pipeline also produces a defender-facing output: a monthly OSINT exposure report for the client. The report tells the organization what an attacker would see this month, what changed, and what specific reductions would lower the next round of attack success. The recommendations are surgical, not blanket.

For founding clients, continuous OSINT is included in the monthly retainer alongside the rest of the adversarial simulation program. Pricing is locked for two to three years.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: James Wall. Updated 2026-05-18. Adversarial Risk Group.