Breachroad

OSINT: what attackers know about you before they strike

Before an attack lands, a criminal does reconnaissance. We show what OSINT reveals about your company and how to shrink your digital footprint.

Karol Rapacz
3 July 2026 · 12 min read

Every serious attack starts not with an exploit but with reconnaissance. Before an attacker sends phishing, tries passwords or calls “from IT”, they spend hours gathering information about the target — and they do it almost entirely from publicly available sources, without breaking any protection. This phase is called OSINT (Open Source Intelligence), and its effectiveness can be surprising: from openly available data you can reconstruct a company’s infrastructure, a list of employees with roles and emails, even their passwords from old breaches. This article shows what an attacker really knows about you — and how to shrink your digital footprint before someone uses it.

What OSINT is

OSINT is collecting and analysing information from open, legally accessible sources: websites, DNS records, certificate logs, social media, search engines, data leaks and documents. Nobody “breaks in” at this stage — the attacker merely puts together what is public anyway. It’s exactly the same work we do as pentesters at the start of every penetration test, only with good intentions. The difference between a defender and an attacker lies not in the tools but in the purpose.

What an attacker finds about your company

1. Your attack surface and infrastructure

This is reconnaissance’s first goal: what systems the company exposes to the internet. From public sources the attacker reconstructs:

  • domains and subdomains — Certificate Transparency logs (crt.sh) reveal even the “forgotten” ones: old-vpn.yourcompany.com, test.yourcompany.com, panel.yourcompany.com,
  • exposed services — login panels, VPNs, mail servers, APIs,
  • the technology stack — which server, CMS, libraries (and from there it’s a short step to known vulnerabilities),
  • email configuration — whether the domain can be spoofed (SPF/DMARC).
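The fourth item, whether the domain can be spoofed, is something you can check on your own domain from two DNS TXT records. The following is an added example (not part of the original article or the Breachroad scanner): it evaluates SPF and DMARC record strings the way a receiving mail server would, with the records constructed inline so it runs offline; in practice you would fetch TXT for the domain and for _dmarc.<domain> first.

```python
import re

# Constructed TXT records standing in for DNS answers; None means "no record published".
SAMPLE_SPF = "v=spf1 include:_spf.example.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

def spf_findings(spf):
    """Return weaknesses in an SPF TXT record (None = no record published)."""
    if spf is None:
        return ["no SPF record: any host may send mail as this domain"]
    if not spf.lower().startswith("v=spf1"):
        return ["TXT record is not a valid SPF record"]
    findings, terms = [], spf.split()[1:]
    # The 'all' mechanism decides the fate of every sender not listed before it.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        weak = {"+": "'+all' authorises the entire internet to send as this domain",
                "?": "'?all' is neutral: unlisted senders are not rejected",
                "~": "'~all' softfail: receivers rarely reject on it alone"}
        if q in weak:
            findings.append(weak[q])
    # Receivers stop evaluating (permerror) after 10 DNS-querying terms.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)\b", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

def dmarc_findings(dmarc):
    """Return weaknesses in a DMARC TXT record (None = no record published)."""
    if dmarc is None:
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy tag: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings

def is_spoofable(dmarc):
    """Header From: can be forged whenever DMARC does not enforce, whatever SPF says."""
    fatal = ("no DMARC", "record does not", "p=none", "invalid or missing")
    return any(f.startswith(fatal) for f in dmarc_findings(dmarc))
```

Run `spf_findings(SAMPLE_SPF)`, `dmarc_findings(SAMPLE_DMARC)` and `is_spoofable(SAMPLE_DMARC)` on the constructed records to see the typical "SPF present but DMARC p=none" state that still leaves a domain spoofable.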

You’ll see much of this picture yourself by running our security scanner on your domain — it shows subdomains from CT logs, service exposure and technologies. It’s your free “attacker’s view”.

2. People

Companies are people, and people leave traces. From LinkedIn, “about us” pages and social media, an attacker builds a map of the organisation: who’s the CEO, who’s in accounting, who’s in IT, what the email patterns are ([email protected]). That’s fuel for targeted phishing, CEO fraud (BEC) and vishing — the more they know about structure and relationships, the more convincingly they impersonate.

3. Stolen credentials

This is often the most dangerous category. The attacker checks whether company email addresses appeared in data leaks and infostealer logs. If an employee used their work email on a private, hacked service and reused the password — the attacker has a ready entry, without breaking anything. That’s why it’s worth checking whether your company’s data leaked.

4. Documents and metadata

Publicly available files (PDFs, presentations, spreadsheets) can be a mine of knowledge: author names, software versions, network paths and usernames embedded in metadata, and sometimes sensitive content that shouldn’t have reached the web. Add accidentally exposed files (.env, backups, .git directories) — the scanner flags them as exposure, and the attacker treats them as a gift.

5. Physical and social context

Photos from the office (badges, screens, room layout), industry events, job ads revealing the technologies in use, and even employees’ habits on social media — all of it feeds social engineering scenarios, from impersonating a supplier to tailgating into a building.

Why it matters

OSINT isn’t an attack in itself — it’s the foundation on which effective attacks are built. Targeted phishing works because the attacker knows your name, role and context. Password spraying works because they know the email pattern and passwords from leaks. BEC works because they know who reports to whom and what your invoices look like. The richer the picture they gather during reconnaissance, the less “noisy” and more effective the actual attack. By shrinking your digital footprint, you take away the attacker’s ammunition.

How to shrink your digital footprint

Map your own attack surface. You can’t protect what you don’t know about. Inventory your domains and subdomains (CT logs), exposed services and accounts — start with a scan of your domain. Close or hide behind a VPN whatever doesn’t need to be public (old panels, test environments).

Hide what’s unnecessary. Disable version disclosure in server headers, remove forgotten subdomains, block public access to sensitive files (.git, .env, backups).

Monitor leaks of company addresses. Enable domain monitoring in services like Have I Been Pwned and react when company emails appear in leaks — force a reset and phishing-resistant MFA.

Mind metadata hygiene. Strip metadata from published documents (authors, paths, versions). It’s a simple step that closes a quiet information leak.

Train people and limit oversharing. Make the team aware that public information (roles, projects, office photos) can be used in attacks. It’s not about paranoia but about deliberate sharing.

Set up security.txt. A public vulnerability-reporting channel (/.well-known/security.txt) means a good-faith researcher will report a problem to you before someone else exploits it.
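A security.txt file only helps if it stays valid, so it is worth checking it the way a researcher's tooling would. The following is an added example (not from the original article): a small validator for the core RFC 9116 rules (required Contact, exactly one unexpired Expires with a time zone, HTTPS or mailto contacts), run here against a constructed sample file whose addresses and URLs are placeholders; in practice you would fetch your own https://<domain>/.well-known/security.txt and pass its body in.

```python
from datetime import datetime, timezone

# Constructed sample file; addresses and URLs are placeholders.
SAMPLE = """\
# Vulnerability disclosure policy
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""

def parse_security_txt(body):
    """Return {field: [values]}; field names are case-insensitive (RFC 9116)."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no fields
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_timestamp(text):
    # RFC 9116 requires an ISO 8601 value that carries a time zone.
    when = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if when.tzinfo is None:
        raise ValueError("missing time zone")
    return when

def validate_security_txt(body, now=None):
    """Return a list of problems (empty = acceptable); `now` may be an aware datetime or ISO string."""
    now = parse_timestamp(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(body), []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires is required and may appear only once")
    else:
        try:
            if parse_timestamp(expires[0]) <= now:
                problems.append(f"file expired on {expires[0]}: researchers will distrust it")
        except ValueError as e:
            problems.append(f"bad Expires value {expires[0]!r}: {e}")
    return problems
```

Put `validate_security_txt` behind a scheduled job so an approaching Expires date is noticed before the file silently stops being trusted.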

What OSINT looks like in a penetration test

When we run a penetration test, we always start with reconnaissance — exactly as an attacker would. We reconstruct the attack surface, map subdomains, check for credential leaks and build a picture of the organisation. The result is not just a list of technical flaws but also an answer to the question “how much of us is visible from outside, and what follows from it”. For many clients this part is the most eye-opening — because it shows the company as its adversary sees it.

Frequently asked questions (FAQ)

Is OSINT legal? Simply gathering information from publicly available, legal sources is lawful — it underpins competitive analysis, investigative journalism and pentesters’ work. It only becomes illegal when the information is used to commit a crime (a break-in, fraud). Attackers abuse a tool that is itself neutral.

How does an attacker have my employees’ passwords if they didn’t hack us? Usually from other services’ leaks. If an employee used their work address on a private, later-hacked portal and reused the password, the “email + password” pair circulates in public sets. The attacker finds it and tries it in your systems — without breaking anything. That’s why checking leaks and unique passwords matter so much.

Can you disappear from OSINT entirely? No — a company has to be visible to operate (a website, offers, people on LinkedIn). The goal isn’t to disappear but to control the footprint: remove unnecessary exposure, hide versions, close forgotten systems and know what’s public. It’s about minimising ammunition, not invisibility.

How do I check what’s visible about my company myself? Start with a domain scan — you’ll see subdomains, exposed technologies and email configuration. Then: monitor leaks of company addresses, review LinkedIn for oversharing, and check whether you have any publicly accessible sensitive files. The full picture comes from professional reconnaissance as part of a test.

We run a company — is it worth commissioning OSINT reconnaissance? Yes, especially before an important launch or as part of an audit. Reconnaissance shows your company through an attacker’s eyes: what’s exposed, who’s visible, what data leaked. It’s cheap and very practical knowledge — it lets you close gaps before someone unauthorised finds them. Let’s talk.

Summary

OSINT is the invisible first step of almost every attack: from public sources an attacker reconstructs your infrastructure, people, leaked passwords and documents — without breaking any protection. The good news is that you can take the same perspective as a defender: map your own attack surface, hide what’s unnecessary, monitor leaks and keep your data hygiene. Start with a scan of your domain, and if you want to see the full picture of what’s visible about you — let’s commission professional reconnaissance. In security, the winner is the one who knows themselves as well as their adversary does.


Sources and further reading: OSINT Framework, CISA.

