Open-Source Intelligence (OSINT) is a crucial methodology used in cybersecurity assessments to gather publicly available information about an organisation's security posture. When conducting a due diligence report or assessing a supplier, OSINT provides valuable insights into potential security weaknesses, past breaches, regulatory compliance, and overall cyber hygiene.
This knowledge base article outlines the OSINT resources used for an assessment, including key indicators analysed on the target company’s website and Google search techniques used to uncover additional information.
Key OSINT Resources for Assessments
OSINT sources can be broadly categorised into the following:
Company Websites and Public Documentation – Reviewing publicly available security policies, compliance claims, and technology disclosures.
Search Engine Queries (Google Dorking) – Using advanced search operators to discover hidden or obscure company-related information.
Publicly Reported Data Breaches and Vulnerabilities – Investigating whether the company has been involved in known security incidents.
Security Community and Threat Intelligence Feeds – Checking cybersecurity forums, social media, and industry reports for discussions or disclosures.
Regulatory Filings and Certification Registers – Validating compliance with cybersecurity standards such as ISO 27001 or SOC 2.
Information Gathered from the Target Company’s Website
The company’s official website is often a rich source of information that provides insights into its cybersecurity posture. The following elements are examined:
1. Cybersecurity Policies and Compliance Statements
Look for a dedicated cybersecurity or data protection page outlining security practices.
Search for publicly stated adherence to frameworks like ISO 27001, NIST, SOC 2, GDPR, or CCPA.
Identify mentions of incident response plans, security training programs, and encryption practices.
2. Privacy Policy and Data Protection Statements
Evaluate the privacy policy to check compliance with GDPR, CCPA, or other relevant regulations.
Look for statements regarding data retention periods, third-party data sharing, and breach notification policies.
3. Technology Stack and Security Controls
Identify mentions of security solutions such as firewalls, intrusion detection systems (IDS), antivirus software, and encryption mechanisms.
Assess whether the company discloses use of cloud services like AWS, Azure, or Google Cloud, which may indicate certain security dependencies.
4. Contact Information and Domain Details
Check for email formats (e.g., security@company.com, abuse@company.com) to infer internal email structures.
Inspect domain registration details using Whois lookups to gather information about hosting providers and registration history.
5. Job Postings and Employee Information
Job listings on the company website or external job boards (e.g., LinkedIn, Indeed) may reveal internal tools, programming languages, and security strategies.
Employee profiles may provide insights into key cybersecurity personnel, software in use, and potential insider threat risks.
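The Whois lookup in item 4 can be turned into a repeatable check. The Python below is an added example, not part of the original article: it parses a constructed Whois response for the reserved domain example.com and reduces it to the registration facts an assessor would record. The sample record, the summary field names and the ISO 8601 date format are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS response for the reserved domain example.com; every
# value is made up for illustration and does not come from the article.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2012-03-14T09:00:00Z
Registry Expiry Date: 2026-03-14T09:00:00Z
Name Server: NS1.DNS-PROVIDER.EXAMPLE
Name Server: NS2.DNS-PROVIDER.EXAMPLE
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
DNSSEC: unsigned
>>> Last update of whois database: 2025-01-01T00:00:00Z <<<
"""

FIELD = re.compile(r"^\s*([^:>]+?):\s*(.+?)\s*$")  # "Key: value"; skips the ">>>" footer


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists, since keys repeat."""
    record = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            record.setdefault(match.group(1).lower(), []).append(match.group(2))
    return record


def summarise(record, today=None):
    """Reduce a parsed record to the registration facts an assessor notes."""
    today = today or datetime.now(timezone.utc)

    def first(key):
        return record.get(key, [None])[0]

    def date(key):  # assumes ISO 8601 UTC timestamps, as in the sample
        raw = first(key)
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if raw else None

    created, expires = date("creation date"), date("registry expiry date")
    return {
        "registrar": first("registrar"),
        "age_years": (today - created).days // 365 if created else None,
        "days_to_expiry": (expires - today).days if expires else None,
        # Naive heuristic: the last two labels of each name server name the DNS host.
        "dns_hosts": sorted({".".join(ns.lower().split(".")[-2:]) for ns in record.get("name server", [])}),
        "dnssec_signed": (first("dnssec") or "").lower().startswith("signed"),
        "transfer_locked": any("transferprohibited" in s.lower() for s in record.get("domain status", [])),
    }
```

Call `summarise(parse_whois(SAMPLE_WHOIS))` to see the summary; real registries vary in field names and date formats, so the keys looked up here may need adjusting per TLD.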
Google Dorking: Search Engine Queries for OSINT
Google Dorking (also known as Google hacking) uses advanced search operators to find hidden or publicly accessible documents, misconfigured pages, and other valuable cybersecurity insights.
Common Google Search Techniques for OSINT
| Query | Purpose |
|---|---|
| | Finds publicly available PDFs on the target website, potentially including security policies or internal documentation. |
| | Uncovers unprotected directories that may contain sensitive files. |
| | Identifies administrative login portals. |
| | Searches for accidentally exposed confidential documents. |
| | Looks for exposed passwords within the website content. |
| | Checks Pastebin for any leaked credentials or internal company data. |
| | Finds news articles or forum discussions about past breaches involving the company. |
| | Searches GitHub for any publicly available code repositories belonging to the company that may contain secrets. |
| | Gathers a list of employees to infer the company’s security team and internal structure. |
Note: Ethical and legal considerations must always be observed when performing OSINT research.
Investigating Data Breaches and Security Incidents
Understanding whether a company has been involved in past data breaches or cyber incidents is essential for assessing risk. The following public databases and sources are commonly used:
1. Have I Been Pwned (https://haveibeenpwned.com/)
Checks if employee credentials associated with the company’s domain have been exposed in known data breaches.
2. BreachForums and Dark Web Monitoring
Research forums where cybercriminals may discuss leaked company data or vulnerabilities.
3. CVE (Common Vulnerabilities and Exposures) Database (https://cve.mitre.org/)
Looks up publicly disclosed vulnerabilities affecting the company’s products or infrastructure.
4. Exploit Database (https://www.exploit-db.com/)
Checks whether publicly available exploits exist for the company’s products or infrastructure, which may indicate security weaknesses.
5. Cybersecurity News Aggregators
Search platforms like BleepingComputer, The Hacker News, and SecurityWeek for any mention of security incidents related to the target company.
Assessing Reputation in the Cybersecurity Community
A company’s security reputation can be assessed by reviewing discussions on cybersecurity forums, social media, and third-party security ratings.
1. Twitter, Reddit, and Hacker Forums
Search for discussions about the company’s security practices.
Identify any whistleblower claims or customer complaints about security weaknesses.
2. Trustpilot and Business Review Websites
Reviews may highlight security-related complaints from customers or employees.
3. SecurityScorecard and BitSight
Provide third-party security ratings for companies based on their external security posture.
Validation Through Third-Party Certifications and Compliance Registers
To confirm a company’s security posture, analysts check regulatory and certification registries, such as:
1. ISO 27001 Certified Companies
Search for official ISO 27001 certification records.
2. SOC 2 Audit Reports
Some companies publicly disclose their SOC 2 Type I or Type II audit results.
3. GDPR Data Protection Officer Registers
Some regulators maintain a list of organisations with designated Data Protection Officers (DPOs).
4. Government and Regulatory Filings
Companies in regulated industries (finance, healthcare, etc.) may have cybersecurity compliance filings available through regulatory websites.
Conclusion
OSINT is a powerful tool for cybersecurity assessments, providing valuable insights into an organisation’s security posture without requiring internal access. By leveraging publicly available data, search engine techniques, and breach databases, analysts can build a comprehensive risk profile of a target company.
For best results, OSINT findings should be cross-referenced with multiple sources to ensure accuracy and reliability. Analysts must also adhere to ethical and legal constraints to avoid unauthorised access to protected information.