What is OSINT?


OSINT is the collection and analysis of publicly available information for intelligence purposes. Learn how attackers use OSINT for reconnaissance and how defenders use it for threat intelligence.

OSINT Sources and Techniques

LinkedIn and Professional Networks

LinkedIn provides attackers with organizational charts, employee names and roles, technology stack details from job postings, and relationship maps that identify who has authority over what decisions. A targeted attacker researching a company will analyze LinkedIn to identify the CFO's name, the IT help desk structure, which employees have privileged access roles, and who has recently changed jobs or posted about projects.

Domain and Certificate Intelligence

WHOIS records, certificate transparency (CT) logs, Shodan, and similar tools reveal an organization's internet-facing infrastructure. CT logs record the certificates that publicly trusted CAs issue, so a search of the logs for a domain exposes subdomains, development environments, and cloud services that the organization may not realize are discoverable; because the logs are append-only, hostnames on long-expired certificates remain visible as well. Shodan indexes internet-connected devices and their service banners, revealing exposed services, software versions, and configuration details.
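As an added example (not code from the original article), the following Python script parses a certificate transparency search result in the JSON shape that crt.sh returns with `output=json`, keeps only names inside the target domain, and triages them by the keywords in their subdomain labels. The field names (`name_value`, `issuer_name`, `not_before`, `not_after`) are crt.sh's; every hostname, issuer, date, and the `example.com` scope are constructed for illustration.

```python
"""Triage hostnames exposed through certificate transparency (CT) logs.

Added example, not code from the original article. It reads the JSON
shape returned by crt.sh (`output=json`); the field names are crt.sh's,
but every hostname, issuer and date below is constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed CT search result for the scope "example.com".
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2024-02-01T00:00:00"},
    # Expired in 2022, but CT logs are append-only, so the names stay visible.
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "staging-api.example.com",
     "name_value": "staging-api.example.com\njenkins.example.com",
     "not_before": "2022-06-01T00:00:00", "not_after": "2022-09-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "vpn.example.com",
     "name_value": "VPN.example.com\nvpn-old.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
    # Out of scope: a lookalike suffix and a different registrable domain.
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "app.example.com.au",
     "name_value": "app.example.com.au",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
])

# Label keywords that usually mark non-production or administrative systems.
NON_PROD = {"dev", "develop", "staging", "stage", "stg", "test", "uat", "qa",
            "sandbox", "preprod"}
INFRA = {"vpn", "jenkins", "gitlab", "git", "jira", "confluence", "admin",
         "remote", "citrix", "owa", "mail", "grafana", "kibana"}


def in_scope(name, domain):
    """True for the apex and its subdomains only; lookalikes are excluded."""
    return name == domain or name.endswith("." + domain)


def hostnames_from_ct(ct_json, domain):
    """Return (hosts, wildcards): hosts maps hostname -> set of issuer names."""
    hosts = defaultdict(set)
    wildcards = set()
    for rec in json.loads(ct_json):
        # name_value carries every SAN of the certificate, newline-separated.
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not in_scope(name, domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)   # a wildcard cert hides the real host list
                continue
            hosts[name].add(rec["issuer_name"])
    return dict(hosts), wildcards


def triage(hostnames, domain):
    """Group in-scope hostnames by the keywords in their subdomain labels."""
    groups = {"non-production": [], "admin-or-infra": []}
    for host in sorted(hostnames):
        labels = host[: -len(domain) - 1] if host != domain else ""
        tokens = set(re.split(r"[.-]", labels)) if labels else set()
        if tokens & NON_PROD:
            groups["non-production"].append(host)
        elif tokens & INFRA:
            groups["admin-or-infra"].append(host)
    return groups


if __name__ == "__main__":
    hosts, wildcards = hostnames_from_ct(SAMPLE_CT_JSON, "example.com")
    print(f"{len(hosts)} in-scope hostnames, wildcards: {sorted(wildcards)}")
    for group, names in triage(hosts, "example.com").items():
        print(f"{group}: {', '.join(names) or '-'}")
```

Two details matter in practice: the scope check is a suffix match on `.example.com`, so `example.com.evil.test` and `example.com.au` are dropped rather than pulled into the inventory, and a wildcard entry is recorded separately because it means the real list of hosts behind it is not in the log at all.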

Code Repositories

GitHub, GitLab, and similar public repositories frequently contain accidentally committed credentials, API keys, and internal infrastructure details. Developer repositories that include configuration files, environment variables, or commented-out credentials represent one of the most consequential OSINT sources for credential theft.
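The following Python scanner is an added example, not the article's own tooling: it runs a small set of secret-detection rules over constructed file contents of the kind that end up in repositories (a `.env` file, a commented-out AWS key pair in a settings module, a YAML config with a template placeholder, an SSH private key). The AWS access key ID `AKIAIOSFODNN7EXAMPLE` and its matching secret are the placeholder values from AWS's own documentation; the other file contents, paths, and rule names are invented for the example.

```python
"""Scan file contents for committed secrets, commented-out ones included.

Added example, not the article's tooling. The AWS key ID and secret are
the placeholder values from AWS's own documentation; the other file
contents, paths and rule names are constructed for this example.
"""
import re
from typing import NamedTuple

# Constructed repository contents: path -> file text.
SAMPLE_FILES = {
    ".env": "DB_HOST=db.internal.example\nDB_PASSWORD=Tr0ub4dor&3xyz\nDEBUG=true\n",
    "deploy/settings.py": (
        "# old creds, TODO remove\n"
        "# AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "# AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "API_KEY = os.environ['API_KEY']\n"
    ),
    "config/app.yml": "api_key: ${APP_API_KEY}\ngithub_token: ghp_" + "A" * 36 + "\n",
    "ops/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
                  "-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set DB_PASSWORD in your environment before running.\n",
}

# Ordered from most to least specific; the first rule that matches a line wins.
RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # Long-term (AKIA) and temporary (ASIA) key IDs are exactly 20 characters.
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # NAME = 'value' or name: value with a credential-like name; value >= 8 chars.
    ("generic-credential-assignment", re.compile(
        r"(?i)[a-z_]*(?:password|passwd|secret|api[_-]?key|token)[a-z_]*\s*[=:]\s*"
        r"""(?:['"]([^'"]{8,})['"]|([^\s'"]{8,})(?=\s|$))""")),
]
# Template references such as ${VAR} or {{ var }} are not literal secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{|\{\{|<|\$)")


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    evidence: str   # redacted, safe to put in a report or ticket


def redact(secret):
    return secret[:4] + "*" * min(len(secret) - 4, 12)


def scan_text(path, text):
    """Return one Finding per line that matches a rule; comments are not skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            secret = next((g for g in m.groups() if g), m.group(0))
            if rule == "generic-credential-assignment" and PLACEHOLDER.match(secret):
                break   # templated value; generic is the last rule anyway
            findings.append(Finding(path, line_no, rule, redact(secret)))
            break       # one finding per line
    return findings


def scan_files(files):
    """Scan a mapping of path -> text (e.g. built from `git ls-files`)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.rule}  {f.evidence}")
```

The commented-out AWS key pair is reported exactly like a live assignment, which is the point: a comment marker does nothing to an attacker reading the file. Two things the sample deliberately exercises are the template placeholder `${APP_API_KEY}`, which is skipped, and `os.environ['API_KEY']`, which is not a literal and so does not match. When you run something like this against a real repository, feed it the full history (`git log -p`) rather than only the checked-out tree: a secret deleted in a later commit is still in every clone.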

Defensive OSINT

Defensive OSINT, assessing your own organization's external exposure from an attacker's perspective, is one of the most valuable and underutilized security practices. Organizations that conduct regular OSINT assessments of their own footprint discover exposed credentials in code repositories, forgotten internet-facing systems, excessive employee information on professional networks, and mail-domain configurations (missing or permissive SPF and DMARC records) that let attackers spoof the organization's domain. The point is to make these discoveries before attackers make them.
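One of the domain-configuration checks in that list, written out as an added example in Python (not the article's or Cloudskope's code): it evaluates SPF and DMARC TXT records against constructed DNS answers for three reserved example domains and reports the settings that leave a domain spoofable. The record parsing follows RFC 7208 and RFC 7489; the domains, IP ranges, and report addresses are made up for the example.

```python
"""Flag SPF and DMARC settings that leave a domain open to spoofing.

Added example, not the article's or Cloudskope's code. Parsing follows
RFC 7208 (SPF) and RFC 7489 (DMARC); the DNS answers below are constructed
and use reserved example domains and documentation IP ranges.
"""
import re

# Constructed TXT answers: owner name -> list of TXT strings.
SAMPLE_DNS = {
    "strong.example": ["v=spf1 mx ip4:203.0.113.0/24 -all",
                       "site-verification=abc123"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; sp=reject; pct=100; "
                              "rua=mailto:dmarc@strong.example"],
    "weak.example": ["v=spf1 include:_spf.mail.example ip4:198.51.100.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "bare.example": ["site-verification=xyz789"],   # no SPF, no _dmarc record
}

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)")


def spf_findings(domain, txt_records):
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("high", f"{domain}: no SPF record; receivers cannot reject forged envelope senders"))
        return findings
    if len(spf) > 1:
        findings.append(("high", f"{domain}: {len(spf)} SPF records; RFC 7208 makes this a permerror, i.e. no usable SPF"))
    terms = spf[0].split()[1:]
    # Direct terms only (includes are not expanded offline), so this is a lower bound.
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(("medium", f"{domain}: SPF needs {lookups} DNS lookups (limit 10); receivers return permerror"))
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        if any(t.lower().startswith("redirect=") for t in terms):
            return findings          # the redirect target's 'all' applies
        qualifier = "?"              # no 'all' term: the default result is neutral
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "+":
        findings.append(("critical", f"{domain}: SPF ends with +all; any host may send as this domain"))
    elif qualifier == "?":
        findings.append(("high", f"{domain}: SPF is neutral ({all_term or 'no all term'}); forged senders neither pass nor fail"))
    elif qualifier == "~":
        findings.append(("medium", f"{domain}: SPF uses ~all (softfail); rejection depends entirely on DMARC policy"))
    return findings


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(domain, txt_records):
    findings = []
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("high", f"{domain}: no DMARC record; SPF/DKIM results are never enforced against the From: header"))
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append(("high", f"{domain}: DMARC record lacks a valid p= tag and is ignored by receivers"))
        return findings
    if policy == "none":
        findings.append(("high", f"{domain}: DMARC p=none is monitor-only; spoofed mail is still delivered"))
    elif tags.get("sp", policy).lower() == "none":
        findings.append(("medium", f"{domain}: sp=none leaves subdomains unprotected while the apex is enforced"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("medium", f"{domain}: pct={pct}; policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("low", f"{domain}: no rua= address, so aggregate reports of spoofing attempts go nowhere"))
    return findings


def assess_domain(domain, dns):
    """Combine SPF and DMARC findings for one domain from the TXT answers in `dns`."""
    return (spf_findings(domain, dns.get(domain, []))
            + dmarc_findings(domain, dns.get(f"_dmarc.{domain}", [])))


if __name__ == "__main__":
    for domain in ("strong.example", "weak.example", "bare.example"):
        results = assess_domain(domain, SAMPLE_DNS) or [("ok", f"{domain}: SPF and DMARC enforce")]
        for severity, message in results:
            print(f"[{severity}] {message}")
```

To run this against a real domain, replace `SAMPLE_DNS` with the TXT answers from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. The `~all` plus `p=none` combination on `weak.example` is the one an attacker looks for: SPF only softfails forged mail, and DMARC tells receivers to deliver it anyway.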

OSINT in M&A Due Diligence

Cloudskope conducts OSINT-based external exposure assessments as standard components of M&A cyber due diligence. An OSINT assessment of an acquisition target requires no cooperation from the target and reveals the internet-facing exposure, credential exposure in public repositories, and organizational intelligence that attackers would use to plan a targeted attack. These findings consistently surface material security issues not documented in the target's security documentation.

Real-World Example: Uber Data Breach 2016 — Credentials Found on GitHub

In 2016, Uber experienced a breach that exposed data on 57 million riders and drivers. The attackers gained access to a private GitHub repository used by Uber engineers, found AWS credentials committed in the code there, used those credentials to reach Uber's AWS environment, and downloaded the data. The repository was private, so the keys were not reachable by public search alone; the attackers first obtained access to the repository with engineer credentials acquired elsewhere. The incident illustrated that code repositories, even private ones, carry significant credential exposure risk when developers commit secrets alongside code: once a key is committed, the repository's access control is the only thing standing between it and the systems it unlocks.

80% of the information needed to plan a targeted cyberattack is available through open-source intelligence, meaning attackers can build detailed target profiles using only publicly available data before taking any action against the target.

How Cloudskope Can Help

Cloudskope's OSINT-based external exposure assessments evaluate organizational internet footprint, credential exposure in public repositories, employee information exposure, and domain configuration weaknesses from an attacker's perspective. Our M&A due diligence includes OSINT assessment as a standard pre-close component.