
What Is OSINT? Finding Out Almost Anything from Public Sources

Open Source Intelligence is the art of learning about a target using only publicly available information. A beginner friendly guide to what OSINT is, how it is used, and how to shrink your own footprint.

HolyGhost · 7 min read

Pick a stranger's name and, without breaking a single law or touching a single one of their devices, you could probably learn a startling amount about them in an afternoon. Where they work, from a job network. What they look like and who their friends are, from social media. The technologies their employer uses, from job advertisements. Photos with the location quietly stamped in the file. None of it is hacking. All of it is just sitting there in public, waiting to be assembled. That practice of gathering and connecting public information is called OSINT, and it is one of the most powerful and underestimated skills in security.

This is a plain introduction to what OSINT is, who uses it and why, where the information comes from, and how to make yourself and your organisation a smaller target.

What OSINT actually means

OSINT stands for Open Source Intelligence. "Open source" here has nothing to do with open source software. It means openly available sources: information anyone can access without special permission or privileged access. "Intelligence" means turning scattered raw facts into a useful picture. So OSINT is the craft of collecting publicly available information and piecing it together into something meaningful.

The magic is rarely in a single dramatic find. It is in assembly. One fact is trivia. A dozen facts, cross referenced, become a detailed profile: an organisation's staff, their technologies, their suppliers, their habits, and their soft spots.

Passive by nature, which is what makes it sneaky

Most OSINT is passive, meaning you observe public sources without ever directly touching the target's own systems. You are reading a job advert, not probing a server. Because you never interact with the target, there is usually nothing for them to detect. This is why the reconnaissance phase of a real attack, and of a professional security test, leans so heavily on OSINT: it is quiet, low risk, and often astonishingly productive before anyone touches anything sensitive.

Where the information comes from

OSINT sources are everywhere once you start looking. A sampling of the classics:

  • Search engines, used cleverly. Beyond ordinary searching, "Google dorking" uses advanced operators to find very specific things, for example site: to search within one website or filetype: to find particular kinds of document. It can surface files and pages nobody meant to leave findable.
  • Social media. A rich source of names, roles, relationships, photos, locations, and habits, both personal and professional.
  • Company websites and job advertisements. Job ads are a goldmine. A posting for someone experienced in a specific firewall, database, or cloud platform quietly tells an attacker exactly what technology the company runs.
  • DNS and WHOIS records. These are public records about domains: WHOIS can show registration details, and DNS reveals the addresses and services tied to a domain. Our primer on what is DNS explains the underlying system.
  • Certificate transparency logs. Public logs of the security certificates that websites are issued. Because certificates list the exact names they cover, these logs often reveal hidden subdomains an organisation never advertised.
  • Shodan and similar. Shodan is a search engine not for web pages but for internet connected devices, letting you find servers, cameras, and other kit exposed to the internet, along with details about them.
  • Public data breaches. When old breaches are leaked publicly, the exposed email addresses and passwords become OSINT, useful for guessing who reuses credentials.
  • Document metadata. Files like documents and images often carry hidden metadata: the author's name, the software used, and sometimes the exact location a photo was taken. People publish these without realising the extras attached.
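
To make the certificate transparency point concrete from the defender's side, here is an added example (not code from this article's author) that compares the names found in certificates issued for your own domain against the hosts you believe you run. The function names, the hostnames, and the input shape (one list of covered names per certificate, as you might export from a certificate log search) are assumptions, and the sample data is constructed.

```python
def normalise(name: str) -> str:
    """Lower-case and drop surrounding whitespace and any trailing dot."""
    return name.strip().rstrip(".").lower()


def audit_certificate_names(cert_names, domain, inventory):
    """Sort names seen in issued certificates by how they relate to our inventory.

    cert_names: one list of covered names per certificate.
    Returns a dict with 'unlisted', 'wildcards' and 'foreign' name lists.
    """
    domain = normalise(domain)
    known = {normalise(host) for host in inventory}
    report = {"unlisted": set(), "wildcards": set(), "foreign": set()}
    for names in cert_names:
        for name in map(normalise, names):
            if not name:
                continue
            base = name[2:] if name.startswith("*.") else name
            # Require a label boundary so "notexample.com" is not ours.
            if base != domain and not base.endswith("." + domain):
                report["foreign"].add(name)
            elif name.startswith("*."):
                # A wildcard still reveals that this zone exists.
                report["wildcards"].add(name)
            elif name not in known:
                report["unlisted"].add(name)
    return {kind: sorted(found) for kind, found in report.items()}


# Constructed sample: names as they might appear in four certificates.
SAMPLE_CERT_NAMES = [
    ["example.com", "www.example.com"],
    ["*.dev.example.com", "DEV.example.com."],
    ["vpn-old.example.com", "jenkins.corp.example.com"],
    ["www.example.com", "cdn.example.net", "notexample.com"],
]
# Constructed sample: the hosts the organisation thinks it exposes.
SAMPLE_INVENTORY = ["example.com", "www.example.com", "dev.example.com"]

if __name__ == "__main__":
    result = audit_certificate_names(SAMPLE_CERT_NAMES, "example.com", SAMPLE_INVENTORY)
    for kind, names in result.items():
        print(f"{kind}: {names}")
```

Anything under "unlisted" is a name the public can already see but your inventory does not account for, which makes it the first thing to review.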

Who uses it, and why

OSINT is a genuinely double edged skill, used by both sides of every fence:

  • Attackers use it first. Before a phishing campaign or an intrusion, they research the target so their approach is convincing and their effort well aimed.
  • Penetration testers use it in the reconnaissance phase of an authorised engagement, mapping the target's footprint exactly as a real attacker would, but with permission.
  • Defenders and blue teams turn it on themselves, asking "what can an attacker easily learn about us?" so they can reduce it. You cannot shrink a footprint you have never measured.
  • Investigators and journalists use it to verify facts, trace connections, and uncover things hiding in plain sight.

OSINT is the fuel for spear phishing

The single most common use against ordinary people is targeted phishing. Those unnervingly specific emails that name your manager, reference a real project, and sound exactly right are convincing precisely because the details were harvested through OSINT. The more an attacker knows, the harder the message is to doubt. This is the direct link between your public footprint and your inbox, and it is why phishing and OSINT are two halves of one story.

The ethics and the law

Because OSINT uses genuinely public information, gathering it is generally lawful, and it is a legitimate, valued professional skill. But "generally lawful" is not "anything goes". A few honest guardrails:

  • Using public information is one thing. Acting on it to gain unauthorised access is another, and that crosses a bright legal line. Reading a public job ad is fine. Using a leaked password to log in to an account that is not yours is a crime.
  • Be mindful of privacy and local laws, which vary, especially when the subject is a person rather than an organisation.
  • Apply the skill to authorised engagements or to your own footprint, not to snooping on individuals.

The technique is neutral. The intent and the actions around it are what matter, which is a theme across all of security.

How to shrink your footprint

The flip side of understanding OSINT is using it defensively. You cannot remove yourself from the public internet entirely, but you can make yourself a smaller, less inviting target.

  1. Know what is out there. Periodically search for yourself and your organisation the way an attacker would. Awareness comes first.
  2. Mind what job ads and public pages reveal. You can describe roles without publishing a precise inventory of your security tooling.
  3. Scrub metadata from documents and images before publishing them, so you are not leaking authors and locations by accident.
  4. Coach people on oversharing. Much of the richest OSINT comes from well meaning social media posts. A little awareness goes a long way.
  5. Assume the pieces will be connected. Any single detail may seem harmless. Ask what it becomes when combined with everything else already public.

This kind of "what could someone learn and misuse" thinking is really threat modelling pointed at yourself.

The takeaway

OSINT, Open Source Intelligence, is the practice of gathering and connecting publicly available information into a meaningful picture, from search engines and social media to DNS records, certificate logs, Shodan, and document metadata. It is mostly passive and therefore quiet, which is why it opens both real attacks and authorised security tests. It is the fuel behind convincing spear phishing, a legitimate skill when used ethically and with authorisation, and a lens you should turn on yourself. Learn what the public internet says about you, reduce what it does not need to say, and always assume the scattered pieces will be assembled.