Pros
- Completely passive discovery touches no client infrastructure, so it raises no alarms there
- Maps external exposure across domains, subdomains, and shadow IT
- Enriches asset inventories with Shodan, DNS, and Certificate Transparency data
- Visualizes complex organizational relationships using Maltego graphing
- Provides accurate scoping intelligence for subsequent penetration tests
- Identifies historical credential breach exposure without violating privacy boundaries
- Delivers an executive-friendly attack surface narrative
Cons
- Public data is inherently incomplete and subject to false positives
- Requires intensive manual validation to separate signal from noise
- Must strictly navigate data privacy and ethical reconnaissance boundaries
- Limited internal context means asset ownership must eventually be confirmed with the client
Adversaries do not attack blindly. They spend weeks meticulously mapping an organization’s digital footprint, searching for forgotten subdomains, exposed cloud storage buckets, and leaked developer credentials. The perimeter you are defending is rarely the perimeter the attacker sees.
The OSINT Attack Surface Intelligence Workflow replicates this adversary reconnaissance phase using entirely passive, authorized methods. Before a single packet is sent at your firewall, this intelligence-gathering operation identifies the externally facing assets you forgot you owned, allowing you to close critical exposure gaps before a technical assessment or a real-world breach begins.
Ethical Boundaries and Passive Reconnaissance
This workflow is strictly governed by rules of engagement. Reconnaissance is non-intrusive. We map the terrain without touching the fence.
- No active exploitation: We catalog open ports from Shodan's existing scan data; we do not run Nmap or any other scanner against IPs without explicit written consent. Shodan results reflect its last crawl and may be stale, which is one reason every finding is validated before it is reported.
- No credential weaponization: We identify the presence of compromised corporate email addresses in known data breaches; we do not extract or test passwords.
- No active social engineering: We map organizational hierarchies and employee exposure via LinkedIn and public forums; we do not phish or interact with personnel.
Intelligence Objectives
The goal is to build a comprehensive map of the organization’s public exposure across multiple vectors:
- Infrastructure: Discovering primary domains, subdomains, autonomous system numbers (ASNs), and forgotten IP ranges.
- Shadow IT & Cloud: Identifying orphaned S3 buckets, exposed GCP storage, and unmonitored third-party SaaS integrations.
- Technology Fingerprinting: Determining backend frameworks, WAF deployments (e.g., Cloudflare), and outdated CMS versions from DNS records and from HTTP headers already captured by third parties (Shodan banners, Wayback Machine snapshots), rather than by probing the target directly.
- Cryptographic Exposure: Mapping infrastructure via Certificate Transparency (CT) logs (crt.sh) to find staging and development environments.
- Source Code & Secrets: Searching public GitHub repositories for hardcoded API keys, exposed CI/CD configurations, or developer misconfigurations.
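The Source Code & Secrets step is usually automated: clone the candidate repositories and run a detector over every file. The block below is an added example of such a detector, written for this page and not taken from any tool the page names. It combines one format-specific rule (the AWS Access Key ID prefix and length, which AWS documents publicly) with a generic "credential-looking assignment" rule that is gated on Shannon entropy so placeholder values are not reported. The entropy threshold of 4.0, the `SPECIFIC_PATTERNS` and `GENERIC_ASSIGNMENT` names, and the sample file are this example's own assumptions; the sample uses the placeholder credentials from AWS's own documentation rather than anything real.

```python
import math
import re
from dataclasses import dataclass

# Format-specific rules. The AWS Access Key ID shape (AKIA/ASIA followed by
# 16 upper-case alphanumerics) follows AWS documentation; add further
# documented formats here as needed.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}

# Catch-all for `something_key = "value"` style assignments. The value is then
# gated on entropy so placeholders such as "changeme" are dropped (assumed rule).
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)^\s*(?:export\s+)?([A-Za-z0-9_.\-]*(?:key|secret|token|passw)[A-Za-z0-9_.\-]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s]{16,})"
)


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str   # never store the full secret in a report
    entropy: float  # bits per character of the matched value


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys sit around 4-5, English-like text near 3.5."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value for its owner to recognise it."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str, entropy_threshold: float = 4.0) -> list:
    """Return Findings for one file's contents, specific rules first."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for rule, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, redact(m.group(0)),
                                        round(shannon_entropy(m.group(0)), 2)))
                matched_specific = True
        if matched_specific:
            continue  # do not report the same line again under the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            entropy = shannon_entropy(value)
            if entropy >= entropy_threshold:
                findings.append(Finding(line_no, "high_entropy_assignment",
                                        redact(value), round(entropy, 2)))
    return findings


# Constructed sample file (not from any real repository). The AWS values are the
# placeholder credentials AWS prints in its own documentation.
SAMPLE_FILE = """\
# settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = True
api_key = "changeme_placeholder"
SESSION_TOKEN = os.environ["SESSION_TOKEN"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line_no}: {f.rule} {f.redacted} (entropy {f.entropy})")
```

On the sample, only the access key ID and the high-entropy secret are reported; `changeme_placeholder` fails the entropy gate and the environment-variable lookup never matches the value pattern. Findings are redacted at detection time so the report itself does not become a second leak, and the Low/Medium/High decision is left to the validation step, where ownership of the repository is confirmed first.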
The Practitioner Tool Stack
To scale data collection and visualize complex relationships, we utilize an industry-standard OSINT suite:
- Visual Link Analysis: Maltego for graphing connections between domains, IPs, and email registrants.
- Passive Infrastructure Discovery: Amass, Subfinder, and DNSdumpster.
- Exposed Service Enrichment: Shodan, Censys.
- Historical & Archival OSINT: The Wayback Machine, crt.sh, WHOIS/RDAP.
- Custom Automation: Bespoke Python scripts to aggregate threat intelligence feeds and parse raw DNS outputs.
The Intelligence Workflow
- Scoping & Authorization: Defining the seed domains and confirming the legal boundaries of the assessment.
- Passive Collection: Executing broad-spectrum data gathering across DNS, search engines, public code repositories, and breach databases.
- Data Enrichment: Correlating IP addresses with Shodan data to identify running services, likely CVE exposure, and geographic distribution. Shodan's vulnerability tags are inferred from service banners, so they are treated as leads to validate, not as confirmed vulnerabilities.
- Validation & Filtering: Manually reviewing output to eliminate false positives (e.g., verifying that an exposed GitHub repository actually belongs to the client).
- Risk Scoring: Assigning severity based on exploitability (e.g., an exposed development API has a higher risk profile than a parked marketing domain).
- Integration: Passing the validated intelligence to the penetration testing or vulnerability management teams to scope their active engagements.
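The collection, enrichment, scoring and register steps above fit naturally into one script of the "bespoke Python" kind the tool stack mentions. The block below is an added example written for this page, not code from the workflow's own tooling. It parses the JSON shape crt.sh returns (one object per certificate, SAN entries newline-separated in `name_value`), keeps only names that are strictly under the seed domain (so a lookalike such as `target.com.lookalike-example.net` is rejected), separates wildcard certificates for later DNS expansion, enriches each host with port data in the shape of Shodan's `ports` field, scores it, and emits the External Asset Register as CSV with a `validated` column that stays `pending` until a human confirms ownership. The seed domain, the passive-DNS and Shodan data, and the additive scoring scheme are all this example's assumptions, constructed so it runs offline.

```python
import csv
import io
import json

SEED_DOMAIN = "target.com"  # hypothetical in-scope seed domain

# Constructed sample in the shape of crt.sh's JSON output (one object per
# certificate; name_value carries newline-separated SAN entries). Invented data.
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.target.com", "name_value": "target.com\nwww.target.com"},
    {"common_name": "dev.api.target.com", "name_value": "dev.api.target.com"},
    {"common_name": "*.staging.target.com", "name_value": "*.staging.target.com\nstaging.target.com"},
    {"common_name": "VPN.Target.COM", "name_value": "VPN.Target.COM"},
    # Lookalike that merely contains the seed string: must be rejected.
    {"common_name": "target.com.lookalike-example.net", "name_value": "target.com.lookalike-example.net"},
])

# Constructed stand-ins for passive DNS resolution and for the `ports` field of
# Shodan host data. In a real run these come from the tools themselves.
PASSIVE_DNS = {
    "target.com": "203.0.113.10", "www.target.com": "203.0.113.10",
    "dev.api.target.com": "203.0.113.22", "staging.target.com": "203.0.113.23",
    "vpn.target.com": "203.0.113.40",
}
SHODAN_PORTS = {
    "203.0.113.10": [80, 443], "203.0.113.22": [443, 8080],
    "203.0.113.23": [22, 443], "203.0.113.40": [443, 3389],
}

REMOTE_ADMIN_PORTS = {22, 23, 445, 3389, 5900}
NON_PROD_LABELS = {"dev", "staging", "stage", "test", "uat", "qa"}
WEB_PORTS = {80, 443, 8080, 8443}
FIELDS = ["hostname", "ip", "ports", "risk", "score", "notes", "validated"]


def hostnames_from_crtsh(raw_json: str, seed: str):
    """Return (concrete hostnames, wildcard bases) that sit strictly under `seed`.
    A wildcard cannot be enumerated from CT alone, so its base is kept separately
    for a later DNS step to expand."""
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            is_wild = name.startswith("*.")
            base = name[2:] if is_wild else name
            # Strict suffix test: "target.com.lookalike-example.net" fails it.
            if base != seed and not base.endswith("." + seed):
                continue
            (wildcards if is_wild else hosts).add(base)
    return hosts, wildcards


def score_asset(hostname: str, ports):
    """Illustrative additive scoring (this example's own scheme, not a standard)."""
    score, notes = 0, []
    if NON_PROD_LABELS & set(hostname.split(".")):
        score += 2
        notes.append("non-production hostname")
    admin = sorted(REMOTE_ADMIN_PORTS & set(ports))
    if admin:
        score += 3
        notes.append("remote-admin port(s) " + ",".join(map(str, admin)))
    if WEB_PORTS & set(ports):
        score += 1
        notes.append("web service exposed")
    level = "High" if score >= 5 else "Medium" if score >= 3 else "Low"
    return level, score, notes


def build_register(raw_json: str, seed: str):
    """Enrich and rank every CT-derived hostname; ownership stays 'pending'
    until a human confirms it against the client's inventory."""
    hosts, wildcards = hostnames_from_crtsh(raw_json, seed)
    rows = []
    for host in sorted(hosts):
        ip = PASSIVE_DNS.get(host)
        ports = SHODAN_PORTS.get(ip, []) if ip else []
        level, score, notes = score_asset(host, ports)
        if host in wildcards:
            notes.append("wildcard cert seen: enumerate labels beneath it")
        rows.append({"hostname": host, "ip": ip or "unresolved",
                     "ports": " ".join(map(str, sorted(ports))), "risk": level,
                     "score": score, "notes": "; ".join(notes), "validated": "pending"})
    rows.sort(key=lambda r: (-r["score"], r["hostname"]))
    return rows


def register_csv(rows) -> str:
    """Serialise the register for import into an asset management system."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(register_csv(build_register(CRTSH_SAMPLE, SEED_DOMAIN)), end="")
```

With the constructed data, `staging.target.com` (non-production label plus an internet-facing SSH port) ranks High, the RDP-exposing `vpn.target.com` and the development API rank Medium, and the production web hosts rank Low, mirroring the ordering in the findings matrix. Two design choices matter in practice: the strict suffix check, because substring matching on the seed domain is the most common source of out-of-scope hostnames in CT-derived lists, and the `validated` column, because nothing in the register is reported to the client as theirs until the Validation & Filtering step has confirmed it.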
Integration with Offensive Operations
OSINT is the foundational phase for advanced offensive security.
- Red Team Readiness: Identifying organizational structure, communication platforms, and employee roles directly informs targeted, highly credible spear-phishing scenarios.
- Web & API Penetration Testing: Uncovering unlinked v1 API endpoints, staging subdomains, or forgotten developer portals ensures the penetration test covers the actual attack surface, not just the primary application.
Sample OSINT Findings Matrix
| Risk Level | Finding / Exposure | Attack Vector & Implication | Priority |
|---|---|---|---|
| High | Exposed .git Directory | A forgotten development subdomain (dev.api.target.com) is exposing source code, potentially revealing backend logic and credentials. | Immediate |
| High | GitHub Secrets Leak | A developer committed an AWS Access Key ID to a public repository associated with their corporate email. | Immediate |
| Medium | Exposed RDP (Shodan) | An IP address registered to the organization has port 3389 open to the internet, exposing the host to password brute-forcing, a common ransomware entry vector. | 1-3 Days |
| Low | Breached Email Exposure | 45 corporate email addresses found in the “Collection #1” data breach. Credential-stuffing risk if passwords were reused and MFA is not enforced; rated Low because the breach data is several years old, not because the exposure is harmless. | 1-2 Weeks |
Core Deliverables
The intelligence gathered is translated into actionable engineering and security deliverables:
- Attack Surface OSINT Report: A comprehensive narrative of what an attacker can see, categorized by risk.
- Visual Entity Graph: A Maltego chart illustrating the relationships between the organization’s domains, IPs, and third-party vendors.
- External Asset Register: A clean CSV/Excel inventory of all discovered subdomains, IPs, and identified tech stacks, ready for import into an Asset Management system.
- Prioritized Remediation List: Immediate actions required to remove sensitive data from public view.
30-Day Attack Surface Reduction Plan
- Days 1-7 (Triage & Takedown): Address High-severity exposure immediately. Revoke leaked API keys discovered on GitHub. Restrict access to exposed staging environments and open RDP ports via firewall rules.
- Days 8-15 (Asset Reconciliation): Compare the OSINT External Asset Register against internal IT asset inventories. Identify and officially adopt (or decommission) shadow IT assets, forgotten marketing sites, and legacy infrastructure.
- Days 16-30 (Continuous Monitoring Integration): Implement automated subdomain monitoring and GitHub secret scanning. Establish a policy requiring all new infrastructure to be documented before DNS propagation.
By adopting a proactive OSINT workflow, security teams can reclaim visibility over their perimeter, forcing attackers to work significantly harder to find a foothold in the network.