Open-Source Intelligence โ what attackers see about you, what defenders see about themselves.
15+
Essential Tools
6
Source Categories
3
Adversary Tiers
Legal
Where it counts
The 6 source categories
HIGHEST YIELD
Public records + people-search
Property records, voter rolls, court records. Spokeo, BeenVerified, Whitepages. Data brokers aggregate it all.
DNS / WHOIS / Certs
crt.sh for cert transparency. Reveals every subdomain a target has ever published.
Mass scanners
Shodan, Censys, FOFA, ZoomEye. Index every public IP โ devices, services, banners.
Social media
Username + email pivots across platforms. Photos with EXIF or backgrounds.
Search operators
Google Dorks: site: filetype: intitle: inurl: โ surgical query power.
Breach data + dark forums
HIBP, DeHashed, IntelX. Cyber-side OSINT for stealer logs, credential reuse.
Defender's First Move
Self-audit. Search your name + email + phone in Google. Run HIBP. Check Spokeo. What you find is what an attacker finds in 5 minutes.
Legal Floor (US, broad)
Public data: generally fine. Defeating access controls: CFAA. Aggregation harm: civil/ethical, even when each piece is "public." For org work โ written authorization.
Adversary tiers
Defender playbook
Tier 1 โ opportunistic Hours. Most defenses target them.
Tier 2 โ motivated Time, specific target. Persistence.
Tier 3 โ resourced Org crime, intel agencies. Hire help.
CT log monitor (weekly) Find your shadow subdomains
Breach feed for your domain HIBP Enterprise, SpyCloud
Continuous port/service scan Shodan ID your asset, monthly