Conducting External Reconnaissance with OSINT

When to Use

  • Performing the initial reconnaissance phase of a penetration test to gather intelligence before active scanning
  • Mapping an organization's external attack surface to identify unknown or shadow IT assets
  • Collecting employee information, email formats, and organizational structure for social engineering campaigns
  • Identifying exposed credentials, leaked data, or sensitive documents published on the internet
  • Scoping the breadth of an organization's digital footprint prior to a red team engagement

Do not use for stalking, harassment, or unauthorized surveillance of individuals. OSINT gathering must be conducted within the scope of an authorized engagement and comply with applicable privacy laws (GDPR, CCPA).

Prerequisites

  • Written authorization to perform reconnaissance against the target organization
  • Dedicated research workstation with a VPN or Tor for anonymized queries when required
  • OSINT framework tools installed: Amass, theHarvester, Shodan CLI, Recon-ng, SpiderFoot
  • API keys for Shodan, Censys, SecurityTrails, Hunter.io, VirusTotal, and GitHub for enhanced results
  • Disposable email accounts for accessing services that require registration during research

First Seen: Mar 15, 2026