OSINT 101: 7 things an attacker finds about your company in 30 minutes
There is a reason OSINT is the cheapest tool in an offensive toolbox. It is not new, it is not subtle, and it does not require any access. It only requires that the observer knows where to look. The same fact makes OSINT defensive work cheap on our side too. The point of this article is to give you, plainly, the seven things we routinely surface about a mid-market European company in our first thirty minutes of OSINT triage. None of these require a tool you have to pay for. All of them can become an opening move in a real attack.
We have ordered them by frequency. The first one shows up almost always. The last one shows up about a third of the time, and when it does it usually changes the conversation with the client.
1 · A reasonably complete employee map (10 minutes)
We start with LinkedIn. We do not need to be connected to anyone. The free search filtered by company name, location, and current employment gives us, in the average mid-market European company with 80 to 400 employees, between 50% and 80% of the headcount. We can read titles, prior employers, languages spoken, and very often the technology stack listed in the skills section.
What an attacker does with that: a target list for spear phishing, with role-tailored pretexts. We have seen messages crafted with the exact internal title and the project the target announced two weeks earlier on LinkedIn. The open rate of those messages is not in the same league as a generic phishing wave.
What you can do about it: ask your people to keep current employer information, but to be more deliberate about announcing internal projects and tooling in detail. A sensible LinkedIn hygiene briefing for senior staff is one of the cheapest awareness wins available.
2 · The technology stack from job postings (3 minutes)
Open positions are an OSINT goldmine. A backend role asking for "PostgreSQL 14, Kafka, Vault, and Terraform on AWS eu-west-1" tells an attacker the database engine, the messaging bus, the secrets manager, the deployment region, and the orchestration tool. A security operations role asking for "Splunk Cloud, CrowdStrike Falcon, and Tines for SOAR" tells the attacker the SIEM, the EDR, and the orchestration platform.
What an attacker does with that: skips the discovery phase. The reconnaissance step jumps directly into looking for known CVEs for the named versions.
What you can do about it: do not stop publishing job offers. Strip version numbers. Speak in capabilities ("modern SIEM", "managed EDR") rather than vendor names whenever the role allows. Use a recruiter intermediary for highly specific roles.
3 · The email infrastructure and its DMARC posture (2 minutes)
Three DNS lookups give us the MX records, the SPF record, and the DMARC record of any company domain. In a typical mid-market European company, we still find more than half with DMARC either absent, set to `p=none`, or set to `p=quarantine` without `pct=100`. The same companies frequently have SPF with `~all` instead of `-all`, and three to five legacy IP ranges authorised that no one currently working at the company can explain.
What an attacker does with that: registers a lookalike domain or simply spoofs the legitimate one, depending on the DMARC posture. Spoofing of legitimate-looking sender domains was the entry vector of several high-impact BEC cases we saw in 2025.
What you can do about it: move DMARC to `p=reject` and SPF to `-all` on a documented timeline. We have a separate piece on the 24-hour version of this work.
4 · The public perimeter as Shodan and Censys see it (5 minutes)
We search the company name and the ASN. In a typical company we find between three and twelve internet-exposed services that no one in the company expected to be exposed. The most common offenders: legacy VPN concentrators kept "for emergencies", remote management interfaces of network devices (MikroTik, Cisco SMB, Ubiquiti), forgotten S3 buckets that were marked public for one quick test, internal portals on `:8443` thought to be hidden because they were not linked anywhere, and the IPMI interface of a server that should have been decommissioned in 2022.
What an attacker does with that: starts probing for known vulnerabilities against the discovered services. For a mid-market company, we have measured the time from public Shodan hit to first targeted probe at less than 24 hours.
What you can do about it: an external attack surface management routine, even a quarterly one done by hand, eliminates 80% of this category. The investment is two analyst-days per quarter for a typical mid-market company.
5 · Code repositories and the secrets people leak in them (4 minutes)
GitHub searches for `org:<company>` and for `"@company.com" path:.env` reveal more than they should. The most common findings: a forgotten test repository with a real database connection string, a personal GitHub of a former employee containing a config file with an API key that the company never rotated, a public gist with a webhook URL that still works.
What an attacker does with that: tries the credentials. Roughly one in three of the credentials we surface in this category is still valid the first time we test them with the client during a diagnostic.
What you can do about it: enable GitHub secret scanning on the organisation, run a sweep of historical commits in your private repositories, and operationalise key rotation when an employee leaves. None of this requires a new product purchase for most mid-market companies.
6 · The supply chain you did not draw on a diagram (4 minutes)
We look at JavaScript loaded on your public website, at the SaaS subdomains that resolve under your domain (`status.`, `support.`, `helpdesk.`, `learn.`, `tracking.`), at certificate transparency logs, and at the favicon hashes of internal portals. In a typical mid-market European company we identify between 15 and 40 third parties touching either your data, your customers, or your brand surface, of which 5 to 10 are usually not on the procurement list.
What an attacker does with that: chooses the weakest third party as the pivot. The third-party breach pattern of 2023 to 2025 was not a coincidence; it was the easiest path against companies that had hardened their own perimeter.
What you can do about it: an OSINT-driven third-party inventory, refreshed quarterly, that you compare to the procurement list. The deltas are the work.
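The comparison against the procurement list, as an added example that is not part of the original article: hostnames observed in your own DNS and page source are mapped to vendors by suffix and then diffed in both directions. The vendor catalogue, hostnames and procurement list are constructed, and every function name is hypothetical.

```python
# Added example. Every hostname, vendor and list below is constructed.
VENDOR_SUFFIXES = {  # hypothetical catalogue: hostname suffix -> vendor name
    "helpdesk-saas.example": "HelpdeskCo",
    "statuspages.example": "StatusCo",
    "cdn-analytics.example": "AnalyticsCo",
    "lms-cloud.example": "LearnCo",
}
PROCUREMENT = {"HelpdeskCo", "AnalyticsCo", "PayrollCo"}
OBSERVED = [  # (where it was seen, hostname it points at or loads from)
    ("support.corp.example CNAME", "corp.helpdesk-saas.example."),
    ("status.corp.example CNAME", "pages.statuspages.example"),
    ("www.corp.example script src", "t.cdn-analytics.example"),
    ("learn.corp.example CNAME", "corp.lms-cloud.example"),
    ("tracking.corp.example CNAME", "edge.unknown-tracker.example"),
]

def vendor_for(host, catalogue):
    """Longest-suffix match on label boundaries, so a lookalike such as
    'evilstatuspages.example' is not attributed to 'statuspages.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in catalogue:
            return catalogue[candidate]
    return None

def inventory_deltas(observed, catalogue, procurement):
    """Return the three work lists: unprocured vendors with their evidence,
    procured vendors with no public trace, and hosts nobody has identified."""
    seen, unidentified = {}, []
    for source, host in observed:
        vendor = vendor_for(host, catalogue)
        if vendor is None:
            unidentified.append((source, host.rstrip(".")))
        else:
            seen.setdefault(vendor, []).append(source)
    return {
        "not_on_procurement_list": {v: e for v, e in seen.items() if v not in procurement},
        "procured_but_not_observed": sorted(procurement - set(seen)),
        "unidentified_hosts": unidentified,
    }

if __name__ == "__main__":
    for name, value in inventory_deltas(OBSERVED, VENDOR_SUFFIXES, PROCUREMENT).items():
        print(name, "->", value)
```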
7 · The fragility nobody discussed: dependence on one person (2 minutes)
This is the OSINT finding clients react most strongly to. Combining LinkedIn, public conference talks, GitHub contributions, technical blog posts, and DNS WHOIS history, we frequently surface that one specific employee is the only public face of an entire technical area. If that person is unavailable for 72 hours, several systems they own have no documented successor.
What an attacker does with that: makes that person a high-value spear phishing target. In one well-documented public case (not a client of ours), a successful phish of a single SRE took down a SaaS platform for 48 hours because no other team member had the recovery credentials.
What you can do about it: an internal bus-factor review. It is not a cybersecurity exercise in the strict sense; it is a continuity exercise that has cybersecurity consequences.
How to use this list inside your company
We do not recommend running these seven steps against your own company without involving the security team and, depending on jurisdiction, the legal team. Even if the data is public, the act of compiling it under a corporate context can have implications. The simplest path is to ask a third party to do it with a clear scope and to deliver the findings to a named owner inside the company.
The point of an OSINT defensive exercise is not to be impressed by what an external observer can see. The point is to convert the findings into a remediation list with owners and dates. Findings without owners are noise.
> "We have never delivered an OSINT defensive report to a mid-market company that found zero meaningful exposure. We have delivered several where the most expensive finding was internal: a critical area owned by one person nobody had been asked to back up." — IBL internal review of 2025-2026 OSINT engagements
What we do at IBL
Our OSINT defensive engagement is a five-day fixed-scope exercise. The deliverable is a written report, signed and dated, with the findings ranked by remediation difficulty and by exposure severity. We do not include any data that we did not obtain from public sources. We include the URL and date of each finding so that your team can reproduce it.
If you want a conversation about your own footprint, write to [email protected]. We answer within one business day.
---
Ibida Black Level S.L. is a boutique cybersecurity advisory firm headquartered in Málaga, Spain, with an operational team in Romania. We focus on mid-market European companies that prefer technical honesty to vendor packaging. We were founded in 2026; we do not invent a longer history.
Related reading
- OSINT audit: what we deliver and how long it actually takes
- DMARC explained: why your email is vulnerable and how to fix it in 24 hours
- Supply chain OSINT: what happens when your critical vendor has not patched since 2024