OSINT audit: what we deliver and how long it actually takes
This is a service description that does not read like one. We are going to walk through, in order, exactly what an OSINT defensive audit looks like at our firm, how long it takes, what the deliverable contains, what it does not contain, and what we expect from the client. The goal is to make it possible for a decision-maker to evaluate the service without a sales call, decide whether it fits, and only call us when the call is informed.
We chose this transparency for two reasons. The first is brand: we have committed publicly to operational honesty, and a service we describe vaguely contradicts that commitment. The second is operational: clients who arrive informed produce engagements that go faster and deliver more value, and we prefer those clients. The screening is mutual.
What an OSINT defensive audit is
An OSINT defensive audit is the systematic gathering and analysis of public information about your company, conducted from an external perspective with no privileged access, organised into a written report that lists exposures, ranks them by severity and remediation difficulty, and proposes specific actions.
It is not a penetration test. We do not attempt to gain access to systems. It is not a vulnerability assessment. We do not scan your infrastructure with tools that probe for weaknesses. It is not a continuous monitoring service. We deliver a point-in-time snapshot.
It is the cheapest cybersecurity exercise that consistently produces actionable findings for mid-market European companies. The cost-to-impact ratio is structurally favourable because most of the value comes from synthesis and ranking, not from expensive tooling.
Scope: what we look at
Our standard scope covers six categories. The breadth is deliberate; the depth varies by category based on what we find.
Category 1 · Personnel exposure
- LinkedIn footprint of the company and its named employees.
- Public conference talks, podcast appearances, and articles authored by employees.
- Public GitHub, GitLab, and Bitbucket activity of employees on company time.
- Personal blog or social media exposures that are professionally relevant.
Category 2 · Technical perimeter
- DNS records (A, AAAA, MX, CNAME, TXT, SOA, NS) for primary and discovered domains.
- Certificate transparency log entries for the past 24 months.
- Shodan, Censys, and ZoomEye visibility of the company's ASN and known IP ranges.
- Reverse-DNS sweeps of the known IP ranges.
- Subdomain enumeration through certificate logs, search engine indexing, and DNS brute-forcing of the most common subdomain patterns.
Category 3 · Email infrastructure
- SPF, DKIM, DMARC posture of all discovered domains and subdomains.
- BIMI presence and VMC verification status.
- Historical email security posture changes (via passive DNS) over the past 24 months.
- MX provider identification and historical changes.
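As an added illustration of the Category 3 posture check (example code written for this article, not a tool IBL ships), the function below scores SPF and DMARC TXT records using the severity and remediation-difficulty scales described under Day 4 of the timeline. The domain names and TXT answers are constructed samples; in a real engagement the lookup table would be filled from live DNS answers, and the function and constant names are this example's own.

```python
# Constructed sample TXT answers for fictional domains (not real DNS data).
SAMPLE_TXT = {
    "weak.test": ["v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
    "strong.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.test"],
}
# SPF mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_posture(domain, txt_lookup):
    """Return (control, issue, severity, remediation difficulty) tuples for one domain."""
    findings = []
    spf = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("SPF", "no SPF record", "high", "easy"))
    else:
        terms = spf[0].lower().split()
        last = terms[-1]  # the trailing 'all' qualifier decides what unlisted senders get
        if last in ("+all", "all"):
            findings.append(("SPF", "'+all' authorises any sender", "critical", "trivial"))
        elif last == "?all":
            findings.append(("SPF", "'?all' is neutral and protects nothing", "high", "trivial"))
        elif last == "~all":
            findings.append(("SPF", "'~all' soft-fails; tighten to '-all'", "low", "easy"))
        lookups = sum(1 for t in terms if t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(("SPF", f"{lookups} lookup terms exceed the limit of 10", "medium", "moderate"))
    dmarc = [r for r in txt_lookup.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("DMARC", "no DMARC record", "high", "easy"))
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append(("DMARC", "p=none only monitors; spoofed mail is still delivered", "high", "moderate"))
        elif policy == "quarantine":
            findings.append(("DMARC", "p=quarantine; move to p=reject once alignment is clean", "low", "moderate"))
        if "rua" not in tags:
            findings.append(("DMARC", "no rua= aggregate reporting address", "medium", "trivial"))
    return findings
```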
Category 4 · Brand and impersonation surface
- Lookalike domains registered in the past 24 months that resemble the company's primary domains (typosquats, homoglyphs, brand suffixes).
- Social media handles on the major platforms that match or impersonate the company's brand.
- Mobile applications in major app stores that use the brand name.
- Phishing kit references mentioning the company in publicly indexed sources.
Category 5 · Supply chain visibility
- Third-party JavaScript loaded on the company's public web properties.
- SaaS subdomains hosted under the company's domain (status pages, support portals, learning platforms).
- Vendor logos visible on the company's public materials.
- Public references in customer testimonials and case studies that map company-to-vendor relationships.
Category 6 · Public credentials and code exposure
- Public code repositories under the company's organisation or recognisably tied to it.
- Public gists or paste-bin entries referencing the company's domain or branded identifiers.
- Public credential leak indices for the company's email domains (using only data that is already indexed by reputable threat intelligence sources we have licences to consult).
- Document metadata from publicly downloadable PDFs and Office files (we do not bypass any access control).
What we will not include
- Anything that required authentication, social engineering, or technical exploitation to obtain. If we cannot reach it as an external observer with no privileged access, we do not document it.
- Personal data of employees beyond what is professionally exposed by them. We will note that an employee's role is on LinkedIn. We will not enumerate their personal life from social media.
- Data subject to data protection considerations we are not authorised to process. When we identify exposure of personal data that belongs to data subjects who are not company employees, we describe the category and the magnitude without including the data itself in the report.
- Speculation about who might attack you, or attribution. The report deals with exposure, not adversary modelling.
Timeline: 5 working days, plus optional polish
A standard engagement runs 5 working days for the core work, with an optional 2-day extension if the findings volume justifies it (rare, about one in seven engagements).
- Day 1. Kick-off with the client (90 minutes, virtual). Scope confirmation, in-scope and out-of-scope domains, communication channel agreement, point of contact identification, agreement on what to do if we surface something that requires immediate action.
- Days 2 and 3. Active reconnaissance work across the six categories. Most of the depth happens here. Findings get logged in a structured internal repository as we go.
- Day 4. Triage and ranking. We score each finding on a 2-dimensional grid: severity (low, medium, high, critical) and remediation difficulty (trivial, easy, moderate, hard). We write the report draft.
- Day 5. Internal peer review of the draft by a second senior consultant. Delivery to the client (PDF report, signed and dated). Debriefing call with the client (60 minutes, virtual). Optional walk-through of each high-severity finding with the responsible engineer on the client side.
The 5-day timeline is what we commit to when we sign. We have delivered faster on request twice; we have not delivered late.
Deliverable: the report
The report is a written document, signed by the engagement lead, dated, and delivered as a PDF and a Markdown source bundle. Length varies; the median is between 25 and 45 pages for a mid-market engagement. Structure:
1. Executive summary (2 pages, written for the management body).
2. Methodology (2 pages, what we did and how).
3. Findings by category (15 to 30 pages, one section per category, each finding with severity, difficulty, evidence URL or reference, and a recommended action).
4. Top 10 priority remediations (2 pages, the ones to do first).
5. Long-tail recommendations (1 to 3 pages, the ones to do later).
6. Appendices (technical details: full subdomain list, full DNS record dump, full Shodan banner dump where relevant).
Every finding includes the URL or the technical reference that lets your team reproduce it. The report is reproducible. We make this explicit because some clients have been burned by reports they could not verify internally.
What we expect from the client
- One point of contact with authority to make scope decisions during the engagement. Not a committee.
- In-scope and out-of-scope domain list confirmed in writing before day 1.
- Permission to run queries against your DNS and certificate records during the engagement window. We do not need access to any of your systems.
- An emergency contact for the small probability that we surface something requiring immediate action (e.g. an open AWS S3 bucket containing personal data, an exposed admin interface with default credentials).
- A 60-minute window for the debrief on day 5. Without the debrief, the report's value drops by 30% in our internal estimate.
Pricing principle (not pricing)
We follow a fixed-scope, fixed-price model. The price is set in the proposal after we know the in-scope domain count, the rough employee headcount, and the rough technical footprint. We do not bill by the hour. We do not surprise-bill. If the engagement reveals more work than the scope allowed, we deliver the agreed scope at the agreed price and propose a separate follow-up if the client wants it.
We do not publish pricing publicly because it depends genuinely on scope. We will give a price range during the first conversation, before any commitment.
What happens after the report
Three paths. The client chooses.
1. The client takes the report and remediates internally. This is the most common path. The report is detailed enough to execute against. We are available for clarification questions during the 30 days following delivery at no charge.
2. The client engages us for the remediation. We offer fixed-scope remediation sprints (typically 4 to 8 weeks) for the top priority findings.
3. The client subscribes to a periodic OSINT refresh. We deliver an updated audit every 3 or 6 months, focused on what has changed since the previous report.
None of these is the right answer for every client. We discuss the three honestly during the debrief.
> "Clients who arrive with a clear sense of what an OSINT audit will and will not deliver run engagements that produce more value. The cost of writing this article in detail is the time it took. The benefit is the screening it does on both sides." — IBL service design note, 2026
What we do at IBL
We run OSINT defensive audits as a fixed 5-day engagement with a written report, a debrief, and a 30-day clarification window. We turn down engagements where the scope is genuinely too narrow (under 30 employees, single domain, no public footprint to speak of) or where the client expects a continuous monitoring service we do not yet offer.
If you want a conversation about your specific scope, write to [email protected]. We answer within one business day.
---
Ibida Black Level S.L. is a boutique cybersecurity advisory firm headquartered in Málaga, Spain, with an operational team in Romania. We focus on mid-market European companies that prefer technical honesty to vendor packaging. We were founded in 2026; we do not invent a longer history.
Related reading
- OSINT 101: 7 things an attacker finds about your company in 30 minutes
- Tier-1 vs tier-2 cybersecurity vendors: how to choose by company size
- DMARC explained: why your email is vulnerable and how to fix it in 24 hours
Tags: osint, audit, transparency, deliverables, methodology, mid-market