Corporate OSINT audit · Your real exposure as seen by an attacker | OCIRIA
What an attacker sees about your company, without touching anything. Executive and technical report, 100% legal and passive.
Corporate OSINT audit
Your organisation's real exposure, as seen by an attacker
OSINT (Open Source Intelligence) is the discipline that gathers, correlates and analyses publicly available information to build a profile of a target. It is the first thing any moderately serious attacker does before moving into action. Knowing what is in plain sight about you, before someone with worse intentions uses it, is elementary.
---
What it is
A corporate OSINT audit is intelligence work, not penetration testing. We do not probe vulnerabilities, we do not access your systems, we do not send pretexting emails. The only thing we do is collect, from open and legitimate sources exclusively, all the information a moderately motivated attacker with ten days of dedication could obtain about your organisation.
The result has two readings. The first is defensive: it shows what information is exposed without the company knowing (leaked credentials, internal documents published by mistake, infrastructure forgotten in an old vendor's cloud). The second is intelligence: it shows how an attacker would build the attack case from that information (which executive is vulnerable to social engineering, which weak supplier is the most likely path, which exposed service is the most exploitable).
The difference from an automated attack surface scan is that here there is a human analyst correlating pieces, not a script executing rules. The report is written in clear language for management and in technical language for the team, without inflating findings or hiding them behind jargon.
---
When you need it
After a merger, acquisition or significant organisational change. Each change incorporates new domains, inherited infrastructure, employees with new public profiles and inherited contracts with technology providers. The map changes fast and many things remain half-integrated. An OSINT audit after the change identifies the gaps.
Before a significant corporate operation. Public listing, major funding round, strategic contract that changes your exposure profile. The buyer's or investor's questionnaire will include questions about digital exposure. It is better to answer from a recent in-house report than from improvisation.
After an incident or suspicion of leak. If there was a ransomware attempt, fraud by impersonating the CFO, a breach at a supplier, or simply a phishing email that almost made it, an OSINT audit determines whether information about your organisation is circulating in places that justify additional alerts.
As recurring practice. We recommend repeating it annually, or after significant changes. Exposure is not static: each new employee, each new SaaS tool contracted, each document published on the web adds surface.
---
How we work
Phase 1 · Scope and authorisation (days 1-2). We agree the scope in writing: domains, brands, key executive profiles, geographies and providers in scope. We sign a formal authorisation (which we need on our side for clean legal cover) and a confidentiality agreement (which protects you).
Phase 2 · Collection (weeks 1-2). Field work in passive OSINT: enumeration of domains and subdomains, certificate analysis, inventory of exposed infrastructure, searches in public breach databases, analysis of executive presence on professional networks and forums, identification of internal documents published by mistake, review of public repositories for leaked credentials or secrets, identification of active impersonations (look-alike domains, fake profiles), and correlation with key technology providers.
Phase 3 · Analysis and prioritisation (weeks 2-3). We cross-reference findings. An isolated leaked credential is a data point; a leaked credential belonging to the finance lead, combined with a recently registered look-alike domain, is an imminent fraud scenario. We prioritise by probability of exploitation and impact, not by volume.
Phase 4 · Delivery and presentation (week 3). We deliver two reports and present them: one executive to the board (what we found, what it means, what to do in the next ninety days) and one technical to the team (each finding with evidence, source, capture date and specific operational recommendation).
---
What we deliver
- Executive report (5-8 pages) for the general management and executive committee, with a summary of critical findings, estimated impact, prioritised mitigation plan and key messages to communicate internally.
- Technical report (typically 30-60 pages depending on findings) with each finding documented: captured evidence, source, date, criticality, exploitation vector, recommended countermeasure and priority.
- 90-day mitigation plan with concrete actions, suggested owner and reasonable execution order.
- Evidence repository delivered through a secure channel, with limited access and agreed retention.
- Double presentation session: one to management, one to the technical team.
- Prioritised list of suggested ongoing monitoring (look-alike domains to watch, profiles to alert on, sources to check).
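A simplified look-alike domain monitor combined with the Phase 3 correlation rule (finance-role credential plus recent look-alike domain), added here as an illustration; this is example code, not OCIRIA's tooling. The domain examplecorp.com, the observed registrations, the findings and the short homoglyph table are all constructed.

```python
from dataclasses import dataclass
from datetime import date

HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"], "m": ["rn"]}  # short illustrative table
ALT_TLDS = ("com", "net", "org")
KEYWORDS = ("login", "secure", "mail")
FINANCE_ROLES = {"cfo", "finance lead", "accounts payable"}

def lookalike_candidates(domain: str) -> set[str]:
    """Names a monitoring job watches for: omissions, homoglyphs, transpositions, keyword suffixes, TLD swaps."""
    name, tld = domain.lower().rsplit(".", 1)
    cands = set()
    for i, ch in enumerate(name):
        cands.add(name[:i] + name[i + 1:])                                              # character omission
        cands.update(name[:i] + sub + name[i + 1:] for sub in HOMOGLYPHS.get(ch, []))  # homoglyph swap
        if i + 1 < len(name):
            cands.add(name[:i] + name[i + 1] + ch + name[i + 2:])                       # adjacent transposition
    cands.update(f"{name}-{kw}" for kw in KEYWORDS)                                     # brand plus keyword
    cands.discard(name)
    result = {f"{c}.{tld}" for c in cands}
    result.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)                          # same name, other TLD
    return result

def find_lookalikes(domain: str, observed: list[str]) -> list[str]:
    """Match a batch of newly observed registrations (e.g. a CT-log or zone feed) against the candidates."""
    cands = lookalike_candidates(domain)
    return sorted(d for d in observed if d.lower() in cands)

@dataclass(frozen=True)
class Finding:
    kind: str       # "leaked_credential" or "lookalike_domain"
    subject: str    # account or domain name
    seen: str       # ISO date: leak date or registration date
    role: str = ""  # job role, for credential findings

def _age_days(finding: Finding, as_of: str) -> int:
    return (date.fromisoformat(as_of) - date.fromisoformat(finding.seen)).days

def prioritise(findings: list[Finding], as_of: str, window_days: int = 90) -> dict[str, str]:
    """Phase 3 style correlation: a finance-role credential plus a recent look-alike domain is escalated to critical."""
    recent_lookalike = any(f.kind == "lookalike_domain" and _age_days(f, as_of) <= window_days for f in findings)
    out = {}
    for f in findings:
        if f.kind == "leaked_credential" and f.role.lower() in FINANCE_ROLES and recent_lookalike:
            out[f.subject] = "critical"   # imminent transfer-fraud scenario, per the correlation rule
        elif f.kind == "lookalike_domain" and _age_days(f, as_of) <= window_days:
            out[f.subject] = "high"
        else:
            out[f.subject] = "medium"
    return out

# Constructed sample input: newly seen registrations for the monitored (fictional) domain examplecorp.com.
OBSERVED = ["examp1ecorp.com", "examplecorp.net", "exmaplecorp.com", "unrelated.com", "examplecorp-login.com"]
```

The same rule can be extended with other pairings the report would escalate, such as a leaked credential with unrevoked access plus infrastructure still reachable under an old vendor's domain.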
---
Who it is for
Organisations with significant digital presence, visible executives or exposure to social engineering. Particularly useful for:
- Companies in corporate operation (merger, acquisition, funding round, public listing) needing recent and verifiable documentation of their exposure.
- Sectors with high regulatory or reputational risk (financial, health, energy, critical infrastructure, professional services with high-profile clients).
- Organisations with public or influential executives, where social engineering targeting people is a relevant vector.
---
FAQs
Is it legal to run an OSINT audit on our own company?
Yes, within the scope you authorise. We work exclusively with open sources and passive techniques. We do not access your systems or those of third parties, we do not impersonate anyone, we do not contact employees. The written authorisation we sign before starting covers us against misunderstandings and covers you against auditors asking why a third party was collecting data on the organisation.
How long does the work take?
Three weeks from signature of the formal authorisation and kick-off. If the scope is very broad (an international group with dozens of subsidiaries and brands), we segment it into waves to maintain the quality of the human analysis.
What is the difference between this and pen-testing?
Pen-testing actively probes for vulnerabilities, touching your systems with authorisation. OSINT touches nothing: it only collects and analyses what is already public. They are complementary; OSINT usually precedes pen-testing so that the latter can focus on what really matters.
What if you find something serious during the work?
We escalate immediately, without waiting for final delivery. If there are active critical leaked credentials, a look-alike domain in use for fraud, or sensitive information published by mistake, we alert you in less than 24 hours with the finding and the immediate mitigation recommendation.
Can you do it periodically as a managed service?
Yes. After the first audit we can offer ongoing monitoring that watches the relevant sources and alerts you when something changes (a new leaked credential, a new look-alike domain, a new mention of your organisation on illicit forums). We discuss at project close whether it makes sense for you.
What about personal data of employees appearing in findings?
We process only the minimum necessary information, anonymise where possible and delete evidence at the end of the project, except for the retention agreed with you. We comply with GDPR as joint controllers during the project.
---
Typical use cases
Case 1 · The company in the middle of an acquisition. An industrial company with one hundred and fifty employees in the process of being sold to an international group. The buyer demands cybersecurity due diligence as a condition of the closing price. We run the OSINT audit in three weeks. Main findings: three active leaked credentials of former employees with unrevoked access, an unknown look-alike domain in use, and sensitive documentation published in an old IT vendor's repository. The company closes the findings before the formal due diligence and delivers a clean report to the buyer.
Case 2 · The law firm after a CFO-impersonation fraud attempt. A professional services firm suffers a fraud attempt in which the CFO is impersonated to authorise a transfer. The transfer was stopped in time. The OSINT audit identifies that the attacker had profiled the entire executive hierarchy from public professional networks, knew the names of key clients from the press, and had registered a look-alike domain two months earlier. Mitigation plan: review of executive exposure, monitoring of look-alike domains, and a double-verification protocol for transfers above a threshold.
Case 3 · The international group in rapid expansion. A services group with presence in five countries and ten brands, growing by acquisitions. The OSINT audit focused on mapping the true perimeter: forgotten domains of acquired brands, non-inventoried infrastructure, public profiles of inherited executives that had not been updated. Outcome: a corrected inventory with twelve domains and twenty-three assets not previously counted, and a subsequent consolidation plan.
---
How to start?
The first step is a free one-week initial diagnosis. We agree the scope, tell you what we would typically find in a company of your profile and deliver a concrete proposal without commitment. If it is not for you, we say so.
Write to us at [[email protected]](mailto:[email protected])
---
Other services
- [Monthly vCISO · Security leadership](/en/services/vciso-detalle)
- [ISO/IEC 42001 · Responsible AI management pilot](/en/services/iso-42001-detalle)