OSINT

What is OSINT (Open-source intelligence)?

Open-source intelligence (OSINT) is intelligence derived from publicly available sources rather than covert collection. In cybersecurity it serves defenders (attack-surface mapping, threat-actor investigation) and attackers (reconnaissance) alike. It’s the public-facing layer of intelligence – powerful, but it stops at the boundary of what’s openly accessible.

How OSINT fits into an attack and investigation

Attackers running targeted intrusions almost always open with OSINT, then cross-reference what they find against breach data. The main vectors:

  • Professional-network enumeration – names, titles, reporting lines from LinkedIn. 
  • Technology-stack discovery – IdPs and tooling leaked in job posts and code repos. 
  • Public breach cross-referencing and domain/certificate intelligence. 


Defenders and investigators use the same techniques in reverse – to understand their own exposure and surface a threat actor’s public footprint.

OSINT shows the public picture; the criminal underground holds the rest. For the layers OSINT can’t reach – closed forums, private channels, and darknet markets – see the 2026 Annual Identity Exposure Report.

Where OSINT ends and recaptured intelligence begins

OSINT’s ceiling is accessibility – it only sees what’s public. The most actionable identity-threat intelligence lives in non-public layers:

  • OSINT answers “who.” Who someone is and what their public footprint looks like. 
  • Darknet intelligence answers “what’s stolen.” What data tied to them is in criminal hands right now. 
  • Fuse the two. Use an OSINT-surfaced alias as a pivot, then enrich it with non-public data. 
  • Pivot at scale. SpyCloud’s IDLink pivots across 65.7 billion recaptured records to connect aliases, addresses, and infrastructure that public sources can’t link.

 

Common OSINT sources

OSINT draws on a wide range of public sources, and a few matter most for identity threats.

Professional networks give up names, titles, and reporting lines that map an org chart for targeting. Job postings and code repositories leak the identity provider, security tooling, and internal systems in use. Certificate transparency logs and DNS records expose subdomains and infrastructure that widen the visible attack surface, and public breach references confirm a target appears in known exposures – a pivot point into criminal-market data.
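
As an added example (not code from this page or from SpyCloud), the defender-side use of certificate transparency data described above can be run as a diff between hostnames seen in CT records and your own asset inventory. The record shape (`names`, `not_after`), the sample records, and the inventory are all constructed assumptions.

```python
from datetime import date

# Constructed sample records, not real data. The field names ("names",
# "not_after") are an assumed export shape, not a specific tool's API.
CT_RECORDS = [
    {"names": "www.example.com\nexample.com", "not_after": "2031-01-01"},
    {"names": "*.dev.example.com", "not_after": "2031-03-01"},
    {"names": "vpn-old.example.com", "not_after": "2020-05-01"},
    {"names": "sso.example.com\nSSO.Example.com.", "not_after": "2031-02-01"},
    {"names": "jenkins.corp.example.com", "not_after": "2031-06-01"},
    {"names": "example.com.other.test", "not_after": "2031-06-01"},
]
# Constructed inventory of hostnames the organisation knows it operates.
INVENTORY = {"example.com", "www.example.com", "sso.example.com"}


def normalise(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.strip().lower().rstrip(".")


def in_scope(name, domain):
    """True only for the domain itself or a real subdomain of it."""
    return name == domain or name.endswith("." + domain)


def audit(records, inventory, domain, today):
    """Map each in-scope CT hostname missing from the inventory to details."""
    findings = {}
    for rec in records:
        live = date.fromisoformat(rec["not_after"]) >= today
        for raw in rec["names"].splitlines():
            name = normalise(raw)
            base = name[2:] if name.startswith("*.") else name
            if not base or not in_scope(base, domain) or name in inventory:
                continue
            prev = findings.get(name, {"live": False})
            findings[name] = {
                "kind": "wildcard" if name != base else "host",
                # A name stays "live" if any certificate for it is unexpired.
                "live": live or prev["live"],
            }
    return findings


if __name__ == "__main__":
    for host, info in sorted(audit(CT_RECORDS, INVENTORY, "example.com",
                                   date.today()).items()):
        print(host, info)
```

Names that come back as live but are absent from the inventory are the ones to assign an owner to first; expired-only names point to infrastructure that may have been retired without its DNS record being cleaned up.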

Frequently Asked

In reconnaissance – mapping identities, inferring org structure, finding high-value targets, and discovering infrastructure. LinkedIn yields names and hierarchy; job posts reveal IdPs and security tooling; repos expose internal tools; certificate logs surface domains. The output shapes phishing lures, credential-stuffing target lists, and social-engineering scripts, and combines with criminal-market data for a complete pre-attack picture.

OSINT comes from publicly accessible sources. Dark web intelligence comes from non-public criminal ecosystems – closed forums, private channels, invitation-only markets. The distinction is accessibility: anyone can do OSINT, while dark web intelligence requires active infiltration. For identity threats the latter is more urgent because it surfaces specific stolen credentials tied to your people.

It provides the public layer of attribution – usernames, emails, social profiles, infrastructure registrations tied to a persona – and is most powerful when pivoted against non-public data. A forum alias found via OSINT can be matched to darknet data to reveal the same actor selling logs or running phishing kits. SpyCloud combines this pivoting with 65.7 billion recaptured records.
