The Open-Source Threat: What You Need to Know About OSINT | News | Brit

Understanding OSINT: the basics for brokers and businesses

Open-Source Intelligence, or OSINT, refers to the process of gathering and analysing information that’s publicly accessible. This might include anything from social media profiles and business filings to satellite imagery, press coverage, or even metadata in shared documents. Unlike traditional intelligence methods, OSINT doesn’t rely on hacking or surveillance. It’s all about using what’s already publicly accessible both intelligently and strategically to find material information. 

What makes OSINT especially powerful is its accessibility. Anyone can use it: cybercriminals, researchers, government agencies, or everyday users like you. As the volume of digital information continues to grow, so does its relevance. Within the broader security landscape, OSINT has become a frontline resource. However, it is also a growing risk if left unchecked. 


Real-world uses of OSINT – for good and for harm

OSINT has been utilised in a whole range of positive ways. Journalists use it to verify breaking news. Investigators use it to locate missing persons. In the business world, it’s used to assess competitors and gain additional insights into specific markets. Threat actors use it to their advantage as well, harvesting public information to build profiles, impersonate individuals, and abuse internal security controls. 

The 2015 breach of Ashley Madison is an early example. After a group called "Impact Team" stole user data, they released it publicly when their demands weren’t met. The fallout wasn’t just a technical breach; it became an OSINT event. Over 30 million users were exposed. Names, email addresses, and credit card data were analysed and repurposed by journalists, cybercriminals, and extortionists alike. It led to ruined reputations, job losses, and even reports of loss of life.

That same year, another group known as "CyberCaliphate" used OSINT techniques to target U.S. Central Command (CENTCOM). They harvested data from public and social channels to craft convincing phishing emails, which led to a compromise of CENTCOM’s social media accounts. While no classified systems were affected, the reputational damage was significant. It illustrates this type of attack path: the compromise of a business’s social media account could let attackers post fake results or product launches as a way to move share prices.

A further example that shows how long these types of vulnerabilities have been around is the 2017 Equifax breach. Attackers were able to exploit an OSINT weakness through the discovery of a discussion about an unpatched software vulnerability on a public forum. Because technical support did not act fast enough to patch the system, hackers managed to access the personal data of millions of people. These incidents show how easily small fragments of public information about technical vulnerabilities can lead to large-scale consequences.

As the line between public and private blurs, we must consider: does accessibility equal permission? Where does due diligence become digital intrusion? These are ethical questions we take seriously.

What OSINT reveals about business security risks

We’ve learned that even the most technically secure organisations can have human-related blind spots. A selfie shared in the office might reveal a password on a whiteboard. A document indexed by search engines could expose sensitive numbers. A Zoom call background might inadvertently leak project names or email addresses. 

This is where OSINT becomes more than a threat: it becomes a mirror. Tools like HaveIBeenPwned can be employed to proactively check whether an organisation’s credentials have appeared in public breaches. It’s a simple step that can reveal vulnerabilities before attackers find them.

Businesses should also consider their digital hygiene. Common behaviours like sharing travel updates, publishing staff directories, or failing to update privacy settings can open the door to targeted attacks. By spotting these oversights early, vulnerable businesses have a chance to strengthen their posture before anything goes wrong.
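The "metadata in shared documents" and "document indexed by search engines" points above are easy to check for yourself before a file leaves the organisation. The script below is an added example written for this article, not a Brit tool: it reads the document-property parts of an Office Open XML package (.docx, .xlsx, .pptx store them in docProps/core.xml and docProps/app.xml) and reports the fields that tie the file to people, projects or the company. The sample package it builds is constructed for the demonstration and contains only the property parts, not a complete Word document; the names and company in it are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by Office Open XML document properties.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Properties stored in docProps/core.xml and docProps/app.xml.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "title": "dc:title",
    "subject": "dc:subject",
    "description": "dc:description",
    "keywords": "cp:keywords",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
APP_FIELDS = {"company": "ep:Company", "application": "ep:Application"}

# Fields an outside reader could use to link the file to people, projects or the organisation.
IDENTIFYING = ("creator", "last_modified_by", "company", "title", "subject", "description", "keywords")


def _read_xml(zf, name):
    """Parse one part of the package, or return None if the part is absent."""
    try:
        return ET.fromstring(zf.read(name))
    except KeyError:
        return None


def extract_metadata(docx_bytes):
    """Return the document properties found in the package as a dict of non-empty values."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = _read_xml(zf, "docProps/core.xml")
        app = _read_xml(zf, "docProps/app.xml")
    for root, fields in ((core, CORE_FIELDS), (app, APP_FIELDS)):
        if root is None:
            continue
        for key, path in fields.items():
            el = root.find(path, NS)
            if el is not None and el.text and el.text.strip():
                meta[key] = el.text.strip()
    return meta


def leaky_fields(meta):
    """List the identifying fields present, in a fixed order, so a pre-publication check can flag them."""
    return [k for k in IDENTIFYING if k in meta]


def build_sample_docx(creator, last_modified_by, company, title):
    """Constructed sample: a minimal package carrying only the property parts (not a full Word file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:title>%s</dc:title><dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "<dcterms:modified>2024-01-15T09:30:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], title, creator, last_modified_by)
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        "<Company>%s</Company></Properties>"
    ) % (NS["ep"], company)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    # Invented values: an employee username, a helpdesk account and an internal project name.
    sample = build_sample_docx("jane.doe", "it-helpdesk-03", "Example Brokers Ltd", "Project Falcon pricing v3")
    found = extract_metadata(sample)
    for key in leaky_fields(found):
        print(f"{key}: {found[key]}")
```

Run it against a real file with `extract_metadata(open("report.docx", "rb").read())`; anything that `leaky_fields` returns is worth clearing in the application's document properties before the file is published or emailed outside the organisation.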

Expert insight from a Cyber Risk Specialist: how businesses can use OSINT defensively

When discussing OSINT, it's often framed as a threat. But according to our Cyber Underwriting Analyst, Moaaz Mushtaq, businesses should also be thinking about how OSINT can be used defensively. "Yes, OSINT can be a threat vector," he explains. "But it can also be a powerful defence tool, if organisations are willing to look at themselves the way an attacker would." 

That means proactively mapping your own digital footprint and assessing what’s publicly visible. In Moaaz’s words: “Every cyber-attack starts with reconnaissance. If someone’s gathering data on you, they’re already in phase one of the attack chain. So why not get there first?” By understanding your own exposure first, you can close gaps before they’re exploited.

Groups like Scattered Spider have shown how effective human-led compromise attacks can be, combining OSINT with social engineering to breach even well-protected organisations, and such incidents are becoming increasingly common. This reinforces the need for businesses to map their own digital footprint proactively and understand exactly what is visible to an attacker.


Running OSINT Campaigns Internally

One effective way to identify risk is to run internal OSINT campaigns. These simulate what an attacker might find about your organisation, particularly when it comes to high-risk individuals. That might include executive leaders, members of the IT helpdesk, or anyone in a public-facing role. 

“Think about an executive who regularly speaks at industry events or is often quoted in the press,” says Moaaz. “They’re highly visible, and that gives attackers more to work with.” Internal OSINT exercises can reveal the types of information a cybercriminal could use to tailor convincing phishing emails or impersonation attempts.

These findings can then be used to strengthen internal processes. They might inform executive briefings, trigger updates to employee training, or shape how public-facing teams engage online.


Navigating Ethical Considerations

Looking into your own organisation’s risk exposure is one thing. Gathering intelligence on named individuals inside the business is another, and this brings important questions of ethics, consent, and legal compliance. 

“We’ve seen organisations anonymise or generalise the findings before sharing them with leadership,” says Moaaz. “That way, you still raise awareness without creating discomfort.” Some executives even agree to be used as real-life examples, making training feel more immediate and impactful. However, organisations need to be mindful that this approach raises considerations around privacy and data protection, as well as the broader ethics of OSINT testing. Anonymising or generalising findings can help reduce sensitivity, but it does not remove the responsibility to handle such information carefully and lawfully.

We believe OSINT should be understood, not feared. The important thing is not to avoid the topic just because it feels sensitive. As Moaaz puts it: “It is better to deal with uncomfortable truths internally than have them exploited externally.”


Culture, Social Media and Real-World Exposure

Security risk doesn't always come from a technical flaw. Often, it stems from human behaviour or what people choose to share. Photos of boarding passes. LinkedIn posts about travel plans. Instagram tags at the office. Each one may seem harmless on its own. But together, they can give an attacker everything they need to make an approach feel legitimate. “It’s never just one data point,” Moaaz explains. “It’s the combination that builds a credible attack.” 

The risk of sensitive employee information being exposed in the background of photos and video is higher in organisations that showcase company culture or drive recruitment via social media, because this increases their digital exposure. That exposure becomes even more risky when combined with unchecked AI tools that make it easier to mimic writing styles or even generate deepfake video content. Impersonation and spear-phishing attacks are already common. They are also becoming more sophisticated and harder to detect.

Try it yourself: how to experience OSINT in action

If you want to consider your personal OSINT risk, start by searching your own name, workplace, or email address. Use tools like HaveIBeenPwned, Google image search, or location-based tools to see what comes up. It’s often surprising how much is visible, and how easily it can be pieced together. This hands-on approach gives you real awareness of your own digital footprint.
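For the HaveIBeenPwned part of that exercise, the password check can be done without ever sending the password to anyone. The script below is an added example for this article, not a Brit tool or HaveIBeenPwned's own code: it implements the k-anonymity scheme the public Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1}) uses, where only the first five characters of the SHA-1 hash leave your machine and the matching is done locally against the list of suffixes the service returns. The range response embedded in the block is constructed for offline use (its suffixes other than the one for "password", and all of its counts, are invented); `fetch_range_live` is the one function that actually contacts the service.

```python
import hashlib
import urllib.request

# Public Pwned Passwords range endpoint: the caller sends only a 5-character hash prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/{}"


def sha1_split(password):
    """SHA-1 the password; return the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip malformed lines rather than failing the whole check
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus (0 if absent).

    fetch_range(prefix) -> response text; injected so the check can run offline in tests.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real network call to the range endpoint (not used by the offline demonstration)."""
    req = urllib.request.Request(RANGE_URL.format(prefix), headers={"User-Agent": "osint-self-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to prefix 5BAA6 (SHA-1("password") starts with 5BAA6).
# The middle line is the genuine suffix of that hash; the other suffixes and every count are invented.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2DC183F740EE76F27B78EB39C8AD972A757:10
"""


def fetch_range_offline(prefix):
    """Offline substitute for fetch_range_live that only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_offline)
        print(f"{pw!r}: {'seen ' + str(n) + ' times in breaches' if n else 'not in the sample range'}")
```

To check a real password, call `breach_count(pw, fetch_range_live)`; the service never sees the password or its full hash, only the five-character prefix, so the check is safe to run on live credentials. Checking whether an email address appears in breaches is a separate HaveIBeenPwned service and is not covered by this block.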


OSINT challenges: real-world exercises anyone can try

Image Geolocation Challenge

Choose a public image and see if you can identify its location using Google Earth or reverse image search. Architectural details, signage, shadows, and weather can all provide clues. This mirrors how cybercriminals and OSINT investigators alike use visual data to build context. It’s also the basis of the popular game GeoGuessr, where players guess real-world locations using images alone. There are even GeoGuessr world championships where players use a single image to identify a location to within a few miles in seconds!

Investigative Journalism Exercise

Pick a news story and try verifying it with publicly available data—such as satellite imagery, business filings, or social media content. This is the same method used by the Bellingcat community and other open-source investigators. It’s also increasingly supported by AI tools, which can accelerate image recognition and data cross-referencing. 

These exercises highlight the amount of information and insight that can be drawn from open data without any “hacking” involved.

2010: Chief secretary to the Treasury, Danny Alexander, was photographed with the comprehensive spending review on his lap, which forecast job cuts for 500,000 public sector workers.

2017: Actor Tom Holland accidentally shared a poster for Avengers: Infinity War during a live stream, though this may have been a planned publicity stunt.

2021: The Manchester United social media admin accidentally started an Instagram Live stream while making their lunch and chatting in the office.


OSINT is everywhere, but the power lies in how we use it

To help clients stay ahead of the OSINT risk, we have been incorporating OSINT thinking into our broader cyber risk strategy. Through the Data Safe platform, clients can access a virtual CISO (Chief Information Security Officer). This is not a chatbot or automated tool. It’s a real person who can advise on OSINT risk, mitigation tactics and wider cyber security planning. Internally, we also distribute a weekly threat intelligence pack to our underwriting teams. This summarises current cyber trends, tactics and activity, helping them stay informed and pass on relevant insights to broker partners.

Moaaz offers one clear takeaway. “If you can reduce what’s publicly accessible - even slightly - you’re not just shrinking your digital footprint. You’re actively reducing your attack surface.”

In your position as a broker, this is a valuable message to bring to clients. Proactively managing exposure, reviewing internal culture, and applying the right tools can all reduce risk. Moaaz adds, “Often, organisations focus heavily on technical defences. But the human side of cyber risk is just as important as it is usually the front door into an organisation. OSINT can therefore provide important insight and allows action to be taken.”

OSINT is not inherently malicious. It’s a tool. What matters is how it’s used. We’re committed to helping businesses and individuals understand their exposure. By using OSINT ethically and proactively, businesses can turn it into a valuable defence mechanism, giving them the insight to manage risk, protect assets, and make informed decisions. Understanding what’s out there is the first step. Managing it wisely is next, so get in touch with our cyber team today.