“The most dangerous moment isn’t when the attacker strikes. It’s the quiet hour before, when they’re just reading.”
Let me paint you a picture.
It’s Tuesday. Somewhere, there’s someone sitting with three monitors, a VPN chain running through four countries, and a cup of coffee going cold next to a keyboard. They’re not hacking anything. Not yet. They’re reading.
They’re reading your job postings. Your LinkedIn company page. The GitHub commit your junior dev pushed at 11pm last Friday. The SSL certificate your sysadmin registered six months ago that lists a subdomain nobody was supposed to know about. The conference talk your CTO gave in 2023 where they casually mentioned which SIEM you’re running.
They haven’t touched your network; they haven’t sent an email; they haven’t done a single thing that any IDS in the world would flag.
And they already know more about your infrastructure than half your internal team.
Welcome to March. We’re talking about EXPOSURE.
Why this month, and why now
There’s something in the air right now and you can feel it if you’re paying attention – well, just turn your TV on.
The global political climate, and I’m not going to get into specifics because frankly you’ve got news feeds for that, is doing that thing it does every few years where the tension dial gets cranked past eleven and everybody starts acting accordingly. Nation states get jittery and threat actors get damn fucking opportunistic. And the groups operating in the gray space between “criminal organization” and “state-sponsored asset” start getting very busy.
Here’s what that means in practice, because I’ve watched this pattern play out enough times to recognize it on sight: when the world gets nervous, reconnaissance spikes.
Ok, let’s dissect it the way it should be dissected: before any meaningful attack campaign (whether it’s financially motivated ransomware, espionage-flavored data exfiltration, or just someone trying to make a political point by taking down infrastructure) there’s always a quiet period. A mapping period, or, if you are old school like me, the reading period.
OSINT activity goes up, and passive recon goes up, and the beautiful, terrifying thing about it is that you can’t see it happening.
That’s the whole point of passive reconnaissance: no logs, no alerts, nothing for anomaly detection to catch. Just someone patiently building a picture of your organization using the breadcrumbs you’ve already left everywhere.
And here’s the part that should keep you up at night: most organizations leave a lot of breadcrumbs.
What OSINT actually looks like in the wild
Let me get technical for a second, because I think a lot of people hear “OSINT” and picture some sketchy guy reverse-image-searching on Google. That’s cute. That’s not what we’re talking about.
My first lesson as a university teacher always starts the same way with my students (they’re called $fauna): “ciao guys and gals. How was the concert Friday? And you, Shirley Temple, your date with Mr. Dread has been a waste of time, lemme tell ya!”
They generally stare at me and yell “STALKER”.
It’s not me, it’s you leaving traces. Evidence. Pictures on every mainstream social media platform.
Now, real threat-actor-grade OSINT against a corporate target is a structured, methodical, frankly beautiful process if you can appreciate tradecraft. And it breaks down into layers.
Layer 1: the Perimeter read
Before anyone goes near your infrastructure, they read the edges: certificate transparency logs are a goldmine, whooo!
Services like crt.sh expose every SSL certificate ever issued for your domain. Every subdomain, every internal-facing service that someone decided needed HTTPS. The staging environment. The dev portal. The internal dashboard that was “only temporary” (yep, this).
More?
Ok: DNS records, and zone transfers if you’re misconfigured. Historical DNS through tools like SecurityTrails or Shodan’s passive DNS, showing infrastructure that no longer exists but maybe kind of still does.
ASN lookups to map your IP ranges. BGP data. WHOIS history to track how your domain registrations have changed over time.
None of this requires authentication. None of this triggers alerts. It’s all just… there.
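Here’s what that certificate transparency read looks like when you point it at your own domain. This is an added example, not code from the post or from any tool it names: it assumes the public crt.sh JSON endpoint (`https://crt.sh/?q=%25.<domain>&output=json`), which returns a list of certificate entries whose `name_value` field carries one or more DNS names separated by newlines, and it works on a constructed sample of that response so it runs offline.

```python
"""Inventory every hostname crt.sh knows for a domain (added example, not from the post).

Assumes the crt.sh JSON format: a list of entries with "name_value" (newline-separated
DNS names), "not_before" and "not_after". The sample response below is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample of what crt.sh returns for a query like %.example.com
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-11-01T00:00:00", "not_after": "2025-01-30T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
     "name_value": "*.example.com\nstaging.example.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-02T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "jenkins-internal.example.com",
     "name_value": "jenkins-internal.example.com",
     "not_before": "2024-09-10T00:00:00", "not_after": "2025-09-10T00:00:00"},
])

# Name fragments that usually mean "nobody meant for this to be public" (substring match,
# so expect the odd false positive such as "devices")
SENSITIVE_HINTS = ("staging", "dev", "internal", "test", "jenkins", "admin", "vpn")

def subdomains_from_crtsh(raw_json, now=None):
    """Return {hostname: {"sensitive": bool, "cert_valid": bool}} for every logged name.

    Wildcards collapse to their base domain; cert_valid means at least one certificate
    covering the host has not expired at `now` (datetime, ISO string, or None = today).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    hosts = {}
    for entry in json.loads(raw_json):
        not_after = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].splitlines():
            host = name.strip().lower().lstrip("*.")  # "*.example.com" -> "example.com"
            if not host:
                continue
            info = hosts.setdefault(host, {"sensitive": False, "cert_valid": False})
            info["sensitive"] = any(hint in host for hint in SENSITIVE_HINTS)
            info["cert_valid"] = info["cert_valid"] or not_after > now
    return hosts

if __name__ == "__main__":
    for host, info in sorted(subdomains_from_crtsh(SAMPLE_CRTSH_JSON).items()):
        print(f"{host:32} valid_cert={info['cert_valid']!s:5} {'REVIEW' if info['sensitive'] else 'ok'}")
```

Expired certificates still name the host, which is exactly why the "temporary" staging portal shows up years later: the log entry never goes away.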
Layer 2: the Human map
This is where it gets personal, and this is the layer that feeds directly into phishing – applies even to $fauna.
LinkedIn is a recon paradise and we treat it like a marketing channel. Job postings are even worse, because they’re basically a technical inventory list. “We’re looking for a senior engineer with experience in Palo Alto firewalls, CrowdStrike, and Splunk” is not a job posting!
It’s an attack surface document with a $$$alary range attached.
Your employees’ conference talks, published papers, GitHub profiles, Stack Overflow answers, old forum posts... every technical person leaves a trail of what they know, what they work with, and how they think.
That trail is enormously useful to someone who wants to craft a spear phishing email that sounds like it came from a colleague.
Layer 3: the Technology stack fingerprint
Shodan. FOFA. Censys. These are search engines for internet-connected devices and services and they index your infrastructure whether you want them to or not.
Web application tech stacks get fingerprinted through response headers, error messages, JavaScript files, cookie names, CMS versions, framework signatures, and third-party integrations betrayed by script sources and CNAME records.
Exposed services.
Default banners.
That one Jenkins instance (hail Jenkins!) that’s internet-facing because someone needed to demo something eighteen months ago and forgot to close it off.
Layer 4: the dark Corners
This one is freaky, be ready: previous breach data.
Credential dumps from historical incidents that include employee email/password combinations (you know I run ransomNews.online, so believe me when I say password reuse is still tragically common).
Also, dark web forum chatter about specific organizations, “paste” sites with accidentally committed API keys or configuration files, and I would add AI agents let loose in the wild with access to almost every part of your machines (Moltbook anyone?) 🦞
GitHub is particularly brutal here. git log is forever ♥️
Secrets committed and then deleted still exist in the history. And there are people (and automated bots) doing nothing but scanning public repositories for exactly this.
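What those bots are doing is not magic either. Here is the defender’s version, an added example that is not code from the post: it walks the text of `git log -p --all` for your own repository, matches a couple of secret patterns on added and removed lines, and records which commit introduced each hit and which one “deleted” it. The log excerpt, commit hashes and the AKIA-style key are all constructed placeholders.

```python
"""Find secrets that were committed and later deleted (added example, not from the post).

Feed it the text of `git log -p --all`. A finding with removed_in set is gone from HEAD
but still recoverable from history. The log excerpt below is constructed and trimmed
(no Author/Date lines); hashes and the AKIA key are placeholders, not real credentials.
"""
import re

SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111

    add deploy config

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+DB_PASSWORD = "hunter2-prod"
commit 2222222222222222222222222222222222222222

    remove secrets from config

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,2 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
-DB_PASSWORD = "hunter2-prod"
"""

SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),  # AWS access key id shape
    re.compile(r"(?i)(?:password|passwd|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),  # literal assigned
]

def secrets_in_history(git_log_text):
    """Return {secret_text: {"added_in": hash, "removed_in": hash or None}}."""
    findings, commit = {}, None
    for line in git_log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]  # track which commit the following hunks belong to
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            for pat in SECRET_PATTERNS:
                for m in pat.finditer(line[1:]):
                    rec = findings.setdefault(m.group(0), {"added_in": None, "removed_in": None})
                    rec["added_in" if line[0] == "+" else "removed_in"] = commit
    return findings

if __name__ == "__main__":
    for secret, rec in secrets_in_history(SAMPLE_GIT_LOG).items():
        state = "still in HEAD" if rec["removed_in"] is None else f"deleted in {rec['removed_in'][:7]}, still in history"
        print(f"{secret[:40]:40} added in {rec['added_in'][:7]}  {state}")
```

A removal commit is not remediation: the credential has to be rotated, and the history rewritten only if you can live with the consequences for every clone out there.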
The geopolitical variable
Here’s the thing I want you to sit with as we go into this month.
If you know me a bit, you’ll surely know about my SciFi background (wikipedia is a thing, winky winky winky winky), so don’t be too surprised if some actual situations are dramatically a doppelganger of notorious and iconic movies. Gonna cite ’em, know that.
When the global temperature rises, when alliances shift, when sanctions fly, when critical infrastructure starts making headlines for the wrong reasons, the attack pattern changes. The motivation changes. And with it, the quality and patience of the reconnaissance changes (Terminator, Wargames, The Forbin Project, ...).
Opportunistic criminals use OSINT like a blunt instrument. Grab what’s easy, move fast, monetize.
But state-adjacent actors? The groups that operate in political gray zones, motivated by something other than immediate financial return? They use OSINT like a scalpel. Months of mapping: patient, structured, invisible.
Building a complete picture before a single malicious packet hits your network.
And the techniques they use aren’t exotic. They’re not classified, they’re just the same tools available to anyone with a browser and a methodology.
Social media aggregation, forum infiltration, joining communities where your employees discuss their work, and monitoring your public infrastructure changes over time to understand your deployment patterns and roadmap. Lemme add cross-referencing personal data across platforms to map relationships and identify high-value targets.
The tradecraft isn’t magic.
It’s discipline – very polite discipline.
And it works because most organizations are sitting there, wide open, never thinking about what they look like from the outside.
What you don’t wanna hear: your attack surface is en plein air
I’ve run enough simulations and recon exercises to say this with confidence: most organizations have no idea what they look like to an adversary!
Again: most organizations have no idea what they look like to an adversary!!
Not because they’re incompetent or because they don’t care. But because attack surface visibility requires you to look at your own organization the way an attacker does, and that’s a fundamentally different perspective than how defenders, sysadmins, or executives think.
You think about your infrastructure from the inside: what’s connected to what, what’s supposed to work, what’s authorized.
An attacker thinks about it from the outside: what’s visible, what’s inferable, what’s useful.
Those are completely different maps of the same territory.
And the gap between those two maps?
That’s where phishing emails get written. That’s where pretexts get built and where the social engineering campaign that eventually lands someone’s credentials starts to take shape – weeks before anyone picks up a keyboard to do anything malicious.
What we’re doing this month
Every week in March, we’re going deeper into this.
We’re going to talk about how to actually see your own organization the way a threat actor does.
We’re going to get technical with real tools, real methodology, real code.
We’re going to talk about the human layer of exposure, because your employees’ digital presence is part of your attack surface whether it’s on a company device or not.
And we’re going to talk about what you can actually do about it, because awareness without action is just expensive anxiety (save this and resell to your mates, it works!).
So, I’ve developed the editorial plan:
- Monday: #PacketHunters goes deep on tooling. The actual OSINT stack, the methodology, the Python – aka the stuff you can run yourself
- Wednesday: we’ll be showing you real data, anonymized, but real. What our simulations reveal about where organizations are actually exposed
- Friday: Decoded time! My take! The rude and uncomfortable angles. The things the vendor whitepapers won’t say plus some nerdy stuff you may find useful
And at the end of the month, The Catch: a full OSINT recon checklist.
Not the watered-down “remember to Google yourself” version: the actual thing. The methodology we use when we’re scoping a simulation engagement.
One last thing before I let you go
The scariest part of OSINT isn’t the tools.
The tools are just tools.
The scariest part is this: everything we’re going to talk about this month is legal: every technique, every data source, every methodology. All of it is sitting in the open, available to anyone with the patience to learn how to use it.
The people who want to get into your organization? They know this. They’ve known it for years.
The question is whether you know it about yourself.
This month, we find out.
🦄 you’ve been reading Decoded: Nerd Thoughts, my monthly editorial from Baited where I set the context before we get into the details.

Chief Marketing Officer • social engineer OSINT/SOC/HUMINT • cyberculture • security analyst • polymath • COBOL programmer • nerd • retrogamer