Open Source Intelligence / OSINT

With Open Source Intelligence (OSINT), you gain a realistic assessment of your public attack surface – from the perspective of a potential attacker.
Every company leaves digital traces on the internet: domains, subdomains, servers, technologies in use, metadata, or publicly accessible files. This information provides valuable starting points for attackers to prepare attacks.
OSINT analyses offer a fast and efficient way to visualize your own attack surface – without performing active attacks. With the help of our in-house mgm tool "recon me", we combine various methods to systematically collect, correlate, and process publicly available information. The result: a transparent overview of potential risks and concrete recommendations for action.
Our Services
We conduct comprehensive OSINT analyses for you – passively or actively, depending on the desired depth. Typical components:
- Passive Scan: Querying public directory services (e.g., Whois, DNS, MX), identification of servers, subdomains, email addresses, technologies, and operators (e.g., Amazon, Akamai).
- Active Scan: Direct investigation of the target domain without attacks, e.g., to identify further services, technologies, or unintentionally publicly accessible files.
- Tool-Supported Analysis: Use of our automated OSINT tool "recon me" for structured collection and evaluation.
- Reporting & Consulting: Preparation of all results with evaluation, problem areas, and prioritized recommendations for action.
Approach
Our OSINT audits follow a clearly structured process:
- Scoping: Definition of the target domain and desired scan depth (passive or active).
- Data Collection: Cascading application of automated tools combined with manual expertise.
- Analysis: Evaluation of the found services, technologies, operators, and metadata.
- Risk Assessment: Derivation of the potential attack surface from an attacker's perspective.
- Reporting: Delivery of a detailed report with technical findings and recommendations.
Checkpoints
We specifically audit the publicly visible elements of your infrastructure:
- Whois data, DNS and mail servers
- Subdomains and associated services
- Location and operator of external servers (e.g., cloud providers)
- Web technologies and versions in use
- Publicly accessible files and metadata
- Identified vulnerabilities and misconfigurations
Your Benefit
With OSINT analyses, you see your company through the eyes of an attacker – and can proactively reduce risks.
The results provide you with a clear assessment of your technical IT security from an external perspective. You gain transparency over your public attack surface and receive concrete recommendations for effectively closing vulnerabilities.
- Clear assessment of the public attack surface
- Choice between passive or active scan
- Structured analysis with mgm tool "recon me"
- Transparent report with findings and measures
- Detection of unintentionally published information
- Improvement of IT security from an attacker's perspective
- Basis for further security tests (e.g. pentests)
- Early warning system for digital attack surfaces
mgm DeepDive
Passive vs. Active OSINT Scan
OSINT analyses can be divided into two approaches: passive and active. Both methods provide valuable information about the attack surface but differ in approach, level of detail, and results.
| | Passive Scan | Active Scan |
|---|---|---|
| Methodology | Query of publicly available sources and directory services (e.g., Whois, DNS, MX) | Direct but careful examination of the target domain with specialized tools |
| Risk to target system | No interaction with the systems, completely inconspicuous | Low risk, no attacks, but direct queries to system resources |
| Information content | Overview of domains, subdomains, operators, and technologies | Broader data set, including services, configurations, and publicly accessible files |
| Results | Determination of the public attack surface | More comprehensive picture with additional detailed information |
| Use Cases | Initial assessment when an inconspicuous approach is required | Deeper analysis when more transparency regarding configuration and services is needed |
