Infrastructure & exposure
Domain relationships, DNS history, certificate transparency, exposed services, archived content.
- Subdomain & ASN discovery
- Cert transparency review
- Service & banner exposure
Open-source intelligence
Know what's exposed before someone else does.
Public-source collection, correlated and written in plain language. Infrastructure mapping, identity exposure, recon, due diligence, and investigation packages.
- 01 Collect
- 02 Correlate
- 03 Report
- 04 Brief
Collection coverage
Public-source signal, mapped and connected.
No magic, no fabricated "premium" feeds. Well-organized work over public data.
Identity & account exposure
Breach data correlation, credential exposure context, public profile mapping, reuse patterns.
- Breach-data correlation
- Public profile linking
- Reuse & pattern review
Third-party & due diligence
Background on companies, vendors, partners, or counterparties — ownership, infrastructure, history.
- Corporate & ownership records
- Tech stack & vendor links
- Reputation & history review
What you get
Deliverables that translate to action
- Executive brief with headline findings and confidence levels
- Technical artifact with sources, timestamps, evidence, and follow-up leads
- Sanitized copy suitable for sharing with leadership or counsel
- Optional debrief call to walk through findings and next moves
Built for the people who act on it
Not just a CSV of links
- Plain-language findings with context, not analyst jargon
- Confidence ratings on every claim
- Source citations so you can verify anything yourself
- Recon support that ties into pentest or investigation work
Engagement process
A disciplined process from scope to brief.
Scope, sources, authorization, and reporting are agreed up front.
01
Scope & authorization
Targets, sources, legal/ethical boundaries, deliverables, and how findings will be shared — defined before collection.
02
Passive collection & correlation
Gather public data, cross-reference it, and surface the patterns that matter — without tipping the target.
03
Brief, deliver, follow up
Executive brief, technical artifact, and the option to walk through findings and next moves.
Engagement options
Three ways to start.
Pricing scales with target count, source breadth, and depth of correlation.
Focused review
External-surface sweep
A single org, brand, or third party. Headline exposure picture without a deep correlation pass.
- Defined target list and source scope
- Executive + technical artifact
- Source citations for everything
Most common
Full-spectrum collection
Infrastructure, identity, and third-party signal cross-referenced and analyzed together.
- Multi-source collection
- Cross-reference & correlation pass
- Debrief call included
Ongoing program
Recurring intel collection
Quarterly external reviews, brand monitoring, or sustained investigation support.
- Recurring collection cadence
- Change tracking between cycles
- Long-term partner relationship
Engagements typically start at $1,800 for a focused review.
FAQ
Questions we hear before kickoff.
Is OSINT legal?
We use public sources and authorized data only. We do not bypass authentication, scrape against terms, or use illegally obtained material. Scope and source boundaries are agreed before work starts.
Will the target know you're looking?
Default posture is passive collection. We avoid noisy techniques and active probing unless the engagement explicitly calls for them and you've authorized it.
How is this different from a vulnerability scan?
Scanners look at known weaknesses on assets you point at. OSINT looks at what an attacker can learn about you, your people, and your dependencies from public sources.
Can you do investigations or recon for pentests?
Yes — OSINT often runs as the recon phase of a pentest, due diligence run, or investigation. It can stack with other services or stand alone.
Want to know what's findable about you?
Tell us what you want collected — a domain, an org, a third party, or an investigation target — and what you'd want to do with the findings.