Mastering the art of finding what's hiding in plain sight
Professional stalking with better coffee and a badge. (The badge is metaphorical.)
"Listen up, recruit. Everything you need is already out there — published, posted, or accidentally left in a public S3 bucket. Your job is knowing where to look."
By the end of this, you'll never look at a LinkedIn profile the same way again.
Open Source Intelligence (OSINT) is intelligence derived from openly available sources. That includes news articles, social media, government databases, corporate filings, academic papers, blogs, forums, podcasts, YouTube videos, and literally anything else you can access without breaking in or hacking.
Here's the kicker: 80-90% of intelligence typically comes from open sources. You don't need classified access to be a valuable intelligence analyst. You need to know where to look and how to verify what you find.
OSINT is legal when conducted properly, ethical, and incredibly powerful. It's the foundation of modern intelligence analysis.
Advanced search syntax to refine and target your queries. Google dorking, Bing, specialized search engines.
Mining profiles, metadata, connections, and behavior patterns across LinkedIn, Twitter, Facebook, Instagram, and niche platforms.
Government databases, court records, corporate filings, property records, business licenses, and regulatory documents.
WHOIS lookups, DNS records, archive.org snapshots, technology stack identification, and historical site changes.
Reverse image search, EXIF metadata extraction, geolocation analysis, facial recognition tools, and video analysis techniques.
Google dorking uses advanced search operators to refine results with surgical precision. Write each operator with no space after the colon; with a space, the search engine treats the value as an ordinary search term. Here are the most useful ones:
site:domain.com
Limit results to a specific domain. Example: site:tesla.com earnings
filetype:pdf
Find specific file types. Example: Company X filetype:pdf quarterly
intitle:"title text"
Search for specific text in page titles. Example: intitle:confidential internal
inurl:path/to/page
Search for text in URLs. Example: inurl:admin login
"exact phrase"
Search for exact phrases. Example: "security vulnerability" "discovered"
Just like the intelligence cycle, OSINT has its own process. Good OSINT work is systematic and documentable:
Define your objectives, identify what information you need, determine key search terms and sources.
Execute your searches across multiple sources. Document every source and search query you use.
Organize findings by source type, timeline, and relevance. Flag gaps and contradictions.
Evaluate reliability, identify patterns, connect dots, assess confidence levels, develop assessments.
Present findings with sources, methodology, confidence levels, and recommendations for further collection.
Using only publicly available information and a search engine, find 3 pieces of verifiable information about any public company (not a person).
Document your sources and the search queries you used to find them. For example:
Example Setup:
Company: Apple Inc.
Information 1: Latest quarterly revenue
Source: SEC filings (10-Q)
Search Query: site:sec.gov Apple 10-Q 2024
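One way to keep the exercise log checkable, as an added example that is not part of the original page: it parses each recorded query into the operators covered above and flags entries that are incomplete or whose operator was broken by a space after the colon. The names parse_query, review_log and LOG are hypothetical; entry 1 is the page's Apple example and entries 2 and 3 are constructed sample data.

```python
import re

OPERATORS = ("site", "filetype", "intitle", "inurl")  # operators listed on this page
TOKEN = re.compile(r'(?:\w+:)?"[^"]*"|\S+')  # keeps a quoted phrase in one token

def parse_query(query):
    """Split a query into operator filters, exact phrases, terms and warnings."""
    filters, phrases, terms, warnings = {}, [], [], []
    for tok in TOKEN.findall(query):
        name, sep, value = tok.partition(":")
        if tok.startswith('"'):
            phrases.append(tok.strip('"'))
        elif sep and name.lower() in OPERATORS:
            if value:
                filters.setdefault(name.lower(), []).append(value.strip('"'))
            else:
                # e.g. "site: sec.gov": the space detached the value from the operator
                warnings.append(f"{tok} has no value; remove the space after the colon")
        else:
            terms.append(tok)
    return filters, phrases, terms, warnings

def review_log(entries, required=3):
    """Check a collection log; return a list of problems (empty list means OK)."""
    problems = []
    if len(entries) < required:
        problems.append(f"only {len(entries)} of {required} findings documented")
    for i, e in enumerate(entries, 1):
        for key in ("information", "source", "query"):
            if not e.get(key, "").strip():
                problems.append(f"entry {i}: missing {key}")
        for w in parse_query(e.get("query", ""))[3]:
            problems.append(f"entry {i}: {w}")
    return problems

# Entry 1 is the page's example; entries 2 and 3 are constructed sample data.
LOG = [
    {"information": "Latest quarterly revenue", "source": "SEC filings (10-Q)",
     "query": "site:sec.gov Apple 10-Q 2024"},
    {"information": "Annual report", "source": "SEC filings (10-K)",
     "query": 'site: sec.gov Apple "annual report" filetype:pdf'},
    {"information": "Board of directors", "source": "",
     "query": "site:sec.gov Apple proxy statement"},
]

if __name__ == "__main__":
    for problem in review_log(LOG):
        print(problem)
```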
TL;DR: Google is your friend. But verify everything, respect boundaries, and remember — just because you CAN find it doesn't mean you SHOULD share it.