OSINT Recon Lab
Comprehensive open-source reconnaissance against a target organization or person, for defensive awareness and education only.
Hard Ethical Rules
- OSINT only: public sources, no scraping behind logins.
- No phishing content, ever, even for "training."
- No attack playbooks or step-by-step exploitation.
- All threat-surface analysis is framed as defense.
- Source every claim. Never fabricate. Mark unknowns clearly.
Enter a company name, domain, or person. Aggregates ~15 public sources in parallel.
Methodology: 4-Step Sequence
- Search: gather data from LinkedIn, Crunchbase, GitHub, X/Twitter, news, careers pages, certificate transparency, DNS, archived snapshots.
- Correlate: cross-reference findings; flag contradictions.
- Assess: assign confidence: [CONF:HIGH] / [MEDIUM] / [LOW].
- Report: terminal-style with bracket tags and inline citations.
Intelligence Categories
- [COMPANY_PROFILE]: name, sector, addresses, headcount, products, social.
- [INFRASTRUCTURE]: primary domain, MX/A/NS, SPF/DMARC posture, subdomains via crt.sh.
- [LEADERSHIP]: CEO / C-suite / technical leads with cited LinkedIn URLs.
- [EMAIL_PREDICTION]: pattern guesses with likelihood and Hunter.io cross-check.
- [TECH_FOOTPRINT]: GitHub org, public repos, Twitter handle.
- [CURRENT_STATUS]: recent press, funding, hiring signals.
- [WEB_FOOTPRINT / ARCHIVE_HISTORY]: URLscan public scans + Wayback snapshots.
- [THREAT_SURFACE]: defensive mapping of how the data above could enable social-engineering (SE) attacks, with countermeasures.
Output Format
- Single-line entries inside [BRACKET_TAGS].
- Inline source citations: (Source: LinkedIn), (Source: crt.sh).
- Confidence badges: [CONF:HIGH/MEDIUM/LOW].
- Footer always reads: "All data OSINT-sourced. Defensive awareness only."
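
The SPF/DMARC posture item under [INFRASTRUCTURE], rendered in the output format above, as an added example (not the lab's own code). The function names, the grading text, and the confidence rule (HIGH when DNS states the policy directly, LOW when it cannot be read from the records given) are assumptions; the TXT records are constructed and nothing is queried live.

```python
# Added example; records below are constructed. Confidence rule is an assumption:
# HIGH when DNS states the policy directly, LOW when it cannot be read from these records.
FOOTER = "All data OSINT-sourced. Defensive awareness only."
SPF_ALL = {"-all": "hard fail (-all)", "~all": "soft fail (~all)",
           "?all": "neutral (?all), no protection",
           "+all": "pass (+all), any sender accepted",
           "all": "pass (all), any sender accepted"}

def spf_posture(txt_records):
    """Grade the SPF policy among a domain's TXT records (RFC 7208)."""
    spf = [r.lower().split() for r in txt_records
           if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "SPF: no record published", "HIGH"
    if len(spf) > 1:
        return "SPF: multiple records, evaluation fails with permerror", "HIGH"
    for term in spf[0][1:]:
        if term in SPF_ALL:  # first 'all' ends evaluation; later terms are ignored
            return "SPF: " + SPF_ALL[term], "HIGH"
    if any(t.startswith("redirect=") for t in spf[0]):
        return "SPF: UNKNOWN, policy delegated by redirect= and not resolved", "LOW"
    return "SPF: no 'all' term, unmatched senders get neutral", "HIGH"

def dmarc_posture(dmarc_records):
    """Grade the TXT records published at _dmarc.<domain> (RFC 7489)."""
    recs = [r for r in dmarc_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return "DMARC: no record published", "HIGH"
    if len(recs) > 1:
        return "DMARC: multiple records, DMARC processing not applied", "HIGH"
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "DMARC: UNKNOWN, p= tag missing or invalid", "LOW"
    suffix = ", monitoring only" if policy == "none" else ""
    return f"DMARC: p={policy}{suffix}", "HIGH"

def report(domain, txt_records, dmarc_records):
    """Emit single-line entries with citation, confidence badge and footer."""
    findings = (spf_posture(txt_records), dmarc_posture(dmarc_records))
    lines = [f"[INFRASTRUCTURE] {domain} {text} (Source: DNS) [CONF:{conf}]"
             for text, conf in findings]
    return lines + [FOOTER]

if __name__ == "__main__":
    print("\n".join(report("example.com",
        ["site-verification=constructed", "v=spf1 include:_spf.example.net ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])))
```

A soft-fail SPF record paired with `p=none` is the combination to flag for countermeasures in [THREAT_SURFACE], since receivers are not asked to reject or quarantine mail that fails authentication.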