I perform external OSINT reconnaissance assessments mapping your organization's attack surface from publicly available information — the same reconnaissance an attacker performs before engaging your systems.
Enumeration scope: domain and subdomain enumeration (passive DNS, certificate transparency, brute-force); IP range and ASN mapping; exposed service fingerprinting via Shodan and Censys; web technology stack identification; employee enumeration from LinkedIn and professional networks; breach credential exposure via HaveIBeenPwned and DeHashed; GitHub and GitLab scanning for accidentally committed API keys, tokens, and credentials; document metadata extraction; and identification of lookalike phishing domains (typosquatting, homoglyphs).
Deliverables: comprehensive external footprint report with exposed asset inventory, credential exposure findings, code repository secret exposure (if found), attack surface reduction recommendations, and (Premium) dark web credential monitoring check and executive targeting assessment.
The work is primarily passive: I query public sources without touching your systems. Active enumeration (DNS brute-force, port scanning of discovered assets) is disclosed and agreed in advance. The engagement requires written authorization confirming you own or are authorized to assess the organization.