OSINT Assessment

An OSINT (Open Source Intelligence) assessment is a structured, passive security exercise that maps your organisation's exposure across the surface, deep, and dark web. Conducted by UK-based CREST-accredited analysts, it identifies leaked credentials, dark web monitoring targets, shadow IT assets, and publicly exposed technical details that attackers use during the passive reconnaissance phase of a breach. Unlike a penetration test, no active exploitation is performed. The assessment applies MITRE ATT&CK Reconnaissance techniques (TA0043) as its operational framework.

Dark web monitoring is the process of searching criminal forums, dark web marketplaces, paste sites, and Telegram channels for your organisation's compromised data, including leaked employee credentials, internal documents, and breach database entries. Businesses need dark web monitoring services because attackers actively buy and sell stolen credentials before using them to access corporate systems. A manual OSINT assessment goes further than automated dark web monitoring tools: we identify which credentials are actively being traded, correlate findings with your employee directory and admin accounts, and build an attack scenario showing how those credentials could be used to breach your environment. We provide UK dark web monitoring as part of every OSINT assessment from £3,000.

OSINT assessment pricing typically ranges from £3,000 to £10,000 depending on scope and complexity. Standard OSINT for a single domain (dark web monitoring, credential exposure, digital footprint) averages £3,000 to £5,000. Comprehensive assessments covering multiple domains, code repository analysis, and executive exposure profiling typically cost £5,000 to £8,000. Enterprise-scope OSINT for multi-brand organisations, M&A due diligence, or regulatory compliance requirements typically costs £8,000 to £10,000 or more. All engagements are fixed-price with no hidden charges. We provide a formal quote after understanding your scope requirements.

Dark web monitoring is one component of an OSINT assessment, and typically the most commercially valuable one. An automated dark web monitoring service continuously scans a fixed set of indexed sources for your email domains and sends alerts when credentials appear. An OSINT assessment is broader: it covers dark web monitoring, digital footprint analysis, employee exposure profiling, code repository scanning, and passive reconnaissance, all performed manually by experienced analysts who correlate findings into attack scenarios. The key difference is depth and context. A dark web monitoring alert tells you a credential was found. An OSINT assessment tells you which credential, who it belongs to, what systems they have access to, and how an attacker would use it to breach your environment.

Finding leaked credentials is a trigger event that requires immediate action. First: scope the exposure before acting. Our OSINT assessment investigates the full extent of the leak, identifying which credentials are confirmed compromised, whether they are being actively traded, and whether any other data (documents, code, personal data) was included in the same breach. Second: we provide a prioritised remediation plan that sequences password resets, account lockdowns, and dark web scan follow-up actions correctly. We can begin an urgent OSINT investigation within 48 hours of engagement.

Yes, particularly for organisations with a significant number of remote workers, SaaS dependencies, or a history of third-party data breaches. Credentials stolen in a breach are typically listed for sale within 72 hours. Without active dark web monitoring, the first indication that your credentials are compromised is often the breach itself. An OSINT assessment providing a one-time dark web intelligence snapshot is also valuable as a baseline before deploying continuous monitoring tooling, ensuring you understand your current exposure before investing in ongoing coverage.

Attack surface management (ASM) platforms continuously scan your known and discoverable external assets using automated tooling. OSINT assessments are expert-led, one-time (or periodic) exercises that go further: our analysts access human-curated underground sources, closed-access forums, and dark web marketplaces that automated tools cannot index. An OSINT assessment is also typically the recommended baseline before deploying an ASM platform, since it identifies the unknown assets the platform needs to be configured to monitor. For continuous monitoring, see our managed Attack Surface Management service.

A penetration test involves actively probing and attempting to exploit your systems. An OSINT assessment is entirely passive: we look at your organisation from the outside using only public sources, without touching your infrastructure. Most external penetration tests include a brief OSINT phase. A dedicated OSINT assessment goes significantly deeper, spending the full engagement on reconnaissance rather than treating it as a preliminary step. The two services are complementary: OSINT runs first to tighten pen test scope and surface forgotten assets.

Yes. OSINT relies entirely on publicly accessible information and open-source data sources. We do not access systems without authorisation or break any laws to obtain data. The assessment is passive reconnaissance: we find what is already visible, often in locations you were not aware to look. All work is conducted under a signed engagement agreement defining the precise scope.

Our findings typically fall into five categories: (1) Compromised credentials, including employee email and password pairs from breach databases, combolists, and stealer logs; (2) Dark web intelligence, including data for sale, IAB listings, and ransomware operator communications mentioning your organisation; (3) Shadow IT and forgotten assets, including orphaned subdomains, unapproved cloud instances, and infrastructure from past M&A activity; (4) Code repository leakage, including API keys, hardcoded secrets, and internal architecture details committed to public repositories; (5) Employee exposure, including social engineering-ready intelligence gathered from LinkedIn, technical forums, and public profiles.

We cannot directly delete data from the internet. Our report provides specific guidance on how to issue takedown requests, invalidate leaked credentials, remove sensitive information from code repositories, and configure systems to stop leaking information in future. For active credential exposures, we provide immediate remediation steps to close the risk before attackers exploit the findings.