OSINT for Due Diligence: The Investigator's Checklist (2026)
Third-party risk is growing faster than most organizations can track. In 2025, 73% of organizations experienced at least one significant disruption caused by a third party (Gartner, 2025). Traditional due diligence, built on self-reported documents and curated references, can't keep pace with that risk.
Open-source intelligence fills the gaps. OSINT due diligence uses publicly available data to independently verify identities, reputations, litigation records, and hidden connections. It doesn't rely on what the subject chooses to disclose. It relies on what's already public.
We've built OSINT workflows that cross-reference over 200 open sources for investigations. That hands-on work with shell companies, hidden partnerships, and fabricated credentials shaped every item in this 20-point checklist. This guide walks you through person investigation, company investigation, red flags, legal compliance, and the tools that make it practical.
Key Takeaways
- OSINT due diligence independently verifies claims using public data, covering blind spots that self-reported documents miss.
- 73% of organizations experienced third-party disruptions in 2025 (Gartner).
- This 20-item printable checklist covers person investigation, company investigation, red flags, and compliance.
- Applies to hiring, vendor screening, M&A, and investment decisions.
What Is OSINT Due Diligence?
OSINT due diligence is the practice of using publicly available information to verify the identity, reputation, and risk profile of people or companies before a business decision. The global OSINT market reached $12.7 billion in 2025, projected to grow at 26.7% annually through 2035 (Global Market Insights, 2025). That growth reflects how central open-source verification has become.
Traditional due diligence relies on documents the subject provides: financial statements, reference letters, certifications. The problem? A competent bad actor delivers exactly what you expect to see. Clean balance sheets. Spotless references. A polished website.
OSINT flips the verification model. Instead of reviewing curated materials, you collect data independently from public sources: government registries, court databases, domain records, social media profiles, breach databases, and news archives. The subject doesn't control what these sources say about them.
Think of it this way. Would you hire someone based solely on a resume they wrote themselves? Of course not. You'd verify employment dates, check references independently, and search for public records. OSINT due diligence applies that same logic to every business relationship, from vendor contracts to acquisitions.
When Should You Conduct OSINT Due Diligence?
The average cost of a data breach reached $4.88 million globally in 2024, with US breaches averaging $9.36 million (IBM Cost of a Data Breach Report, 2024). Many of those breaches originated through third-party relationships. OSINT due diligence should happen before every significant business commitment.
Hiring and recruitment
Background check OSINT goes beyond criminal record databases. You can verify claimed credentials, check for undisclosed conflicts of interest, and assess how a candidate represents themselves publicly. For executive hires, this is especially critical. A C-suite hire with undisclosed litigation history or fabricated board memberships creates existential risk.
Vendor and supplier screening
Vendor due diligence protects your supply chain. Before onboarding a new supplier, verify their actual operating history, financial stability signals, and reputation across review platforms. A vendor that claims ten years of experience but registered their domain eight weeks ago deserves scrutiny.
Mergers and acquisitions
M&A due diligence traditionally focuses on financials and legal documents. OSINT adds a digital layer: hidden subsidiaries, undisclosed related-party transactions, and reputational risks that don't appear in audited financial statements. Have you ever wondered what the target company's employees say on Glassdoor?
Investment decisions
Whether you're a venture capital firm or an angel investor, OSINT helps verify founder claims. Check if the founder's LinkedIn profile matches public records. Search for previous ventures and their outcomes. Cross-reference claimed partnerships against the partner's own public communications.
KYC and AML compliance
Financial institutions use KYC OSINT to verify customer identities, screen for Politically Exposed Persons (PEPs), and monitor sanctions lists. Regulators increasingly expect open-source verification as part of compliance programs. We'll cover this in detail in the legal compliance section.
The 20-Point OSINT Due Diligence Checklist
In 2025, over 3,300 data compromises were recorded in the US alone, a 79% increase over five years (Identity Theft Resource Center, 2026). The surface area for investigation has never been larger. This printable checklist organizes 20 verification points into four categories.
Printable OSINT Due Diligence Checklist
A. Person Investigation (Items 1-7)
- Verify full legal name against government registries and public records
- Run reverse email lookup across breach databases and social platforms
- Validate phone number ownership and carrier history
- Search username across 200+ platforms for connected accounts
- Review social media profiles for consistency with stated claims
- Check court records for civil, criminal, and regulatory filings
- Screen against sanctions lists (OFAC, EU, UN) and PEP databases
B. Company Investigation (Items 8-14)
- Confirm corporate registration, status, and filing history
- Verify domain age, WHOIS records, and SSL certificate details
- Cross-reference directors and officers against other entity filings
- Search financial records, liens, and bankruptcy filings
- Review Wayback Machine history for website consistency
- Analyze employee-facing reviews (Glassdoor, Indeed, Blind)
- Check consumer reputation platforms (BBB, Trustpilot, Google Reviews)
C. Red Flag Detection (Items 15-18)
- Flag domain registration dates that contradict claimed company age
- Identify shared addresses, phones, or registrants across entities
- Detect corporate email exposure in breach databases
- Search news archives for regulatory actions, fraud allegations, or investigations
D. Compliance and Documentation (Items 19-20)
- Document all sources, timestamps, and methodology for legal defensibility
- Verify data handling meets GDPR, LGPD, or applicable privacy regulations
Print this checklist or save it as a reference. Not every item applies to every investigation. For a vendor screening, you might prioritize items 8 through 14 and 15 through 18. For an executive hire, items 1 through 7 are your starting point. The key is systematic coverage.
How Do You Investigate a Person with OSINT?
There are 5.24 billion social media users worldwide as of early 2025, representing 63.9% of the global population (DataReportal, 2025). People leave extensive digital trails. OSINT person investigation follows those trails systematically.
Email investigation
Start with the subject's email address. A reverse email lookup can reveal linked social media accounts, breach exposure, registration history, and sometimes real names behind anonymous addresses. Check if the email appears in known data breaches. An executive whose corporate email shows up in 12 different breach databases indicates weak security hygiene.
Don't stop at the primary email. Search for variations: firstname.lastname, first initial + last name, nicknames. People often maintain separate accounts for different purposes. The professional LinkedIn email might be clean, but a personal Gmail used for forum registrations could reveal much more.
Phone number analysis
Phone numbers connect to carrier records, messaging apps, and identity verification services. A reverse phone lookup can confirm the owner's name, identify linked accounts (WhatsApp, Telegram, Signal), and reveal whether the number is a burner, VoIP line, or legitimate carrier account. VoIP numbers used as primary business contacts can signal transient operations.
Username tracing
Most people reuse usernames across platforms. If you find a subject's GitHub username, that same handle might exist on Reddit, Twitter, gaming platforms, and niche forums. Username tracing across 200+ platforms can build a comprehensive picture of someone's interests, opinions, and associations that a resume never mentions.
Social media deep review
Go beyond the profile summary. Check posting history, connections, group memberships, and interactions. Does the subject's claimed expertise match what they discuss publicly? Are they connected to individuals or organizations that create conflict-of-interest concerns? Social media consistency is a strong credibility signal.
How Do You Investigate a Company with OSINT?
Corporate fraud losses reached $3.1 billion across cases analyzed in 2024, with a median loss of $145,000 per case (Association of Certified Fraud Examiners, 2024). Company investigation through OSINT catches risks that financial audits and self-reported documents miss.
Domain and web infrastructure
The domain is your first stop. Check WHOIS records for registration date, registrant details, and name server configuration. Compare the domain age against the company's claimed founding date. A supposed 15-year-old company operating on a domain registered three months ago is a red flag you can't afford to miss.
Use the Wayback Machine to review historical snapshots of the company's website. Has the site existed continuously, or did it appear suddenly? Major unexplained changes in branding, services offered, or company description can indicate ownership changes or pivots worth investigating.
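The two checks above (domain age against the claimed founding date, and continuity of the site's capture history) can be scripted once the WHOIS creation date and the Wayback Machine capture timestamps are in hand. The block below is an added example, not code from this page or from Espectro: the founding year, WHOIS creation date and capture timestamps are constructed sample inputs, and the CDX-style `YYYYMMDDhhmmss` timestamp form is the one the Wayback Machine's CDX API returns. It goes one step beyond the text by also flagging captures that predate the current registration, which indicates the domain was dropped and re-registered.

```python
"""Domain-age and website-continuity checks (checklist items 9, 12 and 15).

Added example, not code from the page or from Espectro. The WHOIS creation
date and the Wayback Machine capture list below are constructed sample inputs;
in a real review they would come from a WHOIS/RDAP lookup and from the Wayback
Machine CDX API (whose timestamps use the YYYYMMDDhhmmss form used here).
"""
from datetime import date

# Constructed sample: the vendor states it was founded in 2011, but WHOIS shows
# the domain was created about ten weeks before the review date.
CLAIMED_FOUNDING_YEAR = 2011
WHOIS_CREATED = date(2025, 11, 3)
REVIEW_DATE = date(2026, 1, 12)

# Constructed sample: capture timestamps for the same domain. Note the gap of
# almost nine years between 2015 and 2023, and that captures exist from years
# before the current WHOIS creation date.
WAYBACK_TIMESTAMPS = [
    "20140205103000",
    "20140811221500",
    "20150103091200",
    "20231118040000",
    "20251110120000",
]


def domain_age_days(created: date, as_of: date) -> int:
    """Days between the WHOIS creation date and the review date."""
    return (as_of - created).days


def domain_age_mismatch(claimed_year: int, created: date, as_of: date,
                        max_age_days: int = 90, min_claimed_years: int = 1) -> bool:
    """Red flag 15: the company claims at least `min_claimed_years` of
    operation but its domain was registered within the last `max_age_days`.
    The page's own example is 10+ claimed years against a 90-day window."""
    claimed_years = as_of.year - claimed_year
    return (claimed_years >= min_claimed_years
            and domain_age_days(created, as_of) <= max_age_days)


def parse_cdx_timestamp(ts: str) -> date:
    """CDX timestamps are YYYYMMDDhhmmss; only the date part is needed here."""
    return date(int(ts[0:4]), int(ts[4:6]), int(ts[6:8]))


def wayback_gaps(timestamps, max_gap_days: int = 365):
    """Stretches longer than `max_gap_days` with no capture, returned as
    (earlier, later, gap_days). A long gap is where a parked period or an
    unrelated earlier business (red flag 18) usually hides."""
    dates = sorted(parse_cdx_timestamp(t) for t in timestamps)
    gaps = []
    for earlier, later in zip(dates, dates[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            gaps.append((earlier, later, gap))
    return gaps


def captures_predate_registration(timestamps, created: date) -> bool:
    """True when captures exist from before the current WHOIS creation date:
    someone else held the domain earlier, it lapsed and was re-registered, so
    the archived history is not the current company's history."""
    dates = [parse_cdx_timestamp(t) for t in timestamps]
    return bool(dates) and min(dates) < created


def assess_domain(claimed_year: int, created: date, as_of: date, timestamps) -> dict:
    """Collect the findings an analyst would record for items 9, 12 and 15."""
    return {
        "domain_age_days": domain_age_days(created, as_of),
        "age_mismatch": domain_age_mismatch(claimed_year, created, as_of),
        "capture_gaps": wayback_gaps(timestamps),
        "captures_predate_registration": captures_predate_registration(timestamps, created),
    }


if __name__ == "__main__":
    result = assess_domain(CLAIMED_FOUNDING_YEAR, WHOIS_CREATED, REVIEW_DATE,
                           WAYBACK_TIMESTAMPS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

None of these flags is proof on its own. A domain can legitimately lapse and be re-registered by the same business, and a capture gap can simply mean the archive did not crawl the site; each finding goes into the file as a question for the subject to answer, alongside the WHOIS record and capture list it was derived from.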
Corporate registration and directors
Verify the company's legal status through the relevant corporate registry. In the US, that's the Secretary of State for the incorporation state. In Brazil, it's the Receita Federal for CNPJ records. In the UK, Companies House provides free access. Check whether the entity is active, when it was incorporated, and who the current directors are.
Cross-reference directors and officers against other corporate filings. A director who appears on 40 different company registrations across five jurisdictions isn't necessarily fraudulent, but it demands explanation. Are they a professional nominee director? A serial entrepreneur? Or someone lending their name to shell companies?
Financial indicators and public filings
Publicly filed financial records, lien filings, and bankruptcy records provide objective financial health signals. Search for UCC filings, tax liens, and judgment records. For publicly traded companies, SEC filings (10-K, 10-Q) are available through EDGAR. For private companies, credit reporting agencies and public filing searches offer partial visibility.
Reputation and review analysis
Consumer-facing platforms tell you what the company's actual customers experience. Check the Better Business Bureau, Trustpilot, Google Reviews, and industry-specific platforms. One negative review is noise. A pattern of complaints about non-delivery, contract breaches, or billing disputes is a signal worth investigating further.
Employee reviews on Glassdoor and Indeed offer internal perspective. High turnover signals, complaints about management ethics, or reports of unpaid wages can indicate operational instability that financial documents won't reveal. What do the people who work there actually say about working there?
What Red Flags Should You Watch For?
Occupational fraud takes a median of 12 months to detect, according to the ACFE's 2024 Report to the Nations (ACFE, 2024). OSINT due diligence can compress that detection window dramatically. Here are the red flags that experienced investigators prioritize.
Identity and registration red flags
- Domain age mismatch: Company claims 10+ years of operation, but their domain was registered within the past 90 days.
- Shared registered addresses: The company's address is shared by dozens of other entities, suggesting a virtual office or mail-drop arrangement.
- Nominee directors: Directors appear on filings for 30+ unrelated companies, typical of professional nominee services used to obscure true ownership.
- Frequent corporate changes: Rapid succession of director changes, registered address moves, and business name alterations within a short period.
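The cross-referencing described in the company investigation section (directors and officers against other filings) and the shared-address and nominee-director flags listed above both reduce to the same operation: normalise the address and director fields of a set of registry filings, then count how many distinct entities share each value. The block below is an added example, not code from this page or from Espectro; the six filings are constructed, and the 30-entity nominee threshold comes from the page's rule of thumb (the test data uses a lower threshold purely because the sample is small).

```python
"""Cross-referencing directors and registered addresses across filings
(checklist items 10 and 16; the "shared registered addresses" and "nominee
directors" red flags).

Added example, not code from the page or from Espectro. The filings below are
constructed; real ones would come from a registry export such as
OpenCorporates, Companies House or a state Secretary of State portal.
"""
import re
from collections import defaultdict

# Token-level abbreviations so "Main Street, Suite 400" and "Main St Ste 400"
# normalise to the same key. The suite number is kept on purpose: dozens of
# entities in one suite is exactly the virtual-office pattern to surface.
_ADDRESS_ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "suite": "ste",
    "boulevard": "blvd", "drive": "dr",
}

# Constructed sample filings (entity names, addresses and people are fictional).
SAMPLE_FILINGS = [
    {"entity": "Acme Holdings LLC", "jurisdiction": "US-DE",
     "address": "100 Main Street, Suite 400, Dover, DE",
     "directors": ["J. Nominee", "A. Founder"]},
    {"entity": "Bluewater Trading Inc.", "jurisdiction": "US-DE",
     "address": "100 Main St, Ste 400, Dover, DE",
     "directors": ["J. Nominee"]},
    {"entity": "Crescent Logistics Ltd", "jurisdiction": "GB",
     "address": "100 MAIN STREET SUITE 400 DOVER DE",
     "directors": ["J. Nominee"]},
    {"entity": "Delta Freight Corp", "jurisdiction": "US-OR",
     "address": "22 Harbor Avenue, Portland, OR",
     "directors": ["M. Operator"]},
    {"entity": "Echo Supply Co", "jurisdiction": "US-OR",
     "address": "22 Harbor Ave, Portland OR",
     "directors": ["M. Operator", "J. Nominee"]},
    {"entity": "Foxtrot Analytics", "jurisdiction": "US-TX",
     "address": "9 Elm Road, Austin, TX",
     "directors": ["R. Singh"]},
]


def normalize_address(address: str) -> str:
    """Lower-case, strip punctuation, collapse whitespace, expand abbreviations."""
    tokens = re.sub(r"[^\w\s]", " ", address.lower()).split()
    return " ".join(_ADDRESS_ABBREVIATIONS.get(t, t) for t in tokens)


def normalize_name(name: str) -> str:
    """Lower-case and strip punctuation so "J. Nominee" and "j nominee" match."""
    return " ".join(re.sub(r"[^\w\s]", " ", name.lower()).split())


def shared_address_clusters(filings, min_entities: int = 2) -> dict:
    """Normalised address -> sorted entity names, for addresses used by at
    least `min_entities` distinct entities."""
    by_address = defaultdict(set)
    for f in filings:
        by_address[normalize_address(f["address"])].add(f["entity"])
    return {addr: sorted(names) for addr, names in by_address.items()
            if len(names) >= min_entities}


def director_entity_counts(filings) -> dict:
    """Normalised director name -> number of distinct entities they sit on."""
    entities = defaultdict(set)
    for f in filings:
        for d in f["directors"]:
            entities[normalize_name(d)].add(f["entity"])
    return {d: len(e) for d, e in entities.items()}


def director_jurisdiction_counts(filings) -> dict:
    """Normalised director name -> number of distinct jurisdictions filed in."""
    jurisdictions = defaultdict(set)
    for f in filings:
        for d in f["directors"]:
            jurisdictions[normalize_name(d)].add(f["jurisdiction"])
    return {d: len(j) for d, j in jurisdictions.items()}


def nominee_candidates(filings, threshold: int = 30) -> list:
    """Directors appearing on `threshold` or more entities. The page's rule of
    thumb is 30+; a hit is a prompt for explanation, not a finding of fraud."""
    return sorted(d for d, n in director_entity_counts(filings).items()
                  if n >= threshold)


if __name__ == "__main__":
    for addr, names in shared_address_clusters(SAMPLE_FILINGS).items():
        print(f"{len(names)} entities at '{addr}': {', '.join(names)}")
    for director, n in sorted(director_entity_counts(SAMPLE_FILINGS).items()):
        print(f"{director}: {n} entities, "
              f"{director_jurisdiction_counts(SAMPLE_FILINGS)[director]} jurisdictions")
```

The normalisation is deliberately conservative: it only expands a handful of abbreviations and never drops the suite or unit number, so two entities in different suites of the same building are not merged. Matching people across jurisdictions on a name alone is weaker than matching on a registry-assigned officer identifier where one exists, so any nominee hit should be confirmed against the underlying filings before it is written up.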
Digital and reputational red flags
- Breach exposure: Corporate email addresses appear in multiple data breaches, indicating poor security practices.
- Social media inconsistency: A company claiming 500 employees has 15 LinkedIn followers and no employee profiles.
- Review manipulation: Clusters of five-star reviews posted within days of each other, often with generic language patterns.
- Website history gaps: The Wayback Machine shows the domain previously hosted a completely different business or was parked.
Legal and financial red flags
- Litigation patterns: Multiple lawsuits involving fraud, breach of contract, or regulatory violations across different jurisdictions.
- Sanctions list proximity: Directors or beneficial owners connected to entities on OFAC, EU, or UN sanctions lists.
- Tax lien accumulation: Unresolved federal or state tax liens indicating financial distress or non-compliance.
- Regulatory actions: FTC enforcement actions, SEC violations, or industry-specific regulatory penalties.
Which Tools Support OSINT Due Diligence?
No single tool covers every aspect of a due diligence investigation. With over 14.6 billion records exposed in data breaches during 2024 (IT Governance, 2025), you need an ecosystem of verification tools. Here's how to organize your toolkit by function.
| Category | Tools | What They Reveal |
|---|---|---|
| Domain & Web | WHOIS, Wayback Machine, crt.sh, Shodan | Domain age, registration history, SSL certificates, exposed infrastructure |
| Breach Exposure | Have I Been Pwned, DeHashed, Espectro breach module | Compromised credentials, breach frequency, data types exposed |
| Corporate Registry | OpenCorporates, SEC EDGAR, Companies House, state SOS portals | Legal status, directors, filing history, related entities |
| Court Records | PACER, CourtListener, state court portals | Civil litigation, criminal records, regulatory actions |
| Sanctions & PEP | OFAC SDN List, EU Sanctions, UN Consolidated List | Sanctioned entities, PEP status, restricted counterparties |
| Social & Reputation | LinkedIn, Glassdoor, BBB, Trustpilot, Google Reviews | Employee sentiment, customer experience, public reputation |
| Consolidated OSINT | Espectro, Maltego, SpiderFoot | Cross-source search, entity linking, automated collection |
The challenge isn't finding tools. It's efficiency. Manually checking 15 different platforms for a single entity takes hours. This is where consolidated platforms add the most value, by automating the collection phase so analysts can focus on interpretation and judgment.
How Does Espectro Fit into Due Diligence Workflows?
Organizations that use AI extensively in security saved $2.22 million per breach compared to those that didn't (IBM, 2024). Automation doesn't replace analyst judgment. It eliminates the hours spent on manual data collection, freeing investigators to focus on what matters: interpreting findings and making decisions.
Espectro searches across 200+ open sources with a single query. Enter an email, phone number, username, domain, or company identifier. The platform returns structured results organized by source, with timestamps and direct links to original data. Data collection for items 1 through 5, 8 through 10, and 15 through 17 from the checklist above runs automatically.

The remaining items, particularly red flag interpretation (items 15-18) and compliance documentation (items 19-20), require human analysis. Espectro provides the raw data. You provide the judgment. That division of labor is intentional. Automated collection with human analysis produces the most reliable outcomes.
Is OSINT Due Diligence Legal Under GDPR and LGPD?
GDPR fines totaled over 2.1 billion euros from 2018 through 2024 (GDPR Enforcement Tracker, 2025). Legal compliance isn't optional. OSINT due diligence is legal when conducted properly, but "publicly available" doesn't mean "anything goes."
GDPR considerations
Under GDPR, Article 6(1)(f) allows data processing based on legitimate interest. Due diligence for business protection qualifies. However, you must conduct a legitimate interest assessment, apply the proportionality principle (don't collect more data than needed), and be prepared to respond to data subject access requests.
Special category data under Article 9, which includes health information, political opinions, and biometric data, requires additional legal basis even when publicly available. If someone's public social media reveals health conditions or political affiliations, you need to evaluate whether processing that data is proportionate to your due diligence purpose.
LGPD considerations
Brazil's LGPD, under Article 7(IX), explicitly allows processing of data that is manifestly made public by the data subject. This provides a relatively clear legal basis for OSINT due diligence using publicly posted information. The key constraint: the processing must still respect the data subject's legitimate expectations and the original context of publication.
Best practices for legal defensibility
- Document everything: Record your methodology, the sources consulted, timestamps, and the legitimate interest justification for each investigation.
- Apply proportionality: Collect only what's relevant to your due diligence purpose. Don't build comprehensive dossiers when a targeted check will suffice.
- Secure your findings: Store investigation results with appropriate access controls and retention periods.
- Know jurisdictional rules: The subject's location determines which privacy laws apply, not yours. Investigating a European subject from the US still triggers GDPR.
- Consult legal counsel: For high-risk investigations, especially those involving special category data or cross-border subjects, get legal review before proceeding.
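The "document everything" and "secure your findings" practices above, together with checklist items 19 and 20, come down to keeping a record that can later show what was collected, from where, when, under which legal basis, and that nothing in it was altered afterwards. The block below is an added example, not code from this page or from Espectro: a tamper-evident evidence log in which each record carries a SHA-256 of the captured content, the legitimate-interest justification, a retention date, and the hash of the previous record. The case identifier, URLs and captured text are constructed placeholders.

```python
"""Tamper-evident evidence log for checklist item 19 (sources, timestamps,
methodology) with the retention date that item 20 and "secure your findings"
call for.

Added example, not code from the page or from Espectro. The case identifier,
URLs and captured content below are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS_HASH = "0" * 64   # prev_record_hash of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Append-only record of what was collected, from where, when and why.

    Each record stores a SHA-256 of the captured content (so a stored copy can
    later be shown to be unchanged) plus the hash of the previous record, so
    an edited or deleted record is detected by verify()."""

    def __init__(self, case_id: str, purpose: str, legal_basis: str,
                 retention_days: int = 365):
        self.case_id = case_id
        self.purpose = purpose             # why the check is proportionate
        self.legal_basis = legal_basis     # e.g. "GDPR Art. 6(1)(f) legitimate interest"
        self.retention_days = retention_days
        self.records = []

    @staticmethod
    def _hash_record(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "record_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def add(self, checklist_item: int, source_url: str, content: bytes,
            note: str = "", captured_at: Optional[datetime] = None) -> dict:
        captured_at = captured_at or datetime.now(timezone.utc)
        record = {
            "case_id": self.case_id,
            "checklist_item": checklist_item,
            "source_url": source_url,
            "captured_at": captured_at.isoformat(),
            "retain_until": (captured_at + timedelta(days=self.retention_days)).isoformat(),
            "content_sha256": sha256_hex(content),
            "content_length": len(content),
            "note": note,
            "purpose": self.purpose,
            "legal_basis": self.legal_basis,
            "prev_record_hash": self.records[-1]["record_hash"] if self.records else GENESIS_HASH,
        }
        record["record_hash"] = self._hash_record(record)
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """True only if every record hashes correctly and the chain is intact."""
        prev = GENESIS_HASH
        for record in self.records:
            if record["prev_record_hash"] != prev:
                return False
            if self._hash_record(record) != record["record_hash"]:
                return False
            prev = record["record_hash"]
        return True

    def expired(self, now_iso: str) -> list:
        """Records past their retention date as of `now_iso`, due for deletion."""
        now = datetime.fromisoformat(now_iso)
        return [r for r in self.records
                if datetime.fromisoformat(r["retain_until"]) <= now]

    def export(self) -> str:
        return json.dumps({"case_id": self.case_id, "records": self.records}, indent=2)


# Constructed sample captures (placeholder content, not real records).
SAMPLE_WHOIS_TEXT = b"Domain Name: EXAMPLE-VENDOR.example\nCreation Date: 2025-11-03T00:00:00Z\n"
SAMPLE_REGISTRY_TEXT = b"Entity: Example Vendor LLC\nStatus: Active\nIncorporated: 2025-10-28\n"


def build_sample_log() -> EvidenceLog:
    """Two captures for a constructed vendor-screening case."""
    log = EvidenceLog(case_id="VENDOR-2026-0001 (placeholder)",
                      purpose="Pre-contract vendor screening",
                      legal_basis="GDPR Art. 6(1)(f) legitimate interest",
                      retention_days=365)
    t0 = datetime(2026, 1, 12, 9, 30, tzinfo=timezone.utc)
    log.add(9, "https://rdap.example/domain/example-vendor.example",
            SAMPLE_WHOIS_TEXT, note="WHOIS creation date", captured_at=t0)
    log.add(8, "https://registry.example/entity/placeholder",
            SAMPLE_REGISTRY_TEXT, note="Registry status",
            captured_at=t0 + timedelta(minutes=4))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.export())
    print("chain intact:", sample.verify())
```

Storing the content hash rather than the content itself keeps the log small and lets the captured pages live in a separately access-controlled store, which is the proportionality point: the log proves what was looked at without itself becoming a dossier. The `retain_until` field gives the retention-period clean-up something concrete to act on, and `verify()` is the check to run before findings are relied on or handed to counsel.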
Frequently Asked Questions
Does OSINT due diligence replace traditional background checks?
No. OSINT complements traditional checks by adding a digital verification layer. Traditional methods examine financial statements and references provided by the subject. OSINT independently verifies identity claims, online presence, breach exposure, and hidden connections using publicly available data. The strongest due diligence programs combine both approaches.
How long does an OSINT due diligence investigation take?
A manual OSINT investigation typically takes 4 to 8 hours per entity. Automated platforms reduce the initial data collection across 200+ sources to under 2 minutes. The analysis phase, which requires human judgment, adds 1 to 3 hours depending on the volume and severity of findings. Complex M&A investigations with multiple related entities can take significantly longer.
Is OSINT due diligence legal under GDPR and LGPD?
Yes, when conducted properly. OSINT relies on publicly available information. GDPR Article 6(1)(f) permits processing under legitimate interest, and LGPD Article 7(IX) allows processing of manifestly public data. You must document your methodology, apply proportionality, and handle special category data with additional care. Consult legal counsel for cross-border investigations.
What are the most common red flags in OSINT due diligence?
Domain registration dates contradicting claimed company age, corporate emails in multiple breach databases, directors linked to dozens of unrelated entities, mismatches between declared revenue and actual digital footprint, and litigation patterns involving fraud or regulatory violations. The absence of any digital footprint for supposedly established companies is equally concerning.
Can OSINT be used for KYC and AML compliance?
Yes. Financial regulators including FinCEN and the European Banking Authority recommend open-source intelligence as part of customer due diligence. OSINT helps verify identities, screen for PEPs, check sanctions lists, and identify suspicious connections between entities that transaction monitoring alone would miss.
What tools do I need for OSINT due diligence?
A complete toolkit includes WHOIS lookup for domains, Have I Been Pwned for breach checks, court record databases (PACER, state portals), corporate registries (OpenCorporates, SEC EDGAR), sanctions databases (OFAC, EU), and social media analysis tools. Consolidated platforms like Espectro combine 200+ sources into a single search, reducing manual tool-switching.
Conclusion
Due diligence that relies solely on documents the subject provides is incomplete by design. In a landscape where global cybercrime costs $10.5 trillion annually (Statista, 2025) and third-party breaches affect 73% of organizations, independent verification isn't optional. It's a business survival skill.
The 20 items in this checklist cover four critical dimensions: who the person is (identity), what the company shows the world (digital presence), what public records reveal (legal and financial), and what's missing (red flags). No single item decides an investigation. It's the cross-referencing between them that builds the full picture.
Ready to apply this checklist? Start with a free Espectro account and search people and companies across 200+ open sources. Automated collection handles the time-intensive data gathering. You focus on interpreting the results and making decisions.