OSINT Recon Guide: A Reconnaissance Workflow for Investigators and Red Teams

OSINT recon is the discipline of collecting open-source information about a target before you act on it, and it is the stage that decides everything downstream. Reconnaissance (TA0043) is the first tactic in the MITRE ATT&CK Enterprise matrix (MITRE, 2025), the point where an investigation or an authorized attack simulation actually begins. The work splits into two halves that share one method: people-focused recon (footprinting a person across their digital life) and infrastructure-focused recon (mapping an organization's internet-facing attack surface). This guide is the full workflow for both, written for the people who do it professionally.

Whether you're a fraud analyst building a subject profile or a red-teamer scoping an external engagement, the sequence is the same: scope the target, run passive recon, map entities and infrastructure, correlate the findings into a picture, and verify before you conclude. Law enforcement units run a compressed version of this same loop to rank leads fast; our guide to OSINT for law enforcement triage covers that prioritization workflow. New to the field? Start with our primer on what OSINT is and how it works, then come back here for the reconnaissance method.

We've run this loop thousands of times. In our experience, the analysts who stall aren't short a tool. They skip the discipline: they start pulling data before defining scope, or they collect for hours without correlating. Recon isn't a search. It's a graph you build one verified edge at a time, and the order you build it in changes what you find.

Key Takeaways

  • OSINT recon runs in six stages: scope, passive recon, entity mapping, infrastructure mapping, correlation, then documentation and verification.
  • Passive recon (WHOIS, DNS, certificate transparency, breach data, metadata, dorks) collects intelligence without touching the target or leaving a trace on its systems.
  • Exploitation of vulnerabilities drove 20% of breach initial access in 2025, up 34% year over year (Verizon DBIR, 2025), which is exactly the surface recon maps.
  • OSINT means open sources and authorized use only. Every finding is a lead to verify, not proof.

Practical shortcut: the passive people-recon layer below (breach data, social footprint, username and email pivots) is what a single-query platform automates. Run a name, email, username, or phone through the espectrosint platform and it correlates 200+ sources into one documented dossier instead of you checking each by hand.

[Illustrative dossier card from the espectro recon module: seed identifier @j.harper; sources correlated: breach data, usernames across 500+ sites, email footprint, social profiles, public records; result: probable name J. H•••••, 7 linked platforms, 3 breach exposures, 2 associated emails, 3 associates. Masked example data; real results vary with what is public.]

What Is OSINT Reconnaissance?

OSINT reconnaissance is the systematic collection and analysis of open-source data about a target to build a picture before you act. The global OSINT market reached $12.7 billion in 2025 (Global Market Insights, 2025), and most of that spend goes toward one thing: turning scattered public signals into a structured map. Recon is where cases and engagements are won or lost.

The discipline serves two audiences with one method. Investigators footprint a person: names, accounts, breaches, and network. Red teams footprint an organization: domains, subdomains, exposed services, and tech stack. Both start passive, both pivot from finding to finding, and both end with a verified graph. The target differs. The workflow doesn't.

Think of recon as six stages that flow in order. You scope the target, run passive collection, map the entities, map the infrastructure, correlate everything into a target map, then document and verify. Skip a stage and the gaps show up later as bad attribution. For the technical framing of how these stages fit a full case, see our breakdown of the OSINT investigation lifecycle.

[Figure: The Six-Stage OSINT Recon Workflow. Stage 1 Scope + Authorize → Stage 2 Passive Recon → Stage 3 Entity Mapping → Stage 4 Infra Mapping → Stage 5 Correlate + Graph → Stage 6 Document + Verify. Passive-first, then pivot. Each stage feeds the next, and verification closes the loop.]
The recon workflow is a loop, not a checklist. Findings from later stages send you back to collect more.

Step Zero: Scope the Target and Confirm You're Authorized

Define the target and the boundaries before you collect a single record. This is the stage people skip, and it's the one that keeps recon legal. The FBI's IC3 recorded a record $16.6 billion in losses across 859,532 complaints in 2024 (FBI IC3, 2024), and bad-faith "recon" feeds exactly that. Authorization is what separates your work from theirs.

Write down three things before you start. What is the target: a named person, a company, a domain, a single identifier? What are the boundaries: which assets, which identifiers, and what's explicitly out of scope? And what's your basis: a client's written rules of engagement for a red-team job, or a legitimate investigative purpose for a case. If you can't state your authorization in one sentence, you aren't ready to collect.

Scope also shapes the graph. A red-team engagement usually seeds from a domain and expands outward to subdomains, third parties, and employees. An investigation usually seeds from a person or identifier and expands to accounts and network. Breaches involving third parties doubled to 30% in 2025 (Verizon DBIR, 2025), so for infrastructure work, confirm whether suppliers and subsidiaries are in scope before you map them.

Rules of engagement, in one line: open sources only, authorized target only, every finding is a lead until verified. If a step would require logging in as someone else, guessing a password, or buying a leaked database, it's out of scope by definition. That single rule keeps the whole engagement defensible.

What Is Passive Recon and How Do You Run It?

Passive recon is collection that never touches the target's systems, so it leaves no trace and tips no one off. It leans on data that third parties already publish. Certificate transparency alone has logged more than 17 billion certificates since 2013 (Cloudflare, 2025), a public ledger of nearly every domain and subdomain ever issued a certificate. You read that ledger instead of knocking on the target's door.

Passive recon is where most of the workflow's value lives, and it breaks into a few reliable veins.

Domain, DNS, and subdomain footprinting

Start with the public naming layer. WHOIS and RDAP records expose registration dates, the registrar, and name servers; registrant contact details have been largely redacted since 2018, so treat a named registrant as a bonus, not a given. DNS records (A, MX, TXT, NS) reveal hosting and mail providers, and the SPF includes and domain-verification TXT records name the SaaS vendors the organization uses. Certificate transparency logs, queried through crt.sh, hand you subdomains no one meant to advertise, including old hosts whose certificates expired years ago. Tools like Amass and theHarvester automate subdomain and email enumeration across dozens of these public sources at once.
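The certificate transparency step is where scope discipline first gets tested: a single shared certificate can list names for other organizations, a wildcard proves nothing about real hosts, and a lookalike such as example.com.evil.net passes a naive suffix check. The script below is an added example (not code from the article or from crt.sh) that parses a response in the shape crt.sh returns for `https://crt.sh/?q=%25.example.com&output=json`, collapses case and trailing-dot duplicates, anchors the scope test on the dot, and splits names into current, stale (only expired certificates, a classic forgotten-asset marker), wildcard and out-of-scope buckets. The JSON sample, hostnames and dates are constructed for the example.

```python
"""Parse a crt.sh-style JSON response into a deduplicated, scope-checked subdomain list.

Added example; not code from the original article or from crt.sh. CRTSH_SAMPLE is a
CONSTRUCTED response in the shape crt.sh returns (a list of certificate rows whose
"name_value" holds newline-separated names). Every host and date is invented.
"""
from __future__ import annotations

import json
from datetime import datetime

# Constructed sample, not real CT data. It deliberately contains mixed case, a trailing
# dot, a wildcard, an expired certificate, and two names that are NOT under example.com.
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com\nmail.example.com.",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
    {"common_name": "staging-api.example.com",
     "name_value": "staging-api.example.com\nSTAGING-API.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T00:00:00"},
    {"common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nportal.partner-saas.net",
     "not_before": "2024-05-01T00:00:00", "not_after": "2025-05-01T00:00:00"},
    {"common_name": "old-jira.example.com",
     "name_value": "old-jira.example.com",
     "not_before": "2019-01-01T00:00:00", "not_after": "2020-01-01T00:00:00"},
    {"common_name": "example.com.lookalike-phish.net",
     "name_value": "example.com.lookalike-phish.net",
     "not_before": "2024-09-01T00:00:00", "not_after": "2025-09-01T00:00:00"},
])

# Reference date for the current/stale split, fixed so the run is reproducible.
AS_OF = datetime(2025, 1, 15)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so duplicates collapse to one node."""
    return name.strip().lower().rstrip(".")


def in_scope(name: str, apex: str) -> bool:
    """Scope test anchored on the dot: 'notexample.com' and
    'example.com.lookalike-phish.net' must both fail."""
    return name == apex or name.endswith("." + apex)


def triage_ct(raw_json: str, apex: str, as_of: datetime = AS_OF) -> dict:
    apex = normalize(apex)
    latest_expiry: dict[str, datetime] = {}
    wildcards: set[str] = set()
    out_of_scope: set[str] = set()

    for row in json.loads(raw_json):
        expiry = datetime.fromisoformat(row["not_after"])
        for raw in row["name_value"].split("\n"):
            name = normalize(raw)
            if not name:
                continue
            if name.startswith("*."):
                # A wildcard proves a cert exists, not that any host does.
                (wildcards if in_scope(name[2:], apex) else out_of_scope).add(name)
                continue
            if not in_scope(name, apex):
                out_of_scope.add(name)  # other SANs on a shared cert: record, never probe
                continue
            if name not in latest_expiry or expiry > latest_expiry[name]:
                latest_expiry[name] = expiry

    return {
        # At least one certificate still valid at as_of.
        "current": sorted(n for n, exp in latest_expiry.items() if exp >= as_of),
        # Only expired certificates: likely decommissioned or forgotten hosts.
        "stale": sorted(n for n, exp in latest_expiry.items() if exp < as_of),
        "wildcards": sorted(wildcards),
        "out_of_scope": sorted(out_of_scope),
    }


if __name__ == "__main__":
    for bucket, names in triage_ct(CRTSH_SAMPLE, "example.com").items():
        print(f"{bucket:13} {', '.join(names) or '-'}")
```

Swap `CRTSH_SAMPLE` for the body of a real crt.sh query and the buckets stay the same; the stale list is usually where the interesting forgotten hosts live, and the out-of-scope list is what you hand back to the client to confirm before anyone touches it.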

Breach and leak data

Leaked records turn a quiet target loud. The Identity Theft Resource Center tracked 3,158 US data compromises in 2024, affecting roughly 1.7 billion individuals (Identity Theft Resource Center, 2024). Querying an email address against Have I Been Pwned reveals which breached services it appeared in and when the data leaked; each hit is a new pivot, and the usernames those services exposed feed the handle sweeps in the entity-mapping stage. For the defensive side, see how to check whether a password or account has been leaked.

Metadata, dorks, and social footprint

The rest of the passive layer hides in plain sight. Document and image metadata (EXIF) can expose device models, software, usernames, and GPS coordinates, all readable with ExifTool. Google dorks like site:target.com filetype:pdf or intext:"@target.com" surface exposed files and addresses. And the social footprint, spread across the accounts of 5.24 billion social media identities (DataReportal, 2025), fills in the human context. Frameworks like Recon-ng and SpiderFoot orchestrate these sources into one run.

Dimension              Passive recon                              Active recon
Touches the target     No                                         Yes
Detectable by target   Effectively invisible                      Often logged
Typical sources        WHOIS, DNS, CT logs, breaches, social      Port scans, banner grabs, live probes
Example tools          theHarvester, Amass, crt.sh, HIBP          nmap, direct service requests
Authorization needed   Legitimate purpose                         Written scope required
Best used              First, and for most of the map             Last, only within scope

The rule of thumb is simple. Exhaust passive sources before you send a single packet at the target. You'll build 80% of the map without ever being seen, and you'll know exactly where to point active probes when the scope allows them.

How Do You Map a Person Across Platforms?

Entity recon takes a single identifier and expands it into a person. With 5.56 billion internet users worldwide, 67.9% of the planet (DataReportal, 2025), almost every target registered that identifier somewhere public. The seed can be an email, a username, a phone number, a name, or a photo. From any one of them, you pivot to the rest.

The pivots chain in a predictable order, and each one opens the next.

Here's the sequencing insight most guides skip: run these in order, not in parallel. We've found that checking breach and messaging data before social enumeration surfaces reused usernames early, and those usernames unlock profiles a flat, name-only search never touches. Sequenced pivoting routinely yields 30 to 40% more confirmed accounts than firing every tool at once. Why does order matter so much? Because each resolved identifier narrows the next search from millions of results to a handful.

The connective tissue: reused usernames and emails link otherwise separate accounts. When a WhatsApp photo matches a LinkedIn headshot and the handle matches a GitHub profile, three independent edges converge on one person. That convergence, not any single hit, is what an identification actually is. Investigators lean on the best OSINT tools for investigators to run these pivots without checking each site by hand.

How Do You Map a Target's Infrastructure?

Infrastructure recon maps an organization's internet-facing attack surface, which is exactly what attackers do first. Exploitation of vulnerabilities drove 20% of breach initial access in 2025, up 34% year over year, alongside credential abuse at 22% and phishing at 16% (Verizon DBIR, 2025). Every one of those vectors starts with a service someone left exposed. Recon finds it before the exploit does.

The core move is querying internet-wide scan data instead of scanning yourself. Shodan and Censys already indexed the exposure. Censys continuously scans all 65,535 ports across the full IPv4 space, refreshing 100% of results within 48 hours (Censys, 2025). You search that index for the target's IP ranges, open ports, running services, software versions, and exposed panels, all without sending a packet yourself.

The gap you're exploiting is that organizations lose track of their own surface. Companies add more than 300 new internet-facing services every month, and those additions drive roughly 32% of new high and critical exposures (Palo Alto Unit 42, 2024). Pair the scan data with subdomain enumeration from Amass and tech-stack fingerprinting, and forgotten assets, staging servers, and shadow IT rise to the surface.

Passive by default here too: reading Shodan or Censys is passive, because you're querying their stored scans, not the target. The exception is Shodan's on-demand scan feature, which sends traffic to the target on your behalf; treat it as active. Running your own port scan is active, it can be logged, and on a red-team job it belongs inside your written scope. Map first from indexed data, then probe only what the rules of engagement allow.
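Mapping from indexed data and probing only within scope is a sorting problem, and it is worth making the sort explicit before anyone runs nmap. The script below is an added example (not code from the article, Shodan or Censys) that takes host records in a simplified shape standing in for what a scan index returns, checks each IP against the CIDR ranges in the written rules of engagement, parks hosts that carry the client's name but sit on someone else's address space in a "confirm" bucket (the third-party case from Step Zero), flags exposed management interfaces straight from the passive data, and emits an active-probe plan that contains in-scope hosts only. The field names, address ranges, hostnames and the admin-port list are assumptions constructed for the example, not a vendor schema.

```python
"""Gate passively indexed host records against the written rules of engagement.

Added example; not code from the article, Shodan or Censys. INDEXED_HOSTS is a
CONSTRUCTED set of records in a simplified shape (ip, port, product, version,
hostname) standing in for what an internet scan index returns. The field names
are ours, not a vendor schema; addresses and hostnames are invented.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Written scope for the engagement (constructed). Only these ranges and names are ours.
ROE = {
    "cidrs": ["203.0.113.0/24", "2001:db8:1::/48"],
    "apex_domains": ["example.com"],
}

INDEXED_HOSTS = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx", "version": "1.18.0", "hostname": "www.example.com"},
    {"ip": "203.0.113.22", "port": 8080, "product": "Jenkins", "version": "2.346.1", "hostname": "ci-old.example.com"},
    {"ip": "203.0.113.40", "port": 3389, "product": "Microsoft RDP", "version": "", "hostname": ""},
    {"ip": "198.51.100.7", "port": 443, "product": "Apache httpd", "version": "2.4.54", "hostname": "portal.partner-saas.net"},
    {"ip": "198.51.100.9", "port": 22, "product": "OpenSSH", "version": "8.9", "hostname": "bastion.example.com"},
    {"ip": "2001:db8:1::5", "port": 25, "product": "Postfix smtpd", "version": "", "hostname": "mx1.example.com"},
]

# Remote-management ports and products whose mere exposure is a finding, no probing needed.
# Assumed list for the example; tune it to the engagement.
ADMIN_PORTS = {22, 23, 3389, 5900, 5985, 5986}
ADMIN_PRODUCTS = ("jenkins", "kibana", "grafana", "docker", "kubernetes", "phpmyadmin")


def under_apex(hostname: str, apex: str) -> bool:
    """Dot-anchored suffix test, the same rule used for subdomain scope."""
    hostname = hostname.lower().rstrip(".")
    return hostname == apex or hostname.endswith("." + apex)


def classify_host(rec: dict, roe: dict) -> str:
    """in_scope: the IP is inside an authorized range.
    confirm: the client names the host but does not own the IP (likely a third-party
             host), so it needs explicit confirmation before any active step.
    out_of_scope: neither; record it, never touch it."""
    addr = ipaddress.ip_address(rec["ip"])
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch, no exception.
    if any(addr in ipaddress.ip_network(cidr) for cidr in roe["cidrs"]):
        return "in_scope"
    if any(under_apex(rec["hostname"], apex) for apex in roe["apex_domains"]):
        return "confirm"
    return "out_of_scope"


def is_admin_exposure(rec: dict) -> bool:
    return rec["port"] in ADMIN_PORTS or rec["product"].lower().startswith(ADMIN_PRODUCTS)


def plan_recon(hosts: list[dict], roe: dict) -> dict:
    buckets: dict[str, list[dict]] = {"in_scope": [], "confirm": [], "out_of_scope": []}
    probe_targets: dict[str, list[int]] = defaultdict(list)
    admin_exposed: list[dict] = []
    for rec in hosts:
        bucket = classify_host(rec, roe)
        buckets[bucket].append(rec)
        if bucket == "in_scope":
            # Only authorized hosts ever reach the active stage.
            probe_targets[rec["ip"]].append(rec["port"])
            if is_admin_exposure(rec):
                admin_exposed.append(rec)
    return {
        **buckets,
        "admin_exposed": admin_exposed,
        "probe_targets": {ip: sorted(ports) for ip, ports in probe_targets.items()},
    }


if __name__ == "__main__":
    plan = plan_recon(INDEXED_HOSTS, ROE)
    for bucket in ("in_scope", "confirm", "out_of_scope"):
        print(bucket, [f'{r["ip"]}:{r["port"]}' for r in plan[bucket]])
    print("admin exposed", [f'{r["ip"]}:{r["port"]} {r["product"]}' for r in plan["admin_exposed"]])
    print("probe plan", plan["probe_targets"])
```

The "confirm" bucket is the one that saves engagements: bastion.example.com on an address outside the client's ranges is exactly the supplier or cloud host the DBIR third-party figure is about, and it stays off the probe plan until the client says otherwise in writing.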

How Do You Turn Findings Into a Target Map?

Correlation is where a pile of findings becomes intelligence. The average data breach still took 241 days to identify and contain in 2025 (IBM, 2025), a gap that exists partly because defenders never connected the signals they already had. Recon has the same failure mode. Uncorrelated data is just noise. A target map is the fix.

Build the map as a graph. Every entity, a domain, an email, a username, a person, an exposed host, is a node. Every confirmed relationship is an edge. Maltego is the standard tool for drawing these link-analysis graphs, and SpiderFoot automates collection straight into a correlated view. If Maltego's licensing doesn't fit your work, our roundup of the best Maltego alternatives for link analysis covers the field.

Then score every edge. One source is a lead, two agreeing sources make it probable, three independent sources confirm it. Independent means distinct upstream origins: three aggregators that all mirror the same leaked dump are one source, not three. That confidence tiering is the whole discipline, because it tells you when the graph actually converges on your target and when you've drifted onto a namesake. Does the map hold together, or does one weak edge carry the whole conclusion? A chain of pivots is only as strong as its weakest edge.
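The sequenced pivoting described in the entity-mapping section and the confidence tiering described here are the same data structure viewed twice, so one added example covers both. The script below (not code from the article, Maltego or SpiderFoot) builds an undirected graph from findings that each carry a source and a timestamp, collapses sources to their upstream "family" before counting so mirrored dumps count once, assigns the lead/probable/confirmed tier per edge, and rates a chain of pivots by its weakest edge. Every identifier, profile, source name and family assignment is constructed for the example; in real work the family mapping is your own judgement about where each source gets its data.

```python
"""Score recon findings into a confidence-tiered entity graph.

Added example; not code from the article or from Maltego/SpiderFoot. FINDINGS and
SOURCE_FAMILY are CONSTRUCTED: every identifier, profile and source is invented,
and a source's "family" (the upstream dataset it ultimately derives from) is
something the analyst assigns from knowledge of the source, not a fact the
source reports about itself.
"""
from __future__ import annotations

from collections import defaultdict

# (entity_a, entity_b, source, observed_at). Type prefixes keep a username and an
# email that look alike as separate nodes.
FINDINGS = [
    ("email:j.harper@example.com", "user:jharper88", "leak-site-A", "2025-01-10T09:12Z"),
    ("email:j.harper@example.com", "user:jharper88", "leak-site-B", "2025-01-10T09:15Z"),
    ("email:j.harper@example.com", "user:jharper88", "gravatar", "2025-01-10T09:40Z"),
    ("user:jharper88", "profile:github.com/jharper88", "github-profile", "2025-01-10T10:02Z"),
    ("user:jharper88", "profile:github.com/jharper88", "keybase-proof", "2025-01-10T10:05Z"),
    ("user:jharper88", "profile:github.com/jharper88", "linkedin-about", "2025-01-10T10:20Z"),
    ("profile:github.com/jharper88", "profile:linkedin.com/in/j-harper", "image-match", "2025-01-10T11:00Z"),
]

# Independence lives here: leak-site-A and leak-site-B both republish the same 2021 dump,
# so they count as ONE source no matter how many mirrors you find.
SOURCE_FAMILY = {
    "leak-site-A": "dump-2021-forum",
    "leak-site-B": "dump-2021-forum",
    "gravatar": "gravatar",
    "github-profile": "github",
    "keybase-proof": "keybase",
    "linkedin-about": "linkedin",
    "image-match": "analyst-image-comparison",
}

TIER_RANK = {"lead": 1, "probable": 2, "confirmed": 3}


def edge_key(a: str, b: str) -> tuple[str, str]:
    return tuple(sorted((a, b)))  # undirected: the edge is the same whichever way you pivoted


def build_graph(findings) -> dict:
    graph = defaultdict(list)
    for a, b, source, observed_at in findings:
        graph[edge_key(a, b)].append({
            "source": source,
            "family": SOURCE_FAMILY.get(source, source),  # unknown source: its own family
            "observed_at": observed_at,                   # attribution survives into the report
        })
    return dict(graph)


def edge_tier(evidence) -> str:
    independent = len({e["family"] for e in evidence})
    if independent >= 3:
        return "confirmed"
    return "probable" if independent == 2 else "lead"


def score_edges(graph: dict) -> dict:
    return {
        key: {
            "tier": edge_tier(evidence),
            "raw_hits": len(evidence),
            "independent_sources": len({e["family"] for e in evidence}),
            "evidence": evidence,
        }
        for key, evidence in graph.items()
    }


def path_tier(scored: dict, path: list[str]):
    """A chain of pivots is only as strong as its weakest edge; None if a hop has no edge."""
    if len(path) < 2:
        return None
    tiers = []
    for a, b in zip(path, path[1:]):
        edge = scored.get(edge_key(a, b))
        if edge is None:
            return None
        tiers.append(edge["tier"])
    return min(tiers, key=TIER_RANK.__getitem__)


if __name__ == "__main__":
    scored = score_edges(build_graph(FINDINGS))
    for (a, b), info in scored.items():
        print(f'{info["tier"]:9} {a} <-> {b}  hits={info["raw_hits"]} independent={info["independent_sources"]}')
    chain = ["email:j.harper@example.com", "user:jharper88",
             "profile:github.com/jharper88", "profile:linkedin.com/in/j-harper"]
    print("chain to LinkedIn:", path_tier(scored, chain))
```

Note what the numbers do: the email-to-handle edge has three raw hits but only two independent families, so it is probable, not confirmed; the handle-to-GitHub edge is confirmed; and the whole chain out to the LinkedIn profile is still only a lead, because the headshot comparison is a single source carrying the last hop.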

[Figure: A Recon Target Map (Entity Graph). The TARGET sits at the hub, linked to domains / subdomains, emails, usernames, exposed services, breach records, and social profiles. Each edge is a lead. Three independent edges on one entity is a confirmed identification.]
The target map: the subject is a hub, and every recon stage adds a connected, confidence-scored edge.

OPSEC and Verification: Stay Invisible, Document Everything

Good recon protects the investigator as carefully as it profiles the target. The human element still shows up in 60% of breaches (Verizon DBIR, 2025), which is a reminder that people, including you, are the softest surface. If your recon tips off the target, they lock down accounts, delete posts, and your case evaporates. OPSEC is not optional polish.

Keep your footprint clean with a few habits. Use a research browser or a dedicated virtual machine, never your personal accounts. Maintain sock-puppet accounts that are aged and consistent when a platform requires a login to view public content. Avoid actions that notify the target: don't send connection requests, don't view stories that show a viewer list, don't click "forgot password" on their account. Passive-first sequencing is itself an OPSEC control, because most of the map never touches them.

Verification is the other half of professionalism. An unverified finding is a liability, not intelligence. Attribute every data point to its source and timestamp, so you can defend each claim later. Apply the confidence tiers from the correlation stage. Flag contradictions instead of hiding them, because a conflicting record is often the most important signal in the file. Leads are not proof until independent sources agree.

How Does espectrosint Accelerate OSINT Recon?

It collapses the passive people-recon layer into a single query. Running breach checks, username sweeps, email lookups, and social enumeration by hand can eat an hour per subject, and a queue of them eats a day, which stings when 59% of security teams report critical or significant skills shortages (ISC2, 2025). espectrosint checks 200+ correlated sources at once and returns an AI-generated dossier in seconds, with source attribution on every finding so it survives scrutiny.

The workflow mirrors the manual entity-recon stage, minus the tab-switching.

Step 1: Open the platform. Start at espectrosint and pick the search type: email, username, phone, or name.

Step 2: Enter the seed identifier. Paste the address, handle, number, or name. The platform normalizes the input and fans it across breach data, social platforms, public records, and username sites in parallel.

Step 3: Read the correlated dossier. Within seconds you get a probable identity, linked accounts, breach exposure, associated emails and usernames, and a network, each finding cited so you can defend it.

Step 4: Pivot and export. Chain any surfaced identifier into a fresh query without leaving the case, then export a documented file. The correlation across identifiers is what turns scattered hits into a target map.

Across our own recon queries, the subjects that resolve fastest are the ones with a reused username and a public profile photo, because those two edges chain into everything else. The subjects that resist are the disciplined ones: fresh identifiers, no reuse, minimal footprint. No legitimate platform invents data for those, and any tool claiming a confident hit on a truly clean identifier is bluffing.

Collapse passive people-recon into one search across 200+ sources

Start free on espectrosint

Is OSINT Recon Legal?

Yes, when you use publicly available sources and hold authorization or a legitimate purpose. The line is the source and the intent, not the act of searching. The FBI's IC3 logged $16.6 billion in losses across 859,532 complaints in 2024 (FBI IC3, 2024), and every one of those crimes crossed a line that legitimate recon does not.

The open-source rule. OSINT means open sources only. No breaking authentication, no pretexting into private systems, no buying leaked databases to shortcut attribution. Reading a public certificate transparency log is fine. Logging into someone else's account is a crime, regardless of how you got the password.

Authorization and scope. Red-team infrastructure recon needs written rules of engagement from the asset owner, especially the moment you move from passive collection to active probing. Investigative people-recon needs a legitimate purpose, and the specifics vary by country; for the US framework, see whether OSINT is legal in the United States. Under GDPR, LGPD, and similar laws, a person's data has protections even when it's public, and legitimate interest requires a balancing test.

What about ethics, beyond the letter of the law? Public data doesn't make every use acceptable. Stalking, harassment, and doxxing are illegal no matter the source. Keep every finding framed as a lead to verify, document why you searched, and stay inside your scope, and the purpose test takes care of itself.

Frequently Asked Questions

What is OSINT reconnaissance?

OSINT reconnaissance is the structured collection of open-source information about a target before you act on it. Investigators use it to map a person; red teams use it to map an organization's attack surface. Reconnaissance is the documented first stage of the attack lifecycle in MITRE ATT&CK (MITRE, 2025), and it draws on the public footprint of 5.56 billion internet users (DataReportal, 2025).

Is OSINT recon legal?

Yes, when you use publicly available sources and hold authorization or a legitimate purpose. OSINT means open sources only: no breaking authentication, no pretexting, no buying leaked databases. Red-team recon needs written scope. The FBI's IC3 logged $16.6 billion in losses across 859,532 complaints in 2024 (FBI IC3, 2024), and unauthorized access is the line that separates recon from a crime.

What is the difference between passive and active recon?

Passive recon collects data without touching the target: WHOIS, DNS, certificate transparency, breach data, and social footprint. Active recon interacts with target systems, like port scanning, which can be logged. Exploitation of vulnerabilities drove 20% of breach initial access in 2025, up 34% year over year (Verizon DBIR, 2025), so passive-first sequencing keeps you invisible while you map that surface.

What tools do I need for OSINT recon?

For passive recon: theHarvester, Amass, crt.sh, and Have I Been Pwned. For entity recon: Sherlock and Maigret. For infrastructure: Shodan and Censys, which continuously scans all 65,535 ports across the full IPv4 space (Censys, 2025). For correlation: Maltego and SpiderFoot. Aggregation platforms collapse the people-recon layer into a single query.

How long does OSINT reconnaissance take?

A focused people-recon pass takes an hour or two by hand; a full attack-surface map can take days. Speed matters because the average breach still takes 241 days to identify and contain (IBM, 2025). Correlation platforms compress the passive collection stage from hours of tab-switching into a single search, leaving your time for analysis and verification.

Conclusion

OSINT recon is a method, not a search box. Scope the target and confirm you're authorized, exhaust passive sources before you touch anything, map the person and the infrastructure, correlate every finding into a confidence-scored graph, and verify before you conclude. Work the stages in order, feed each result into the next, and treat every hit as a lead until independent sources agree.

The two halves of the discipline, people-recon and infrastructure-recon, share this one workflow. An investigator footprinting a subject and a red-teamer footprinting a company are running the same loop against different targets. Master the loop and you can point it at either. The constraints, open sources only and authorized use only, are what keep the work legitimate and the intelligence defensible.

Ready to compress the slowest stage? Run OSINT recon across 200+ sources with espectrosint and get a correlated, cited dossier in seconds.