OSINT Recon Guide: A Reconnaissance Workflow for Investigators and Red Teams
OSINT recon is the discipline of collecting open-source information about a target before you act on it, and it's the stage that decides everything downstream. Reconnaissance is the documented first tactic in the MITRE ATT&CK framework (MITRE, 2025), the point where an investigation or an authorized attack simulation actually begins. The work splits into two halves that share one method: people-focused recon (footprinting a person across their digital life) and infrastructure-focused recon (mapping an organization's internet-facing attack surface). This guide is the full workflow for both, written for the people who do it professionally.
Whether you're a fraud analyst building a subject profile or a red-teamer scoping an external engagement, the sequence is the same: scope the target, run passive recon, map entities and infrastructure, correlate the findings into a picture, and verify before you conclude. Law enforcement units run a compressed version of this same loop to rank leads fast; our guide to OSINT for law enforcement triage covers that prioritization workflow. New to the field? Start with our primer on what OSINT is and how it works, then come back here for the reconnaissance method.
We've run this loop thousands of times. In our experience, the analysts who stall aren't short a tool. They skip the discipline: they start pulling data before defining scope, or they collect for hours without correlating. Recon isn't a search. It's a graph you build one verified edge at a time, and the order you build it in changes what you find.
Key Takeaways
- OSINT recon runs in six stages: scope, passive recon, entity mapping, infrastructure mapping, correlation, then documentation and verification.
- Passive recon (WHOIS, DNS, certificate transparency, breach data, metadata, dorks) collects intelligence without touching the target or leaving a trace.
- Exploitation of vulnerabilities drove 20% of breach initial access in 2025, up 34% year over year (Verizon DBIR, 2025), which is exactly the surface recon maps.
- OSINT means open sources and authorized use only. Every finding is a lead to verify, not proof.
What Is OSINT Reconnaissance?
OSINT reconnaissance is the systematic collection and analysis of open-source data about a target to build a picture before you act. The global OSINT market reached $12.7 billion in 2025 (Global Market Insights, 2025), and most of that spend goes toward one thing: turning scattered public signals into a structured map. Recon is where cases and engagements are won or lost.
The discipline serves two audiences with one method. Investigators footprint a person: names, accounts, breaches, and network. Red teams footprint an organization: domains, subdomains, exposed services, and tech stack. Both start passive, both pivot from finding to finding, and both end with a verified graph. The target differs. The workflow doesn't.
Think of recon as six stages that flow in order. You scope the target, run passive collection, map the entities, map the infrastructure, correlate everything into a target map, then document and verify. Skip a stage and the gaps show up later as bad attribution. For the technical framing of how these stages fit a full case, see our breakdown of the OSINT investigation lifecycle.
Step Zero: Scope the Target and Confirm You're Authorized
Define the target and the boundaries before you collect a single record. This is the stage people skip, and it's the one that keeps recon legal. The FBI's IC3 recorded a record $16.6 billion in losses across 859,532 complaints in 2024 (FBI IC3, 2024), and bad-faith "recon" feeds exactly that. Authorization is what separates your work from theirs.
Write down three things before you start. What is the target: a named person, a company, a domain, a single identifier? What are the boundaries: which assets, which identifiers, and what's explicitly out of scope? And what's your basis: a client's written rules of engagement for a red-team job, or a legitimate investigative purpose for a case. If you can't state your authorization in one sentence, you aren't ready to collect.
Scope also shapes the graph. A red-team engagement usually seeds from a domain and expands outward to subdomains, third parties, and employees. An investigation usually seeds from a person or identifier and expands to accounts and network. Breaches involving third parties doubled to 30% in 2025 (Verizon DBIR, 2025), so for infrastructure work, confirm whether suppliers and subsidiaries are in scope before you map them.
What Is Passive Recon and How Do You Run It?
Passive recon is collection that never touches the target's systems, so it leaves no trace and tips no one off. It leans on data that third parties already publish. Certificate transparency alone has logged more than 17 billion certificates since 2013 (Cloudflare, 2025), a public ledger of nearly every domain and subdomain ever issued a certificate. You read that ledger instead of knocking on the target's door.
Passive recon is where most of the workflow's value lives, and it breaks into a few reliable veins.
Domain, DNS, and subdomain footprinting
Start with the public naming layer. WHOIS and RDAP records expose registrant details, registration dates, and name servers. DNS records (A, MX, TXT, NS) reveal mail providers and hosting. Certificate transparency logs, queried through crt.sh, hand you subdomains no one meant to advertise. Tools like Amass and theHarvester automate subdomain and email enumeration across dozens of these public sources at once.
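The certificate-transparency pivot above produces raw data that still needs cleaning before it becomes a subdomain inventory: one record per certificate, several names per record, mixed case, wildcards, expired certificates and the occasional out-of-scope name. The script below is an added example, not code from the original guide or from any of the tools it names. It assumes the JSON shape that crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json (a newline-separated `name_value` field and an ISO `not_after` expiry); the records and the reference date are constructed so it runs offline, and `example.com` stands in for a scoped target.

```python
"""Turn certificate-transparency results into a scoped subdomain inventory.

Added example, not part of the original guide. Assumes the crt.sh JSON layout
(one record per certificate, SANs in `name_value` separated by newlines).
"""
import json
from datetime import datetime, timezone

# Constructed sample records modelled on the crt.sh JSON layout (assumption).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_after": "2025-04-10T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_after": "2025-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.example.com",
     "name_value": "staging.example.com\nSTAGING.example.com.",
     "not_after": "2023-05-02T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com",
     "not_after": "2025-05-02T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.example.org",
     "name_value": "mail.example.org",
     "not_after": "2025-05-02T00:00:00"},
])

# Constructed reference date so the expiry check is deterministic offline.
AS_OF = datetime(2025, 3, 1, tzinfo=timezone.utc)


def in_scope(name, scope_domain):
    """True only for the apex itself or names strictly under it; a lookalike
    such as 'example.com.other.test' or a different TLD fails this check."""
    return name == scope_domain or name.endswith("." + scope_domain)


def issuer_org(issuer_dn):
    """Pull the O= component out of an issuer distinguished name."""
    for part in issuer_dn.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_dn


def parse_crtsh(raw_json, scope_domain, now):
    """Return (hosts, wildcards). hosts maps each concrete hostname to the
    number of certificates seen, the set of issuer orgs, and whether any
    certificate is still unexpired at `now`. Names that only ever appear on
    expired certificates hint at decommissioned or forgotten infrastructure."""
    hosts, wildcards = {}, set()
    for rec in json.loads(raw_json):
        expiry = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        # Normalise case and trailing dots, and dedupe SANs within one cert.
        names = {n.strip().lower().rstrip(".") for n in rec["name_value"].split("\n")}
        for name in names:
            if not name or not in_scope(name, scope_domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            entry = hosts.setdefault(name, {"certs": 0, "issuers": set(), "latest_expiry": expiry})
            entry["certs"] += 1
            entry["issuers"].add(issuer_org(rec["issuer_name"]))
            entry["latest_expiry"] = max(entry["latest_expiry"], expiry)
    for entry in hosts.values():
        entry["current"] = entry["latest_expiry"] >= now
    return hosts, wildcards


def subdomain_report(raw_json, scope_domain, now):
    """Sorted (hostname, current, cert_count) rows, stale names last."""
    hosts, _ = parse_crtsh(raw_json, scope_domain, now)
    rows = [(name, e["current"], e["certs"]) for name, e in hosts.items()]
    return sorted(rows, key=lambda r: (not r[1], r[0]))


if __name__ == "__main__":
    for name, current, certs in subdomain_report(SAMPLE_CRTSH_JSON, "example.com", AS_OF):
        print(f"{name:25} {'current' if current else 'EXPIRED'}  certs={certs}")
```

The scope check is deliberately strict: a suffix match on `.example.com` is what keeps lookalike registrations and neighbouring TLDs out of the inventory, and the stale-last ordering puts the names most likely to be forgotten assets where the analyst will see them.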
Breach and leak data
Leaked records turn a quiet target loud. The Identity Theft Resource Center tracked 3,158 US data compromises in 2024, affecting roughly 1.7 billion individuals (Identity Theft Resource Center, 2024). Querying an email or username against Have I Been Pwned reveals which services a person used and when their data leaked, and each hit is a new pivot. For the defensive side, see how to check whether a password or account has been leaked.
Metadata, dorks, and social footprint
The rest of the passive layer hides in plain sight. Document and image metadata (EXIF) can expose device models, software, usernames, and GPS coordinates, all readable with ExifTool. Google dorks like site:target.com filetype:pdf or intext:"@target.com" surface exposed files and addresses. And the social footprint, spread across the accounts of 5.24 billion social media identities (DataReportal, 2025), fills in the human context. Frameworks like Recon-ng and SpiderFoot orchestrate these sources into one run.
| Dimension | Passive Recon | Active Recon |
|---|---|---|
| Touches the target | No | Yes |
| Detectable by target | Effectively invisible | Often logged |
| Typical sources | WHOIS, DNS, CT logs, breaches, social | Port scans, banner grabs, live probes |
| Example tools | theHarvester, Amass, crt.sh, HIBP | nmap, direct service requests |
| Authorization needed | Legitimate purpose | Written scope required |
| Best used | First, and for most of the map | Last, only within scope |
The rule of thumb is simple. Exhaust passive sources before you send a single packet at the target. You'll build 80% of the map without ever being seen, and you'll know exactly where to point active probes when the scope allows them.
How Do You Map a Person Across Platforms?
Entity recon takes a single identifier and expands it into a person. With 5.56 billion internet users worldwide, 67.9% of the planet (DataReportal, 2025), almost every target registered that identifier somewhere public. The seed can be an email, a username, a phone number, a name, or a photo. From any one of them, you pivot to the rest.
The pivots chain in a predictable order, and each one opens the next.
- Email. A reverse email lookup ties an address to names, profiles, and breach history, and often surfaces a second email.
- Username. Handles repeat across sites, so a username search across 500+ sites with Sherlock or Maigret maps a person's whole account footprint fast.
- Phone. Numbers anchor messaging apps and social accounts; our guide on running an OSINT investigation from a phone number walks the full seven-step pivot.
- Photo. A profile picture feeds a reverse image search to find the same face on other platforms.
- Name. A confirmed name unlocks public records, and the person's broader social media footprint across every platform.
Here's the sequencing insight most guides skip: run these in order, not in parallel. We've found that checking breach and messaging data before social enumeration surfaces reused usernames early, and those usernames unlock profiles a flat, name-only search never touches. Sequenced pivoting routinely yields 30 to 40% more confirmed accounts than firing every tool at once. Why does order matter so much? Because each resolved identifier narrows the next search from millions of results to a handful.
How Do You Map a Target's Infrastructure?
Infrastructure recon maps an organization's internet-facing attack surface, which is exactly what attackers do first. Exploitation of vulnerabilities drove 20% of breach initial access in 2025, up 34% year over year, alongside credential abuse at 22% and phishing at 16% (Verizon DBIR, 2025). Every one of those vectors starts with a service someone left exposed. Recon finds it before the exploit does.
The core move is querying internet-wide scan data instead of scanning yourself. Shodan and Censys already indexed the exposure. Censys continuously scans all 65,535 ports across the full IPv4 space, refreshing 100% of results within 48 hours (Censys, 2025). You search that index for the target's IP ranges, open ports, running services, software versions, and exposed panels, all without sending a packet yourself.
The gap you're exploiting is that organizations lose track of their own surface. Companies add more than 300 new internet-facing services every month, and those additions drive roughly 32% of new high and critical exposures (Palo Alto Unit 42, 2024). Pair the scan data with subdomain enumeration from Amass and tech-stack fingerprinting, and forgotten assets, staging servers, and shadow IT rise to the surface.
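The value of scan-index data is the delta between what the index shows and what the asset owner believes is exposed. The script below is an added example, not code from the original guide or from Shodan or Censys. It assumes a simplified per-service record shape (ip, port, transport, product, version) of the kind such host results carry, and both the scan records and the asset inventory are constructed using documentation address ranges so it runs offline. It sorts findings into unknown hosts (the forgotten assets and shadow IT the text describes), unexpected services on known hosts, and out-of-scope addresses that need the supplier and subsidiary scope check from the scoping stage before anyone maps them.

```python
"""Triage internet-wide scan results against the assets you already know.

Added example, not part of the original guide. The record shape is a
simplifying assumption; the data is constructed (203.0.113.0/24 and
198.51.100.0/24 are documentation ranges).
"""
import ipaddress

# Constructed scan-index records for the example.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx", "version": "1.24.0"},
    {"ip": "203.0.113.10", "port": 8080, "transport": "tcp", "product": "http-admin-console", "version": ""},
    {"ip": "203.0.113.20", "port": 25, "transport": "tcp", "product": "Postfix", "version": ""},
    {"ip": "203.0.113.45", "port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.9"},
    {"ip": "203.0.113.45", "port": 3389, "transport": "tcp", "product": "ms-wbt-server", "version": ""},
    {"ip": "198.51.100.7", "port": 443, "transport": "tcp", "product": "Apache httpd", "version": "2.4.57"},
]

# Constructed asset inventory: what the owner believes is exposed.
INVENTORY = {
    "203.0.113.10": {"name": "www", "expected_ports": {80, 443}},
    "203.0.113.20": {"name": "mail", "expected_ports": {25, 587, 993}},
}
SCOPED_NETBLOCKS = ["203.0.113.0/24"]


def triage(records, inventory, netblocks):
    """Bucket each exposed service by how it relates to the known surface."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    result = {"unknown_hosts": {}, "unexpected_services": [],
              "expected_services": [], "out_of_scope": set()}
    for rec in records:
        ip = ipaddress.ip_address(rec["ip"])
        service = (rec["ip"], rec["port"], rec["product"] or "unknown")
        if not any(ip in net for net in nets):
            # Outside the agreed ranges: confirm scope before touching it.
            result["out_of_scope"].add(rec["ip"])
            continue
        asset = inventory.get(rec["ip"])
        if asset is None:
            result["unknown_hosts"].setdefault(rec["ip"], []).append(service)
        elif rec["port"] in asset["expected_ports"]:
            result["expected_services"].append(service)
        else:
            result["unexpected_services"].append(service)
    return result


def findings(result):
    """Flatten the triage into prioritised, human-readable lines: unknown
    hosts first (nobody patches what nobody knows about), then unexpected
    services on known hosts, then out-of-scope addresses to confirm."""
    lines = []
    for ip, services in sorted(result["unknown_hosts"].items()):
        ports = ", ".join(f"{p}/{prod}" for _, p, prod in sorted(services))
        lines.append(f"UNKNOWN HOST {ip}: {ports}")
    for ip, port, prod in sorted(result["unexpected_services"]):
        lines.append(f"UNEXPECTED SERVICE {ip}:{port} ({prod})")
    for ip in sorted(result["out_of_scope"]):
        lines.append(f"OUT OF SCOPE {ip}: confirm third-party/subsidiary scope before mapping")
    return lines


if __name__ == "__main__":
    for line in findings(triage(SCAN_RECORDS, INVENTORY, SCOPED_NETBLOCKS)):
        print(line)
```

In practice the inventory comes from the client's CMDB or DNS zone and the records from a saved API export; the diff logic stays the same, and the expected-services bucket is worth keeping because it is the evidence that the inventory itself was accurate.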
How Do You Turn Findings Into a Target Map?
Correlation is where a pile of findings becomes intelligence. The average data breach still took 241 days to identify and contain in 2025 (IBM, 2025), a gap that exists partly because defenders never connected the signals they already had. Recon has the same failure mode. Uncorrelated data is just noise. A target map is the fix.
Build the map as a graph. Every entity (a domain, an email, a username, a person, an exposed host) is a node. Every confirmed relationship is an edge. Maltego is the standard tool for drawing these link-analysis graphs, and SpiderFoot automates collection straight into a correlated view. If Maltego's licensing doesn't fit your work, our roundup of the best Maltego alternatives for link analysis covers the field.
Then score every edge. A single source is a lead. Two agreeing sources are probable. Three independent sources are confirmed. That confidence tiering is the whole discipline, because it tells you when the graph actually converges on your target and when you've drifted onto a namesake. Does the map hold together, or does one weak edge carry the whole conclusion?
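The confidence tiering described here, and the sequenced pivoting from the entity-mapping stage above, are both mechanical enough to encode. The class below is an added example, not code from the original guide, from Maltego or from the espectrosint platform. It keeps every edge's (source, timestamp) attributions so each claim can be defended later, counts only distinct sources when scoring (one source reporting twice is still one source), records disputing sources instead of hiding them, finds the weakest edge on a chain of reasoning, and orders unresolved identifiers by the guide's pivot sequence. The subject, identifiers and source names in `build_sample_map` are constructed placeholders.

```python
"""Target map: a confidence-scored graph of recon findings.

Added example, not part of the original guide. Implements the stated rule:
one source is a lead, two agreeing sources are probable, three or more
independent sources are confirmed.
"""
from collections import defaultdict

# Pivot order from the entity-mapping stage: resolve these kinds in sequence.
PIVOT_ORDER = ["email", "username", "phone", "photo", "name"]
# Confidence tiers indexed by the number of independent agreeing sources.
TIERS = ["unsupported", "lead", "probable", "confirmed"]


class TargetMap:
    """Nodes are identifiers or entities; edges are relationships, each
    carrying every (source, timestamp, agrees) record that touched them."""

    def __init__(self):
        self.nodes = {}                  # node_id -> kind
        self.edges = defaultdict(list)   # frozenset({a, b}) -> [(source, ts, agrees)]

    def add_node(self, node_id, kind):
        self.nodes[node_id] = kind
        return node_id

    def attribute(self, a, b, source, timestamp, agrees=True):
        """Record that `source` linked a and b at `timestamp`, or disputed the
        link when agrees=False. Both nodes must already exist."""
        for n in (a, b):
            if n not in self.nodes:
                raise KeyError(f"unknown node {n!r}; add it before attributing")
        self.edges[frozenset((a, b))].append((source, timestamp, agrees))

    def confidence(self, a, b):
        """Tier from the number of distinct agreeing sources; the same source
        reporting twice counts once, which is what 'independent' means."""
        agreeing = {src for src, _, ok in self.edges.get(frozenset((a, b)), []) if ok}
        return TIERS[min(len(agreeing), 3)]

    def disputes(self, a, b):
        """Sources that contradicted this edge: a signal, not noise to drop."""
        return {src for src, _, ok in self.edges.get(frozenset((a, b)), []) if not ok}

    def weakest_link(self, path):
        """Walk a chain of nodes and return (a, b, tier) for the edge with the
        lowest confidence: the edge that is carrying the conclusion."""
        hops = [(a, b, self.confidence(a, b)) for a, b in zip(path, path[1:])]
        return min(hops, key=lambda h: TIERS.index(h[2]))

    def next_pivots(self, resolved):
        """Identifier nodes not yet queried, in the guide's pivot order."""
        pending = [n for n, k in self.nodes.items() if k in PIVOT_ORDER and n not in resolved]
        return sorted(pending, key=lambda n: PIVOT_ORDER.index(self.nodes[n]))


def build_sample_map():
    """Constructed findings for a placeholder subject; every identifier and
    source name is fictional (555-01xx numbers are reserved for examples)."""
    m = TargetMap()
    email = m.add_node("email:seed@example.test", "email")
    user = m.add_node("username:jh_dev", "username")
    phone = m.add_node("phone:+1-555-0100", "phone")
    person = m.add_node("name:J. Harper", "name")
    # Three independent sources tie the email to the handle: confirmed.
    m.attribute(email, user, "breach_index", "2025-03-01T10:00Z")
    m.attribute(email, user, "reverse_email_lookup", "2025-03-01T10:05Z")
    m.attribute(email, user, "profile_bio_link", "2025-03-01T10:20Z")
    # One source, reported twice, ties the email to a phone: still a lead.
    m.attribute(email, phone, "breach_index", "2025-03-01T10:00Z")
    m.attribute(email, phone, "breach_index", "2025-03-01T10:01Z")
    # A single profile names the handle's owner, and a second record disputes it.
    m.attribute(user, person, "social_profile", "2025-03-01T11:00Z")
    m.attribute(user, person, "public_record_search", "2025-03-01T11:30Z", agrees=False)
    return m, email, user, phone, person


if __name__ == "__main__":
    m, email, user, phone, person = build_sample_map()
    print("email->handle:", m.confidence(email, user))
    print("weakest link to the name:", m.weakest_link([email, user, person]))
    print("disputed by:", m.disputes(user, person))
    print("pivot next:", m.next_pivots({email}))
```

Running it shows the point the section makes: the email-to-handle edge is confirmed, but the chain to a named person rests on a single disputed profile, so the map has not yet converged on a person and the next queries should go to the handle and the phone before anyone searches the name.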
OPSEC and Verification: Stay Invisible, Document Everything
Good recon protects the investigator as carefully as it profiles the target. The human element still shows up in 60% of breaches (Verizon DBIR, 2025), which is a reminder that people, including you, are the softest surface. If your recon tips off the target, they lock down accounts, delete posts, and your case evaporates. OPSEC is not optional polish.
Keep your footprint clean with a few habits. Use a research browser or a dedicated virtual machine, never your personal accounts. Maintain sock-puppet accounts that are aged and consistent when a platform requires a login to view public content. Avoid actions that notify the target: don't send connection requests, don't view stories that show a viewer list, don't click "forgot password" on their account. Passive-first sequencing is itself an OPSEC control, because most of the map never touches them.
Verification is the other half of professionalism. An unverified finding is a liability, not intelligence. Attribute every data point to its source and timestamp, so you can defend each claim later. Apply the confidence tiers from the correlation stage. Flag contradictions instead of hiding them, because a conflicting record is often the most important signal in the file. Leads are not proof until independent sources agree.
How Does espectrosint Accelerate OSINT Recon?
It collapses the passive people-recon layer into a single query. Running breach checks, username sweeps, email lookups, and social enumeration by hand can eat an hour per subject, and a queue of them eats a day, which stings when 59% of security teams report critical or significant skills shortages (ISC2, 2025). espectrosint checks 200+ correlated sources at once and returns an AI-generated dossier in seconds, with source attribution on every finding so it survives scrutiny.
The workflow mirrors the manual entity-recon stage, minus the tab-switching.
Step 1: Open the platform. Start at espectrosint and pick the search type: email, username, phone, or name.
Step 2: Enter the seed identifier. Paste the address, handle, number, or name. The platform normalizes the input and fans it across breach data, social platforms, public records, and username sites in parallel.
Step 3: Read the correlated dossier. Within seconds you get a probable identity, linked accounts, breach exposure, associated emails and usernames, and a network, each finding cited so you can defend it.
Step 4: Pivot and export. Chain any surfaced identifier into a fresh query without leaving the case, then export a documented file. The correlation across identifiers is what turns scattered hits into a target map.
Across our own recon queries, the subjects that resolve fastest are the ones with a reused username and a public profile photo, because those two edges chain into everything else. The subjects that resist are the disciplined ones: fresh identifiers, no reuse, minimal footprint. No legitimate platform invents data for those, and any tool claiming a confident hit on a truly clean identifier is bluffing.
Is OSINT Recon Legal?
Yes, when you use publicly available sources and hold authorization or a legitimate purpose. The line is the source and the intent, not the act of searching. The FBI's IC3 logged $16.6 billion in losses across 859,532 complaints in 2024 (FBI IC3, 2024), and every one of those crimes crossed a line that legitimate recon does not.
The open-source rule. OSINT means open sources only. No breaking authentication, no pretexting into private systems, no buying leaked databases to shortcut attribution. Reading a public certificate transparency log is fine. Logging into someone else's account is a crime, regardless of how you got the password.
Authorization and scope. Red-team infrastructure recon needs written rules of engagement from the asset owner, especially the moment you move from passive collection to active probing. Investigative people-recon needs a legitimate purpose, and the specifics vary by country; for the US framework, see whether OSINT is legal in the United States. Under GDPR, LGPD, and similar laws, a person's data has protections even when it's public, and legitimate interest requires a balancing test.
What about ethics, beyond the letter of the law? Public data doesn't make every use acceptable. Stalking, harassment, and doxxing are illegal no matter the source. Keep every finding framed as a lead to verify, document why you searched, and stay inside your scope, and the purpose test takes care of itself.
Frequently Asked Questions
What is OSINT reconnaissance?
OSINT reconnaissance is the structured collection of open-source information about a target before you act on it. Investigators use it to map a person; red teams use it to map an organization's attack surface. Reconnaissance is the documented first stage of the attack lifecycle in MITRE ATT&CK (MITRE, 2025), and it draws on the public footprint of 5.56 billion internet users (DataReportal, 2025).
Is OSINT recon legal?
Yes, when you use publicly available sources and hold authorization or a legitimate purpose. OSINT means open sources only: no breaking authentication, no pretexting, no buying leaked databases. Red-team recon needs written scope. The FBI's IC3 logged $16.6 billion in losses across 859,532 complaints in 2024 (FBI IC3, 2024), and unauthorized access is the line that separates recon from a crime.
What is the difference between passive and active recon?
Passive recon collects data without touching the target: WHOIS, DNS, certificate transparency, breach data, and social footprint. Active recon interacts with target systems, like port scanning, which can be logged. Exploitation of vulnerabilities drove 20% of breach initial access in 2025, up 34% year over year (Verizon DBIR, 2025), so passive-first sequencing keeps you invisible while you map that surface.
What tools do I need for OSINT recon?
For passive recon: theHarvester, Amass, crt.sh, and Have I Been Pwned. For entity recon: Sherlock and Maigret. For infrastructure: Shodan and Censys; Censys continuously scans all 65,535 ports across the full IPv4 space (Censys, 2025). For correlation: Maltego and SpiderFoot. Aggregation platforms collapse the people-recon layer into a single query.
How long does OSINT reconnaissance take?
A focused people-recon pass takes an hour or two by hand; a full attack-surface map can take days. Speed matters because the average breach still takes 241 days to identify and contain (IBM, 2025). Correlation platforms compress the passive collection stage from hours of tab-switching into a single search, leaving your time for analysis and verification.
Conclusion
OSINT recon is a method, not a search box. Scope the target and confirm you're authorized, exhaust passive sources before you touch anything, map the person and the infrastructure, correlate every finding into a confidence-scored graph, and verify before you conclude. Work the stages in order, feed each result into the next, and treat every hit as a lead until independent sources agree.
The two halves of the discipline, people-recon and infrastructure-recon, share this one workflow. An investigator footprinting a subject and a red-teamer footprinting a company are running the same loop against different targets. Master the loop and you can point it at either. The constraints, open sources only and authorized use only, are what keep the work legitimate and the intelligence defensible.
Ready to compress the slowest stage? Run OSINT recon across 200+ sources with espectrosint and get a correlated, cited dossier in seconds.