When OSINT Goes Wide: Why the Whole Team Matters
Gavin Watson
June 23, 2025
Summary
This blog highlights the increasing need for businesses to broaden their OSINT research beyond VIPs and include the wider employee base. Patterns in app usage, credential reuse, and shadow IT behaviour across teams can create serious risks that attackers can exploit at scale. By understanding these patterns, organisations can strengthen defences and fine-tune awareness training. EASM platforms play a crucial role in helping uncover and interpret these insights.

In a previous post, we talked about why it’s critical to monitor and research the open source intelligence (OSINT) available on your VIPs — your execs, board members, founders, and other high-profile people. That still holds true. But there’s a growing case for widening the lens.

It’s time for businesses to start paying just as much attention to the broader employee base.

Now that might sound like overkill at first. After all, not every member of staff is likely to be targeted by a highly resourced adversary, right? But here’s the thing — it’s not always about who is targeted directly. It’s about the signals that can be picked up, pieced together, and exploited across multiple people. And increasingly, attackers are getting better at doing just that.

Let’s say a company has 200 staff, and 70 of them have registered for a trendy AI tool using their work email. Maybe half of them used the same password they use on their company VPN. That might sound like a coincidence — but from an OSINT perspective, it’s a pattern. And if that tool gets breached, those reused passwords might be floating around within hours. Suddenly, you’re looking at a viable path into the network.

What’s worse is that this kind of information is rarely siloed. If a malicious actor sees that multiple employees from the same department or company are using the same service, it doesn’t take much effort to weaponise that into a believable phishing campaign. They could easily craft an email that looks like a genuine service update or breach notification from that app — and send it to every one of those employees. It’s phishing with a sharper edge. Closer to spear phishing, but scaled up.

This is exactly the sort of threat that sits in the blurry space between traditional phishing and targeted attacks. And it’s driven almost entirely by data that’s available in the open. Not on the dark web. Not behind paywalls. Just floating around in the digital ether.

The patterns that can emerge from this kind of research are often surprising. In some cases, we’ve seen that the departments that appear to be the most security-aware actually have the largest public digital footprints. That may be because they’re more active online — but it could also be a sign that the current awareness training just isn’t sinking in. Either way, it’s valuable insight. And it’s not something you’d catch by only focusing on VIPs.

There’s also significant overlap here with the idea of shadow IT — when employees register for online services using company credentials without formal approval or visibility from IT. That’s another risk layer entirely. These unauthorised tools often sit outside normal security monitoring and policy enforcement. But they’re not outside the reach of OSINT.

If you pull together enough OSINT on a company’s wider team — the apps they use, the social media posts they make, the patterns in their behaviour — you start to get a very clear picture of where the real risks lie. And unfortunately, so do attackers.

This is where an External Attack Surface Management (EASM) platform really shows its value. These platforms can aggregate this OSINT automatically, flag when unusual trends appear, and highlight where the patterns exist. The benefit isn’t just in knowing what’s out there — it’s in seeing how it fits together.
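To make the aggregation concrete, here is an added example (not from the original post and not any EASM product's code) that a defender could run over their own exposure findings. It groups work-email registrations by service and by department, marks services missing from an approved list as shadow IT, and builds a password-reset queue for staff on breached services. All names, domains, headcounts and records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample findings: (work email, department, external service, service breached?)
RECORDS = [
    ("a.khan@example.com", "Finance", "ai-notes.example", True),
    ("b.lee@example.com", "Finance", "ai-notes.example", True),
    ("c.roy@example.com", "Finance", "ai-notes.example", True),
    ("d.fox@example.com", "Engineering", "ai-notes.example", True),
    ("d.fox@example.com", "Engineering", "code-host.example", False),
    ("e.orr@example.com", "Engineering", "code-host.example", False),
    ("f.ade@example.com", "Sales", "crm-trial.example", False),
]
HEADCOUNT = {"Finance": 4, "Engineering": 5, "Sales": 6}  # constructed
APPROVED = {"code-host.example"}                          # constructed allow-list


def service_clusters(records, headcount, approved=APPROVED, min_share=0.2):
    """Services used by at least min_share of all staff, largest cluster first."""
    users, breached = defaultdict(set), {}
    for email, _dept, service, is_breached in records:
        users[service].add(email)
        breached[service] = breached.get(service, False) or is_breached
    total = sum(headcount.values())
    rows = [
        {"service": s, "staff": len(u), "share": round(len(u) / total, 2),
         "shadow_it": s not in approved, "breached": breached[s]}
        for s, u in users.items() if len(u) / total >= min_share
    ]
    return sorted(rows, key=lambda r: (-r["staff"], r["service"]))


def department_footprint(records, headcount):
    """Distinct external registrations per head, by department."""
    regs = defaultdict(set)
    for email, dept, service, _breached in records:
        regs[dept].add((email, service))
    return {d: round(len(regs[d]) / n, 2) for d, n in headcount.items()}


def reset_priority(records):
    """Staff holding a work-email account on a breached service."""
    return sorted({e for e, _d, _s, is_breached in records if is_breached})


if __name__ == "__main__":
    print(service_clusters(RECORDS, HEADCOUNT))
    print(department_footprint(RECORDS, HEADCOUNT))
    print(reset_priority(RECORDS))
```

The per-head figure matters more than the raw count: a small department with a high ratio is a better candidate for targeted awareness training than a large one with the same number of registrations.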

So by all means, keep researching your VIPs. But don’t stop there. The next breach might not come from the top. It might come from the tools your team signed up for last week. The ones no one told IT about. The ones that leaked just enough information to make the next phishing email hit home.

It’s time we stopped treating OSINT as a narrow lens. Widen it. Understand the full picture. And act on it.

Gavin Watson

Gavin Watson is an experienced cybersecurity professional with expertise in offensive security, dark web intelligence, and digital risk protection. He began his career as a penetration tester at RandomStorm in 2006, co-founded Pentest People to deliver top-tier security services, and now co-leads DarkInvader. His focus is on helping businesses identify vulnerabilities, monitor the dark web, and mitigate digital risks proactively, ensuring robust protection against evolving cyber threats. Watson's extensive background in cybersecurity drives his commitment to empowering organisations to safeguard their digital assets.
