🛡️ Methodology Checklist
- LinkedIn: employees at target org → tech stack, job titles, tools
- Job postings: frameworks, languages, security products mentioned
- GitHub: org page, employee repos, leaked secrets, config files
- Social media: personal accounts for security awareness clues
- Email format discovery: Hunter.io, LinkedIn email patterns
- OSINT tools: theHarvester, Maltego, Recon-ng for automated aggregation
- Document key personnel (IT/Security team) for social engineering context
🎯 Operational Context
- Use when: Building target personnel profiles before password spraying, phishing simulations, or social engineering engagements.
- Think Dumber First: Check LinkedIn first — job titles reveal tech stack (e.g., “Azure AD Engineer” = Office 365 tenant). Then HaveIBeenPwned for breach exposure. GitHub profiles often leak internal tooling and API keys.
- Skip when: Rules of engagement prohibit OSINT against individuals; verify scope covers personnel recon.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| (Passive OSINT — no CLI commands) | Use LinkedIn, Xing, GitHub |
🔬 Deep Dive & Workflow
Core Concept
Identifying employees on business networks (LinkedIn, Xing) reveals the Human Layer of infrastructure. Goal: infer technologies, programming languages, and security measures from staff skills and posts.
Employees publicly share what they are working on — unknowingly mapping the internal network.
1. Analyzing Job Postings
Job descriptions are the most accurate blueprint of a company’s tech stack:
- Programming Languages: Java, Python, C#, Go
- Frameworks: Flask, Django, React, Spring
- Databases: MySQL, Oracle, PostgreSQL
- Tools: Atlassian Suite, Git, Docker, Kubernetes
- Security Clearance: TS/SCI or specific certifications (Security+) → government contracts or high-security environments
2. Analyzing Employee Profiles
Personal profiles leak specific details:
- Skill Sections: React vs. AngularJS → narrow down vulnerability searches
- GitHub Links: Repositories may contain:
  - Hardcoded secrets (JWT tokens, API keys)
  - Personal email addresses
  - Code style revealing structural weaknesses (e.g., misconfigured Django settings.py)
3. Targeting Strategy
Who to focus on:
- Software Engineers → reveal the tech stack
- Security Staff → reveal defensive measures (EDR, SIEM, Firewalls) you will need to bypass
Method: Advanced search filters (Location, Current Company, Title) → build a list of key technical targets.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| LinkedIn returns no employees | Company name variation | Try parent company, brand name, or search "@targetdomain.com" site:linkedin.com |
| HaveIBeenPwned shows no breaches | Wrong domain variant | Check all domain variants (old domains, subsidiaries, acquired companies) |
| GitHub user search returns too many results | Common name | Filter by org:targetcompany or search their email in commit history |
| theHarvester returns no emails | Email format unknown | Cross-reference LinkedIn username + @domain.com; try hunter.io for format patterns |
| Username-anarchy generates too many variants | Default run | Filter to corporate formats only: f.last, flast, first.last — check IT job postings for format hints |
📝 Reporting Trigger
- Finding Title: Employee PII and Credentials Exposed via OSINT Sources
- Impact: Attacker can enumerate valid usernames, identify credential breach exposure, and craft targeted spear-phishing campaigns using real organizational context.
- Root Cause: Insufficient monitoring of employee data exposure across public platforms (LinkedIn, GitHub, breach databases). No mandatory security awareness training on OSINT risks.
- Recommendation: Conduct periodic OSINT audits of employee exposure. Implement credential monitoring via HaveIBeenPwned Enterprise. Train employees on OSINT risks and enforce MFA to limit credential stuffing impact.
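An added example (not part of the original notes) of the periodic exposure audit recommended above, run by an organization over files from its own repositories: it flags the items listed under "Analyzing Employee Profiles", namely hardcoded secrets, JWTs and risky Django settings.py values. The rule names, the placeholder list and the sample file are assumptions constructed for illustration.

```python
import base64
import json
import re

# Three base64url segments; a JSON header always encodes to a leading "eyJ".
JWT_RE = re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}")
# A quoted literal of 12+ characters assigned to a secret-looking name.
ASSIGN_RE = re.compile(
    r"(?i)\b\w*(?:SECRET|API_?KEY|TOKEN|PASSWORD)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]")
# Django settings that should not be committed to a public repository.
DJANGO_RE = re.compile(r"\s*(DEBUG\s*=\s*True|ALLOWED_HOSTS\s*=\s*\[\s*['\"]\*['\"]\s*\])")
PLACEHOLDERS = ("changeme", "example", "<", "${")  # assumed non-secret markers

def is_jwt(token):
    """True if the first segment decodes to a JSON object carrying 'alg'."""
    head = token.split(".")[0]
    try:
        hdr = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(hdr, dict) and "alg" in hdr

def scan(path, text):
    """Return sorted (path, line_number, rule) findings for one file's text."""
    found = set()
    for no, line in enumerate(text.splitlines(), 1):
        if any(is_jwt(t) for t in JWT_RE.findall(line)):
            found.add((path, no, "jwt"))
        m = ASSIGN_RE.search(line)
        if m and not any(p in m.group(1).lower() for p in PLACEHOLDERS):
            found.add((path, no, "hardcoded-secret"))
        if path.endswith("settings.py") and DJANGO_RE.match(line):
            found.add((path, no, "django-misconfig"))
    return sorted(found)

# Constructed sample input, not taken from any real repository.
def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_JWT = ".".join([_seg({"alg": "HS256"}), _seg({"sub": "constructed"}), "c2lnbmF0dXJl"])
SAMPLE_SETTINGS = f'''SECRET_KEY = "constructed-sample-value-0123456789"
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = "changeme-before-deploy"
DEBUG = True
ALLOWED_HOSTS = ["*"]
SERVICE_AUTH = "{SAMPLE_JWT}"
'''
if __name__ == "__main__":
    print(*scan("app/settings.py", SAMPLE_SETTINGS), sep="\n")
```

Values read from the environment and obvious placeholders are skipped, so the findings that remain are the lines worth rotating and removing from history.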