OSINT is a powerful tool to identify vulnerabilities in your organization. But with all the information out there, how do you zero in on the data you need quickly?

On a recent episode of the NeedleStack podcast, former White House CISO and show host Matt Ashburn took a deep dive into using open-source information to build intelligence on security weaknesses and how to remedy them. Here’s what he had to say:

Why hunt for your weaknesses and the tools to help

A critical component of an effective cybersecurity organization — be it an entire department, a standalone red team or anything in the middle — is the ability to perform in-depth analysis of your company’s weaknesses from an adversary’s point of view. Doing this allows you to gain a more holistic understanding of possible attack vectors that bad actors may exploit. 

So, what tools do you need to perform this “self-reflective” research? 

Watch the full episode, Using OSINT to identify weaknesses, here > 

First, let’s take it back to basics: you ought to know the five W’s (who, what, when, where, why) of your organization’s networks. Answering the five W’s defines foundational elements (e.g., who is on your network, what users are authorized to be there, what is on your network) and create an understanding of your organization’s device inventory, traffic flows, vulnerabilities, patch statuses and more. As such, many of the tools you need to help identify weaknesses are already sitting within your own organization.

But to begin to create an external perspective, you need to put your black hat on. Researching open-source information can give you some of the details that attackers can also access. The internet is a big place, so its helpful to have some tools to focus your search like shodan.io and DomainTools. Also continuous penetration testing like the automated SaaS offering from Horizon3 helps to identify risks in your constantly changing, unique attack surface. 


Shodan provides analysts with the resources to uncover which of their devices are connected to the internet, where they are found and who is signed into them. Comprehending the risks can help to prevent breaches and bolster your organization’s security stance.


DomainTools scans the internet to detect and forecast potential security threats. This is another great tool that allows you and your team to halt, alleviate and investigate ongoing cyberattacks.

Horizon3 NodeZero

Horizon3's NodeZero offers nonstop autonomous penetration testing via a SaaS solution. The software allows you to discover and resolve both internal and external threats before the bad actors can take action.

Researching your organization with an outsider's perspective

Organizations will usually have some sort of vulnerability scanner. This tool allows you to gain an outsider’s perspective in regards to researching your organization — at least to a degree. But certain threats or attack scenarios prove more convoluted and require more than your typical vulnerability scanner in order to understand the risk, rule out false positives and triage an incident. 

Virtual machines, cloud browsers or (ideally) managed attribution services can help take you out of the technology and attached details that may taint your perspective. Matt Ashburn provides an in-depth example below on why and how to achieve the needed third-person perspective:

On a larger scale, if you’re trying to gain a perspective from a specific region (i.e., if you’re likely to be targeted attackers from a certain country), it’s vital to use some tradecraft and manipulate your digital fingerprint. Using a local search engine, searching in the local language and searching from local IP address. This will provide you with search results that may not be available to you when Googling English-language search terms from a US IP address, for example — but that are available to potential threats within the region.

Additionally, region-specific forums, social media platforms and data breach information (largely available via the dark web) are all great tools to access and will greatly assist your investigations.

Taking the time to investigate yourself can go a long way in identifying security weaknesses and understanding how best to mitigate them. There’s no silver bullet for this type of research. It requires a curious mind, creativity and a good about of virtual leg work. But the benefits will have a real impact on protecting your organization.


The NeedleStack podcast releases new episodes on a regular basis covering all sorts of online research topics, from the dark web to OSINT shaping world events to SOC investigations and everything in between.

Check out the full episode library here to learn more about the podcast and other research tips. Happy sleuthing!

Anonymous research Cybersecurity Threat intelligence