Forem: Kyle Brennan

The Scariest Things I've Found Using OSINT (That Were Completely Legal)

Kyle Brennan — Fri, 13 Feb 2026 23:22:46 +0000

I've been practicing OSINT for a few years now. In that time, I've discovered things that made my jaw drop - and I didn't break a single law doing it.

Here are the creepiest (and completely legal) discoveries that keep me up at night.

1. Real-Time Location from Public Fitness Data

People share their running routes on Strava. Those routes show exactly where they start and end their runs - usually their home.

I once found a military base's internal layout because soldiers were logging their jogs. The Pentagon had to issue guidance about this.

Your morning jog is broadcasting your address.

2. Baby Photos with GPS Coordinates

Proud parents post photos of their newborns. Those photos often contain EXIF metadata with exact GPS coordinates.

I've seen birth announcements that accidentally revealed:

The hospital room number
The parents' home address
The grandparents' house
The daycare location

All from metadata in cute baby photos.

3. Corporate Secrets from LinkedIn

People list projects on LinkedIn before they're public. I've found:

Unannounced product launches
Acquisition targets
Upcoming layoffs (when recruiters suddenly connect with everyone)
Security vulnerabilities ("Implemented fix for...")

Your resume is intelligence gold.

4. Home Security Systems... and Their Weaknesses

People post photos of their new Ring doorbells and security cameras. Those posts reveal:

Camera blind spots
Brand and model (with known vulnerabilities)
WiFi network names
When the house is empty (posting from vacation)

You're showing burglars your security setup.

5. Medical Information from Wearables

Public health data from fitness trackers can reveal:

Sleep disorders (from sleep tracking)
Heart conditions (from heart rate data)
Pregnancy (from period tracking apps that suddenly go quiet)
Depression indicators (from activity levels)

Your watch is a medical record.

6. Financial Situations from Venmo

Venmo transactions are public by default. I've seen:

Rent amounts and landlord names
Drug transactions (people are not subtle)
Divorce proceedings in real-time
Affairs ("hotel 💕")
Gambling habits

Your payment history tells your life story.

7. Password Hints from Social Media

People answer "fun quizzes" that ask:

Your first pet's name
The street you grew up on
Your mother's maiden name
Your high school mascot

These are literally security questions. You're giving away your passwords.

What This Means for You

Every piece of data you share becomes part of a larger puzzle. Individually, these things seem harmless. Combined, they're a complete profile of your life.

Quick Protection Steps:

Strip metadata from photos before posting
Audit privacy settings on all accounts
Vary your security questions (lie creatively)
Review public fitness data and set it to private
Make Venmo transactions private
Google yourself regularly - CloudSINT can help automate this

The Uncomfortable Reality

Nothing I described is hacking. It's not illegal. It's not even particularly difficult.

It's just paying attention to what people freely share.

The scariest part? Most people have no idea how much they're revealing.

Now you do.

Want to learn more OSINT techniques? Join the CloudSINT Discord - we discuss privacy, security, and digital investigation.

I Googled Myself and Now I Can't Sleep: A Privacy Horror Story

Kyle Brennan — Fri, 13 Feb 2026 23:21:42 +0000

Last week I decided to OSINT myself. You know, just a quick Google search to see what's out there.

Three hours later, I was in the fetal position questioning every life decision I've ever made.

The Innocent Beginning

It started simple enough. I typed my full name into Google. "How bad could it be?" I thought. I'm a relatively private person. I don't post much on social media.

Oh, sweet summer child.

The First Red Flag

Page one of Google results: My address. Just... right there. On a data broker site I'd never heard of. Along with:

My age
Previous addresses going back 15 years
Names of family members
An estimated income range

I hadn't given this website permission to exist, let alone publish my life story.

Down the Rabbit Hole

Then I made a mistake. I searched my phone number.

Turns out, my number is connected to:

Three social media accounts I forgot existed
A food delivery app that exposed my order history
My WhatsApp profile photo (which I thought was private)
A comment I left on a news article in 2019

The Username Problem

I use the same username everywhere. I thought this was convenient. It is. For anyone trying to find me.

Searching my username revealed accounts on:

Gaming forums from 2012
A Reddit account I definitely want to forget
An old dating profile (sorry, spouse)
A cryptocurrency forum where I asked a very stupid question in 2017

The Photo That Haunted Me

Reverse image searching my LinkedIn photo found it on:

A website scraping professional headshots
A random slide deck on SlideShare
A cached version of a company page I left 5 years ago

What I Did About It

After the initial panic subsided, I got to work:

Opted out of data brokers - Tedious but necessary. Each site has its own removal process.
Locked down social media - Made everything private. Reviewed every app permission.
Changed usernames - Different username for different purposes now.
Set up alerts - Google Alerts for my name so I know when new stuff appears.
Regular OSINT audits - Tools like CloudSINT help automate some of this discovery process.

The Uncomfortable Truth

Here's what I learned: Privacy isn't a setting you enable once. It's an ongoing battle.

Every account you create, every photo you post, every form you fill out - it all becomes part of your digital shadow. And that shadow is way bigger than you think.

Your Turn

Before you close this tab and forget about it, I challenge you:

Google your full name (in quotes)
Search your phone number
Look up your most common username

You might be surprised. Or horrified. Probably both.

At least now you know.

Want to learn more about protecting your digital privacy? Join the CloudSINT Discord where we share OSINT techniques and privacy tools.

Phone Number OSINT: How to Investigate Any Phone Number

Kyle Brennan — Fri, 13 Feb 2026 23:20:40 +0000

Phone numbers are among the most powerful identifiers in the digital age. A single phone number can unlock a wealth of information about its owner—from their name and address to their social media profiles and online accounts.

In this guide, I'll walk you through the techniques and tools used to investigate phone numbers using Open Source Intelligence (OSINT) methods.

Why Phone Numbers Are So Revealing

Phone numbers have become the primary identifier for most online services. When you sign up for social media, banking apps, or delivery services, you're typically required to provide a phone number.

This means a single phone number can be connected to:

Social media accounts (Facebook, Instagram, WhatsApp, Telegram)
Financial services and payment apps
E-commerce accounts
Dating profiles
Data broker records

Starting Your Investigation: Basic Number Analysis

Before diving into databases, analyze the number itself:

Country and Carrier Identification

Every phone number contains geographic and carrier information:

Country code: The first digits identify the country (+1 for US/Canada, +44 for UK)
Area code: For landlines and some mobile numbers, this indicates the region
Carrier prefix: Mobile numbers often have prefixes assigned to specific carriers

Number Type Detection

Determine if the number is:

A traditional landline
A mobile number
A VoIP number (Google Voice, Skype)
A toll-free or premium number
A temporary/burner number

Social Media Reconnaissance

Social platforms are goldmines for phone number lookups:

WhatsApp is directly tied to phone numbers. You can:

Add the number to your contacts
Open WhatsApp and check if they have an account
View their profile photo, status, and "about" information

Similar to WhatsApp, Telegram accounts are phone-based:

Search for the number directly in Telegram
Check username, bio, and profile photo

Data Broker and People Search Sites

Numerous websites aggregate phone records:

Free Options

TrueCaller: Crowdsourced caller ID database
Sync.me: Similar crowdsourced data
WhoCalledMe: User-reported spam/scam numbers

Paid Services

Spokeo: Comprehensive people search
BeenVerified: Detailed background reports
WhitePages Premium: Enhanced search features

Important Note on Privacy

These data brokers also sell YOUR information. If you're concerned about your own privacy, services like CloudSINT can help you opt out from these databases and monitor for new exposures.

Checking Data Breaches

Phone numbers frequently appear in data breaches:

Have I Been Pwned: Check if the number appears in known breaches
Intelligence X: Historical breach data search

Breached data might reveal email addresses, usernames, and additional personal details associated with the number.

Advanced Techniques

Google Dorking

Use Google's advanced search operators:

"555-123-4567"
"5551234567"
"+15551234567"

Search for the number in various formats to find mentions across the web.

OSINT Frameworks

Dedicated OSINT tools can automate phone lookups:

PhoneInfoga: Specialized phone number OSINT tool
Maltego: Visual link analysis with phone transforms
SpiderFoot: Automated OSINT collection

Protecting Your Own Phone Number

Now that you understand how much can be learned from a phone number:

Use secondary numbers: Google Voice or similar for signups
Opt out of data brokers: Regularly request removal
Enable privacy settings: Hide your number on social profiles
Monitor exposures: Use tools to alert you when your number appears

Conclusion

Phone numbers are surprisingly powerful identifiers in our connected world. Understanding OSINT techniques helps you verify identities, investigate suspicious calls, and understand digital footprints.

Remember: the same techniques that reveal information about others also expose your own data. Take proactive steps to protect your privacy while using these skills responsibly.

Interested in more OSINT techniques? Join our CloudSINT Discord for regular guides on digital investigation and personal security.

Social Media OSINT: How to Find Anyone's Digital Footprint

Kyle Brennan — Wed, 11 Feb 2026 22:12:44 +0000

Social media has become a goldmine for Open Source Intelligence (OSINT). Whether you're conducting security research, investigating fraud, verifying someone's identity, or just curious about your own digital exposure, understanding how to find and analyze social media profiles is an essential skill.

In this guide, I'll share the techniques I use to discover and analyze someone's social media presence.

Why Social Media OSINT?

People share an incredible amount of personal information on social media—often more than they realize. A thorough social media investigation can reveal:

Personal details: Full name, birthday, location, workplace
Relationships: Friends, family, romantic partners, colleagues
Interests and habits: Hobbies, travel patterns, daily routines
Professional information: Job history, skills, business connections
Sentiment and opinions: Political views, attitudes, grievances

Step 1: Start with What You Know

Every investigation starts somewhere. You might have:

A name
An email address
A phone number
A username
A photo

Each of these can be a starting point for discovery.

Step 2: Username Enumeration

If you have a username from one platform, there's a good chance it's used elsewhere.

Manual checking:

Check major platforms: Twitter/X, Instagram, Facebook, LinkedIn, TikTok, Reddit
Try variations: username, username123, the_username

Automated tools:

Sherlock (GitHub) - Checks 300+ platforms
WhatsMyName - Web-based username search
Namechk - Quick availability check across platforms

# Using Sherlock
sherlock targetusername

Step 3: Reverse Email Lookup

Email addresses often link directly to social accounts.

Try these searches:

Enter the email in platform "find friends" features
Search "email@example.com" in Google
Check breach databases for associated accounts

Tools like CloudSINT let you search across multiple data sources simultaneously, revealing not just social media but also other accounts and exposed information linked to an email.

Step 4: Image-Based Discovery

A photo can reveal more than a name.

Reverse image search:

Google Images
Yandex (often better for faces)
TinEye (finds exact matches)
PimEyes (facial recognition - paid)

What to look for:

Where else the same photo appears
Related photos from the same source
EXIF metadata (location, device, timestamp)

Step 5: Google Dorking for Social Profiles

Targeted searches can uncover profiles that don't appear in normal results.

site:instagram.com "john smith" "new york"
site:linkedin.com/in "software engineer" "acme corp"
site:twitter.com "@" "email@example.com"

Step 6: Platform-Specific Techniques

Facebook

Graph Search (limited but still useful)
Check "About" for linked accounts
Friends lists reveal social circles
Events and groups show interests

Instagram

Check tagged photos for real-life connections
Location tags reveal frequented places
Saved highlights often contain personal info
Following/followers lists

Rich professional history
Endorsements reveal skill networks
"People Also Viewed" reveals related profiles
Company pages list all employees

Twitter/X

Advanced search: from:username since:2020-01-01 until:2023-01-01
Check replies and mentions for relationships
Quoted tweets show opinions
Lists membership reveals interests

Post/comment history reveals interests
Subreddit participation patterns
Often more anonymous but more honest

Step 7: Archived Content

Deleted doesn't mean gone.

Resources:

Wayback Machine - Snapshots of profiles over time
Archive.today - User-submitted archives
Google Cache - Recent cached versions
Social media archiving services

Step 8: Cross-Referencing

The real power comes from combining data points.

Example workflow:

Find email in a breach database
Email reveals old username
Username search finds abandoned Twitter account
Twitter account mentions real name
Real name + location finds LinkedIn
LinkedIn shows current employer

Ethical Considerations

Always remember:

Only access publicly available information
Don't create fake accounts to befriend targets
Respect privacy even when information is "public"
Document your methodology
Know your jurisdiction's laws on reconnaissance

Protecting Yourself

Now that you know these techniques, consider your own exposure:

Search for yourself using these same methods
Remove unnecessary personal information
Use unique usernames across platforms
Check what data has been exposed in breaches
Review privacy settings regularly

What social media OSINT techniques have worked for you? Share in the comments! For more OSINT resources, join the CloudSINT Discord community where we discuss these topics regularly.

Email OSINT: How to Investigate Any Email Address

Kyle Brennan — Wed, 11 Feb 2026 22:10:26 +0000

An email address is more than just a way to reach someone—it's often a key that unlocks a treasure trove of information about a person or organization. Whether you're doing security research, investigating fraud, or conducting due diligence, knowing how to investigate an email address is a fundamental OSINT skill.

In this guide, I'll walk you through the techniques and tools I use for email-based investigations.

Step 1: Basic Email Analysis

Before reaching for specialized tools, start with the basics.

Break down the email structure:

Local part (before @): Often contains usernames, names, or employee IDs
Domain (after @): Tells you the organization or email provider

For example: john.smith@acme-corp.com

The local part suggests the person's name
The domain tells us it's likely a corporate email for Acme Corp

Check the domain:

Is it a corporate domain or free provider (Gmail, Yahoo, etc.)?
Corporate emails are generally more trustworthy and provide organizational context
Free providers offer less verifiable identity information

Step 2: Email Validation

Before diving deep, verify the email actually exists.

MX Record Check:

dig MX acme-corp.com

This confirms the domain has mail servers configured.

SMTP Verification:
You can verify if an email address exists without sending a message:

telnet mail.acme-corp.com 25
HELO test.com
MAIL FROM:<test@test.com>
RCPT TO:<john.smith@acme-corp.com>

A 250 response typically means the address exists.

Note: Many servers now reject VRFY commands and may block repeated SMTP probes.

Step 3: Breach Database Searches

Email addresses frequently appear in data breaches. Searching breach databases can reveal:

Other accounts using the same email
Passwords (historical, possibly reused)
Personal information linked to the account
Service providers the target uses

Tools like CloudSINT let you search across multiple data sources to find exposed information linked to an email address. This is one of the fastest ways to build a profile on an unknown email.

Important: Always use this information ethically and legally.

Step 4: Social Media Discovery

Most people use their email for social media accounts. Search for the email on:

LinkedIn - Professional profiles
Facebook - Often reveals photos and connections
Twitter/X - May show interests and opinions
GitHub - Code commits often contain email addresses

Pro tip: Many platforms let you search for users by email via their "find friends" features.

Step 5: Username Pivoting

If the email has a distinctive local part (e.g., coolhacker42@gmail.com), that username might be reused elsewhere.

Tools for username searches:

Namechk.com
WhatsMyName
Sherlock (GitHub tool)

Step 6: Google Dorking

Search engines often index more than people realize.

"john.smith@acme-corp.com"

This simple search might return:

Forum posts
PDFs with contact info
Conference attendee lists
Mailing list archives
Document metadata

Step 7: Domain-Level OSINT

If dealing with a corporate email, investigate the domain:

WHOIS lookup:

whois acme-corp.com

Historical WHOIS:
Services like DomainTools show historical registration data.

Subdomain enumeration:
Tools like Subfinder or Amass can reveal the company's infrastructure:

subfinder -d acme-corp.com

Step 8: Email Header Analysis

If you have an email from the target, analyze the headers:

Received headers show the email's path
X-Originating-IP may reveal the sender's IP
Message-ID can indicate the email client used

Real-World Applications

Phishing investigation: Verify if a suspicious email is actually from who it claims

Job candidate verification: Confirm someone's professional background

Fraud investigation: Track down bad actors using fake identities

Threat intelligence: Link threat actors across multiple campaigns

Ethics and Legality

Remember:

Only access information that's publicly available or you're authorized to view
Don't attempt to access accounts without permission
Be aware of your jurisdiction's privacy laws
Document your methodology for potential legal proceedings

What email OSINT techniques do you use? Share your tips in the comments! For more OSINT resources and community discussion, check out the CloudSINT Discord.

Reverse Image Search Mastery: Find Anyone From a Photo

Kyle Brennan — Wed, 11 Feb 2026 19:39:39 +0000

A single photo can unlock someone's entire online presence. Reverse image search is one of the most powerful OSINT techniques — and most people only scratch the surface.

Here's how to go from a photo to a complete profile.

The Basics

Reverse image search finds:

Other places the same image appears
Visually similar images
Higher resolution versions
The original source

Search Engines Compared

Google Images

Best for: General searches, finding image context

How to use:

Go to images.google.com
Click camera icon
Upload or paste URL

Strengths:

Largest index
Good at finding exact matches
Finds related images

Weaknesses:

Increasingly filters results
Sometimes misses social media

Yandex

Best for: Faces, Eastern European content

How to use: yandex.com/images

Strengths:

Superior facial recognition
Often finds what Google misses
Less filtered results
Strong for Russian/Eastern European content

Weaknesses:

Interface can be confusing
Results may be in Russian

Pro tip: Yandex is often the best choice for face searches. Try it first.

TinEye

Best for: Finding exact matches, tracking image spread

How to use: tineye.com

Strengths:

Shows when image first appeared online
Tracks image modifications
Browser extensions available

Weaknesses:

Smaller index than Google
Doesn't do visual similarity well

Pro tip: Use TinEye to find the original upload date and trace image provenance.

Bing Visual Search

Best for: Product identification, supplementary searches

How to use: bing.com/visualsearch

Strengths:

Good at identifying objects
Sometimes finds results others miss
Integration with shopping

PimEyes

Best for: Facial recognition (controversial)

How to use: pimeyes.com (paid)

Strengths:

Specialized facial recognition
Finds faces across millions of images
Very powerful for investigations

Weaknesses:

Paid service
Privacy/ethical concerns
May be restricted in some jurisdictions

⚠️ Use responsibly: This tool can find almost anyone from a face photo. Don't use it to stalk people.

Advanced Techniques

Cropping Strategy

Before searching:

Crop to just the face for person searches
Crop to unique elements (logos, backgrounds, objects)
Try multiple crops of the same image

Different crops often return different results.

Search Multiple Engines

Always use at least 3 search engines:

Yandex (especially for faces)
Google Images
TinEye

Each has different indexes and algorithms.

Image Modification

If initial searches fail:

Flip horizontally — Defeats simple duplicate detection
Adjust colors/contrast — May match edited versions
Remove metadata — Strip EXIF before uploading (for privacy)

Screenshot Method

For social media profiles:

Take screenshot of profile photo
Crop tightly
Search the screenshot (avoids URL-based blocking)

Extracting Metadata

Before reverse searching, check what's embedded in the image.

EXIF Data

May contain:

GPS coordinates — Where the photo was taken
Timestamp — When it was taken
Device info — Camera model, phone type
Software — Editing tools used

Tools:

exiftool (command line)
Jeffrey's EXIF Viewer (online)
Pic2Map (for GPS visualization)

Steganography Check

Hidden data in images:

Use tools like StegOnline or zsteg
Rarely relevant but worth checking for suspicious files

Platform-Specific Tips

Finding Social Media Profiles

Instagram:

Screenshot profile photos
Search on Yandex for best results
Check for username watermarks in images

Facebook:

Profile photos often indexed by Google
Graph search can find photos "liked by" someone

LinkedIn:

Professional headshots often reused
Check company websites for same photos

Dating Apps:

Profile photos often reused from other platforms
Yandex excels at finding these connections

Geolocation from Photos

Images reveal location through:

Visual Clues

Street signs and shop names
Architecture style
Vegetation and terrain
Sun position (time/direction)
Vehicle license plates
Language on signs

Tools for Geolocation

Google Earth — Match terrain and buildings
SunCalc — Calculate sun position for timestamps
GeoGuessr skills — Practice visual geolocation

Methodology

Identify unique features
Research architectural/geographic patterns
Cross-reference with satellite imagery
Verify with street view

Verification & Debunking

Reverse image search is crucial for:

Fake Profile Detection

Stock photos in dating profiles
Stolen identity photos
AI-generated faces (check ThisPersonDoesNotExist artifacts)

News Verification

Find original context of viral images
Check if old photos are being recycled
Identify manipulated/edited images

Red Flags

Image appears on stock photo sites
Oldest result is recent (may be stolen)
Multiple identities using same photo

Operational Security

When searching images:

Don't upload sensitive images to random services
Strip metadata before uploading
Use VPN for sensitive searches
Some services retain uploaded images

📸 Practice and Learn

Reverse image search is a skill that improves with practice.

Join CloudSINT Discord: https://discord.gg/8WP5VwSS

Weekly challenges, technique sharing, and a community that geeks out on this stuff.

Part of the OSINT education series. A picture is worth a thousand data points.

How to Check If You've Been Compromised (Data Breach OSINT)

Kyle Brennan — Wed, 11 Feb 2026 19:33:01 +0000

Data breaches happen daily. Your credentials are probably already out there — the question is whether you know about it.

This guide shows you how to investigate breach exposure for yourself, your organization, or (with proper authorization) your targets.

Why This Matters

3+ billion records leaked in breaches annually
Most people reuse passwords across sites
Breached credentials fuel account takeovers, identity theft, and social engineering
Companies often don't disclose breaches for months

Free Tools for Personal Checks

Have I Been Pwned (HIBP)

The gold standard for breach checking.

URL: haveibeenpwned.com

What it shows:

Which breaches include your email
What data types were exposed (passwords, addresses, phone numbers)
When the breach occurred

Pro tip: Set up notifications to get alerts when your email appears in new breaches.

Firefox Monitor

Mozilla's breach notification service (powered by HIBP data).

URL: monitor.firefox.com

What it shows:

Same breach data as HIBP
Integrated with Firefox browser
Actionable recommendations

DeHashed

Search by email, username, IP, name, address, or phone.

URL: dehashed.com

What it shows:

Actual leaked data (passwords, hashes)
More comprehensive than HIBP
Requires paid subscription for full access

⚠️ Warning: Only search for data you own or have authorization to investigate.

For Organizations

Domain-Wide Monitoring

HIBP Domain Search:

Check if any company email appears in breaches
Requires domain verification
Free for small organizations

Commercial Options:

SpyCloud
Recorded Future
Digital Shadows

These provide real-time monitoring and credential recovery services.

What to Look For

Employee credentials in breaches
Corporate email/password combos
Third-party service credentials (could indicate shadow IT)
Patterns (same password across multiple employees = training issue)

Investigating Specific Breaches

Finding Breach Data

Legitimate Sources:

HIBP breach notifications
Security news sites (KrebsOnSecurity, BleepingComputer)
Vendor disclosure pages

Research Sources (use responsibly):

IntelX (intelligence archive)
Breach forums (for awareness, not exploitation)
Academic datasets (sanitized breach data for research)

Analyzing Breach Contents

When you have access to breach data:

Scope assessment — How many records? What data types?
Date analysis — When was data collected? Is it current?
Password patterns — Are they plaintext, hashed, or encrypted?
Correlation — Does this data appear elsewhere?

Password Hash Cracking (For Your Own Accounts)

If you find your password hash in a breach, you can check if it's been cracked:

Hash Identification

Common types:

MD5: 32 hex characters
SHA-1: 40 hex characters
SHA-256: 64 hex characters
bcrypt: Starts with $2a$ or $2b$

Lookup Services

CrackStation: crackstation.net — Free hash lookup
Hashes.org: Massive hash database
cmd5.org: MD5 specific

Note: bcrypt and properly salted hashes won't appear in lookup tables.

What to Do When You're Breached

Immediate Actions

Change the password — On the breached service AND anywhere you reused it
Enable 2FA — On all important accounts
Check for unauthorized access — Review login history
Monitor financial accounts — If payment info was exposed

Long-Term Fixes

Use a password manager (unique passwords everywhere)
Enable breach notifications
Consider a credit freeze if SSN/financial data leaked
Use email aliases to track which services leak your data

For Security Researchers

Ethical Considerations

Only access data you're authorized to investigate
Don't exploit credentials — Even if they're "already public"
Report vulnerabilities — If you find active exposures
Document your methods — Maintain clear audit trails

Building Breach Awareness

Track breach trends:

What industries are targeted?
What attack vectors are common?
How long between breach and disclosure?

This intelligence helps predict and prevent future incidents.

Red Flags in Breach Data

When analyzing breaches, watch for:

Honeypot accounts — Fake credentials that alert on use
Sanitized data — May indicate a processed/fake dataset
Duplicate entries — Common in aggregated "combo lists"
Outdated passwords — Breach data ages quickly

🔐 Stay Informed

Breach awareness is an ongoing process, not a one-time check.

Join CloudSINT Discord: https://discord.gg/8WP5VwSS

Get breach alerts, discuss findings, and learn from security researchers who track this stuff professionally.

Part of the OSINT education series. Protect yourself.

Company OSINT: How to Research Any Business

Kyle Brennan — Wed, 11 Feb 2026 19:27:42 +0000

Whether you're doing due diligence, competitive analysis, or investigating potential fraud — businesses leave massive digital footprints.

Here's how to map a company's structure, finances, technology, and vulnerabilities using public information.

Company Basics

Registration & Legal Structure

Where to look:

OpenCorporates.com: Global company database
State SOS websites: Secretary of State business filings
SEC EDGAR: Public company filings (10-K, 10-Q, 8-K)
Companies House (UK): Free company records
National registries: Most countries have searchable databases

What you'll find:

Registered address (often different from HQ)
Directors and officers
Filing history
Corporate structure
Registered agent

Domain Intelligence

Start with their website and expand:

WHOIS Lookup:

Registration date
Registrant info (often privacy-protected now)
Historical ownership

Tools:

DomainTools: Historical WHOIS, reverse lookups
SecurityTrails: DNS history, associated domains
Shodan: What's running on their servers
BuiltWith: Technology stack detection

Subdomain enumeration:

subfinder -d company.com
amass enum -d company.com

Hidden subdomains often reveal:

Internal tools (staging, dev, admin)
Acquired companies
Forgotten infrastructure

Financial Intelligence

Public Companies

SEC EDGAR: All official filings
Yahoo Finance / Google Finance: Quick overviews
Annual reports: Often more detailed than required filings
Earnings call transcripts: Management commentary

Private Companies

Harder, but not impossible:

Crunchbase: Funding rounds, investors
PitchBook: Detailed financials (paid)
LinkedIn: Employee count over time
Job postings: Hiring = growth, layoffs = trouble
Glassdoor: Employee reviews reveal internal issues

Red Flags

Watch for:

Frequent address changes
Director churn
Late filings
Related-party transactions
Multiple shell companies

People Intelligence

Leadership

LinkedIn: Career history, connections
Board memberships: Often listed in filings
News archives: Past controversies
Social media: Public statements, opinions

Employees

LinkedIn: Map the org chart
GitHub: Developer contributions (code quality, security practices)
Conference talks: Technical capabilities
Patent filings: Innovation areas

Tip: Engineers and salespeople often share more than executives. Their LinkedIn profiles reveal products, clients, and tech stack.

Technology Stack

What They're Running

BuiltWith.com: Detect CMS, analytics, frameworks
Wappalyzer: Browser extension for tech detection
Shodan: Open ports, services, vulnerabilities
Censys: SSL certificates, infrastructure

Security Posture

SecurityHeaders.com: Check header configurations
SSL Labs: Certificate and TLS configuration
Have I Been Pwned (domain search): Employee breach exposure
Dehashed: Leaked credentials (for your own domains only)

Code & Development

GitHub: Public repositories, commit history
GitLeaks: Accidentally exposed secrets
Wayback Machine: Old versions of their site

Physical Presence

Locations

Google Maps: Satellite view, street view
OpenStreetMap: Community-contributed data
Commercial real estate sites: Lease information
Property records: Ownership details

Supply Chain

Import/export records: Panjiva, ImportGenius
Supplier directories: ThomasNet, Alibaba
LinkedIn: Procurement team connections

Legal & Regulatory

Lawsuits & Disputes

PACER: Federal court records (US)
State court websites: Local litigation
Google News: Media coverage of disputes
Justia: Free case law search

Regulatory Filings

FCC: Communications equipment
FDA: Medical/pharmaceutical
EPA: Environmental
OSHA: Workplace safety violations
Patent databases: USPTO, Google Patents

Reputation & Sentiment

Reviews & Complaints

BBB: Better Business Bureau
Trustpilot: Customer reviews
Glassdoor: Employee reviews
Reddit: Unfiltered opinions
Twitter/X: Real-time complaints

News & Media

Google News: Recent coverage
LexisNexis: Historical archives (paid)
Wayback Machine: Old press releases
PR Newswire: Official announcements

Putting It Together

Create a Profile

For any target company, build:

Basic Info: Name, addresses, registration, directors
Corporate Structure: Subsidiaries, parents, related entities
Financial Health: Revenue, funding, cash position
Key People: Leadership, board, key employees
Technology: Stack, infrastructure, security posture
Reputation: Reviews, news, legal issues
Red Flags: Anything concerning

Tools for Organization

Maltego: Visual link analysis
Obsidian: Linked note-taking
Draw.io: Organizational charts
Hunchly: Automatic evidence capture

⚠️ Legal Considerations

All techniques here use public information
Don't access private systems
Don't impersonate employees
Be careful with data protection laws (GDPR, CCPA)
Document your methods

🏢 Learn More

Company research is a core skill for investigators, journalists, and security professionals.

Join CloudSINT Discord: https://discord.gg/8WP5VwSS

Get help with tricky investigations, share resources, and learn advanced techniques.

Part of the OSINT education series. Due diligence saves trouble.

OPSEC for OSINT: How to Investigate Without Getting Burned

Kyle Brennan — Wed, 11 Feb 2026 19:25:41 +0000

You're researching someone. But who's researching you?

Operational security (OPSEC) isn't paranoia — it's professional hygiene. Whether you're a journalist, security researcher, or just privacy-conscious, here's how to conduct investigations without leaving a trail back to yourself.

The Golden Rules

Assume you're being watched — act accordingly
Separate identities completely — personal and research never mix
Minimize your footprint — every click is a potential log entry
Document everything — but store it securely

Browser Hygiene

Use Dedicated Browsers

Never research from your daily browser. Options:

Tor Browser: Maximum anonymity, slower speeds
Brave (Private Window + Tor): Balance of usability and privacy
Firefox (hardened): Configure with privacy extensions
Virtual machines: Complete isolation

Essential Extensions

uBlock Origin: Block trackers and ads
Privacy Badger: Learn and block invisible trackers
Cookie AutoDelete: Wipe cookies when tabs close
User-Agent Switcher: Mask your browser fingerprint

Browser Fingerprinting

Even without cookies, you're identifiable via:

Screen resolution
Installed fonts
Browser plugins
Hardware characteristics

Check yourself: https://amiunique.org

Network Security

VPN Basics

A VPN hides your IP but:

The VPN provider sees everything
Choose carefully — many log and sell data
Paid services are generally more trustworthy

Recommended: Mullvad, ProtonVPN, IVPN (no email required, accept cash/crypto)

When to Use Tor

Accessing sensitive content
Researching individuals who might monitor incoming traffic
Protecting source communications

Limitations:

Some sites block Tor
Slower speeds
Exit nodes can be compromised

Mobile OPSEC

Your phone is a tracking device. For sensitive research:

Use a dedicated burner device
No SIM (WiFi only)
VPN always on
Airplane mode when not in use

Account Separation

Research Accounts ("Sock Puppets")

Create dedicated accounts for investigation:

Rules:

Never access from your home IP
Use a unique email (ProtonMail, Tutanota)
Different username patterns than personal accounts
Aged accounts are more trustworthy (create in advance)
Never cross-contaminate (don't follow your real accounts)

Email Compartmentalization

Personal: Your real identity
Professional: Work-related
Research: OSINT investigations
Throwaway: One-time signups

Use email aliases (SimpleLogin, AnonAddy) to track who sells your data.

Device Security

Dedicated Research Machine

Ideal setup:

Used laptop (paid cash)
Fresh OS install (Linux preferred)
Full disk encryption
No personal accounts ever logged in

Virtual Machines

Run investigations in isolated VMs:

VirtualBox or VMware: Free options
Whonix: Pre-configured for anonymity
Tails: Amnesic system, leaves no traces

Snapshot before research, revert after.

Data Handling

Secure Storage

Encrypt everything: VeraCrypt, LUKS, BitLocker
Cloud storage: Only encrypted files, or use Tresorit/Proton Drive
Local backups: Encrypted external drives

Note-Taking

Obsidian (local): Markdown files you control
Standard Notes: Encrypted sync
Avoid Google Docs/Notion for sensitive research

Evidence Preservation

Screenshots with metadata (date, URL, method)
Archive.today for permanent records
Hash files to prove they haven't been modified

Communication Security

Messaging

Signal: End-to-end encrypted, disappearing messages
Wire: No phone number required
Session: Decentralized, anonymous signup

Email

ProtonMail: Encrypted, Swiss jurisdiction
Tutanota: German alternative
Use PGP for extra security when needed

Physical OPSEC

Don't forget meatspace:

Public WiFi: Use for sensitive research (with VPN)
Webcam covers: Assume compromise
Screen privacy filters: Prevent shoulder surfing
Clean desk: Lock screens, secure documents

When Things Go Wrong

Incident Response

If you suspect you've been identified:

Stop immediately — don't try to cover tracks
Document what happened — screenshots, logs
Assess the damage — what did they learn?
Burn compromised accounts — don't reuse
Learn and adapt — update your procedures

Checklist Before Any Investigation

[ ] VPN active
[ ] Dedicated browser/VM
[ ] No personal accounts logged in
[ ] Research accounts ready
[ ] Archive tools prepared
[ ] Notes system ready
[ ] Exit strategy planned

🔐 Join the Community

OPSEC is a skill that improves with practice and peer review.

CloudSINT Discord: https://discord.gg/8WP5VwSS

Share techniques, get feedback on your setup, and learn from investigators who take security seriously.

Part of the OSINT education series. Stay safe out there.

How to Investigate Anyone's Social Media (Legally)

Kyle Brennan — Wed, 11 Feb 2026 19:22:36 +0000

Social media is an OSINT goldmine. People voluntarily share their location, relationships, daily routines, and opinions — often without realizing how much they're revealing.

Here's how investigators extract intelligence from social platforms, and how you can audit your own exposure.

The Fundamentals

Before diving into tools, understand the principles:

People are creatures of habit — same usernames, same profile photos, same posting times
Metadata tells stories — timestamps, locations, tagged accounts
Deleted doesn't mean gone — archives, screenshots, cached versions exist
Connections reveal networks — who someone follows matters as much as what they post

Platform-Specific Techniques

Twitter/X

What you can find:

Historical tweets (even deleted ones via archives)
Follower/following networks
Engagement patterns
Location data from geotagged posts

Tools:

Advanced Search: from:username since:2023-01-01 until:2023-12-31
Wayback Machine: Historical snapshots of profiles
TweetDeck: Monitor multiple accounts/keywords in real-time
Twint (GitHub): Scrape tweets without API limits

Pro tip: Check who someone replies to most frequently — it reveals their real network, not just their public follows.

Instagram

What you can find:

Location history (tagged locations, geotags)
Close relationships (tagged photos, story mentions)
Daily routines (posting times, recurring locations)
Interests and lifestyle

Tools:

Picuki.com: View profiles without an account
StorySaver: Archive stories before they disappear
InstaLoader (GitHub): Download posts, stories, metadata

Pro tip: Instagram stories often reveal more than posts — people are less careful with "temporary" content.

Facebook

What you can find:

Full relationship maps (family, coworkers, classmates)
Life timeline (education, jobs, locations)
Group memberships (interests, communities)
Check-ins and events

Tools:

Facebook Graph Search: Photos liked by [name], Places visited by [name]
StalkFace.com: Alternative interface for searching
WhoPostedWhat.com: Search public posts by keyword/date

Pro tip: Friends lists are often public even when profiles are private. Map the network.

What you can find:

Employment history
Professional connections
Skills and endorsements
Educational background

Tools:

LinkedIn Sales Navigator: Advanced search (paid)
Phantombuster: Automate profile scraping
Google Dorks: site:linkedin.com/in "target name" "company"

Pro tip: People are surprisingly honest on LinkedIn. Job changes, relocations, and professional struggles all get posted.

TikTok

What you can find:

Content interests
Engagement patterns
Sometimes location from backgrounds
Voice/face for identity correlation

Tools:

TikTok's search: Surprisingly powerful
Snaptik.app: Download videos without watermarks
Manual EXIF check: Downloaded videos may contain metadata

Cross-Platform Correlation

The real power comes from connecting dots across platforms:

Username pivoting: Same handle on multiple platforms
Profile photo matching: Reverse image search across networks
Email correlation: Use tools like Epieos to find connected accounts
Writing style analysis: Similar phrases, emoji usage, typos
Timing analysis: Posts at similar times suggest same timezone

Archive Everything

Content disappears. Always archive what you find:

Archive.today: Instant webpage snapshots
Wayback Machine: Submit URLs for archiving
Screenshots with timestamps: Document everything
Hunchly: Browser extension for automatic archiving (paid)

Privacy Implications

Everything in this guide can be done to YOU. Consider:

Audit your own profiles — search yourself like an investigator would
Review tagged photos — others expose your location
Check privacy settings — but assume they're broken
Limit cross-platform links — don't make correlation easy

⚠️ Legal & Ethical Boundaries

Only access public information — don't create fake accounts to bypass privacy settings
Don't harass or stalk — observation isn't interaction
Document your methods — maintain a clear audit trail
Know jurisdiction rules — laws vary by country

🚀 Level Up Your Skills

Want to practice these techniques with other investigators?

Join CloudSINT Discord: https://discord.gg/8WP5VwSS

Live challenges, technique sharing, and a community that takes OPSEC seriously.

Part of the OSINT education series. Follow for more investigation techniques.

15 OSINT Tools Every Investigator Should Know in 2026

Kyle Brennan — Wed, 11 Feb 2026 19:18:45 +0000

Open Source Intelligence (OSINT) isn't just for government agencies anymore. Whether you're a journalist verifying sources, a cybersecurity professional hunting threats, or just someone who wants to understand their own digital footprint — these tools are your starting point.

Here's a no-fluff breakdown of tools that actually work.

🔍 People Search & Social Media

1. Sherlock

Find usernames across 400+ social networks simultaneously.

python3 sherlock username

Best for: Mapping someone's social media presence across platforms.

GitHub: github.com/sherlock-project/sherlock

2. Maigret

Sherlock's more powerful cousin — checks 3000+ sites and builds detailed reports.

maigret username --all-sites

Best for: Deep username investigations when Sherlock isn't enough.

3. WhatsMyName

Web-based username enumeration with constant community updates.

Best for: Quick browser-based searches without installing tools.

📧 Email Intelligence

4. Hunter.io

Find email patterns for any company. Type a domain, get the email format.

Best for: B2B research, finding professional contacts.

5. Have I Been Pwned

Check if an email appeared in data breaches.

Best for: Assessing account security, finding associated accounts.

6. Epieos

Reverse email lookup — finds connected Google accounts, social profiles, and more.

Best for: Mapping the accounts tied to a single email address.

📱 Phone Number OSINT

7. PhoneInfoga

Open-source phone number scanner. Gets carrier info, line type, and attempts social media correlation.

Best for: Initial phone number reconnaissance.

8. Truecaller (with caution)

Massive crowdsourced caller ID database.

Best for: Identifying unknown numbers — but remember, your number is probably in there too.

🌐 Domain & Infrastructure

9. Shodan

The search engine for internet-connected devices. Find exposed servers, webcams, databases.

Best for: Infrastructure mapping, finding exposed assets.

10. Censys

Similar to Shodan but with better certificate transparency data.

Best for: SSL/TLS certificate investigations, finding subdomains.

11. SecurityTrails

Historical DNS data. See what a domain pointed to years ago.

Best for: Tracking infrastructure changes over time.

🗺️ Geolocation & Images

12. Google Lens / TinEye

Reverse image search to find where an image originated or was reposted.

Best for: Verifying image authenticity, finding original sources.

13. ExifTool

Extract metadata from images — including GPS coordinates if they weren't stripped.

exiftool image.jpg

Best for: Finding location data embedded in photos.

14. GeoGuessr Skills + Google Earth

Manual geolocation using visual clues. Road signs, architecture, vegetation, sun position.

Best for: Locating photos/videos when metadata isn't available.

🔐 Data Aggregators

15. IntelX (Intelligence X)

Search engine for darknet content, paste sites, and leaked data.

Best for: Finding leaked credentials, documents, historical data.

⚠️ A Note on Ethics

OSINT is powerful. With power comes responsibility.

Don't stalk people. Seriously.
Verify before you accuse. Correlation isn't proof.
Know your local laws. Some techniques may cross legal lines depending on jurisdiction.
Protect yourself. Use VPNs, separate browsers, and don't let your OSINT trail lead back to you.

🚀 Want to Go Deeper?

We're building a community of OSINT practitioners, cybersecurity researchers, and privacy enthusiasts. No gatekeeping, just skills.

Join CloudSINT Discord: https://discord.gg/8WP5VwSS

Tools, techniques, and real investigations. See you inside.

This guide is part of an ongoing series. Follow for more OSINT breakdowns.

How to Find Anyone's Digital Footprint (And Protect Your Own)

Kyle Brennan — Wed, 11 Feb 2026 19:13:32 +0000

Every click, post, and signup leaves a trace. Your digital footprint is the trail of data you leave across the internet — and most people have no idea how exposed they actually are.

This guide shows you how to map someone's digital presence using OSINT techniques, and more importantly, how to audit and minimize your own.

Part 1: Finding a Digital Footprint

Start With What You Know

Every investigation starts with a seed — a piece of information to pivot from:

Full name
Username
Email address
Phone number
Photo

One piece is enough to unravel the rest.

Step 1: Username Enumeration

Most people reuse usernames. If you find someone's Instagram handle, there's a good chance they use it elsewhere.

Tools:

Sherlock — Checks 400+ platforms
WhatsMyName.app — Browser-based, constantly updated
Maigret — Deep searches across 3000+ sites

What you'll find: Social media accounts, forum memberships, gaming profiles, dating apps, professional networks.

Step 2: Email Pivoting

An email address is a skeleton key.

What to check:

Have I Been Pwned — Breach exposure
Epieos — Connected Google services, social profiles
Hunter.io — Company email patterns
Google search: "email@example.com" (in quotes)

What you'll find: Accounts created with that email, forum posts, leaked databases, professional history.

Step 3: Phone Number OSINT

Phone numbers tie digital and physical identity together.

Tools:

PhoneInfoga — Carrier lookup, line type, OSINT correlation
Truecaller — Crowdsourced caller ID
Sync.me — Similar to Truecaller
Google search: Search the number in quotes

What you'll find: Real name (often), social media accounts, business listings, spam reports.

Step 4: Image Analysis

A face or photo can reveal more than text.

Techniques:

Reverse image search (Google Images, TinEye, Yandex)
PimEyes — Facial recognition search (paid, controversial)
ExifTool — Extract metadata including GPS coordinates

What you'll find: Other profiles using the same photo, original upload location, geolocation data.

Step 5: Historical Data

The internet never forgets — even when you delete things.

Tools:

Wayback Machine (web.archive.org) — Historical snapshots of websites
CachedView — Find Google cached pages
SecurityTrails — Historical DNS records

What you'll find: Deleted content, old bios, previous usernames, domain ownership history.

Part 2: Protecting Your Own Footprint

Now flip the script. Run these same techniques on yourself.

Audit Yourself

Google your name in quotes, with variations
Search your email — see what's public
Run your username through Sherlock/WhatsMyName
Check breach databases — Have I Been Pwned
Reverse image search your profile photos

You might be surprised what's out there.

Minimize Your Exposure

Immediate actions:

Delete unused accounts (use JustDeleteMe.xyz for guides)
Remove personal info from data brokers (opt-out links exist)
Audit privacy settings on all active accounts
Stop reusing usernames across platforms
Use unique emails per service (SimpleLogin, AnonAddy)

Long-term habits:

Use a password manager with unique passwords everywhere
Enable 2FA on everything
Be deliberate about what you post
Assume everything is permanent and public

Compartmentalization

The advanced play: separate identities for separate purposes.

Work identity — Professional, uses real name
Personal identity — Friends and family, limited exposure
Anonymous identity — For sensitive research, activism, or privacy

Different emails, different usernames, different browsers. Never let them cross.

The Bottom Line

Your digital footprint exists whether you manage it or not. The only question is whether you're in control of it.

Two choices:

Ignore it and hope for the best
Understand the techniques, audit yourself regularly, and make informed decisions

🚀 Learn More

Join a community that takes this stuff seriously.

CloudSINT Discord: https://discord.gg/8WP5VwSS

OSINT techniques, privacy strategies, and real discussions with people who actually do this work.

Part of an ongoing OSINT education series.

Forem: Kyle Brennan

The Scariest Things I've Found Using OSINT (That Were Completely Legal)

1. Real-Time Location from Public Fitness Data

2. Baby Photos with GPS Coordinates

3. Corporate Secrets from LinkedIn

4. Home Security Systems... and Their Weaknesses

5. Medical Information from Wearables

6. Financial Situations from Venmo

7. Password Hints from Social Media

What This Means for You

Quick Protection Steps:

The Uncomfortable Reality

I Googled Myself and Now I Can't Sleep: A Privacy Horror Story

The Innocent Beginning

The First Red Flag

Down the Rabbit Hole

The Username Problem

The Photo That Haunted Me

What I Did About It

The Uncomfortable Truth

Your Turn

Phone Number OSINT: How to Investigate Any Phone Number

Why Phone Numbers Are So Revealing

Starting Your Investigation: Basic Number Analysis

Country and Carrier Identification

Number Type Detection

Social Media Reconnaissance

WhatsApp

Telegram

Data Broker and People Search Sites

Free Options

Paid Services

Important Note on Privacy

Checking Data Breaches

Advanced Techniques

Google Dorking

OSINT Frameworks

Protecting Your Own Phone Number

Conclusion

Social Media OSINT: How to Find Anyone's Digital Footprint

Why Social Media OSINT?

Step 1: Start with What You Know

Step 2: Username Enumeration

Step 3: Reverse Email Lookup

Step 4: Image-Based Discovery

Step 5: Google Dorking for Social Profiles

Step 6: Platform-Specific Techniques

Facebook

Instagram

LinkedIn

Twitter/X

Reddit

Step 7: Archived Content

Step 8: Cross-Referencing

Ethical Considerations

Protecting Yourself

Email OSINT: How to Investigate Any Email Address

Step 1: Basic Email Analysis

Step 2: Email Validation

Step 3: Breach Database Searches

Step 4: Social Media Discovery

Step 5: Username Pivoting

Step 6: Google Dorking

Step 7: Domain-Level OSINT

Step 8: Email Header Analysis

Real-World Applications

Ethics and Legality

Reverse Image Search Mastery: Find Anyone From a Photo

The Basics

Search Engines Compared

Google Images

Yandex

TinEye

Bing Visual Search

PimEyes

Advanced Techniques

Cropping Strategy

Search Multiple Engines

Image Modification

Screenshot Method