OSINT for Red Teams: Org Mapping, Person Profiling, and Pretext Crafting
Open source intelligence drives every successful red team. This piece walks through structured org mapping with Maltego and SpiderFoot, person profiling rules of engagement, and how to translate raw OSINT into a pretext that survives a five-minute conversation with a suspicious receptionist.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 17, 2023 · 11 min read
OSINT is not search engine theatre
Good OSINT is a structured intelligence discipline. The goal is a decision-grade picture of the target, not a wall of unrelated screenshots. Treat it like a journalist would, with sources, dates, and confidence levels.
Stage 1: organisation mapping
- theHarvester to seed email and subdomain lists.
- SpiderFoot HX for automated multi-source enrichment.
- Maltego to draw the relationship graph and spot single points of failure.
Identifying tier-2 systems
The crown jewels rarely face the internet. Look for HR, finance, and procurement portals, which are softer targets and often share SSO with the production estate. Vendor portals and supplier extranets are gold for a supply-chain pretext.
Stage 2: person profiling
- LinkedIn for role, reporting line, and start date.
- Conference speaker bios for technical specificity.
- GitHub for code style and project leakage.
- Twitter or Mastodon for tone and availability windows.
Stage 3: pretext crafting
A pretext is a believable story plus a believable reason to act now. Pull real internal vocabulary from the org map, name a real team and a real project, and tie it to a calendar event the target is likely aware of.
Example pretext anatomy
- Identity: a contractor from a named vendor with a real procurement contact.
- Reason: a fault ticket reference matching the ticketing format leaked on a job listing.
- Urgency: tied to an audit window or a real product launch.
- Escape route: a plausible reason to leave fast if questioned.
Document everything
- Confidence levels on every claim, with source URL.
- Date captured, because OSINT decays in weeks.
- Separate folder for raw artefacts and analytical notes.
Tooling that earns its place
- Maltego CE plus a few transforms for graph clarity.
- Recon-ng for repeatable workflows and database backing.
- Hunchly for evidentially sound web capture.
- Datasette for structured analyst notes.
Detection your client should build
- Vendor verification process for inbound contractor calls.
- Out-of-band confirmation for any access request that originates from an email.
- Annual job listing audit to remove internal tooling references.
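The job listing audit above can be scripted. The following is an added example, not code from the article or from BIPI: it scans listing text for three of the leak classes the piece describes (internal tool names, ticket-reference formats, internal hostnames) and assigns a simple weighted score. The watch-list, regexes, weights and sample listing are all constructed assumptions to be replaced with the organisation's own values.

```python
"""Flag internal-tooling and ticket-format leaks in public job listings.

Added example, not part of the original article. The watch-list,
patterns, weights and listing text are constructed; substitute the
organisation's real internal tool names and ticket prefixes.
"""
import re

# Constructed watch-list of internal tool or system names an org would
# not want echoed in a public listing (placeholders, not real products).
INTERNAL_TOOLS = {"ticketforge", "vaultproxy", "hrportal-legacy"}

# Ticket-style identifiers: 2-5 uppercase letters, a dash, 3-7 digits,
# e.g. INC-48213 or CHG-0042. Publishing these reveals the ticketing
# format a caller could mimic, which is exactly the leak the audit hunts.
TICKET_RE = re.compile(r"\b([A-Z]{2,5})-(\d{3,7})\b")

# Hostnames on internal-only suffixes that should never appear publicly.
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+\.(?:corp|internal|intranet|local)\b", re.I)


def audit_listing(text: str) -> dict:
    """Return findings for one listing, grouped by leak category."""
    lower = text.lower()
    tools = sorted(t for t in INTERNAL_TOOLS if t in lower)
    ticket_prefixes = sorted({m.group(1) for m in TICKET_RE.finditer(text)})
    hosts = sorted({m.group(0).lower() for m in INTERNAL_HOST_RE.finditer(text)})
    return {"tools": tools, "ticket_prefixes": ticket_prefixes, "hosts": hosts}


def risk_score(findings: dict) -> int:
    """Weighted score (assumed weights): ticket formats and hostnames
    are rated higher than a bare tool name because they are directly
    reusable in a pretext."""
    return (len(findings["tools"]) * 1
            + len(findings["ticket_prefixes"]) * 2
            + len(findings["hosts"]) * 3)


# Constructed sample listing with deliberate leaks of each category.
SAMPLE_LISTING = """
Senior Service Desk Analyst
You will triage incidents in TicketForge (refs look like INC-48213 and CHG-0042),
maintain the HRPortal-Legacy integration, and run reports from reports.corp
for the finance team. Experience with ServiceNow a plus.
"""

if __name__ == "__main__":
    findings = audit_listing(SAMPLE_LISTING)
    print(findings, "score:", risk_score(findings))
```

Run it over every live listing on the careers page and any job board export; anything scoring above zero goes back to the hiring manager for rewording before it is reposted.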
Remediation
- OSINT exposure assessment as part of major announcement risk reviews.
- Employee guidance on public profile content for sensitive roles.
- Procurement portal hardening and credential separation from production SSO.
A pretext that names the right team and the right ticketing format buys you fifteen minutes of trust.