Cyber Pulse Academy

TA0043 · Reconnaissance

T1593: Search Open Websites/Domains

Adversaries may search freely available websites and domains for information about victims that can be used during targeting. The technique needs nothing more than data that is already public on the open internet, from which an attacker assembles a targeting profile. ATT&CK splits it into three sub-techniques: T1593.001 (Social Media), T1593.002 (Search Engines) and T1593.003 (Code Repositories).

MITRE ATT&CK | T1593 · Pre-Attack · Reconnaissance | OSINT

🖥️ Simulation: Open Web Reconnaissance in Action

CSS-only animation: browser tabs cycle through a corporate site, a job board, a tech forum and a press-release page, with data-extraction highlights and a cursor sweep across the content, simulating how an adversary systematically scrapes open websites for intelligence. The four simulated tabs and what each one gives away:

🏢 target-corp.com (corporate site): Target Corporation · Enterprise · Since 2002

📋 indeed.com (job board):
  • Senior AWS Cloud Engineer: Amazon EC2 · S3 · Lambda · Kubernetes
  • DevOps Lead, Infrastructure: Docker · Terraform · Ansible · CI/CD
  • Cybersecurity Analyst, SOC: Splunk · CrowdStrike · SIEM · Incident Response
  • Database Administrator, PostgreSQL: PostgreSQL · MongoDB · Redis · Backup Strategies

💬 reddit.com/r/careers (tech forum):
  • u/tech_recruiter_42: "Anyone interviewing at Target Corp? Their tech stack is mostly AWS with some legacy on-prem VMware. DM me for referral."
  • u/sysadmin_mike: "Former Target employee here. They migrated to Okta SSO last year. Still running some old Exchange servers internally though."
  • u/cloud_arch_sarah: "Their new office in Austin is hiring like crazy. Mostly remote positions though. Heard they use GitHub Enterprise for repos."

📰 news.target-corp.com (press releases):
  • March 15, 2025: Target Corp Announces $50M Digital Transformation Initiative. The company will migrate all remaining on-premises infrastructure to AWS by Q3 2025, including legacy ERP systems...
  • February 28, 2025: New Chief Information Security Officer Appointed. Former NSA cybersecurity analyst Jennifer Walsh joins as CISO to lead the company's zero-trust architecture initiative...
  • January 10, 2025: Target Corp Expands Austin Engineering Hub. The new 200-person engineering office will focus on cloud-native development using Kubernetes and microservices architecture...

Profile assembled from the four tabs:
  ☁️ AWS · Kubernetes · Okta SSO
  🏢 Austin TX · 200 engineers
  🔑 GitHub Enterprise · Splunk
  📅 Migration deadline: Q3 2025

Why It Matters

  • 92% of cyberattacks begin with open-source reconnaissance
  • $4.88M global average cost of a data breach (IBM Cost of a Data Breach Report, 2024); that figure covers all breaches, not only OSINT-driven ones
  • 73% of organizations have exposed sensitive data on public websites
  • 300% increase in web-based OSINT collection since 2020

Search Open Websites/Domains (T1593) is one of the most pervasive reconnaissance techniques because it requires zero technical exploitation. Adversaries don't need to bypass firewalls, crack passwords or exploit vulnerabilities; they simply read what organizations have already published. Every corporate "About Us" page, every job posting listing specific technologies, every press release announcing a new office location and every employee LinkedIn profile is a freely available intelligence source that helps attackers build detailed targeting profiles.


CISA advisories routinely describe open-source reconnaissance as the opening stage of an intrusion, and NIST's risk-management guidance expects organizations to understand their externally visible attack surface: the sum of everything published about them online. MITRE ATT&CK places the technique under Reconnaissance (TA0043) and notes that what it turns up feeds further reconnaissance (for example T1596, Search Open Technical Databases, or T1589, Gather Victim Identity Information), resource development and initial-access techniques such as phishing.


The danger is compounded by the fact that most organizations are unaware of how much sensitive information they expose. Job postings reveal technology stacks. Press releases reveal organizational changes. Forum posts by employees reveal internal tools and processes. Social media profiles reveal personal connections. When combined, these scattered data points create a comprehensive intelligence dossier that costs the attacker nothing but time.

📚 Key Terms & Concepts

| Term | Definition | Everyday Analogy |
| --- | --- | --- |
| OSINT | Open Source Intelligence: collecting information from publicly accessible sources such as websites, social media, forums and public records. | Reading the bulletin board at a grocery store to learn about upcoming community events. |
| Passive Reconnaissance | Gathering intelligence without directly interacting with the target's systems. The target has no way of knowing they are being observed. | Walking past someone's house and looking at their mailbox, yard signs and car in the driveway; no trespassing required. |
| Digital Footprint | The total trace of information an organization or individual leaves on the internet: websites, social media, job posts, forums, press releases, etc. | The trail of footprints you leave in fresh snow; anyone can follow them to figure out where you've been. |
| Google Dorking | Using advanced search operators (site:, inurl:, intitle:, filetype:) to find specific, sensitive information indexed by search engines. | Using the library's card catalog with very specific search filters to find exactly which shelf a particular book is on. |
| Web Scraping | Automated extraction of data from websites using bots or scripts that systematically collect structured information from web pages. | Having a robot read every page of a phone book and copy all the names and addresses into a spreadsheet. |
| Public Attack Surface | The total amount of information about an organization that is publicly accessible and could be used by attackers for planning. | All the windows and doors of a house that are visible from the street; a burglar surveys these before deciding how to break in. |
| Social Engineering Intelligence | Information gathered from open websites that helps craft convincing social engineering attacks such as spear-phishing or pretexting. | Reading a person's social media to learn their hobbies, pet names and vacation plans so you can impersonate a friend convincingly. |
| Technology Profiling | Identifying the software, hardware and platforms used by a target organization through job postings, documentation and public technical resources. | Looking at a restaurant's menu and online reviews to figure out their suppliers and kitchen equipment before opening a competing restaurant. |

📖 Real-World Scenario


Victoria Chen, CISO at Pinnacle Healthcare Group

11,000 employees · 24 hospitals · $2.3B annual revenue
Before: The False Sense of Security

Victoria was confident in her security posture. Pinnacle Healthcare had invested $8 million in next-gen firewalls, endpoint detection, and a 24/7 SOC. Compliance audits were clean. Penetration tests showed no critical vulnerabilities. "We're hardened," she told the board in January 2025. "Our perimeter is solid."


What Victoria didn't realize was that Pinnacle's public internet presence was a goldmine of intelligence. The hospital system's website listed detailed department structures with employee names. Job postings on Indeed and LinkedIn explicitly mentioned they used Epic EHR software on VMware infrastructure, connected to an Azure cloud environment. Press releases from 2023 announced a new telemedicine platform built with a specific set of APIs. A Reddit thread from a former employee mentioned that the IT department still used an older version of Cisco VPN for remote access. The company's LinkedIn page showed 47 job openings, with many requiring specific certifications , revealing exactly what security tools and processes the SOC used.

The Attack: OSINT-Driven Spear-Phishing Campaign

In March 2025, a sophisticated threat group spent three weeks conducting purely passive reconnaissance. They never touched a single Pinnacle system. Instead, they scraped the hospital's website, harvested LinkedIn profiles of 200+ employees, downloaded every job posting from six different job boards, archived press releases, and monitored forum discussions.


From job postings, they learned the IT team used Splunk for SIEM, CrowdStrike for EDR, and Cisco AnyConnect for VPN. From LinkedIn, they identified 15 system administrators and their reporting structure. From a press release about a new patient portal, they found the development vendor and API documentation publicly hosted. From forum posts, they confirmed the VPN version and that some departments still used Internet Explorer for legacy applications.


Armed with this intelligence, the attackers crafted a highly targeted spear-phishing email impersonating the CEO and referencing the telemedicine platform mentioned in the press release. It went to a specific system administrator whose name, role and email address format they had discovered through T1593.001 (Social Media) and T1593.002 (Search Engines). Because the email referenced real, verifiable details (project names, vendor names, internal tools), it got past both the mail filters and the recipient's skepticism.

After: $4.2M and 380,000 Patient Records

The phishing email led to credential theft; the stolen credentials were used to log in through the VPN, and from there the attackers moved laterally to the patient records database. The breach exposed 380,000 patient records including Social Security numbers, medical histories and insurance information. Total incident cost reached $4.2 million including forensic investigation, breach notification, credit monitoring services, regulatory fines and lost business. The board asked Victoria one question: "How did they know exactly who to target and what to say?"


The answer was devastating: "They read our own website and job postings." Every piece of intelligence the attackers used was publicly available. Not a single system was compromised to gather it. The attack was planned entirely using T1593 (Search Open Websites/Domains) combined with T1589 (Gather Victim Identity Information) and T1591 (Gather Victim Org Information).

Day 1-7: Attacker scrapes corporate website, harvests 200+ employee names from LinkedIn
Day 8-14: Job postings analyzed; Splunk, CrowdStrike, Cisco VPN, Azure and Epic EHR identified
Day 15-21: Forum posts and press releases provide vendor names, API docs and project codenames
Day 22: Precision spear-phishing email deployed; 380K records breached, $4.2M impact

🛡️ Step-by-Step Protection Guide

  1. Conduct a Public Footprint Audit

    Systematically review every piece of information your organization has published online. Check your corporate website, social media profiles, job postings on all major platforms, press releases, employee directories, and any third-party sites where your organization is mentioned.

    • Search for your organization's name, domain, and key employee names on major search engines
    • Review cached and archived versions of pages using the Wayback Machine
    • Check job postings on LinkedIn, Indeed, Glassdoor, and niche industry job boards
    • Run the same search-engine dork queries an attacker would (T1593.002): site:yourdomain.com combined with terms such as "confidential" or "internal", or with filetype:pdf / filetype:xlsx, and review what is actually indexed
    [DETECT] [MONITOR]
  2. Implement an Information Disclosure Policy

    Create and enforce strict policies governing what information can be published publicly. This includes website content, social media posts by employees, job descriptions, press releases, and conference presentations.

    • Establish approval workflows for all publicly published content
    • Create guidelines for employees on social media mentions of the organization
    • Review and sanitize job descriptions to remove unnecessary technology specifics
    • Include security review as part of the marketing and communications process
    [PREVENT] [RESPOND]
  3. Sanitize Job Postings and Public Documentation

    Job postings are one of the richest intelligence sources for attackers. They reveal technology stacks, security tools, infrastructure platforms, and organizational structure. Review and rewrite job descriptions to share only what is absolutely necessary.

    • Replace specific tool names with generic categories (e.g., "SIEM platform experience" instead of "Splunk")
    • Avoid listing specific software versions, patch levels, or infrastructure configurations
    • Remove internal project names, codenames, and department-specific terminology
    • Coordinate with HR and recruiting teams on information security awareness
    [PREVENT] [MONITOR]
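As an added example (not code from the original page), the following Python script acts as a job-posting linter for step 3: it flags vendor names, product versions and internal codenames in a draft posting and produces a redacted draft with the generic category in brackets for the recruiter to rewrite. The product lists, the category wording and the sample posting (including the codename "Project Falcon-Nest") are constructed for the example; extend the lists with your own stack.

```python
import re
from dataclasses import dataclass

# Generic wording to use instead of vendor names, plus the names that reveal the stack.
# The product lists are illustrative, not exhaustive; extend them for your own toolchain.
# Order matters: earlier categories win when two patterns could match the same text
# (so "Azure AD" is classed as an identity provider before "Azure" is classed as cloud).
CATEGORIES = {
    "idp":      ("SSO/identity provider",     r"okta|ping identity|azure ad|entra id|onelogin"),
    "siem":     ("SIEM platform",             r"splunk|qradar|logrhythm|microsoft sentinel|elastic security"),
    "edr":      ("EDR/endpoint security",     r"crowdstrike(?: falcon)?|sentinelone|carbon black|defender for endpoint"),
    "vpn":      ("enterprise VPN",            r"cisco anyconnect|anyconnect|globalprotect|forticlient|pulse secure"),
    "firewall": ("enterprise firewall",       r"cisco asa|palo alto(?: networks)?|fortigate|check point"),
    "cloud":    ("public cloud provider",     r"aws|amazon web services|azure|gcp|google cloud"),
    "virt":     ("virtualization platform",   r"vmware(?: vsphere| esxi)?|hyper-v|proxmox"),
    "database": ("relational/NoSQL database", r"postgresql|postgres|mysql|oracle database|mongodb|redis|sql server"),
    "ehr":      ("clinical EHR platform",     r"epic ehr|epic systems|cerner"),
}
# Optional version/model suffix glued to a product name: "Splunk 8.2", "PostgreSQL 15",
# "Cisco ASA 5516-X", "vSphere version 7.0". Single bare digits are left alone ("Okta 2 years").
VERSION = r"(?:\s+(?:v(?:ersion)?\s*\d+(?:\.\d+)*|\d+(?:\.\d+)+|\d{2,}(?:-[A-Za-z0-9]+)?))?"
PRODUCT_RE = re.compile(
    "|".join(rf"(?P<{cat}>\b(?:{names})\b{VERSION})" for cat, (_, names) in CATEGORIES.items()),
    re.IGNORECASE,
)
# Stand-alone version mentions with no known product in front of them.
VERSION_RE = re.compile(r"\b(?:version|ver\.?|v)\s?\d+(?:\.\d+)*\b", re.IGNORECASE)


@dataclass
class Finding:
    start: int
    end: int
    term: str        # the text as written in the posting
    category: str
    suggestion: str  # generic wording to put in its place


def review(text, internal_terms=()):
    """Return non-overlapping findings in document order (earliest match wins on overlap)."""
    findings = []
    for m in PRODUCT_RE.finditer(text):
        cat = m.lastgroup  # only the category groups capture, so this is the category name
        findings.append(Finding(m.start(), m.end(), m.group(0), cat, CATEGORIES[cat][0]))
    for m in VERSION_RE.finditer(text):
        findings.append(Finding(m.start(), m.end(), m.group(0), "version", "version number removed"))
    for term in internal_terms:  # codenames are organization-specific; supply your own list
        for m in re.finditer(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE):
            findings.append(Finding(m.start(), m.end(), m.group(0), "internal", "internal project"))
    findings.sort(key=lambda f: (f.start, -f.end))
    kept, last_end = [], -1
    for f in findings:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def redact(text, internal_terms=()):
    """Produce a draft with each disclosure replaced by its bracketed generic category."""
    out, pos = [], 0
    for f in review(text, internal_terms):
        out.append(text[pos:f.start])
        out.append(f"[{f.suggestion}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample posting; "Project Falcon-Nest" is a made-up internal codename.
SAMPLE_POSTING = (
    "Cybersecurity Analyst, SOC. Requirements: 3+ years with Splunk 8.2 and CrowdStrike Falcon; "
    "tune Cisco ASA 5516-X policies; support PostgreSQL 15 clusters on AWS; maintain Okta integrations; "
    "familiarity with Project Falcon-Nest (our telemetry pipeline) and Epic EHR interfaces."
)
INTERNAL_TERMS = ["Project Falcon-Nest"]

if __name__ == "__main__":
    for f in review(SAMPLE_POSTING, INTERNAL_TERMS):
        print(f"{f.category:9s} {f.term!r:28s} -> {f.suggestion}")
    print()
    print(redact(SAMPLE_POSTING, INTERNAL_TERMS))
```

Run it as a pre-publication check inside the recruiting workflow: a non-empty `review()` result means the draft goes back to the hiring manager with the bracketed version as the starting point. The linter deliberately errs toward flagging; a human still decides whether "experience with AWS" is acceptable for a given role.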
  4. Monitor Code Repositories and Technical Content

    Public code repositories, documentation sites, and developer forums frequently contain sensitive organizational information. Internal code snippets, configuration files, API keys, and infrastructure details can be accidentally published.

    • Search GitHub, GitLab, and Bitbucket for your organization's name, domain, and internal project names
    • Implement pre-commit hooks that prevent accidental credential leaks in code repositories
    • Monitor developer forums like Stack Overflow for employees posting internal details
    • Search code repositories the way an attacker would (T1593.003, Code Repositories) to see what is already findable before they do
    [DETECT] [PREVENT]
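An added example, not code from the original page: a minimal git pre-commit hook in Python that scans only the staged additions (`git diff --cached --unified=0`) for the publicly documented token formats of a few providers (AWS access key IDs, GitHub personal access tokens, Slack tokens, PEM private keys) and for generic `name = value` assignments whose value looks random rather than like a template. The sample diff is constructed; the AWS key in it is the `AKIAIOSFODNN7EXAMPLE` placeholder from AWS documentation and the GitHub token is a made-up string of the right length.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse a commit whose staged additions look like credentials.
Install by copying to .git/hooks/pre-commit and making it executable (or wiring it into
the pre-commit framework)."""
import math
import re
import subprocess
import sys

# Provider token shapes, using each provider's published format.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "name = value" where the name suggests a secret and the value is 8+ chars.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?token|auth[_-]?token|token)"
    r"\s*[:=]\s*[\'\"]?([^\'\"\s,;]{8,})")
# Values that are clearly templates or dummies, not leaked secrets.
PLACEHOLDER = re.compile(
    r"^(?:\$\{.*\}|<.*>|\{\{.*\}\}|x{4,}|\*{4,}|changeme|change_me|example|dummy|your[_-].*|password)$",
    re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, words and templates score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def added_lines(diff_text):
    """Yield (path, new_lineno, text) for every '+' line in a unified diff."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK.match(raw)
        if m:
            lineno = int(m.group(1))  # first line number of the hunk in the new file
            continue
        if raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1               # unchanged context line advances new-file numbering
        # '-' lines and headers do not advance the new-file line number


def scan_diff(diff_text, min_entropy=3.0):
    """Return (path, lineno, kind, value) for each credential-looking addition."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        hits = [(name, m.group(0)) for name, pat in SPECIFIC_PATTERNS.items()
                for m in pat.finditer(text)]
        if hits:
            findings.extend((path, lineno, name, value) for name, value in hits)
            continue  # a provider-format hit already explains this line
        for m in ASSIGNMENT.finditer(text):
            value = m.group(2)
            if PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
                continue  # template variable, dummy value, or a plain word
            findings.append((path, lineno, "hardcoded_" + m.group(1).lower(), value))
    return findings


# Constructed diff for demonstration. The AWS key is the documentation placeholder
# AKIAIOSFODNN7EXAMPLE; the GitHub token is a made-up string of the right length.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,0 +11,5 @@
+DB_PASSWORD = "changeme"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "${API_KEY}"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
+SIGNING_SECRET = "k9Zt2QpX7mL4vR8nB3cY6wA1dF5hJ0eG"
"""

if __name__ == "__main__":
    staged = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                            capture_output=True, text=True).stdout
    found = scan_diff(staged)
    for path, lineno, kind, value in found:
        print(f"{path}:{lineno}: {kind}: {value[:6]}...")  # never echo the whole secret
    sys.exit(1 if found else 0)
```

The hook only sees what is staged, so a secret that was committed last week is not caught; pair it with a one-off history scan before the repository is ever made public, and treat any hit on a real token as a rotation event, not a cleanup event, because the value may already be in a clone.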
  5. Deploy Dark Web and OSINT Monitoring

    Proactively monitor where your organization's information appears online. Set up alerts for new mentions of your organization, domain, key personnel, and internal project names across the open web, social media, and dark web forums.

    • Set up Google Alerts for your organization name, domain, and key executive names
    • Use commercial OSINT monitoring platforms for continuous threat intelligence
    • Monitor paste sites and data breach databases for leaked credentials or internal documents
    • Track mentions on social media platforms (T1593.001) and industry forums
    [DETECT] [MONITOR]
  6. Train Employees on Social Engineering Awareness

    Since open website reconnaissance directly enables social engineering attacks, your workforce must understand how their public online activity contributes to the organization's attack surface. Regular, realistic training is essential.

    • Conduct quarterly phishing simulations using emails that reference real public information about your organization
    • Educate employees on the risks of sharing work details on personal social media accounts
    • Create clear reporting channels for employees who notice suspicious activity or information leaks
    • Include OSINT awareness in security onboarding for all new hires, especially in IT and engineering roles
    [PREVENT] [RESPOND]
  7. Establish a Continuous Exposure Reduction Program

    Minimizing public exposure is not a one-time project; it requires an ongoing, systematic program. Regularly re-audit your public footprint, update policies, and adapt as new platforms and information sources emerge.

    • Schedule quarterly public footprint assessments and compare results over time
    • Implement automated tools that continuously scan for newly exposed sensitive information
    • Create an incident response plan specifically for information disclosure events
    • Correlate your findings with related techniques like T1596 and T1589 to understand the full reconnaissance picture
    [RESPOND] [MONITOR]

⚠️ Common Mistakes & Best Practices

❌ Common Mistakes
Publishing detailed technology stacks in job postings. Job descriptions that list "Splunk 8.2," "Cisco ASA 5516-X," or "PostgreSQL 15" give attackers a precise map of your security infrastructure and database platforms. An attacker who learns the exact version can check a vulnerability database for CVEs affecting that release before sending a single packet.
Leaving employee directories and org charts publicly accessible. "Meet Our Team" pages with names, titles, photos, email formats, and LinkedIn links provide everything an attacker needs for T1589 identity gathering and targeted social engineering campaigns.
Ignoring cached and archived web content. Even if you remove sensitive information from your current website, search-engine caches, the Wayback Machine, and third-party aggregators may retain copies indefinitely. Organizations that publish and later delete sensitive content often assume it's gone; it usually isn't.
Allowing developers to discuss internal tools on public forums. Stack Overflow questions, Reddit posts, and GitHub issues where employees ask about internal systems, configurations, or error messages can reveal infrastructure details, software versions, and security weaknesses.
Treating OSINT as a low-priority threat. Because T1593 doesn't involve any technical exploitation, organizations often underestimate its impact. In reality it is the groundwork for most targeted attacks, from spear-phishing to supply chain compromise.
✅ Best Practices
Implement a public information review process. Establish a security-awareness gate for all content before it's published publicly. Marketing, HR, and communications teams should coordinate with information security to review press releases, job postings, website content, and social media strategy for sensitive disclosures.
Conduct regular "adversary view" audits. Periodically, have your security team (or a third-party assessor) compile an intelligence dossier on your organization using only publicly available information. Compare what they find against what you expect to be public. The gap between these two is your uncontrolled exposure.
Use generic technology descriptions in public-facing content. Instead of naming specific vendors and versions in job postings, use functional descriptions. "Enterprise SIEM experience" communicates the skill requirement without revealing your exact toolchain. "Cloud infrastructure management" is equally informative for candidates but useless for attackers.
Deploy automated OSINT monitoring and alerting. Use commercial threat intelligence platforms or custom solutions to continuously monitor the open web, social media, code repositories, paste sites, and dark web forums for mentions of your organization, domain, key personnel, and internal project names.
Integrate OSINT awareness into security culture. Train all employees, not just IT and security staff, on the risks of oversharing organizational information online. Make it part of onboarding, include it in annual security awareness training, and reinforce it with realistic phishing simulations that leverage real public information about your organization.

⚔️ Red Team vs Blue Team

🔴 Red Team: Attacker Perspective
  • 🎯
    Systematic website enumeration: Begin by identifying all domains and subdomains associated with the target using search-engine dorking (T1593.002) together with passive DNS and certificate-transparency lookups (those sources fall under T1596, Search Open Technical Databases). Map every web property the organization operates.
  • 📋
    Job posting analysis for technology profiling: Scrape job boards to identify the specific software, hardware, cloud platforms, and security tools in use. Requirements often name exact products and versions, which can be checked against published vulnerabilities.
  • 👥
    Employee identification via social media: Use T1593.001 (Social Media) to map the organizational chart, identify key personnel (C-suite, IT admins, finance), and harvest email addresses using naming conventions derived from discovered employee names.
  • 💻
    Code repository reconnaissance: Search public code repositories (T1593.003) for leaked source code, configuration files, API keys, hardcoded credentials, and internal tooling that reveals infrastructure architecture.
  • 📰
    Press release and news intelligence: Analyze press releases, news articles, and blog posts to identify recent organizational changes (new CISO, mergers, office openings), new technology initiatives, vendor relationships, and project timelines that create attack windows.
🔵 Blue Team: Defender Perspective
  • 🔍
    Public exposure assessments: Conduct quarterly "red team yourself" exercises where defenders compile an intelligence dossier using only open sources. Identify what information should not be publicly available and take corrective action.
  • 📝
    Information classification and publishing controls: Implement strict approval workflows for all publicly published content. Ensure HR, marketing, and engineering teams understand what constitutes sensitive information that should not appear in job postings, press releases, or documentation.
  • 🤖
    Automated OSINT monitoring: Deploy continuous monitoring solutions that alert when new information about the organization appears online: new job postings, social media mentions, code repository commits, forum discussions, and data breach exposures.
  • 🧠
    Security-aware workforce training: Educate employees that their personal social media activity, conference presentations, forum posts, and even LinkedIn profiles contribute to the organization's attack surface. Train them to recognize and avoid information oversharing.
  • 🔗
    Cross-technique correlation: Understand that T1593 feeds into related techniques. Monitor for signs that attackers are combining web reconnaissance with T1596 (Technical Databases), T1589 (Identity Info), and T1591 (Org Info) to build comprehensive targeting profiles.

👁️ Threat Hunter's Eye

What to look for , explained in safe, legal, non-technical language. These are patterns that indicate someone may be systematically gathering intelligence about your organization from public sources.

Pattern 1

Search-Engine Referrers Landing on Sensitive Pages

Review your web analytics or access logs for visitors who arrive from a search engine directly on pages that should never be landing pages: anything under /admin, /internal, /config or similar. Years ago the Referer header carried the visitor's search terms, so a query such as "site:yourcompany.com password" was visible to you; the major engines now strip the query, so in practice the landing page, the response code (404s on probed paths count too) and the request pattern are the signals you will actually have. Where a query string does survive, dork operators (site:, inurl:, intitle:, filetype:) combined with words like "password", "internal", "admin" or "config" indicate someone working through your indexed content deliberately (T1593.002).

Example analytics filter: Referrer contains "google.com" AND (Landing page starts with "/admin" OR "/internal" OR "/config")
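An added example that is not from the original page: a Python detector that runs the checks described above over Apache/nginx combined-format access logs. It reports (1) search-engine referrers that still carry a dork-style query, (2) landing pages under sensitive paths, and (3) one client fetching many distinct pages inside a short window, which is how scraping for T1593 looks from the server side. The log lines are constructed (RFC 5737 documentation addresses); the path list, term list and thresholds are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
SEARCH_ENGINE_RE = re.compile(r"(^|\.)(google\.[a-z.]+|bing\.com|duckduckgo\.com|yahoo\.com|yandex\.[a-z]+)$")
DORK_OPERATORS = ("site:", "inurl:", "intitle:", "intext:", "filetype:", "ext:")
SENSITIVE_TERMS = ("password", "passwd", "admin", "internal", "config", "confidential", "credentials", "backup")
SENSITIVE_PATHS = ("/admin", "/internal", "/config", "/backup", "/.git", "/.env", "/wp-admin")
AUTOMATION_UA = re.compile(r"python-requests|python-urllib|curl/|wget/|scrapy|go-http-client|libwww|httpclient",
                           re.IGNORECASE)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def search_query(referrer):
    """Search terms carried in a search-engine referrer, or None.
    Major engines now strip the query from the Referer header, so this is usually None;
    treat a hit as a bonus signal, not the primary one."""
    if not referrer or referrer == "-":
        return None
    u = urlparse(referrer)
    if not SEARCH_ENGINE_RE.search(u.netloc.lower()):
        return None
    values = parse_qs(u.query).get("q") or parse_qs(u.query).get("p")  # Yahoo uses p=
    return values[0] if values else None


def dork_indicators(query):
    q = query.lower()
    return [tok for tok in DORK_OPERATORS + SENSITIVE_TERMS if tok in q]


def scraper_ips(records, window_seconds=60, min_pages=5):
    """Flag clients that fetch many distinct pages inside a short window (systematic scraping)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(reqs):
            pages = {r["path"] for r in reqs[i:]
                     if (r["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(pages) >= min_pages:
                flagged.append({"ip": ip, "pages": len(pages),
                                "automated_ua": bool(AUTOMATION_UA.search(first["ua"]))})
                break
    return flagged


def analyze(lines, **window_kwargs):
    records = [r for r in map(parse_line, lines) if r]
    referrer_alerts, sensitive_hits = [], []
    for r in records:
        if r["path"].lower().startswith(SENSITIVE_PATHS):
            sensitive_hits.append((r["ip"], r["path"], r["status"]))
        q = search_query(r["ref"])
        if q and dork_indicators(q):
            referrer_alerts.append({"ip": r["ip"], "path": r["path"], "query": q,
                                    "matched": dork_indicators(q)})
    return {"referrer_alerts": referrer_alerts, "sensitive_paths": sensitive_hits,
            "scrapers": scraper_ips(records, **window_kwargs)}


# Constructed log lines (RFC 5737 documentation addresses, fictional site example.com).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:14:03:21 +0000] "GET /admin/ HTTP/1.1" 200 5120 "https://www.google.com/search?q=site%3Aexample.com+admin+password" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.7 - - [10/Mar/2025:14:03:25 +0000] "GET /internal/config.txt HTTP/1.1" 404 210 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '198.51.100.20 - - [10/Mar/2025:14:05:00 +0000] "GET /about/team HTTP/1.1" 200 8830 "-" "python-requests/2.31.0"',
    '198.51.100.20 - - [10/Mar/2025:14:05:01 +0000] "GET /about/team/alice-chen HTTP/1.1" 200 3120 "-" "python-requests/2.31.0"',
    '198.51.100.20 - - [10/Mar/2025:14:05:02 +0000] "GET /about/team/bob-singh HTTP/1.1" 200 3090 "-" "python-requests/2.31.0"',
    '198.51.100.20 - - [10/Mar/2025:14:05:03 +0000] "GET /careers HTTP/1.1" 200 7710 "-" "python-requests/2.31.0"',
    '198.51.100.20 - - [10/Mar/2025:14:05:04 +0000] "GET /careers/4412-cloud-engineer HTTP/1.1" 200 4400 "-" "python-requests/2.31.0"',
    '198.51.100.20 - - [10/Mar/2025:14:05:05 +0000] "GET /news/press-releases HTTP/1.1" 200 9100 "-" "python-requests/2.31.0"',
    '192.0.2.55 - - [10/Mar/2025:14:06:40 +0000] "GET /careers HTTP/1.1" 200 7710 "https://www.linkedin.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"',
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2, default=str))
```

The scraper rule fires on the fourth client above (six distinct pages in five seconds with a `python-requests` user agent) but not on the two-request visitor from Google, and the sensitive-path rule catches the probe for `/internal/config.txt` even though it returned 404. Tune `min_pages` and the window against your own crawler traffic before alerting on it; legitimate search-engine bots will trip the same rule and should be allow-listed by verified reverse DNS, not by user-agent string.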
Pattern 2

Employee Social Media Profiles Receiving Unusual Attention

If multiple employees, particularly in IT, security, finance, or executive roles, report connection requests or profile views from unfamiliar accounts, especially those with generic profiles or recently created accounts, it may indicate an adversary is mapping your organizational structure through social media reconnaissance (T1593.001).

Indicators: Multiple employees report new follower/view notifications from accounts created within the last 30 days, with minimal profile information and no mutual connections.
Pattern 3

Job Posting Aggregation from Multiple Platforms

If you notice your organization's job postings being scraped and reposted on unusual job aggregator sites, or if you receive inquiries about positions from candidates who found listings on platforms where you didn't post, it may indicate automated job posting collection, a common technique for technology profiling.

Action: Search for your company name + "jobs" across lesser-known job boards. Check if postings appear on sites you didn't authorize. Look for job postings being archived on third-party sites.
Pattern 4

Code Repository Mentions of Internal Projects

Regularly search public code repositories (GitHub, GitLab, Bitbucket) and developer Q&A sites (Stack Overflow) for mentions of your organization's name, internal project codenames, domain names, or unique internal terminology. Developers may inadvertently push code containing credentials, API keys, configuration details, or internal architecture documentation.

Search: GitHub code search for "yourcompany" OR "your-domain.com" OR "internal-project-name"; sort by recently updated repositories and review recently opened issues and pull requests.
Pattern 5

Third-Party Data Breach Notifications

When third-party services (vendors, partners, job boards, conference platforms) suffer data breaches, your organization's information may be exposed even if you weren't directly targeted. Monitor breach notification databases and have a process to assess the impact when a third-party breach includes your employees' data.

Monitor: Have I Been Pwned (haveibeenpwned.com) for your corporate domain. Set alerts on breach notification services. Review vendor security posture as part of business relationship assessment.
Pattern 6

Competitive Intelligence Tools Indexing Your Organization

Legitimate business intelligence tools (BuiltWith, Wappalyzer, SimilarTech) publicly display the technology stacks detected on your websites. Attackers use these same tools. Regularly check what these services reveal about your organization and work to minimize unnecessary technology exposure.

Action: Visit builtwith.com/your-domain.com and similar services. Review the complete technology profile they've compiled. Identify any technologies you didn't expect to be publicly detected.

📢 Join the Discussion

Help Strengthen Collective Defenses

Open website reconnaissance is the quiet groundwork behind most targeted attacks. By understanding how adversaries use T1593 and its sub-techniques, you can significantly reduce your organization's public attack surface. Share your experiences, ask questions, and help the community build better defenses against OSINT-based threats.
