
Your Digital Ghost and why it matters

NOTE: In this series of posts, we revisit recent presentations delivered at MU.SCL and provide additional context around the slide decks shared here. While a written post cannot fully reproduce the depth, examples, and discussion of a live session, it should help readers better understand the topic, the key messages, and the practical points behind the slides.

Most organisations still think of a cyber attack as something that starts when an attacker touches their systems. A phishing email arrives, a VPN login fails, a scanner appears in the firewall logs, or an endpoint alert is triggered. At that point, security teams start investigating and everyone agrees that something has begun.

But in many cases, the attack started earlier.

Not in a way that generated logs or triggered an alert, but in the attacker's preparation. Before the first malicious packet reaches the perimeter, the attacker may already know your domains, subdomains, email format, cloud providers, exposed services, technology stack, key employees, job openings, public documents, leaked credentials, and likely executive targets.

This is the reality of OSINT, or Open Source Intelligence. It is not hacking. It is not illegal access. It is the collection and analysis of information that is already publicly available, commercially available, indexed by search engines, leaked elsewhere, published by the organisation, or shared indirectly by employees and suppliers.

The issue is not that an organisation has a public presence. Every functioning business does. The issue is that small fragments of public information can become operational intelligence when they are collected and correlated. A LinkedIn profile is not a breach. A DNS record is not a breach. A job advert is not a breach. A public PDF is not a breach. A certificate transparency entry is not a breach. But together, they may tell an attacker where to look, who to target, what technology to prepare for, and which pretext is most likely to work.

That is your digital ghost: the version of your organisation that exists outside your control, assembled from public traces, old data, business activity, employee behaviour, supplier references, historical records, and simple mistakes.

The reconnaissance you do not see

Security teams are used to monitoring environments they control: endpoints, networks, identity platforms, cloud tenants, email gateways, firewalls, and logs. That is necessary, but it has a blind spot. Passive reconnaissance usually happens outside those environments.

An attacker can review your website, enumerate DNS records, inspect public TLS certificates, search for exposed services, read job postings, map employees on LinkedIn, examine public documents, check historical domain data, look for leaked credentials, and study suppliers without directly touching your systems.

No firewall log. No SIEM alert. No endpoint event. No incident ticket.

By the time the first detectable activity occurs, the attacker may already have selected the target, prepared the lure, validated the email format, identified likely privileged users, and chosen the most promising initial access path. This is one reason targeted attacks often feel precise. They are not always more sophisticated in tooling. Sometimes they are simply better prepared.

AI makes this worse, but not in the exaggerated way often described. It does not magically create elite attackers. It does, however, reduce the time and effort required to analyse public information. It can summarise websites, structure employee lists, infer email patterns, review job adverts for technology clues, cluster domains, and help draft credible phishing pretexts. Reconnaissance that used to require patience can now be accelerated.

That means more attackers can perform better preparation, including against organisations that do not consider themselves high-profile targets.

What your public footprint gives away

The technical layer is often the easiest to inspect. DNS records can reveal mail infrastructure, cloud services, third-party providers, forgotten domains, and naming conventions. Certificate transparency logs record every certificate issued by a publicly trusted CA, so any hostname placed in a certificate is published the moment that certificate is issued; that exposes subdomains that were never intended to be widely advertised, including development, staging, VPN, remote access, SSO, and test environments. Platforms such as Shodan and Censys can reveal internet-facing services, exposed ports, software versions, misconfigured devices, and sometimes systems that should not be reachable from the internet at all.
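The certificate transparency point above is easy to put to work. What follows is an added example, not code from the original post: it takes records in the JSON shape that crt.sh returns for a domain (the name_value, not_before and issuer_name fields), collects every hostname under the apex, records when each was first seen, and flags hostnames whose labels suggest non-production or remote-access systems. The records are constructed for the reserved domain example.com, so nothing is fetched, and the list of sensitive labels is an assumption to be extended with your own naming conventions.

```python
"""Triage certificate transparency (CT) results for an apex domain.

Added example, not code from the original post. Records follow the crt.sh
JSON layout (name_value, not_before, issuer_name) but are constructed here
for the reserved domain example.com; no network access is needed.
"""
import json
import re

# Labels that usually mark non-production or remote-access hosts.
# Assumed list for illustration; extend it for your own environment.
SENSITIVE_LABELS = {"dev", "staging", "stage", "test", "uat", "vpn", "remote",
                    "sso", "adfs", "okta", "admin", "jenkins", "gitlab"}

# Constructed sample. name_value carries every SAN in the certificate,
# newline-separated; a hostname recurs across records as certificates renew.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "example.com\nwww.example.com", "not_before": "2024-01-10T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "www.example.com", "not_before": "2025-01-08T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "vpn.example.com", "not_before": "2021-03-02T00:00:00",
     "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"},
    {"name_value": "Staging-Portal.example.com", "not_before": "2022-07-19T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "sso.example.com\nadfs.example.com", "not_before": "2023-05-30T00:00:00",
     "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"},
    {"name_value": "jenkins.internal.example.com", "not_before": "2020-11-11T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
    {"name_value": "*.example.com", "not_before": "2024-09-01T00:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3"},
])


def hostnames_from_ct(records, apex):
    """Map each hostname under `apex` to the earliest not_before date seen.

    Names are lower-cased (CT preserves whatever case the CA issued) and
    anything outside `apex` is dropped, since broad queries return noise.
    """
    first_seen = {}
    for rec in records:
        day = rec["not_before"][:10]
        for raw in rec["name_value"].split("\n"):
            host = raw.strip().lower()
            if host == apex or host.endswith("." + apex):
                if host not in first_seen or day < first_seen[host]:
                    first_seen[host] = day
    return first_seen


def sensitive_labels(host, apex):
    """Sensitive labels in the part of `host` below `apex` ('staging-portal' -> ['staging'])."""
    prefix = host[: -(len(apex) + 1)] if host != apex else ""
    labels = [label for label in re.split(r"[.-]", prefix) if label]
    return [label for label in labels if label in SENSITIVE_LABELS]


def triage_ct(ct_json, apex):
    """Return all hostnames, wildcard entries, flagged hosts and first-seen dates."""
    first_seen = hostnames_from_ct(json.loads(ct_json), apex)
    # A wildcard certificate hides individual hostnames but still tells an
    # attacker which CA the organisation uses, so it is reported separately.
    wildcards = sorted(h for h in first_seen if h.startswith("*."))
    flagged = {}
    for host in sorted(first_seen):
        if host in wildcards:
            continue
        hits = sensitive_labels(host, apex)
        if hits:
            flagged[host] = hits
    return {"hosts": sorted(first_seen), "wildcards": wildcards,
            "flagged": flagged, "first_seen": first_seen}


if __name__ == "__main__":
    result = triage_ct(SAMPLE_CT_JSON, "example.com")
    for host in result["hosts"]:
        note = ", ".join(result["flagged"].get(host, []))
        if host in result["wildcards"]:
            note = "wildcard"
        print(f"{host:32} first seen {result['first_seen'][host]}  {note}")
```

The first-seen date is worth keeping: a host that was first certified years ago and still renews is a candidate for the "forgotten subdomain" the post describes, and is the one to check against exposed-service data next.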

The people layer is just as useful. Public profiles can help reconstruct an organisation chart. Job titles identify who works in IT, finance, HR, legal, procurement, and executive leadership. LinkedIn can reveal recent hires, project responsibilities, reporting lines, technology ownership, and employees likely to hold privileged access. Conference biographies, company announcements, social media posts, and supplier case studies can add more detail.

From an attacker's perspective, this is not trivia. It helps decide who to impersonate, who to phish, who has authority, who may be under pressure, and who may have access to useful systems.

Job postings are another common source of avoidable leakage. A vacancy that lists precise versions of SIEM tools, EDR platforms, firewall products, cloud services, directory technologies, and remote access systems may help candidates understand the role, but it also gives attackers a clearer map of the environment. "Enterprise SIEM platform experience" is often enough. Naming the exact product and version is rarely necessary in a public advert.

Public documents create the same problem. PDFs, Word documents, presentations, spreadsheets, and images often contain metadata nobody intended to publish: author usernames, internal file paths, software versions, printer names, template names, old email addresses, and sometimes location data. One metadata field may not matter. Many small fields, collected over time, can reduce uncertainty for an attacker.

Small leaks become attack paths

OSINT risk is cumulative. Security teams often underestimate it because each individual finding looks minor.

An exposed subdomain may seem low risk. A job advert naming a technology stack may seem harmless. A few public PDFs with usernames may not look urgent. A leaked password from an old third-party breach may be dismissed because password policies have changed. A LinkedIn profile describing security responsibilities may look normal.

Separately, perhaps none of these are critical.

Together, they can become an attack path.

The attacker learns the email format from public addresses. They identify an IT administrator from LinkedIn. They infer the VPN product from a job advert. They discover a forgotten subdomain from certificate transparency logs. They find an old exposed service from internet-wide scan data. They locate a breached personal email address linked to the same employee. They use that information to craft a more credible phishing email or test password reuse against remote access.
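The first link in that chain, learning the email format, is mechanical once a few addresses are public. As an added example (not code from the original post), the block below scores common corporate address conventions against name/address pairs of the kind found in press releases, conference biographies and PDF signature blocks, then produces candidate addresses for a newly identified target. The pairs, the target and the pattern catalogue are constructed for illustration and use the reserved domain example.com. Defenders can run the same thing against their own public addresses to see how predictable the format is.

```python
"""Infer an organisation's email address convention from public examples,
then produce candidate addresses for a named employee.

Added example, not code from the original post. The name/address pairs,
the target and the pattern catalogue are constructed for illustration and
use the reserved domain example.com.
"""
import re
import unicodedata

# Common corporate local-part conventions, each a function of (first, last).
# Assumed catalogue; add others if your sector uses them.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}

# Constructed pairs of the kind found in press releases, conference bios,
# PDF signature blocks and supplier case studies.
KNOWN_ADDRESSES = [
    ("Alice Wong", "alice.wong@example.com"),
    ("José Ortega", "jose.ortega@example.com"),
    ("Priya Nair-Shah", "priya.nairshah@example.com"),
    ("Sam O'Neil", "sam@example.com"),  # outlier: a short alias, not the norm
]


def normalise(name):
    """Lower-case and drop accents, apostrophes and hyphens: "José O'Neil" -> "joseoneil"."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def split_name(full_name):
    """Use the first and last whitespace-separated tokens; middle names are dropped."""
    parts = full_name.split()
    return normalise(parts[0]), normalise(parts[-1])


def infer_format(pairs):
    """Score each pattern by how many observed addresses it reproduces.

    Returns (pattern, count) tuples, best first; ties are broken by name so
    the ranking is stable.
    """
    scores = dict.fromkeys(PATTERNS, 0)
    for full_name, address in pairs:
        local = address.lower().split("@", 1)[0]
        first, last = split_name(full_name)
        for pname, make in PATTERNS.items():
            if make(first, last) == local:
                scores[pname] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def candidate_addresses(full_name, domain, ranking):
    """Candidates for `full_name`, ordered by how well each pattern explained
    the observed data. Patterns with no support are omitted rather than
    guessed, which keeps the list short enough to verify by hand."""
    first, last = split_name(full_name)
    return [f"{PATTERNS[p](first, last)}@{domain}" for p, n in ranking if n > 0]


def confidence(ranking, pairs):
    """Share of observed addresses explained by the top-ranked pattern."""
    return ranking[0][1] / len(pairs) if pairs else 0.0


if __name__ == "__main__":
    ranking = infer_format(KNOWN_ADDRESSES)
    print("ranking:", ranking[:3])
    print("confidence:", confidence(ranking, KNOWN_ADDRESSES))  # 0.75
    print(candidate_addresses("Dana Kowalski", "example.com", ranking))
```

Four public addresses are enough here to fix the convention with 75 percent confidence, and the outlier still yields a second candidate. That is the practical lesson: every address published in a bio or a signature block reduces the guesswork, so a format that is exposed in many places cannot be treated as secret.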

At that point, the attack is no longer random. It is informed, prepared, and targeted.

This is why "we are not interesting enough to be targeted" is a weak defence. Attackers do not always begin with a fixed target. Sometimes they begin with exposed opportunity. If your organisation is easy to map, easy to impersonate, and easy to test, you have made yourself more attractive than necessary.

Reducing the digital ghost

The objective is not to disappear from the internet. That is impossible, and it would make no business sense. Organisations need websites, email, domains, certificates, recruitment, suppliers, events, staff profiles, documents, and public credibility.

The objective is to reduce what attackers can reliably use.

Start by looking at the organisation from the outside. Check your domains and subdomains. Review certificate transparency logs. Search for exposed services. Look for public PDFs and documents. Review job adverts. Check whether corporate email addresses appear in breach datasets. Look at what key staff disclose publicly. Search for lookalike domains. Review what suppliers and partners reveal about your systems and people.

Then put basic controls around the recurring leaks. Strip metadata from public documents before publication. Avoid unnecessary product and version details in job postings. Set up breach alerts for corporate email addresses. Monitor certificate transparency logs for new certificates issued on your domains. Watch for exposed services and new ports. Track obvious typosquatting. Include suppliers and public references in periodic exposure reviews.

None of this requires an expensive programme to begin. Much of it can be started with free or low-cost tools and a few disciplined habits. The important point is ownership. Someone must be responsible for looking at the external footprint regularly, prioritising findings, and ensuring obvious exposures are removed before they are used.

OSINT is not a niche discipline reserved for intelligence analysts or red teams. It is part of the pre-attack layer of modern intrusion. It shapes who gets targeted, how credible the phishing email looks, which system gets tested first, and how quickly an attacker can move from research to initial access.

If your security programme only starts paying attention when the attacker touches your network, you are starting late.

Your organisation already has a digital ghost. The question is whether you have looked at it before the attacker does.
