Before a threat actor picks up a phone, sends an email, or attempts a login — they research. They use the same open internet your customers, competitors, and regulators use. The information they gather is not stolen. It is publicly available, freely indexed, and sitting in plain sight.
This is passive OSINT — open-source intelligence gathered without touching a single system. And every Australian business is broadcasting it, whether they know it or not.
The six categories of OSINT exposure
Every business footprint falls into predictable categories. Understanding what is visible in each one is the starting point for any meaningful risk assessment.
Domain and infrastructure. DNS records, SSL certificate history, IP ranges, hosting providers, and subdomain enumeration. Tools like Shodan and Censys index this automatically. Your mail server configuration, for example, tells an attacker whether you are vulnerable to email spoofing.
Technology stack. Job listings, error pages, HTTP headers, and public code repositories all reveal which platforms, frameworks, and SaaS tools your business uses. Knowing your identity provider, your CRM, and your cloud host is enough to begin targeting the weakest link.
Staff identities and roles. LinkedIn, company websites, conference speaker pages, and published reports reveal who works for you, in what role, and for how long. This tells an attacker who to impersonate and who to target.
Credential exposure. Prior breach databases hold billions of email and password combinations. Your staff's work email addresses appearing in these datasets — from personal account reuse on third-party platforms — give attackers a starting point for credential stuffing and vishing attacks.
Third-party and vendor footprint. Every SaaS platform, payment processor, marketing tool, and cloud integration your business uses is potentially visible. A vendor's own breach history, combined with your known use of their platform, creates a mapped attack path.
Dark web presence. Forums, marketplaces, and Telegram channels where data is bought and sold. References to your domain, your staff, or your systems in these environments indicate active attacker interest — not just passive exposure.
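The mail-configuration point in the domain and infrastructure category above can be checked from the defender's side without touching anyone else's systems. The following is an added example, not code from the original article: it evaluates the SPF and DMARC TXT records a domain publishes in DNS (the same records an attacker reads to judge whether spoofing will succeed) and grades the exposure. The sample records and the severity thresholds are constructed assumptions for illustration.

```python
"""Grade email-spoofing exposure from a domain's published SPF and DMARC TXT records."""
import re

# Constructed sample records (not real domains): TXT at the apex, and TXT at _dmarc.<domain>.
WEAK_SPF = ["v=spf1 a mx ~all", "site-verification=example-token"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
HARDENED_SPF = ["v=spf1 include:_spf.example.com -all"]
HARDENED_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]

def parse_spf(txt_records):
    """Return the single 'v=spf1' record, or None (zero or multiple records are both invalid)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def parse_dmarc(txt_records):
    """Return DMARC tags as a dict such as {'v': 'DMARC1', 'p': 'reject'}, or None if absent."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            return dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
    return None

def spoofing_exposure(domain_txt, dmarc_txt):
    """Classify exposure as low/medium/high with the findings that drove the grade."""
    findings = []  # (severity, message)
    spf = parse_spf(domain_txt)
    if spf is None:
        findings.append(("high", "no single valid SPF record: receivers cannot verify sending hosts"))
    else:
        m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
        qualifier = m.group(1) if m else None
        if qualifier in (None, "", "+", "?"):  # no 'all', or a pass/neutral 'all'
            findings.append(("high", "SPF does not fail unknown senders: any host passes"))
        elif qualifier == "~":
            findings.append(("medium", "SPF softfail (~all): spoofed mail is flagged, not rejected"))
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append(("high", "no DMARC record: SPF/DKIM failures are not enforced"))
    elif dmarc.get("p", "none") == "none":
        findings.append(("high", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    elif dmarc.get("p") == "quarantine":
        findings.append(("medium", "DMARC p=quarantine: spoofed mail lands in spam, not rejected"))
    order = {"low": 0, "medium": 1, "high": 2}
    risk = max((sev for sev, _ in findings), key=order.get, default="low")
    return {"risk": risk, "findings": [msg for _, msg in findings]}

if __name__ == "__main__":
    print("weak:", spoofing_exposure(WEAK_SPF, WEAK_DMARC))
    print("hardened:", spoofing_exposure(HARDENED_SPF, HARDENED_DMARC))
```

To run it against your own domain, feed in the TXT records returned by a resolver for the apex and for _dmarc.<domain>; nothing here queries anyone else's infrastructure.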
Why this matters for Australian businesses right now
The OAIC's first active compliance sweeps are underway in 2026. Regulators are reviewing privacy policies and data handling practices across high-risk data-collection businesses. At the same time, the new statutory privacy tort means Australians can now sue directly for serious privacy invasions — without going through the OAIC first.
An organisation that does not know its own OSINT footprint cannot credibly claim to have taken reasonable steps to protect personal information. The footprint is the starting point of any attacker's reconnaissance — and the starting point of any regulator's assessment of your security posture.
What a passive OSINT assessment maps across all six categories
- Domain infrastructure, open ports, and misconfigured cloud assets visible to internet indexers
- Technology stack exposure through job listings, headers, and public repositories
- Staff identities, roles, and tenure visible through open professional networks
- Credential exposure across known breach databases matched to your domain
- Third-party vendor footprint and vendor breach history
- Dark web references to your organisation, domain, or staff