Security · JAN 09, 2026
OSINT YOURSELF BEFORE THEY DO
Kishan Patel · 4 min read
Before almost any serious targeted attack comes a quiet afternoon of research. No malware, no exploits, no alarms. Just someone patiently collecting what is already public about you and arranging those pieces into a weapon. The technique has a name: OSINT, or Open-Source Intelligence, the practice of gathering freely available information and turning it into a picture of a target.
Here is the empowering part. Everything an attacker can find, you can find first. And once you have seen your own exposure the way they would, you can shrink it. This is the self-recon, done step by step, and it is one of the highest-value hours you will ever spend on your own security.
What an attacker sees in one afternoon
Start by understanding what is actually assembled about you when someone bothers to look. Your breach history, sitting in public dumps from every service that ever leaked your data. Your username, reused across fifteen platforms, quietly connecting your professional identity to accounts you thought were anonymous. Your employer, role, and manager, all neatly listed on LinkedIn. Your routines and locations, leaking from fitness apps and the metadata buried in your photos.
None of these are secrets on their own. That is the trap. Individually, each fact is harmless. Assembled together by someone patient, they become a spear-phishing script with your name on it, a convincing story that knows just enough about you to slip past your instincts.
Attackers rarely find one fatal secret. They find twelve harmless facts and weld them into one convincing lie.
The self-recon walkthrough
Now do to yourself what they would do to you. Work through this list honestly, and keep a note of everything that surprises you, because those surprises are your action items.
- Check your breach exposure. Run your email addresses through Have I Been Pwned, a free service that tells you which known breaches included your data. Every hit is an instruction: change that password, and hunt down every other place you reused it.
- Hunt your usernames. Search your common handles across platforms. Old forum accounts, gaming profiles, and abandoned social media remember the person you were at fifteen, and they often link back to the professional you are today.
- Search yourself in quotes. Put your name in quotation marks alongside your city, your employer, and your phone number. Then try a reverse image search on your profile photos, which can surface accounts you forgot existed.
- Audit your metadata. Photos can carry GPS coordinates embedded invisibly in the file. Open your social profiles in a private browser window, logged out, and see exactly what a stranger sees, because it is often more than you assume.
- Map your professional leak. What does your LinkedIn, plus your code repositories, plus your conference bio, collectively reveal about the internal tools, systems, and org chart of where you work? Attackers targeting your company will build this map. You should see it first.
Shrinking the surface
You are not going to erase yourself from the internet, and you do not need to. The goal is not invisibility, which is impossible for anyone with a normal life. The goal is raising the cost, making yourself enough of a hassle that a casual attacker moves on to an easier target.
Concretely, that means unique passwords stored in a password manager so one breach does not unlock everything. Multi-Factor Authentication, the second verification step beyond a password, switched on everywhere that offers it. Old, abandoned accounts closed. Location sharing trimmed back. And a deliberate gap kept between your public professional handles and your private personal life, so that finding one does not automatically hand over the other.
Do the full pass once, thoroughly. Then do a lighter pass every six months, because your exposure grows quietly over time as you sign up for new things and forget old ones. Fifteen minutes, twice a year, on a calendar reminder. That is the entire maintenance cost of taking yourself seriously.
Looking ahead
AI is turning OSINT from a skilled craft into a cheap commodity. Profile aggregation that once took a human analyst a full day now takes an automated script a minute. The consequence is simple and a little uncomfortable: the volume of targeted, personalized attacks is going to rise sharply, because the research step just got automated. The defense does not change, it just stops being optional.
So sit with one question before you close this tab. If a stranger spent thirty minutes researching you right now, what is the first thing you would hope they do not find? Whatever came to mind, that is exactly where your self-recon starts. Go look before they do.
Next up · Careers
YOUR DEGREE WON'T STOP A BREACH



