
What Attackers See When They Google Your Company

  • ESKA ITeam
  • May 11
  • 7 min read

Before an attacker touches a single system, they search.

They search Google, LinkedIn, GitHub, breach databases, and DNS records. They look through job postings, conference talks, and developer forums. They build a detailed picture of your infrastructure, your technology stack, your employees, and your security gaps, using nothing but publicly available information and tools that anyone can access for free.


This phase has a name: reconnaissance. Specifically, open-source intelligence, or OSINT. It is the first step in almost every serious attack, and it happens entirely outside your network perimeter where your firewalls, EDR tools, and monitoring systems cannot see it.


Most organizations have no idea what an attacker can learn about them before making first contact. The answer is usually more than anyone expects.



Why Reconnaissance Comes First


Reconnaissance is considered the most critical phase of a cyberattack because it lays the groundwork for everything that follows. An attacker who understands your infrastructure, your technology choices, your employee structure, and your known exposures does not need to probe blindly. They arrive with a plan.


This is not a technique reserved for sophisticated state-sponsored actors. The tools used for OSINT reconnaissance are widely available, extensively documented, and increasingly automated. An attacker with moderate technical skill can conduct a thorough reconnaissance of a mid-sized company in a matter of hours. The barrier to entry is low. The information available is often surprisingly rich.


A real attacker's first step is usually not active scanning but passive information gathering. Because this phase involves no direct interaction with target systems, it generates no alerts, leaves no trace in the organization's own logs, and gives no warning to the organization being researched.


By the time an attacker moves from reconnaissance to active exploitation, they already know which systems to target, which employees to impersonate, which technologies have known vulnerabilities, and which entry points are most likely to succeed.



What Google Reveals About Your Infrastructure


A standard Google search returns what you expect. Advanced search operators return what you did not intend to make public.


Google dorking, also known as Google hacking, uses specialized search queries to surface information that has been indexed but was never meant to be found. An attacker searching for files with specific extensions on your domain can surface internal documents, configuration files, spreadsheets, and presentations that were never intended to be publicly accessible. Queries targeting directory listings can reveal folder structures and file names on improperly configured web servers. Searches for login pages, admin panels, and management interfaces can surface entry points that were assumed to be obscure.


A 2023 study found that 43% of organizations have at least one internet-facing vulnerability discoverable through these techniques. This is not a niche problem. It is a common condition that most organizations discover only when someone looks for it.


The Wayback Machine and other web archives add a historical dimension. Pages that have been taken down, subdomains that were decommissioned, and content that was removed from the live site may still be accessible through archived versions. Attackers routinely check archives for old login pages, deprecated APIs, configuration files, and internal documentation that was briefly exposed before being removed.



What Shodan Finds on Your Network


Shodan is a search engine that indexes internet-connected devices and services rather than web pages. It continuously scans the internet, recording open ports, running services, software versions, and configuration banners for every accessible IP address.


An attacker searching Shodan for your organization's IP ranges or domain can find exposed databases, remote desktop services, industrial control systems, development servers, VPN endpoints, and network devices. They can identify the specific software versions running on each service, cross-reference those versions against known CVE databases, and arrive at a prioritized list of exploitable targets before attempting a single connection.


A quick search on Shodan reveals tens of thousands of exposed MongoDB instances, many with no authentication required. Database servers, development environments, Jenkins CI/CD instances, and Elasticsearch clusters are routinely found exposed to the internet with default or no credentials, visible to anyone who runs the right query.


What makes Shodan particularly significant from a security perspective is that organizations often do not know everything that is exposed. Shadow IT, forgotten development servers, misconfigured cloud instances, and legacy systems that were never formally decommissioned all appear in Shodan results. The attacker's view of your external attack surface is sometimes more complete than the organization's own asset inventory.



What LinkedIn Tells an Attacker About Your People


LinkedIn is one of the most valuable reconnaissance sources available to attackers, and it is entirely public by design.


An attacker can find all employees, their names, job titles, locations, and email addresses from LinkedIn. It is a simple yet powerful data source often used in attack surface analysis before a penetration test.


From a company's LinkedIn profile and its employees' individual profiles, an attacker can reconstruct the organizational chart, identify which teams handle sensitive systems, find the names of IT administrators and security staff, and understand the hierarchy of decision-makers. Job titles reveal responsibilities. Connection networks reveal relationships. Endorsements and skills reveal what technologies employees work with.


This information directly enables targeted phishing. A convincing spear-phishing email sent to a finance employee referencing a specific project they mentioned on LinkedIn, appearing to come from their manager whose name and title are publicly visible, has a meaningfully higher success rate than a generic phishing attempt. Attackers retrieve personal and professional information about employees on social media to craft spear-phishing campaigns targeted at individuals who have privileged access to company resources.


Job postings add another layer. A company advertising for a senior engineer with experience in a specific firewall platform, SIEM tool, or cloud environment has publicly disclosed which technologies it uses. An attacker reading that job posting now knows which systems to research for known vulnerabilities and which skill sets to impersonate in a social engineering scenario.



What GitHub Exposes About Your Code and Infrastructure


Development teams routinely push code to public repositories. Most of the time, this is intentional and harmless. Sometimes, sensitive material is included accidentally, and it remains accessible long after it is noticed and removed, because version control systems preserve history.


API keys, database credentials, internal IP addresses, authentication tokens, configuration files with environment variables, and cloud provider access keys have all been found in public GitHub repositories belonging to organizations that had no idea they were exposed. Tools specifically designed to search GitHub for leaked credentials and secrets run continuously, and the findings feed into automated attack workflows.
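Defenders can run the same kind of pattern-based scan over their own repositories before anything is pushed. The following scanner is an added example, not ESKA's tooling or code from this post; the rules, the Finding structure and the sample .env content are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Credential shapes that get committed by accident. The AWS access key ID
# format (AKIA plus 16 upper-case alphanumerics) and the PEM private key
# header are documented formats; the assignment rule is a heuristic for
# KEY=value lines in .env and config files.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}
PLACEHOLDER_PREFIXES = ("${", "$(", "<", "{{")   # templated values, not secrets

@dataclass
class Finding:
    rule: str
    line_no: int
    redacted: str   # the report never contains the full secret

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text: str) -> list:
    """Scan file or diff content line by line and return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "secret_assignment" and value.startswith(PLACEHOLDER_PREFIXES):
                continue   # "${API_KEY}" style placeholders are fine to commit
            findings.append(Finding(rule, line_no, redact(value)))
    return findings

# Constructed sample of a .env file as it might appear in a commit; the
# values are fake (the AWS key is Amazon's published example key).
SAMPLE_ENV = """\
DB_HOST=10.0.0.12
DB_PASSWORD=Sup3rS3cretValue!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY="${API_KEY}"
-----BEGIN RSA PRIVATE KEY-----
"""
```

Wiring `scan_text` into a pre-commit hook over the staged diff catches the secret before it enters history, which is the only point at which removal is clean.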


Beyond credentials, GitHub reveals technology choices, infrastructure patterns, internal tooling, deployment processes, and sometimes internal documentation that was committed to a repository without considering its public visibility. An attacker reviewing a company's public repositories builds a technical profile of the organization that would take months to develop through other means.



What Breach Databases Contain About Your Organization


Credential data from historical breaches is widely available. Databases containing billions of email and password combinations from past incidents are searchable through services like Have I Been Pwned and more targeted tools used by attackers to identify usable credentials.


An employee who used their corporate email address to register for a third-party service that was later breached may have their credentials sitting in a database that attackers actively query. If that employee reused their password, or a variation of it, across other systems, the attacker has a potential entry point that requires no technical exploitation at all.


The LinkedIn breach, where millions of user credentials were compromised, demonstrated how attackers use leaked information for further attacks, including password reuse attacks across different services. Credential stuffing, the automated testing of leaked username and password combinations against login portals, is one of the most common initial access techniques precisely because it is effective and requires minimal effort.



What an OSINT Assessment Finds That You Did Not Know Was Exposed


The categories above are predictable. The specific findings for any given organization are not.


OSINT assessments conducted as part of external penetration testing engagements regularly surface exposures that the organization's internal team was not aware of: a subdomain pointing to a decommissioned server still running outdated software, a development environment accessible from the internet with credentials that match a pattern used in other systems, a job posting that reveals a specific vulnerability in the technology stack that was being evaluated for replacement, internal documents indexed by Google from a file share that was briefly misconfigured.


Obsolete IP address ranges that are officially out of service but still contain systems accessible and vulnerable to attack are a consistent finding in OSINT-led reconnaissance. Organizations carry technical debt that accumulates over time. Old infrastructure that was supposed to be retired remains reachable. Systems that were never added to the official asset inventory because they were set up informally still appear in Shodan. The external attack surface is almost always larger than the internal view suggests.
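The gap described here, and in the Shodan section above, between what is reachable from outside and what the asset inventory says is live can be checked mechanically. The reconciliation below is an added example, not ESKA's process; the inventory ranges, the approved-service list and the observed records (reduced to the fields the check needs) are constructed.

```python
import ipaddress

# Constructed inventory: ranges the organization believes are live, ranges it
# considers retired, and which (host, port) pairs are approved to be reachable.
ACTIVE_RANGES = [ipaddress.ip_network("203.0.113.0/26")]
RETIRED_RANGES = [ipaddress.ip_network("203.0.113.64/26")]
APPROVED = {("203.0.113.10", 443), ("203.0.113.11", 443), ("203.0.113.11", 22)}

# Constructed records in the shape of an external scan export (not real data);
# "auth" is whether the service banner indicated authentication was required.
OBSERVED = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx"},
    {"ip": "203.0.113.11", "port": 3389, "product": "Remote Desktop Protocol"},
    {"ip": "203.0.113.70", "port": 27017, "product": "MongoDB", "auth": False},
    {"ip": "203.0.113.200", "port": 8080, "product": "Jenkins"},
]

def classify(record):
    """Compare one externally observed service with the inventory."""
    ip = ipaddress.ip_address(record["ip"])
    if any(ip in net for net in RETIRED_RANGES):
        return "retired_range_still_live"     # supposed to be gone, still answers
    if not any(ip in net for net in ACTIVE_RANGES):
        return "unknown_host"                 # shadow IT or forgotten system
    if (record["ip"], record["port"]) not in APPROVED:
        return "unapproved_service"           # known host, unexpected port
    return "expected"

def reconcile(observed):
    """Group observed services by finding; everything but 'expected' is
    attack surface the inventory did not account for."""
    report = {}
    for rec in observed:
        verdict = classify(rec)
        if verdict != "expected" and rec.get("auth") is False:
            verdict += "_no_auth"             # exposed and open: fix first
        report.setdefault(verdict, []).append(
            f"{rec['ip']}:{rec['port']} {rec['product']}")
    return report
```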


Only the combination of passive OSINT and active penetration testing provides a complete picture of the real attack surface.



Why OSINT Is the Starting Point of Every External Pentest


A penetration test that does not begin with reconnaissance is not simulating how real attackers operate. Real attackers invest significant time in the reconnaissance phase precisely because it makes every subsequent step more efficient and more likely to succeed.


When ESKA conducts an external penetration test, OSINT is the foundation. Before a single active probe is made, the engagement begins with a systematic review of what is publicly available about the target organization: infrastructure, employees, technology, credentials, historical exposures, and digital footprint across all accessible sources. What this phase uncovers shapes the entire test, directing effort toward the entry points that a real attacker would prioritize.


The output of this process is visibility into your external attack surface as an attacker sees it, not as your asset inventory describes it. Those two views are often different in ways that matter.


If your organization has not assessed what is publicly visible about its infrastructure and employees, you do not have a complete picture of your exposure. Contact ESKA to discuss an external penetration test that begins where real attacks begin.

 
 
 
