Inside a Red Team OSINT Operation: Mapping the Human Attack Surface 

Most organizations focus on infrastructure. Red teams target people. We explore how OSINT is used to map the human attack surface, and why mid-level employees often hold the keys attackers need.

The human layer is the new perimeter

When most organizations think about cyber risk, they picture servers, firewalls, and endpoints. But increasingly, attackers are bypassing infrastructure and going straight for people.

Red teams know that many of today’s most effective breaches don’t start with technical exploits. They begin by targeting individuals through open-source intelligence (OSINT). This includes personal data scattered across the internet, social media profiles, code repositories, and overlooked documents that reveal far more than they should.

This blog looks at how red teamers use OSINT to map the human attack surface. It reveals how attackers identify exposed individuals, understand their relationships, and develop highly believable phishing and vishing campaigns. Even low-level employees can become high-value entry points.

Most organizations still have limited visibility of this exposure. Here’s what that looks like in practice.

Scoping the Target: From Company to People

Instead of choosing targets based on job title or technical access, red teamers assess people by their online exposure. Public profiles, developer activity on forums, and even small press announcements can reveal who is most likely to fall for a tailored social engineering attack.

The goal is to build a short list of individuals whose digital footprint offers clues about their role, access level, and communication habits. Developers who post snippets of company code, employees who comment publicly about tools they use, or those listed in annual reports all become candidates.

Mid-level staff often prove riskier than expected, with high visibility and low awareness.

OSINT in action: Mapping people before the payload

Once targets are identified, the red team begins assembling a picture of what they access, how they communicate, and where their vulnerabilities might lie.

This is where open-source intelligence (OSINT) becomes a force multiplier.

Information is gathered from public sources including credential reuse patterns, internal-facing content, and employee activity on professional platforms.

Leaked information often exposes usernames, system IDs, or helpdesk numbers that later support phishing or vishing campaigns.

Understanding communication habits is also key. If the target uses platforms like Microsoft Teams or Slack, these become alternative attack vectors. Knowing this helps tailor pretexts that appear natural and believable.

The goal is precision. These operations aren’t bulk attacks. They’re focused, tailored campaigns designed to fly under the radar. A short list of 10 to 30 employees is more effective than a wide net and far less likely to trigger alarms.

Mapping relationships and revealing the unexpected

Once individuals are selected, the next step is to understand how they connect to others. This helps attackers exploit trust and familiarity.

Public content such as team bios, authored articles, or internal announcements often reveals reporting lines and peer connections. Out-of-office replies, where available, often disclose manager names, personal numbers, return dates, and contact numbers. These details help support convincing impersonation attempts.
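
A defensive check for the out-of-office exposure described above, as an added example that is not part of the original post: it scans an auto-reply template for the details listed (named individuals, phone numbers, return dates) before the template is allowed for external senders. The patterns, function names, and sample replies are constructed assumptions.

```python
import re

MONTH = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"

# Heuristic patterns for the details the paragraph lists. They are
# illustrative assumptions, not a complete data-loss-prevention rule set.
CHECKS = {
    "phone_number": re.compile(r"(?<![\w/-])\+?\d[\d ().-]{7,}\d(?![\w/-])"),
    "return_date": re.compile(
        rf"\b(?:back|return\w*|until)\b[^.\n]{{0,30}}?"
        rf"\b(\d{{1,2}}(?:st|nd|rd|th)? {MONTH}|{MONTH} \d{{1,2}}|\d{{1,2}}/\d{{1,2}})",
        re.IGNORECASE,
    ),
    "named_person": re.compile(
        r"\b(?:manager|supervisor|contact|colleague)\b[^.\n]{0,20}?"
        r"\b([A-Z][a-z]+ [A-Z][a-z]+)\b"
    ),
}

def audit_auto_reply(text):
    """Return {category: [matched details]} for each kind of disclosure found."""
    findings = {}
    for category, pattern in CHECKS.items():
        # Use the captured detail when the pattern has a group, else the whole match.
        hits = [m.group(m.lastindex or 0) for m in pattern.finditer(text)]
        if hits:
            findings[category] = hits
    return findings

def safe_for_external_senders(text):
    """True only when no disclosure category fires on the template."""
    return not audit_auto_reply(text)

# Constructed sample templates (fictional name and phone number).
RISKY_REPLY = (
    "I am out of the office and will be back on 14 March. "
    "For urgent issues contact my manager Dana Whitfield on +44 20 7946 0123."
)
SAFE_REPLY = (
    "Thank you for your message. I am currently unavailable and will reply "
    "as soon as I can. For urgent matters please email the shared team mailbox."
)

if __name__ == "__main__":
    for name, reply in (("risky", RISKY_REPLY), ("safe", SAFE_REPLY)):
        print(name, audit_auto_reply(reply) or "no disclosures found")
```

The detailed version of a reply can still be kept for internal senders; the check is meant for the template that external senders receive.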

The most dangerous exposures often come from innocent oversharing. One developer uploaded internal code to a public repository. Another accidentally included sensitive credentials in a personal blog post snippet. These are not rare exceptions. They happen far more often than companies realize.

Even marketing efforts can add risk. Tagging employees in welcome posts or listing authors in company content reveals internal structure and access.

Over time, this creates a clear picture of how the business operates, who works where, and who may be worth targeting.

Tools, tactics, and what clients learn too late

Human-focused red teaming relies on a blend of OSINT tools, manual investigation, and attacker intuition. While some automation helps in early discovery, the real value comes from knowing what matters and what doesn’t.

Specialized OSINT platforms and lead enrichment tools can help uncover exposed infrastructure, contact details, and internal email patterns. Breach data and stealer logs reveal patterns in reused credentials and internal naming conventions. Email validation techniques help confirm whether targets are active, increasing delivery success and reducing the chance of early detection.

What often surprises clients is who ends up being the most exposed. It’s not always IT or execs. Developers, project leads, and even new starters regularly surface in the OSINT process. Their content, whether in a personal repo, blog, or team announcement, can unintentionally provide the keys to a convincing pretext.

Many organizations still rely on endpoint detection and security awareness training. But attackers aren’t just targeting inboxes. They’re exploiting context, behavior, and public visibility. By the time the payload is delivered, most of the groundwork has already been done.

Ethics, exposure, and what comes next

Every red team engagement that targets people must follow clear ethical boundaries. This is where red team activity intentionally diverges from what a real adversary might attempt.

While genuine attackers may exploit highly personal or emotionally charged themes, ethical operations avoid pretexts involving sensitive areas such as mental health or protected data. The objective is to simulate credible threat behavior without crossing into unacceptable territory.

Scenarios that fall into gray areas, such as HR-themed messages or fake terminations, are only used with full client approval and a clear understanding of potential fallout.

Some clients ask to “see how far it can go,” but effective red teaming is about balancing realism with impact. The goal is to emulate credible adversaries in a way that reveals real risk without resorting to theatrical scenarios that attackers are unlikely to use in practice.

Looking ahead, AI will play a growing role in OSINT. Tools already help process breach data, organize public information, and validate targets at scale. Future risks may include deepfake voice phishing, fully automated impersonation, and synthetic content used to build trust. These threats are emerging quickly, but the core problem remains the same.

Technology helps, but people expose themselves. It’s often everyday content that gives attackers everything they need.

How to defend the human layer

Want to see your organization the way an attacker does? Our red team can show you exactly where you’re exposed and how to fix it before someone else takes advantage.

Contact us to find out more.