RESOURCES // GLOSSARY
Key terms in open-source intelligence, cybersecurity, and website analysis — defined for both technical and business audiences.
Intelligence gathering that involves direct interaction with the target system — port scanning, vulnerability probing, authentication testing. Unlike passive reconnaissance, active recon can be detected by the target and may have legal implications without authorization.
See also: Passive Reconnaissance
A unique identifier assigned to a network operator (ISP, hosting provider, enterprise) for routing internet traffic. ASN lookup reveals which organization controls a given IP address, their geographic footprint, and their peering relationships — useful for understanding hosting decisions and infrastructure topology.
The total set of points where an unauthorized user could attempt to enter or extract data from a system. In website intelligence, the external attack surface includes all publicly visible endpoints, subdomains, open ports, exposed APIs, and misconfigured services. Reducing attack surface is a primary goal of security posture management.
A geographically distributed network of servers that delivers web content to users based on proximity. Common CDNs include Cloudflare, Akamai, and AWS CloudFront. CDN detection reveals infrastructure investment level and can indicate the geographic distribution of a target's audience. One caveat for infrastructure mapping: when a CDN fronts a site, the IP address, ASN, and TLS certificate you observe belong to the CDN, not the origin, so hosting conclusions drawn from the public address describe the CDN provider unless the origin is found separately (for example via DNS history or non-proxied subdomains).
A public logging system that records all SSL/TLS certificates issued by certificate authorities. Security researchers use CT logs to discover subdomains, internal project names, staging environments, and infrastructure patterns — often revealing information the organization didn't intend to make public.
In one assessment, CT logs alone revealed 520+ subdomains of a major financial platform, including internal project codenames.
Software used to build and manage website content — WordPress, Shopify, Drupal, Webflow, and others. CMS detection is a fundamental signal in website intelligence, revealing technology choices, potential vulnerabilities (version-specific), and operational maturity.
An EU regulation establishing mandatory cybersecurity requirements for products with digital elements — hardware, software, and connected devices placed on the European market. The CRA requires manufacturers (and, for their own obligations, importers and distributors) to implement security-by-design principles, maintain vulnerability handling processes, and report actively exploited vulnerabilities to the designated authorities with an early warning within 24 hours of becoming aware, followed by a fuller notification within 72 hours. Non-compliance carries penalties of up to €15 million or 2.5% of global annual turnover, whichever is higher. Key deadlines: the vulnerability and incident reporting obligations apply from September 2026; the remaining obligations apply from December 2027.
A standardized identifier for publicly known cybersecurity vulnerabilities (e.g., CVE-2024-2473). Each CVE record carries a description, and most are assigned a severity score (CVSS) by the CVE program or the NVD. Website intelligence cross-references detected software versions against CVE databases to identify potential exposure. Treat the result as a lead rather than a confirmed finding: version strings taken from headers or HTML are often incomplete or stale, and distributions that backport fixes can be patched while still reporting a vulnerable version number.
A numerical scoring system (0.0–10.0) that rates the severity of security vulnerabilities. Under the CVSS v3 qualitative scale, 4.0–6.9 is Medium, 7.0–8.9 is High, and 9.0–10.0 is Critical. The base score reflects intrinsic characteristics such as attack vector, required privileges, and impact, not whether the flaw is actually being exploited, so CVSS is a starting point for prioritising remediation that should be combined with evidence of real-world exploitation and with how the affected asset is exposed.
The total trail of data that an organization or individual leaves across the internet — websites, DNS records, social media profiles, code repositories, certificate registrations, and historical web archives. Passive reconnaissance maps this footprint without creating any new traces.
The system that translates human-readable domain names (example.com) into IP addresses. DNS records (A, MX, TXT, CNAME, NS) are a rich intelligence source — revealing mail providers, hosting infrastructure, third-party service integrations, and domain verification records for SaaS tools.
An email authentication protocol, published as a TXT record at _dmarc.<domain>, that tells receiving mail servers how to handle messages that fail SPF or DKIM alignment checks. A DMARC policy of "reject" (or "quarantine") indicates mature email security; "none" only requests reports and asks receivers to deliver failing mail as usual, so the domain remains easy to spoof for phishing. A missing record is equivalent to no enforcement at all.
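The DNS and DMARC entries above describe records as an intelligence source without showing how the signals are pulled out. The following is an added example (not code from this page or its authors) that parses a constructed set of MX and TXT records for a hypothetical domain: it infers the mail provider from MX suffixes, extracts SPF includes and the SPF "all" qualifier, reads the DMARC p= tag, and lists SaaS verification records. The provider and prefix tables are illustrative assumptions, as is the `spoofing_risk` heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed records for a hypothetical domain; not the output of real lookups.
# "_dmarc.TXT" stands for the TXT record published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "MX": ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."],
    "TXT": [
        "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
        "google-site-verification=abc123",
        "MS=ms12345678",
        "atlassian-domain-verification=xyz",
    ],
    "_dmarc.TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Illustrative suffix and prefix tables (assumption); real tooling carries far larger ones.
MX_PROVIDERS = {
    "google.com": "Google Workspace",
    "outlook.com": "Microsoft 365",
    "pphosted.com": "Proofpoint",
    "mimecast.com": "Mimecast",
}
VERIFICATION_PREFIXES = {
    "google-site-verification=": "Google",
    "MS=": "Microsoft 365",
    "atlassian-domain-verification=": "Atlassian",
}


@dataclass
class DnsIntel:
    mail_provider: str = "unknown"
    spf_includes: list = field(default_factory=list)
    spf_all: str = "missing"        # qualifier on the SPF "all" mechanism, e.g. "~all"
    dmarc_policy: str = "missing"   # p= tag of the DMARC record
    saas_verifications: list = field(default_factory=list)


def parse_records(records):
    """Extract mail provider, SPF, DMARC and SaaS verification signals from records."""
    intel = DnsIntel()
    for mx in records.get("MX", []):
        host = mx.split()[-1].rstrip(".").lower()          # "10 host." -> "host"
        for suffix, provider in MX_PROVIDERS.items():
            if host == suffix or host.endswith("." + suffix):
                intel.mail_provider = provider
    for txt in records.get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            intel.spf_includes = re.findall(r"include:(\S+)", txt)
            # "all" with no qualifier means "+all" (pass everything)
            m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", txt)
            intel.spf_all = (m.group(1) or "+") + "all" if m else "none"
        for prefix, provider in VERIFICATION_PREFIXES.items():
            if txt.startswith(prefix):
                intel.saas_verifications.append(provider)
    for txt in records.get("_dmarc.TXT", []):
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            intel.dmarc_policy = tags.get("p", "missing").strip().lower()
    return intel


def spoofing_risk(intel):
    """Heuristic: only DMARC enforcement makes receivers act on SPF/DKIM failures."""
    if intel.dmarc_policy in ("reject", "quarantine"):
        return "low"
    if intel.spf_all == "-all":
        return "medium"   # hard-fail SPF, but nothing tells receivers to enforce it
    return "high"


if __name__ == "__main__":
    result = parse_records(SAMPLE_RECORDS)
    print(result)
    print("spoofing risk:", spoofing_risk(result))
```

The constructed domain scores "high" despite a hard SPF record because its DMARC policy is p=none; switching the record to p=reject is what moves it to "low", which is the point the DMARC entry makes.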
An EU regulation applicable to financial entities — banks, insurance companies, investment firms, payment service providers, and their critical ICT third-party service providers. Active since January 2025, DORA mandates comprehensive ICT risk management frameworks, incident reporting within strict timelines, digital operational resilience testing, and third-party risk oversight. Unlike NIS2, DORA is a regulation (directly applicable) rather than a directive, and focuses specifically on operational resilience of the financial sector's digital infrastructure.
The process of investigating a company's digital presence, security posture, and technical infrastructure before a business decision — M&A, partnership, vendor selection, or investment. Website intelligence automates the technical component of digital due diligence by extracting 150+ signals from public data.
The continuous process of discovering, inventorying, classifying, and monitoring an organization's internet-facing assets — including assets the organization may not know it has. EASM goes beyond traditional vulnerability scanning by combining subdomain discovery, certificate transparency analysis, cloud infrastructure detection, exposed API enumeration, and third-party service mapping into a unified external visibility picture. Effective EASM provides the foundation for regulatory compliance under CRA, NIS2, and DORA by demonstrating continuous security monitoring.
See also: Attack Surface, CRA
The portion of an organization's attack surface that is visible from the public internet — web servers, DNS records, exposed services, subdomains, and public APIs. External attack surface management (EASM) involves continuously monitoring and reducing this exposure.
EU regulation governing personal data protection. In website intelligence, GDPR compliance signals include cookie consent mechanisms, privacy policy quality, data subject rights implementation, and data processing transparency. Missing compliance is both a legal risk and a sales opportunity indicator.
A security header that instructs browsers to connect only via HTTPS for a period set by max-age, preventing protocol-downgrade and SSL-stripping attacks on later visits. HSTS with a max-age of at least one year, includeSubDomains, and preload indicates strong security awareness. Its absence is a negative security signal that is visible in any ordinary HTTPS response (or in historical scan data), without any probing beyond a normal page request.
Malware designed to harvest credentials, cookies, and session tokens from infected devices. Infostealer logs are traded on dark web marketplaces and contain usernames, passwords, and URLs — making them a primary source for credential breach intelligence.
The structured process of producing actionable intelligence: requirements definition → collection → processing → analysis → reporting → feedback. Professional OSINT operations follow this cycle to ensure consistency, accuracy, and relevance of outputs.
See: Our Methodology
The process of identifying and documenting an organization's technical infrastructure — servers, IP ranges, hosting providers, DNS topology, CDN configuration, and service architecture. Passive infrastructure mapping uses DNS, certificates, and WHOIS data without touching target systems.
A methodology for ranking prospects based on their likelihood to convert. In website intelligence, lead scoring uses public signals — technology stack depth, security gaps, compliance status, and business indicators — to assign A-F grades that predict deal potential and recommend engagement approaches.
The practice of cross-referencing intelligence from multiple independent sources before reporting findings. A signal detected by one method is a lead; confirmed across three independent sources, it becomes intelligence. This principle reduces false positives and increases confidence in assessments.
EU regulatory framework (Regulation 2023/1114) establishing comprehensive rules for crypto-asset service providers (CASPs). MiCA covers ICT risk management (Art. 62), operational resilience (Art. 67), safeguarding of clients' crypto-assets (Art. 68), custody and administration (Art. 75), exchange services (Art. 79), and complaint handling (Art. 83). In external attack surface assessment, MiCA compliance mapping identifies security gaps relevant to organizations operating in the crypto-asset sector — from exchanges and custodial wallet providers to token issuers.
See also: DORA
The updated EU directive on cybersecurity, replacing the original NIS Directive. NIS2 is a directive — meaning EU member states must transpose it into national law — not a directly applicable regulation like DORA or CRA. It expands the scope of covered entities into two categories: "essential" (energy, transport, banking, health, water, digital infrastructure) and "important" (postal services, waste management, manufacturing, food, digital providers). NIS2 mandates risk management measures, supply chain security, management body accountability, and staged reporting of significant incidents: an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month. Penalties for essential entities can reach €10 million or 2% of global turnover.
A numerical rating (0-100) indicating the potential business value of engaging with a prospect, based on identified gaps and needs. High opportunity scores indicate multiple addressable issues — security weaknesses, compliance gaps, or technical debt — combined with signals of budget and organizational readiness.
Intelligence derived from publicly available sources — websites, DNS records, social media, certificate logs, code repositories, public databases, and web archives. Because OSINT uses only information accessible without authentication or authorization, collecting it generally requires no permission from the target; how the collected data is stored, combined, and used can still be constrained by law (data-protection rules such as GDPR, platform terms of service), so "public" does not mean "unregulated". It is used by security researchers, law enforcement, journalists, and businesses worldwide.
Intelligence gathering through observation of publicly accessible data without any interaction with the target system. No authentication attempts, no form submissions, no active probing. Strictly passive recon (certificate transparency logs, passive DNS, WHOIS, web archives, third-party scan databases) is undetectable by the target because no request ever reaches it. Fetching the target's own pages or headers does touch its servers, leaving ordinary access-log entries indistinguishable from a browser visit; practitioners usually treat this as low-touch rather than strictly passive, and it is what draws the line between the two categories.
The process of probing a server's network ports to identify running services (web server on 443, mail on 25, FTP on 21, etc.). Active port scanning is detectable; passive approaches use historical scan databases to identify exposed services without direct interaction.
The practice of reporting security vulnerabilities to the affected organization before publishing them, allowing time for remediation. Professional OSINT practitioners follow responsible disclosure protocols when passive reconnaissance reveals critical security issues.
HTTP response headers that instruct browsers how to handle content securely. Key headers include Content-Security-Policy (mitigates XSS and, via frame-ancestors, clickjacking), X-Frame-Options (the older clickjacking control that CSP frame-ancestors supersedes), HSTS (forces HTTPS), X-Content-Type-Options (stops MIME sniffing), Referrer-Policy, and Permissions-Policy (restricts browser features). Missing or weak security headers are one of the most common findings in website intelligence assessments; a CSP that allows 'unsafe-inline' script, for example, gives little XSS protection despite being present.
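The HSTS and security-header entries above list what to look for; the following added example (not code from this page or its authors) shows the checks applied to a constructed response. It parses the HSTS directives individually, treats CSP frame-ancestors as an acceptable substitute for X-Frame-Options, flags a CSP that permits 'unsafe-inline' or 'unsafe-eval', and notes version disclosure in the Server header. The one-year HSTS threshold and the finding labels are assumptions of this example.

```python
import re

# Constructed response headers from a hypothetical origin; not a real capture.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Server": "nginx/1.18.0",
}

ONE_YEAR = 31536000  # seconds; the threshold used by HSTS preload lists


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None   # malformed value counts as no usable max-age
        elif d == "includesubdomains":
            include_subdomains = True
        elif d == "preload":
            preload = True
    return max_age, include_subdomains, preload


def assess_headers(headers):
    """Return a list of (area, finding) tuples for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("HSTS", "missing"))
    else:
        max_age, subs, preload = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(("HSTS", f"max-age {max_age} below one year"))
        if not subs:
            findings.append(("HSTS", "includeSubDomains absent"))
        if not preload:
            findings.append(("HSTS", "preload absent"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("CSP", "missing"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("CSP", "permits unsafe-inline/unsafe-eval"))

    # Either control stops framing; only flag when neither is present.
    if "x-frame-options" not in h and (csp is None or "frame-ancestors" not in csp):
        findings.append(("Clickjacking", "no X-Frame-Options or CSP frame-ancestors"))

    for name in ("x-content-type-options", "referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append((name, "missing"))

    server = h.get("server", "")
    if re.search(r"/\d", server):   # "nginx/1.18.0" discloses a version, "nginx" does not
        findings.append(("Server", f"version disclosed: {server}"))
    return findings


if __name__ == "__main__":
    for area, finding in assess_headers(SAMPLE_HEADERS):
        print(f"{area}: {finding}")
```

On the constructed headers the HSTS record is present but weak (max-age of five minutes, no preload), which is the kind of nuance a simple present/absent check misses.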
The overall security status of an organization's digital assets as observable from the outside — SSL configuration, security headers, known vulnerabilities, exposed services, and threat indicators. Security posture assessment through passive reconnaissance reveals what an attacker would see without any exploitation.
Automated security assessment of self-executing programs deployed on blockchain networks (primarily Ethereum and EVM-compatible chains). Static analysis examines contract source code for known vulnerability patterns without execution, while symbolic analysis explores execution paths to discover exploitable states. Key vulnerability classes include reentrancy (where an external call re-enters the contract before state updates complete), access control weaknesses, integer overflow conditions (largely closed in Solidity 0.8 and later, which checks arithmetic by default unless code opts out with `unchecked` blocks, so findings of this class should be read against the compiler version), and unsafe delegatecall patterns. Analysis requires publicly verified source code — contracts without verified source on block explorers cannot be analyzed at the source level, only at the bytecode level.
See also: YARA Rules
Cryptographic protocols that secure communications between web browsers and servers (the "S" in HTTPS). SSL is the deprecated predecessor of TLS; servers should offer only TLS 1.2 and 1.3, although "SSL certificate" survives as everyday shorthand for an X.509 server certificate. Certificate analysis reveals issuing authority, validity period and expiration date, domain coverage (including subdomains via SAN entries), and certificate transparency log entries — all valuable intelligence signals.
A domain prefix that creates a separate address within a parent domain (e.g., mail.example.com, staging.example.com). Subdomain enumeration through DNS records and certificate transparency often reveals internal systems, staging environments, and infrastructure not intended for public discovery.
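The certificate transparency entry earlier on this page and the subdomain entry above both rest on the same step: pulling hostnames out of CT log results, discarding names that merely contain the target string, and spotting the staging, development, and internal labels that betray systems not meant for public discovery. The following added example (not code from this page or its authors) does that over a constructed set of entries laid out like crt.sh's JSON output (assumed field names: id, name_value with newline-separated names, issuer_name); the hostnames, the codename "projectorion", and the label-to-category table are all invented for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed entries in the shape of crt.sh JSON output (assumption); not real log data.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.example.com"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging-api.example.com\nAPI.example.com"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "projectorion-dev.internal.example.com"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com"},
    {"id": 6, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.net"},   # contains the target string but is not its subdomain
])

# Illustrative label table (assumption); real tooling uses larger wordlists.
INTERESTING_LABELS = {
    "staging": "staging environment",
    "dev": "development",
    "test": "test environment",
    "internal": "internal system",
    "api": "API endpoint",
    "admin": "admin interface",
    "vpn": "VPN gateway",
}


def extract_subdomains(ct_json, apex):
    """Return ({hostname: set of cert ids}, set of wildcard names) under apex."""
    apex = apex.lower().rstrip(".")
    hosts = defaultdict(set)
    wildcards = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            # Suffix match on ".apex" keeps "x.example.com" and drops "example.com.evil.net".
            if name != apex and not name.endswith("." + apex):
                continue
            if name.startswith("*."):
                wildcards.add(name)   # a wildcard cert hides the names behind it
            else:
                hosts[name].add(entry["id"])
    return dict(hosts), wildcards


def classify(hostnames):
    """Tag hostnames whose labels suggest non-public or sensitive systems."""
    tags = {}
    for host in hostnames:
        labels = re.split(r"[.-]", host)
        found = sorted({INTERESTING_LABELS[l] for l in labels if l in INTERESTING_LABELS})
        if found:
            tags[host] = found
    return tags


if __name__ == "__main__":
    found_hosts, found_wildcards = extract_subdomains(SAMPLE_CT_JSON, "example.com")
    for host, ids in sorted(found_hosts.items()):
        print(f"{host:45} certs={sorted(ids)}")
    print("wildcards:", found_wildcards)
    print("flagged:", classify(found_hosts))
```

Two details matter in practice: the suffix check must include the leading dot, or look-alike domains that merely end in the target string slip into the inventory; and wildcard entries are worth recording separately, because a `*.example.com` certificate means CT will not reveal the hostnames it actually serves.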
Information about the technology stack a company uses — CMS, frameworks, analytics, payment processors, CDN, hosting, and third-party integrations. Technographic data is a primary signal for sales intelligence because it reveals budget, sophistication, and specific needs that can be addressed.
The process of identifying software, frameworks, and services running on a website by analyzing HTML patterns, JavaScript libraries, HTTP headers, and other observable indicators. Modern fingerprinting databases contain 3,000+ technology signatures.
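The CMS and technology-fingerprinting entries describe matching observable indicators against a signature database. The following added example (not code from this page or its authors) implements that matching with a small constructed signature set covering a CMS, a CDN, a JavaScript library, and an analytics tag, each with optional version capture from a header, meta generator tag, or script filename. The signatures, the sample headers, and the sample HTML are illustrative assumptions, not a real site or a real database.

```python
import re

# Constructed signature set (assumption); real databases carry thousands of entries.
# Each pattern's first capture group, if any, is taken as the version.
SIGNATURES = {
    "WordPress": {"html": [r"/wp-content/", r"/wp-includes/"],
                  "meta_generator": [r"^WordPress(?: ([\d.]+))?"]},
    "Drupal": {"headers": {"x-generator": r"Drupal(?: (\d+))?"},
               "html": [r"/sites/default/files/"]},
    "Shopify": {"headers": {"x-shopify-stage": r".+"}, "html": [r"cdn\.shopify\.com"]},
    "Cloudflare": {"headers": {"server": r"^cloudflare$", "cf-ray": r".+"}},
    "jQuery": {"scripts": [r"jquery[-.]([\d.]+)(?:\.min)?\.js"]},
    "Google Analytics": {"scripts": [r"googletagmanager\.com/gtag/js"],
                         "html": [r"gtag\('config'"]},
}

# Constructed response from a hypothetical WordPress site behind Cloudflare.
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "8abc1234-FRA",
                  "Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="/wp-includes/js/jquery/jquery-3.7.1.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body></body></html>"""


def _match(pattern, text):
    """Return (matched, version) for one pattern against one string."""
    m = re.search(pattern, text, re.I)
    if not m:
        return False, None
    return True, (m.group(1) if m.groups() else None)


def fingerprint(headers, html):
    """Return {technology: version-or-None} for every signature that matches."""
    h = {k.lower(): v for k, v in headers.items()}
    scripts = re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, re.I)
    gen = re.search(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']([^"\']+)["\']',
                    html, re.I)
    generator = gen.group(1) if gen else ""

    detected = {}
    for tech, sig in SIGNATURES.items():
        hit, version = False, None
        for header, pat in sig.get("headers", {}).items():
            if header in h:
                ok, ver = _match(pat, h[header])
                hit, version = hit or ok, version or ver
        for pat in sig.get("html", []):
            hit = hit or _match(pat, html)[0]
        for pat in sig.get("scripts", []):
            for src in scripts:
                ok, ver = _match(pat, src)
                hit, version = hit or ok, version or ver
        for pat in sig.get("meta_generator", []):
            ok, ver = _match(pat, generator)
            hit, version = hit or ok, version or ver
        if hit:
            detected[tech] = version
    return detected


if __name__ == "__main__":
    for tech, version in fingerprint(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{tech}: {version or 'version unknown'}")
```

The version is only as trustworthy as its source: a meta generator tag can be removed or edited by the site owner, and a library filename names the file shipped, not necessarily the code executed, which is why detected versions feed CVE cross-referencing as leads rather than confirmed exposure.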
A composite numerical rating (typically 0-100) that aggregates multiple security signals into a single risk indicator. Threat scores combine findings from malware detection rules, malicious URL databases, vulnerability indicators, and security configuration analysis. Higher scores indicate greater risk.
Community-maintained detection templates covering 10,000+ known vulnerabilities, misconfigurations, and exposed services. Template-based scanning enables rapid identification of security issues across large infrastructure by matching observable patterns against a continuously updated library of known weaknesses. Templates cover missing security headers, exposed administration panels, outdated software, default credentials, and known CVEs — contributing to automated threat scoring and compliance mapping.
A security system that monitors and filters HTTP traffic between a web application and the internet. WAF detection (or its absence) is a significant security posture indicator — organizations without WAF protection expose their applications directly to commodity attack traffic. Two caveats: external WAF detection is inferential, relying on vendor-specific headers, cookies, and block-page behaviour, so a missing signal is evidence rather than proof; and a WAF reduces exposure without removing the underlying vulnerabilities, which remain reachable to anyone who finds a bypass or the origin.
The practice of extracting, correlating, and scoring comprehensive data from any URL to produce structured, actionable intelligence reports. Website intelligence combines technology detection, security assessment, contact discovery, SEO analysis, compliance evaluation, and business signal extraction into a single automated process.
A protocol and database system that stores domain registration information — registrant, registrar, nameservers, creation/expiration dates. Even with privacy protection enabled, WHOIS data reveals registration patterns, nameserver choices, and domain age — all useful intelligence signals.
Pattern-matching rules used to identify and classify malware, web threats, and suspicious content. YARA rules scan HTML, JavaScript, and other web content for known malicious patterns — cryptominer scripts, phishing forms, credit card skimmers, webshells, and malicious redirects.
Submit a target URL and receive a complimentary intelligence assessment within 24 hours.