CHIMERASCOPE

OSINT & Website Intelligence Glossary

Key terms in open-source intelligence, cybersecurity, and website analysis — defined for both technical and business audiences.

Active Reconnaissance

Intelligence gathering that involves direct interaction with the target system — port scanning, vulnerability probing, authentication testing. Unlike passive reconnaissance, active recon can be detected by the target and may have legal implications without authorization.

See also: Passive Reconnaissance

ASN (Autonomous System Number)

A unique identifier assigned to a network operator (ISP, hosting provider, enterprise) for routing internet traffic. ASN lookup reveals which organization controls a given IP address, their geographic footprint, and their peering relationships — useful for understanding hosting decisions and infrastructure topology.

Attack Surface

The total set of points where an unauthorized user could attempt to enter or extract data from a system. In website intelligence, the external attack surface includes all publicly visible endpoints, subdomains, open ports, exposed APIs, and misconfigured services. Reducing attack surface is a primary goal of security posture management.

CDN (Content Delivery Network)

A geographically distributed network of servers that delivers web content to users based on proximity. Common CDNs include Cloudflare, Akamai, and AWS CloudFront. CDN detection reveals infrastructure investment level and can indicate the geographic distribution of a target's audience.

Certificate Transparency

A public logging system that records all SSL/TLS certificates issued by certificate authorities. Security researchers use CT logs to discover subdomains, internal project names, staging environments, and infrastructure patterns — often revealing information the organization didn't intend to make public.

In one assessment, CT logs alone revealed 520+ subdomains of a major financial platform, including internal project codenames.

CMS (Content Management System)

Software used to build and manage website content — WordPress, Shopify, Drupal, Webflow, and others. CMS detection is a fundamental signal in website intelligence, revealing technology choices, potential vulnerabilities (version-specific), and operational maturity.

CVE (Common Vulnerabilities and Exposures)

A standardized identifier for publicly known cybersecurity vulnerabilities (e.g., CVE-2024-2473). Each CVE has a severity score (CVSS) and description. Website intelligence cross-references detected software versions against CVE databases to identify potential exposure.

CVSS (Common Vulnerability Scoring System)

A numerical scoring system (0.0–10.0) that rates the severity of security vulnerabilities. Scores above 7.0 are considered high severity, above 9.0 critical. CVSS scores help prioritize remediation based on real-world exploitability and impact potential.

Digital Footprint

The total trail of data that an organization or individual leaves across the internet — websites, DNS records, social media profiles, code repositories, certificate registrations, and historical web archives. Passive reconnaissance maps this footprint without creating any new traces.

DNS (Domain Name System)

The system that translates human-readable domain names (example.com) into IP addresses. DNS records (A, MX, TXT, CNAME, NS) are a rich intelligence source — revealing mail providers, hosting infrastructure, third-party service integrations, and domain verification records for SaaS tools.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

An email authentication protocol that tells receiving mail servers how to handle emails that fail SPF or DKIM checks. A DMARC policy of "reject" indicates mature email security; "none" means the domain can be trivially spoofed for phishing attacks.

Due Diligence (Digital)

The process of investigating a company's digital presence, security posture, and technical infrastructure before a business decision — M&A, partnership, vendor selection, or investment. Website intelligence automates the technical component of digital due diligence by extracting 150+ signals from public data.

External Attack Surface

The portion of an organization's attack surface that is visible from the public internet — web servers, DNS records, exposed services, subdomains, and public APIs. External attack surface management (EASM) involves continuously monitoring and reducing this exposure.

GDPR (General Data Protection Regulation)

EU regulation governing personal data protection. In website intelligence, GDPR compliance signals include cookie consent mechanisms, privacy policy quality, data subject rights implementation, and data processing transparency. Missing compliance is both a legal risk and a sales opportunity indicator.

HSTS (HTTP Strict Transport Security)

A security header that instructs browsers to only connect via HTTPS, preventing downgrade attacks. HSTS with preload and includeSubDomains indicates strong security awareness. Its absence is a negative security signal detectable through passive reconnaissance.

Infostealer

Malware designed to harvest credentials, cookies, and session tokens from infected devices. Infostealer logs are traded on dark web marketplaces and contain usernames, passwords, and URLs — making them a primary source for credential breach intelligence.

Intelligence Lifecycle

The structured process of producing actionable intelligence: requirements definition → collection → processing → analysis → reporting → feedback. Professional OSINT operations follow this cycle to ensure consistency, accuracy, and relevance of outputs.

See: Our Methodology

Infrastructure Mapping

The process of identifying and documenting an organization's technical infrastructure — servers, IP ranges, hosting providers, DNS topology, CDN configuration, and service architecture. Passive infrastructure mapping uses DNS, certificates, and WHOIS data without touching target systems.

Lead Scoring

A methodology for ranking prospects based on their likelihood to convert. In website intelligence, lead scoring uses public signals — technology stack depth, security gaps, compliance status, and business indicators — to assign A-F grades that predict deal potential and recommend engagement approaches.

See: Lead Scoring From Public Data

Multi-Source Correlation

The practice of cross-referencing intelligence from multiple independent sources before reporting findings. A signal detected by one method is a lead; confirmed across three independent sources, it becomes intelligence. This principle reduces false positives and increases confidence in assessments.

Nuclei

A fast, template-based vulnerability scanner with 10,000+ community-maintained detection templates. In website intelligence, Nuclei identifies missing security headers, exposed panels, outdated software, misconfigurations, and known CVEs — contributing to threat scoring.

Opportunity Score

A numerical rating (0-100) indicating the potential business value of engaging with a prospect, based on identified gaps and needs. High opportunity scores indicate multiple addressable issues — security weaknesses, compliance gaps, or technical debt — combined with signals of budget and organizational readiness.

OSINT (Open Source Intelligence)

Intelligence derived from publicly available sources — websites, DNS records, social media, certificate logs, code repositories, public databases, and web archives. OSINT is legal by definition because it uses only information that is accessible without authentication or authorization. It is used by security researchers, law enforcement, journalists, and businesses worldwide.

See: Passive Reconnaissance 101

Passive Reconnaissance

Intelligence gathering through observation of publicly accessible data without any interaction with the target system. No authentication attempts, no form submissions, no active probing. Passive recon is undetectable by the target and entirely legal — it observes the same data visible to any web browser or search engine.

See: Passive Reconnaissance 101, Active Reconnaissance

Port Scanning

The process of probing a server's network ports to identify running services (web server on 443, mail on 25, FTP on 21, etc.). Active port scanning is detectable; passive approaches use historical scan databases to identify exposed services without direct interaction.

Responsible Disclosure

The practice of reporting security vulnerabilities to the affected organization before publishing them, allowing time for remediation. Professional OSINT practitioners follow responsible disclosure protocols when passive reconnaissance reveals critical security issues.

Security Headers

HTTP response headers that instruct browsers how to handle content securely. Key headers include Content-Security-Policy (prevents XSS), X-Frame-Options (prevents clickjacking), HSTS (forces HTTPS), and Permissions-Policy (restricts browser features). Missing security headers are one of the most common findings in website intelligence assessments.

Security Posture

The overall security status of an organization's digital assets as observable from the outside — SSL configuration, security headers, known vulnerabilities, exposed services, and threat indicators. Security posture assessment through passive reconnaissance reveals what an attacker would see without any exploitation.

SSL/TLS

Cryptographic protocols that secure communications between web browsers and servers (the "S" in HTTPS). SSL certificate analysis reveals issuing authority, expiration dates, domain coverage (including subdomains via SAN entries), and certificate transparency log entries — all valuable intelligence signals.

Subdomain

A domain prefix that creates a separate address within a parent domain (e.g., mail.example.com, staging.example.com). Subdomain enumeration through DNS records and certificate transparency often reveals internal systems, staging environments, and infrastructure not intended for public discovery.

Technographic Data

Information about the technology stack a company uses — CMS, frameworks, analytics, payment processors, CDN, hosting, and third-party integrations. Technographic data is a primary signal for sales intelligence because it reveals budget, sophistication, and specific needs that can be addressed.

Technology Fingerprinting

The process of identifying software, frameworks, and services running on a website by analyzing HTML patterns, JavaScript libraries, HTTP headers, and other observable indicators. Modern fingerprinting databases contain 3,000+ technology signatures.

Threat Score

A composite numerical rating (typically 0-100) that aggregates multiple security signals into a single risk indicator. Threat scores combine findings from malware detection rules, malicious URL databases, vulnerability indicators, and security configuration analysis. Higher scores indicate greater risk.

WAF (Web Application Firewall)

A security system that monitors and filters HTTP traffic between a web application and the internet. WAF detection (or its absence) is a significant security posture indicator — organizations without WAF protection expose their applications directly to attack traffic.

Website Intelligence

The practice of extracting, correlating, and scoring comprehensive data from any URL to produce structured, actionable intelligence reports. Website intelligence combines technology detection, security assessment, contact discovery, SEO analysis, compliance evaluation, and business signal extraction into a single automated process.

See: What Is Website Intelligence

WHOIS

A protocol and database system that stores domain registration information — registrant, registrar, nameservers, creation/expiration dates. Even with privacy protection enabled, WHOIS data reveals registration patterns, nameserver choices, and domain age — all useful intelligence signals.

YARA Rules

Pattern-matching rules used to identify and classify malware, web threats, and suspicious content. YARA rules scan HTML, JavaScript, and other web content for known malicious patterns — cryptominer scripts, phishing forms, credit card skimmers, webshells, and malicious redirects.
