What an OSINT Investigation Actually Looks Like

Hollywood gets it wrong. Real open-source intelligence is methodical, well-documented, and almost never involves a hoodie. Here's how a professional OSINT engagement runs — and what to expect when you commission one.

Cybrvault OSINT · January 19, 2026 · 10 min read · Updated February 28, 2026

Clients hire us for OSINT in three common situations: pre-deal due diligence (verifying a counterparty before signing), locating assets or persons (judgment enforcement, missing-persons cases, beneficial-ownership tracing), and reputational threat monitoring (knowing what's circulating about an executive or a brand before it becomes a crisis). The methodology is the same; only the questions change.

Step 1: Scoping

We turn the client's intuition into answerable questions. 'I think this person is hiding something' becomes 'are there undisclosed business affiliations, judgments, liens, or active litigation in the last seven years across the following jurisdictions?' Vague scopes produce useless reports — and inflated bills.

A good scoping conversation produces three artifacts: the questions to be answered, the jurisdictions and time windows in play, and the explicit list of things we will NOT do (no hacking, no pretext calls, no purchased breach data).

Step 2: Collection

We pull from a layered set of sources, in roughly this order of authority:

  • Public corporate registries (Secretary of State filings, UCC liens, foreign equivalents).
  • Court records (PACER federal, state e-courts, international court databases where available).
  • Sanctions and watchlists (OFAC SDN, UN Consolidated, EU Consolidated, UK HMT, sectoral lists).
  • Property and real-estate records (county recorders, deed plotters, title datasets).
  • Licensed data brokers (Thomson Reuters CLEAR, LexisNexis Accurint, TLOxp) — for permitted purposes only.
  • Social media and web archives (current posts, Wayback Machine snapshots, deleted-tweet archives).
  • Specialty datasets (corporate disclosures, lobbying filings, professional licensing, vessel and aircraft registries).

Every artifact is hashed (SHA-256) and timestamped, with the source URL or document ID captured. If the report ends up in court — and the interesting ones often do — chain of custody is what makes the evidence admissible.
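As an added illustration (not Cybrvault's own tooling), here is a minimal custody log that records the SHA-256, UTC timestamp, and source for each artifact and can later re-verify them. Chaining each entry to the previous one is an assumption that goes beyond what the article describes; field names and sample sources are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous digest" for the first entry

def entry_digest(entry):
    # Digest over every field except the entry's own digest, in canonical JSON.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_artifact(log, content, source, collected_at=None):
    """Append a custody entry for one collected artifact (bytes) and return it."""
    ts = collected_at or datetime.now(timezone.utc)
    entry = {
        "seq": len(log),
        "source": source,  # source URL or document ID
        "collected_at_utc": ts.astimezone(timezone.utc).isoformat(),
        "size_bytes": len(content),
        "artifact_sha256": hashlib.sha256(content).hexdigest(),
        # Assumption beyond the article: link each entry to the one before it.
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log, artifacts):
    """Re-check the log against artifacts {seq: bytes}; return a list of problems."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_entry_sha256"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(e) != e["entry_sha256"]:
            problems.append(f"entry {i}: entry altered")
        data = artifacts.get(i)
        if data is None:
            problems.append(f"entry {i}: artifact missing")
        elif hashlib.sha256(data).hexdigest() != e["artifact_sha256"]:
            problems.append(f"entry {i}: artifact altered")
        prev = e["entry_sha256"]
    return problems

if __name__ == "__main__":
    # Constructed sample artifacts and sources, for illustration only.
    files = {0: b"constructed registry filing", 1: b"constructed court docket"}
    log = []
    record_artifact(log, files[0], "https://registry.example/filing/0001")
    record_artifact(log, files[1], "DOC-0002")
    print(verify_log(log, files))            # untouched evidence
    files[1] += b" (edited later)"
    print(verify_log(log, files))            # edited artifact is flagged
```

Because each entry carries the digest of the one before it, rewriting an earlier entry and recomputing its digest still breaks the link to every later entry.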

Step 3: Pivoting

The craft of OSINT is in the connections. A phone number on a Craigslist ad from 2014 leads to a shell company registered in Wyoming, which leads to a shipping address in Miami, which leads to a sealed indictment that's mentioned in a Bankruptcy Court filing nobody indexed. Tools help — but trained analysts make the leaps, and the leaps are what clients pay for.

Common pivot patterns we use:

  • Email → password breach datasets → reused username → social account → real name.
  • Corporate filing → registered agent → other entities sharing that agent → beneficial owner.
  • Image → reverse search → original posting → metadata → location, date, device.
  • Phone number → CNAM history → past business listings → past employer.

Step 4: Reporting

The deliverable is a written brief, not a data dump. Each section includes:

  • The question being answered, in the client's words.
  • The findings, with cited sources for every factual claim.
  • A confidence rating on each claim (high / medium / low) tied to source authority and corroboration.
  • An explicit list of what we couldn't determine, and why.
  • Recommended next steps, ranked by cost and likely yield.

Clients respect honest gaps more than oversold conclusions. The worst OSINT reports we've reviewed (after the fact, usually for opposing counsel) had high confidence on everything and footnotes on nothing.

What we won't do

  • Hack. OSINT means open source. Compromising an account or system to obtain information is a different discipline and almost always illegal.
  • Impersonate. Pretext calls to extract information are illegal in many US jurisdictions under the Telephone Records and Privacy Protection Act and state analogs.
  • Buy stolen data. We don't purchase breach corpora from criminal marketplaces. The data is often poisoned, the provenance can't be defended in court, and the purchase itself can constitute receipt of stolen property.
  • Run facial recognition against social media at scale. Some commercial tools offer this; the legal and ethical posture varies sharply by jurisdiction. We do it only with client counsel signing off in writing.

What to expect when you hire an OSINT firm

  • Timeline: 1–4 weeks is typical. Rush work (under a week) is possible at a premium and produces less corroboration.
  • Cost: $5K–$15K for focused single-subject due diligence, $15K–$50K for complex multi-jurisdictional or asset-trace work, more for ongoing monitoring retainers.
  • Engagement letter that names the scope, the prohibitions, the deliverable format, and the data-handling and retention terms.
  • A debrief call to walk through findings and answer questions before the report is finalized.

Where Cybrvault fits

Our OSINT practice runs out of Miami and serves clients across the US and the Caribbean basin. Common engagements: pre-acquisition due diligence on counterparties, asset trace for judgment enforcement, beneficial-ownership tracing for compliance, and reputational monitoring for executives and high-net-worth families. If you have a question that starts with 'I want to know whether…' there's usually a defensible OSINT path to an answer.

Questions teams ask us

Is OSINT legal?

Yes, when done correctly. OSINT relies on publicly available and lawfully licensed information. The legality issues arise when investigators cross into hacking, impersonation, or trafficking in stolen data — which is why scoping and engagement letters matter.

How is OSINT different from a private investigator?

Significant overlap. Many licensed PI firms have OSINT capability, and OSINT firms often work alongside PIs for in-person elements (surveillance, service of process). OSINT is the data-and-analysis discipline; the PI license matters when physical investigation is required.

Can OSINT find someone who's intentionally hidden?

Often, yes — most attempts at hiding produce their own artifacts (rapid address changes, shell-company patterns, social-media gaps). Whether the investigation succeeds depends on time, budget, and how disciplined the subject has been.

Will an OSINT investigation show up to the subject?

A well-run investigation should not. We use neutral infrastructure and avoid actions that trigger notifications (login attempts, friend requests, view-tracking features). Sloppy investigators tip subjects by liking old posts or appearing in 'who viewed your profile' panels.
