In late 2025, attackers compromised a mid-sized SaaS company by mapping its shadow IT infrastructure entirely through public sources — no exploits needed at the initial stage. They found an exposed Jenkins instance, two forgotten subdomains, and a developer’s leaked API key on GitHub before touching a single packet. That is modern OSINT in practice.
The tooling in 2026 has matured fast. Passive reconnaissance is faster, AI-assisted correlation is real, and defenders who ignore it are flying blind. Here is how to run it like a pro.
Email and Subdomain Harvesting with theHarvester
theHarvester — an open-source tool that pulls emails, subdomains, IPs, and URLs from public sources like search engines, certificate transparency logs, and DNS datasets — is still the fastest way to map an organization’s external exposure.
Run it against a target domain and pull from multiple sources simultaneously:
theHarvester -d acmecorp.io -b google,bing,certspotter,crtsh -l 300 -f acme_recon
[*] Target: acmecorp.io
[*] Emails found:
j.harris@acmecorp.io
devops-alerts@acmecorp.io
m.chen@acmecorp.io
[*] Hosts found:
staging.acmecorp.io 192.0.2.47
legacy-api.acmecorp.io 192.0.2.88
jenkins.acmecorp.io 192.0.2.103
www.acmecorp.io 192.0.2.10
Three things jump out immediately. jenkins.acmecorp.io should never be publicly resolvable — that is a CI/CD panel with potential code execution exposure. legacy-api.acmecorp.io suggests a forgotten endpoint that likely skips modern auth controls. And the email format (firstname.lastname) gives you a template for generating a full staff list.
An attacker pivots here in two directions: fingerprint each subdomain for open ports and services, and feed the email format into a credential stuffing list from a breach corpus. A defender runs this same scan monthly and alerts on any new subdomain that appears without a corresponding change ticket.
Passive Host Fingerprinting with Shodan
Shodan — a search engine that indexes internet-facing devices and their banners, certificates, and open ports — lets you fingerprint a host without sending a single packet to it. In 2026, its data freshness has improved significantly, with most records updating within 48 hours.
Query Shodan for one of the IPs you found above:
shodan host 192.0.2.103
192.0.2.103
Hostnames: jenkins.acmecorp.io
Country: United States
Organization: Acme Corp Cloud
Updated: 2026-07-05T14:22:10.000Z
Ports:
22/tcp OpenSSH 8.9p1 Ubuntu
8080/tcp HTTP
Jenkins ver. 2.440.1
X-Jenkins: 2.440.1
Authentication: false
443/tcp nginx/1.24.0
TLS Certificate:
CN: jenkins.acmecorp.io
Issuer: Let's Encrypt
Expires: 2026-09-12
Two critical findings here. Port 8080 is serving Jenkins 2.440.1 with authentication disabled — that is a remote code execution waiting to happen via the Script Console. The TLS cert expiry is September 12, which also tells you this host has been running unattended for months without rotation.
Cross-reference the Jenkins version against the NVD. Jenkins 2.440.x carries several known CVEs including script security bypasses. An attacker with this output opens a browser, hits http://jenkins.acmecorp.io:8080/script, and runs a Groovy reverse shell. A defender seeing this output has one job: take it offline within the hour and audit what pipelines it was running.
Certificate Transparency for Asset Discovery
Certificate transparency logs are public records of every TLS cert ever issued. Tools like crt.sh and certwatch let you monitor them in real time — attackers use this to find new subdomains the moment they go live.
curl -s "https://crt.sh/?q=%25.acmecorp.io&output=json" \
| jq '.[].name_value' | sort -u
"admin-beta.acmecorp.io"
"api-v3-staging.acmecorp.io"
"jenkins.acmecorp.io"
"legacy-api.acmecorp.io"
"mail.acmecorp.io"
"vpn.acmecorp.io"
"www.acmecorp.io"
admin-beta.acmecorp.io and api-v3-staging.acmecorp.io did not show up in theHarvester output. That means they are either newer or not yet indexed by search engines. Staging environments are historically under-hardened — same codebase as production, weaker access controls, sometimes with debug endpoints enabled.
Set up a cron job or use a service like Certstream to watch for new certs issued to your domain in real time. When a cert appears for a subdomain you did not authorize, you want to know in minutes, not months.
What To Do Now
Run theHarvester against your own organization’s primary domain right now. Use -b google,crtsh,certspotter as a minimum source set. Take the subdomains it returns, feed each IP into Shodan, and note anything running without authentication or on a non-standard port. That list — completed in under 30 minutes — is exactly what an adversary builds before they ever touch your perimeter. Fix the worst finding before end of day.
