OSINT (open-source intelligence) collects publicly available information — social media, job postings, DNS records, WHOIS, Shodan (internet-connected devices), LinkedIn, public code repositories.
OSINT is passive reconnaissance — no interaction with target systems. Tools: Maltego, theHarvester, Shodan, Recon-ng. Job postings reveal the technology stack. LinkedIn shows employee names and org structure. DNS reveals infrastructure.