OSINT collects publicly available information — social media, job postings, DNS records, WHOIS, Shodan (internet-connected devices), public code repositories, breach databases.
OSINT is passive reconnaissance — no interaction with target systems. Tools: Maltego, theHarvester, Shodan, Recon-ng, Google Dorking. Job postings reveal tech stack. LinkedIn reveals employees and org structure. OSINT before active scanning is standard pen test methodology.