Targeted Reconnaissance Projects
Deep-dive OSINT over 2–4 weeks focused on your organization, executive team, or specific concern. You get a detailed report, an executive brief, and a prioritized remediation roadmap.
Boutique OSINT & Reconnaissance
Quiet, boutique OSINT for clients who can’t afford surprises.
Deep, human-led reconnaissance that shows you exactly how exposed you really are—before an attacker does. Clear, confidential intelligence and a concrete remediation plan.
- Discreet, engagement-based OSINT & recon
- Ideal for executives, M&A, and security-conscious organizations
- Limited monthly capacity to preserve depth & quality
Who This Is For
We’re a boutique practice. We work with a small number of clients who need clarity and discretion.
Organizations
- Mid-market companies without a dedicated threat intel team
- PE firms and investors evaluating targets
- Law firms handling sensitive or high-profile matters
- Security leaders who want an external, adversarial view
Individuals & Executive Teams
- C-suite and board members
- High-net-worth individuals
- Public-facing founders and influencers
- Families seeking quiet digital footprint reduction
What You Get From an Engagement
Every engagement is custom-scoped, but most clients come to us for one of three things:
Ongoing Intelligence Retainers
We quietly monitor your external footprint, breached data, and changing exposure over time. You get scheduled sweeps, rapid alerts for critical issues, and direct access for ad-hoc questions.
Special Situations & High-Stakes Intelligence
Pre-M&A recon, executive protection OSINT, competitor or insider risk analysis, and other complex scenarios where nuance and discretion matter more than speed.
Not sure where you fit? Book a short intro call and we’ll tell you if we’re the right partner—or not.
How We Work (In Plain Language)
01 — Scoping & Threat Model
We start with a 45–60 minute call to understand your business, concerns, and risk tolerance. We define scope, assets, and communication channels.
02 — Active Reconnaissance
Over the next 2–3 weeks, we perform deep OSINT collection and analysis across your defined scope—validating findings manually and dropping anything that’s just noise.
03 — Analysis & Reporting
We synthesize everything into a clear threat narrative: what’s exposed, how it could be used against you, and what matters most. You get both an executive summary and a technical appendix.
04 — Debrief & Support
We walk you through the findings, answer questions, and help you prioritize a 30/60/90-day remediation plan. Optional follow-up validation confirms that fixes worked.
Why Clients Choose a Boutique OSINT Partner
You’re not buying another security tool. You’re buying a clear understanding of where you’re exposed and what to do about it.
No dashboards or tickets.
We don’t sell logins. We deliver a narrative: what’s exposed, how it can be used, and the shortest path to fix it.
Human-led context
We correlate leaks, assets, executives, vendors, and history to build a coherent story an attacker could follow.
Limited client load = real depth.
We cap active engagements so every client gets senior-level attention throughout scoping, recon, analysis, and delivery.
If you want “10,000 alerts,” there are plenty of platforms. If you want three pages that actually matter, that’s what we do.
For Those Who Need Context, Not an Engagement
Not every situation requires a full reconnaissance engagement. Some individuals and teams want to better understand exposure, adversarial thinking, and defensive posture without commissioning a custom investigation.
For those cases, we offer a small number of carefully designed educational programs. They’re structured explanations of how exposure is identified, prioritized, and reduced—based on the same mental models used in our client work.
Think Like an Adversary: OSINT Psychology & Patterns
A conceptual program on adversarial reasoning, OSINT pattern recognition, and narrative construction. Designed for professionals who want to understand how exposure is interpreted—not just where data exists.
Defensive OSINT: Reducing Your Attack Surface
A practical program focused on minimizing correlation risk, passive data leakage, and unnecessary exposure—without attempting to “disappear” online.
OSINT for Small Businesses & Founders
Explains how attackers, scammers, and competitors profile organizations using publicly available data—and where most small companies unintentionally expose themselves.
OSINT for Families & Parents
A safety-focused program on how family data becomes discoverable, how children’s digital footprints form, and how to reduce exposure without fear-driven restrictions.
Educational programs are not a replacement for a reconnaissance engagement where real risk exists. In some cases, completing a program helps clients better understand why a custom engagement is necessary—and what questions to ask.
Transparent, Simple Pricing
Every scope is different, but most projects fall into these ranges.
Targeted Recon Projects
From $5,000 for small environments to $15,000+ for complex, multi-entity scopes.
Ongoing Retainers
From $3,000/month, with quarterly sweeps, ad-hoc OSINT requests, and direct access.
Specialized Intelligence Work
Pre-M&A, executive protection, and high-stakes projects are scoped individually and typically start around $10,000.
If your budget is unclear, we’ll scope around what matters most and tell you honestly if we’re not a fit.
Sample Findings Outline
A typical engagement produces a 50–100+ page report. Here’s the high-level structure:
Executive Summary
- Key findings overview
- Risk assessment summary
- Critical action items
- Business impact analysis
Technical Findings & Annexes
- External attack surface & exposed assets
- Credential and data leakage
- Social engineering vectors
- Supply chain and third-party exposure
- Remediation roadmap (30/60/90 days)
Want to see a redacted example? Mention it on your consult call and we’ll share a sanitized outline.
Questions We’re Often Asked
What exactly do you look at during an engagement?
We focus on your external attack surface: domains, subdomains, cloud exposure, leaked credentials, code repositories, vendor relationships, executive OSINT, and social engineering vectors. We don’t run intrusive scans against your systems without explicit permission.
Will this create risk or draw attention to us?
Our work is strictly reconnaissance and open-source intelligence. We behave like a careful adversary would—but without crossing legal or ethical lines. We do not disrupt systems or attempt exploitation as part of standard engagements.
What do I actually receive at the end?
You get a written report, an executive summary, and a live debrief call. The report includes evidence, context, risk ratings, and prioritized remediation recommendations. Your internal team, MSP, or vCISO can work directly from our findings.
Do you work with our existing security team or MSP?
Yes. Many clients bring us in to complement their existing providers. We’re happy to brief your internal team, MSP, or vCISO and help them translate findings into action.
How confidential is this?
Extremely. We sign NDAs, restrict access to your data, and use encrypted channels for sensitive communication. We don’t reuse your data in other contexts.
What’s the first step if I’m interested?
Start with a short, confidential call. We’ll ask a few questions about your goals, make a recommendation, and only suggest an engagement if it clearly makes sense.
See Yourself the Way an Adversary Would—Before They Get There
If you’re responsible for protecting an organization, an executive team, or a sensitive transaction, you deserve a clear picture of your exposure.
Book a confidential consultNo hard sell. If we’re not the right fit, we’ll tell you and point you somewhere better.