원클릭으로 Manus에서 모든 스킬 실행

$pwd:

osint-methodology

Name: Osint Methodology
Author: elementalsouls

// Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.

Manus에서 실행

$ git log --oneline --stat

stars:1,587

forks:303

updated:2026년 5월 20일 02:51

파일 탐색기

2 개 파일

SKILL.md

readonly

related-skills.json

같은 저장소

offensive-osint.md

from "elementalsouls/Claude-OSINT"

Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5/Pulse/Fortinet/Cisco/PaloAlto/VMware/Exchange, cloud-native service fingerprints, container/K8s exposure paths, CI/CD platform paths, documentation/wiki leak paths, WHOIS/RDAP, DNS record catalog, Wayback CDX recipes), 43+-pattern secret-regex catalog (incl. modern AI API keys: Anthropic/OpenAI/HuggingFace/Cloudflare/DigitalOcean/npm/PyPI/Docker Hub/Atlassian/DataDog/Sentry/ngrok), 80+ dork corpus across 9 categories, GitHub code-search dorks, copy-paste curl/httpie probes for every check, post-discovery enumeration workflows (AWS/GitHub/Slack/JWT/PMAK/Anthropic/OpenAI), endpoint interest scoring rubric (0–100), mobile app ownership confidence, identity-fabric endpoints (Entra/Okta/ADFS/Google/SAML/M365 Teams+Shar

2026-05-201.6k

package.json

"author": "elementalsouls"

"repository": "elementalsouls/Claude-OSINT"

GitHub 저장소 열기 Creator 저장소 보기

$ install --global

$ download --local

Manus에서 실행

$ useful --forSOC

정보 보안 분석가컴퓨터 및 수학직15-1212L4

원클릭으로 모든 스킬 실행

name	osint-methodology
description	Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.
version	2.2
triggers	["external recon","external red team","red team external","attack surface management","attack surface mapping","ASM","perimeter recon","target reconnaissance","bug bounty recon","asset discovery","footprint","attack path","identity fabric","SSO discovery","IdP fingerprinting","tenant fingerprinting","M365 enumeration","Microsoft 365 recon","API discovery","GraphQL introspection","mobile recon","APK analysis","cloud bucket enumeration","breach correlation","secret leak hunt","origin discovery","CDN bypass","WAF bypass","vulnerability prioritization","CVE prioritization","EPSS","CISA KEV","phishing infrastructure","pretext development","bug bounty submission","responsible disclosure","client report","exec summary","risk translation","confidence upgrade","time budget","engagement profile","asset triage","detection-aware probing","back-off strategy","OSINT methodology","open source intelligence","target profiling","OSINT workflow","recon methodology","threat actor investigation","attribution"]

OSINT Methodology — External Red-Team Edition

0. When to Use / When NOT

Use this skill when: planning or executing authorized external recon (red team, bug bounty, ASM); mapping an org's attack surface; investigating a person/entity/threat-actor; producing client deliverables.

Do NOT use this skill when: the user needs active exploitation, post-exploitation, or malware dev; blue-team/detection content; or the target's authorization is unclear — surface the scope question first.

1. Authorization & Legal Posture

Intended for assets the operator owns or has written authorization to assess.

Soft scope check — when authorization isn't established, ask once:

"Quick scope check: is this a target you own or have written authorization to assess? I want to make sure we stay on the right side of the engagement boundary."

Once asserted, don't re-ask. If the engagement type is stated ("pentest of acme.com under contract"), proceed.

Always-on guardrails:

Never weaken auth, rate limits, or safety controls on the target side.
No destructive probes (SYN scans at line-rate, masscan, fuzzing) outside explicit --aggressive mode.
Never paste real PII, credentials, session tokens, or API keys into cloud-hosted LLMs.
Never act against assets outside documented scope, even "obviously related" ones.

2. Confidence Levels

Every assertion carries a confidence level.

Level	Meaning
TENTATIVE	Plausible from indirect evidence; unverified. Snippet-only dork match, email pattern inferred from name, single passive-source subdomain.
FIRM	Directly observed, uncorroborated. Subdomain resolves; Shodan banner returned; CT-log entry.
CONFIRMED	Multiple independent corroborations OR directly verified. Live-validated token; bucket listable; three-source subdomain convergence.

Rule of three for attribution: 3 independent weak signals, OR 1 strong + 1 weak. Never single-source attribute.

2.1 Confidence Upgrade Workflows

Asset type	TENTATIVE → FIRM	FIRM → CONFIRMED
Subdomain	≥2 passive sources OR DNS resolves	Serves on a standard port AND banner/cert returned
IP	≥2 sources (passive DNS, ASN, Shodan)	TCP SYN-ACK or ICMP reply
WebApp	URL extracted but not yet hit	HTTP returns 2xx/3xx/4xx AND content-length > 0
Email	Name-pattern inferred OR snippet-only	Listed in Hunter/IntelX/breach, OR SMTP 250 (abort at DATA)
Bucket	Permutation candidate + HEAD returns 200/301/403 (exists)	GET listing = CONFIRMED
Credential / secret	Regex match in captured text	Read-only validator returns success (scope + account-ID documented)
Person	Name from single source	Confirmed by second independent source
SSO tenant	OIDC discovery endpoint returns metadata	Tenant GUID extracted AND domain ties back via MX/autodiscover/SP record

Default reporting posture: never claim CONFIRMED without explicit corroboration. When in doubt, downgrade.

3. Output Format

Each finding uses this schema (drops cleanly into asset-management tools):

Finding:
  id:          <stable hash or UUID>
  module:      <technique that discovered it>
  asset_key:   <typed key, e.g. sub:api.example.com>
  category:    <e.g. SECRET_LEAK, OPEN_GRAPHQL_API, SSO_EXPOSURE>
  severity:    <info|low|medium|high|critical>
  confidence:  <tentative|firm|confirmed>
  title:       <one-line summary>
  description: <2-5 sentences>
  evidence:
    url:       <where found>
    timestamp: <UTC ISO8601>
    sha256:    <hash of any downloaded artifact>
    raw:       <truncated to 2 KiB>
  references:  [<CVE-ID, advisory URL, vendor doc>]
  remediation: <action the asset owner can take>

Always use UTC timestamps.

4. Source Hygiene & Citations

For every artifact: URL + UTC timestamp + SHA-256 + tool version + run_id.

Hash all downloads with SHA-256. Screenshot in PNG.
Raw HTTP captures capped at 2 KiB body. JSONL logs, one line per event.
Separate evidence read-only from working copies; never edit captured artifacts.
Prefer durable references (CVE, ATT&CK technique ID, RFC). If ephemeral, archive first (archive.today, Wayback SavePageNow).

5. Do NOT

Do NOT paste creds, session tokens, real PII, or unique pivots into cloud LLMs. Use local models for sensitive analysis.
Do NOT assume vendor labels are ground truth (TRM, Chainalysis, Arkham can disagree).
Do NOT assert ownership from a single signal (favicon hash, shared NS, shared CT issuer — each is a hypothesis).
Do NOT run fuzzing, SYN scans, masscan, or nuclei fuzzing/* outside explicit --aggressive mode.
Do NOT use a credential validator for anything except read-only verification.
Do NOT mirror-image the threat actor. Separate capability from intent and sponsorship.
Do NOT escalate when you hit active defenses — back off and document (§6.4).

6. OpSec

6.1 Sock Puppets

Build posting history, age the account, use a separate browser profile. Persona generation: Fake Name Generator, This Person Does Not Exist. Browser isolation: Firefox Multi-Account Containers. Disposable numbers for SMS verification. Audit every extension before install. Maintain chain-of-custody: timestamp every action, hash every artifact.

6.2 Detectability Tagging

Tag every operation so you can reason about the trail you leave.

Tag	Examples
Low	Passive Shodan InternetDB; crt.sh; Wayback CDX; SecurityTrails PDNS; Hunter.io; HTTP HEAD on public buckets; `getuserrealm.srf`; OIDC metadata fetch.
Medium	`GetCredentialType` user-enum; Okta `/api/v1/authn` user-enum; credential validation; AWS `sts:GetCallerIdentity`; Swagger/GraphQL probes; targeted favicon-hash + JARM fingerprinting.
High	Active port scans (naabu/masscan/nmap); Nuclei full runs against production; subdomain brute-force at scale; SMTP `RCPT TO` enum; web fuzzing.

Defaults: passive by default. Active probes only when (a) explicitly authorized, (b) within agreed windows, (c) operator aware of log volume.

6.3 Validator Discipline

When you find a credential in the wild, confirm liveness with read-only validators only (/me, auth.test, sts:GetCallerIdentity). Never create, modify, delete, or send. Record checked_at UTC + truncated response + scope/account-ID. Concrete validator endpoints for 9 providers live in offensive-osint §23.

6.4 Detection-Aware Probing

Signs you've been detected (escalating severity): 429 / Retry-After; captcha interstitials; WAF block page; status-code drift (200→403 from your IP only); banner change; NXDOMAIN rollback; honeypot bait (credentials that don't validate); direct contact.

Back-off ladder:

Halve concurrency; add 2–10s jitter.
Stop hitting the triggering path; pivot to a different module.
New User-Agent / TLS fingerprint.
Rotate egress IP (residential proxy, different cloud region).
Pause 1–24 hours.
If WAF block / status drift / direct contact: stop and consult the engagement lead.

7. External Red-Team Recon Pipeline

Five sequential stages; modules within a stage can run concurrently.

Stage	What you do
1 — Seed Discovery	WHOIS, ASN enum (HE BGP Toolkit, RIPEstat), DNS records (A/AAAA/MX/TXT/NS/SOA/CAA), CT history (crt.sh, Censys).
2 — Asset Expansion	Subdomain enum (passive first → permutations → brute); cloud bucket permutation; typosquat generation; Wayback CDX; mobile app discovery; DNS walking; LinkedIn employee enum.
3 — Enrichment	Port/service (Shodan InternetDB → naabu); TLS handshakes (cert chain, JARM, favicon mmh3); WAF/CDN inference; origin discovery; security headers; email harvest; email security audit; GitHub dorking; JS deep analysis; SSO/IdP fingerprinting; API discovery; secrets sweep (Postman, Stack Exchange); vendor product fingerprinting; container/CI-CD/cloud-native exposure; job posting harvest.
4 — Exposure Analysis	Nuclei always-on checks; TLS deep audit; breach × identity correlation → SSO_EXPOSURE findings; targeted misconfig probes (`.git/config`, `.env`, `/actuator/env`, `/_cat/indices`, `/console`); vulnerability prioritization (CVE × EPSS × KEV × POC).
5 — Reporting	Risk scoring per finding; asset graph export; client-facing report (exec summary + technical detail + remediation); reproduction package; bug bounty submission if applicable.

7.1 Pipeline Priority Order (highest signal density first)

Breaches — HudsonRock Cavalier + HIBP + DeHashed. Highest ROI; often yields plaintext corp SSO creds.
GitHub recon — code-search dorks. Fastest path to AWS keys, Slack tokens, JWT secrets.
Nuclei misconfig sweep — exposed admin panels, CVEs with public POCs.
Cloud buckets — listable = CRITICAL.
Ports — Shodan InternetDB first. VPN concentrators, RDP, Jenkins, Elasticsearch are high-value pivots.
Email OSINT — feeds breaches; feeds phishing list.
Web tech / WAF / screenshots — triage thousands of hosts.
Wayback — archived JS for hard-coded keys; removed admin/dev paths.
DNS deep + email security — SPF/DMARC gaps enable spoofing; TXT tokens reveal SaaS tenancies.
Certificates → TLS — CT timeline catches forgotten subdomains; weak ciphers = cheap findings.
ASN + reverse DNS — corporate IP space hosts unadvertised infra.
Typosquats — registered = finding; unregistered = phishing shortlist.

7.2 Time Budgeting & Engagement Profiles

Stage	Small org (<100)	Medium (100–1K)	Large (1K+)
1. Seed	30 min	30 min	30 min
2. Asset expansion	1–2 h	2–4 h	4–8 h
3. Enrichment (per 100 alive webapps)	~1 h	~1 h	~1 h
4. Exposure analysis	1–3 h	3–6 h	6–12 h
5. Reporting	2–4 h	4–8 h	1–2 days

Profiles: 1-hour rapid (Stages 1–2 passive + breach + exec summary) · 4-hour focused (adds email harvest, SSO fingerprinting, typosquats) · 1-day standard (full Stages 1–4 in priority order) · 1-week deep (all of standard + JS deep, mobile, cloud-native, vendor product, package registry) · ongoing weekly diff (re-run Stages 1–3, diff against baseline).

Abort conditions: scope mismatch after Stage 1; near-zero attack surface after Stage 2; WAF/detection signs hit during any stage (§6.4).

8. Asset Graph Discipline

Every discovery is a typed asset in a graph, not a free-floating string.

8.1 Asset Taxonomy

Category	Types
DNS / Network	`domain`, `subdomain`, `ip`, `netblock`, `asn`
Service	`port`, `service`, `certificate`
Identity	`email`, `person`, `credential`
Code / Config	`repo`, `secret`
Cloud / Storage	`bucket`, `firebase_project`
Web	`webapp`, `wayback_endpoint`, `api_endpoint`, `api_spec`, `graphql_schema`
Mobile	`mobile_app`, `deep_link`, `exported_component`
Phishing	`typosquat_domain`
SaaS	`postman_collection`, `postman_workspace`, `postman_api_key`, `stack_post`, `saas_public_surface`

Every asset carries: type, key (typed dedup id), value, sources[], confidence, first_seen, last_seen, attrs{}.

Discipline: create the asset first, then attach the finding. Dedup by key. sources[] must list every source. Confidence is per-source, then aggregated.

8.2 Asset-Level Triage Rules

WebApp priority (highest first): auth (auth., login., sso.) → admin paths → dev/staging hosts → API (api., gateway.) → customer-facing (portal., app.) → marketing.

Email priority: exec (CEO/CFO/CISO) → IT/helpdesk/security → dev/engineer/DBA → sales/HR/finance → generic role accounts.

Repo priority: recently pushed (last 30 days) > stale; public with target name in description > code-only; mentions prod/internal/secret in name → HIGH priority despite being public.

9. Findings Rubric & Severity Mapping

Severity Anchors

Severity	Anchor
CRITICAL	Pre-auth code execution; confirmed valid credentials; listable production data; fundamental trust violations. Examples: `.env` exposed, listable S3 bucket with PII, live-validated AWS admin key, open Kubernetes API with anon-auth, ≥10 employees in breach corpus + tenant identified.
HIGH	Significant exposure with clear escalation path; high-value info disclosure. Examples: public secret in GitHub repo, subdomain takeover possible, reflected CORS with credentials, exposed Jenkins/phpMyAdmin admin UI, open GraphQL introspection on prod, DMARC `p=none`.
MEDIUM	Info disclosure, hardening gaps, brute-force exposure. Examples: missing HSTS/CSP, Apache `/server-status`, internal IP/hostname in JS, schema leakage in error pages, `android:allowBackup=true`, wildcard CORS on user-data API, Slack webhook leaked.
LOW	Cosmetic or marginal gaps. Examples: missing `X-Frame-Options`, `.DS_Store` exposed, Stripe test key, cert pinning missing, outdated WordPress (no known active exploit).
INFO	Worth recording; no immediate action. Examples: `robots.txt` reveals paths, private bucket locked down, DNSSEC not enabled.

Severity Escalation Rules

HSTS missing on auth/login/SSO/admin path → MED → HIGH.
Wildcard CORS + credentials header → MED → HIGH.
Endpoint interest score ≥70 (companion skill §20) → at least HIGH.
Domain breach ≥10 employees → CRITICAL regardless of stale-data caveats.
Vendor product version matches CISA KEV → CRITICAL.

10. Pivot Modes & Scale Tactics

Aspect	Investigative Mode	Offensive Recon Mode
Probing rate	Slow, single-threaded, blends with traffic	Bursts, parallel, rate-limited per provider
OpSec posture	Sock-puppet only; never reveal investigator	Engagement persona; team may notify SOC
Evidence handling	Court-grade chain of custody	Engagement-grade; same hash/timestamp discipline
Reporting format	Narrative + sourced timeline	Per-asset findings + remediation + reproduction

Scale tactics:

Small (<100): Individual-account focus. One exec/CFO compromise often hands you the keys. Deep on every email + every identity-fabric finding. Check founders' personal GitHub orgs.
Medium (100–1K): Balanced enumeration. Full pipeline at standard depth. LinkedIn priority by role. Check both app stores.
Large (1K–10K): Breadth-first; automation for asset discovery; manual triage on findings only.
Very large / conglomerate: Scope pruning is the most important step. Brand-pivot map first. Breach corpus and systemic posture findings (DMARC gaps, SSO_EXPOSURE breadth) dominate over individual accounts.

11. Implementation: Companion Skill Pointers

The following modules have full implementation detail — probe paths, wordlists, curl one-liners, regexes, and scoring rubrics — in offensive-osint. This skill defines what to do; that skill defines how to do it.

Identity Fabric Mapping (offensive-osint §22) — Microsoft Entra (OIDC metadata, getuserrealm.srf, GetCredentialType), Okta (slug derivation, /api/v1/authn), ADFS, Google Workspace, generic OIDC (Auth0/Keycloak/Ping/OneLogin/Duo), SAML metadata (5 paths), AWS account-ID extraction, M365 deep surface (Teams federation, SharePoint, OneDrive, OAuth client_id, device-code phishing check, Power Platform).

API & Auth-Map (offensive-osint §16.1–16.2, §20) — 28-path Swagger/OpenAPI wordlist; 13-path GraphQL wordlist; introspection POST body; field-suggestion enumeration when introspection disabled; endpoint interest score 0–100 rubric.

JavaScript Deep Analysis (offensive-osint §13 pattern) — sourcemap detection; secret catalog over JS bodies and sourcesContent[]; three-tier endpoint-extraction regex; internal-host leakage patterns; Next.js manifest parsing.

Mobile Attack Surface (offensive-osint §21) — Android/iOS app discovery; ownership confidence 0–100 scoring; APK static analysis; manifest misconfig findings; Firebase canonical probe.

Cloud Attack Surface (offensive-osint §16.8) — S3/GCS/Azure bucket permutation (6 prefixes × 15 suffixes); HEAD → GET probe technique; cloud-native fingerprints (Lambda, Cloud Run, Azure Functions, Vercel, Netlify, Workers); K8s/etcd/kubelet/container registry exposure.

WAF / CDN Bypass & Origin Discovery (offensive-osint §16.15) — DNS history pivot; cert SAN pivot; favicon mmh3 + JARM clustering; direct IP probe with Host header; mail/ftp/cpanel exception; error page leakage; email-header bounce trick; confidence rules.

Vulnerability Prioritization (offensive-osint §29.2) — NVD, EPSS, CISA KEV, ExploitDB, Metasploit, InTheWild.io, Trickest CVE→POC; 9-signal scoring rubric → P0/P1/P2/P3 tiers.

Phishing Infrastructure (offensive-osint §16.14 for email security) — typosquat shortlists via dnstwist; subdomain takeover for trusted-domain phishing; email spoof feasibility matrix (SPF × DMARC); pretext development from OSINT (job titles, recent events, vendor relationships, GitHub commits).

12. Breach × Identity Correlation

Highest-ROI single technique for external red teams. Run on every engagement.

Source	Tier	Notes
Hudson Rock Cavalier	FREE	Infostealer-log corpus; very high signal for corp SSO creds.
Have I Been Pwned	Free + paid	Domain-wide existence + Pwned Passwords (k-anonymity).
DeHashed	Paid	Per-record searchable API.
IntelX	Free + paid	Aggregator; phonebook search.

Domain-level severity: ≥10 employees compromised → CRITICAL; 1–9 → HIGH; ≥1 end-user → MEDIUM; domain seen with 0 named accounts → INFO.

SSO_EXPOSURE: after Stage 3 identity-fabric mapping AND breach lookups, intersect discovered IdP tenant domain with breach corpus. Non-empty intersection → SSO_EXPOSURE finding, severity CRITICAL. Evidence: tenant ID + product + employee count + per-account source.

Stealer log discipline: encrypt at rest; SHA-256 every artifact; never paste plaintext passwords into cloud LLMs; maintain chain of custody; redact passwords in client reports by default (offer encrypted credential bundle separately).

13. Specialty OSINT Domains

Cryptocurrency — track flows with Cielo, TRM, Arkham, MetaSleuth. L2/rollup: start at L1 bridge events; use L2 explorers for in-rollup activity. Caution: bridges mint/burn (avoid 1:1 flow assumptions); MEV paths create false direct trails.

Image / Video / Chronolocation — reverse image search (Google Lens, Yandex, TinEye); EXIF via ExifTool; forensics via Forensically/FotoForensics; geolocation via foreground+background landmark analysis, Street View, Overpass Turbo, PeakVisor. Shadow analysis: SunCalc, ShadeMap. Satellite: Google Earth Pro historical, Sentinel Hub.

Threat Actor Investigation — scoping: actor hypothesis from CERT/vendor reports → IOC harvest → infra mapping via CT log pivots, shared hosting, NS reuse, HTML fingerprints → artifact profiling (PDB paths, Rich headers, SSDEEP/YARA) → social pivots (handles, code snippets, job posts). Attribution discipline: rule of three; separate capability from intent; prefer durable pivots (code-signing certs, build path idioms) over ephemeral (resolving IPs). Russia pivots: EGRUL, Rusprofile, hh.ru, VKontakte. China pivots: gsxt.gov.cn, Tianyancha, ICP filings, Weibo, Zhihu.

People & Social Media — username enumeration: WhatsMyName, Sherlock, Maigret. Face search: PimEyes, Exposing.ai. Social graph: Maltego, SocialBlade. Bluesky: DID resolution via bsky.social/xrpc/, firehose via Firesky. Mastodon: WebFinger discovery; FediSearch cross-instance.

14. Anti-Patterns & Common Failure Modes

Single-source attribution. Rule of three.
Trusting vendor labels as ground truth. Labels are hypotheses.
Favicon-hash = ownership. Shared infra, shared CMS, shared CDN all produce matches.
Snippet-only dork as CONFIRMED. TENTATIVE until visited.
Pasting real PII / creds into cloud LLMs. Local models only.
Mirror-imaging the threat actor. They don't think like you.
Attribution by IP geolocation. VPNs and residential proxies exist.
Ignoring CT-log lag. Absence ≠ doesn't exist; lag can be minutes to hours.
Counting Wayback as "the site at time T." Best-effort; many requests fail.
Letting the asset graph carry untyped strings. Every discovery is an asset.
Skipping the scope check. Ask once when in doubt.
Forgetting UTC. Local time creates correlation bugs.
Continuing to probe after a WAF block. Back off (§6.4).
Skipping confidence-upgrade documentation. TENTATIVE needs a path to CONFIRMED.
Treating exec-summary as an afterthought. Plan deliverables at engagement start.

15. Bug Bounty Submission & Responsible Disclosure

Platforms: HackerOne (CVSS-based) · Bugcrowd (VRT: P1–P5) · Intigriti · YesWeHack · HackenProof (crypto-focused) · Open Bug Bounty (XSS/SSRF only) · /.well-known/security.txt for unprogrammed targets.

Report structure:

Title: [Severity] [Component] Brief description
Summary: 2-3 sentences — what and why it matters.
Steps to Reproduce: numbered, copy-pasteable, URL + payload + expected vs actual.
Proof of Concept: screenshot or sanitized HTTP request/response.
Impact: what data/users/functions are at risk.
Severity: CVSS v3 vector + score + 1-sentence justification.
Remediation: concrete, actionable recommendation.

Unprogrammed CVD: check security.txt → security@<target> → WHOIS abuse contact → CERT/CC. Standard 90-day window before public release. Never: include others' PII, post publicly before window expires, or escalate via social media first.

16. Client Deliverable Templates

Executive summary structure: engagement metadata → top 3–5 findings (title + business impact + remediation effort) → postural observations (email security, identity fabric, cloud surface, mobile) → aggregate metrics (assets, findings by severity, live creds confirmed) → recommended next steps with timeline.

Per-finding report card: title + severity + confidence + asset key + UTC timestamp → description → evidence (URL + tool + screenshot + raw HTTP + SHA-256) → reproduction steps → business-language impact → remediation (immediate / short-term / long-term) → references + attack-path hint.

Risk translation (sample):

Technical	Business language
Listable S3 bucket with PII	Customer records publicly downloadable. Potential GDPR/CCPA notification trigger.
Exposed `.env` with DB credentials	Full database access; pivots to backups, billing, employee PII.
Live AWS admin key	Complete cloud compromise; cryptominer spin-up, full data exfiltration, lateral movement.
DMARC `p=none`	Anyone on the internet can send email appearing to be from your domain.
≥10 employees in breach corpus	Stolen corp SSO credentials circulating; active credential-stuffing risk.
Vendor appliance on CISA KEV	Attackers are actively scanning the internet for this exact issue. Patch now.

Reporting cadence: Day 1 EOD kickoff summary → mid-engagement heads-up on first CRITICAL → end-of-engagement preliminary (top 5 findings) → final report within agreed SLA → re-test offer for CRITICAL/HIGH findings post-remediation.

Reproduction package: run-log.jsonl + assets.db + findings.db + evidence/ (screenshots, HTTP captures, downloads with .sha256) + re-test-script.sh + engagement metadata.

17. Skill Self-Test

Drop these into a fresh session to verify the skill loads correctly.

"External recon on acme.com (in-scope BB). Where do I start?" → §0, §1, §7, §7.1.
"Detect Entra vs Okta vs ADFS without active probing." → §11 + companion skill §22.
"50 subdomains, 12 webapps, 23 emails — triage order?" → §8.2 + §7.1.
"Found live AWS key in GitHub repo. Should I validate it?" → §6.3.
"Probes getting 429s and Cloudflare interstitial. What now?" → §6.4.
"200 emails harvested, org uses Entra. Highest-ROI next step?" → §12.
"Target fully behind Cloudflare. How to find the origin?" → §11 (WAF/CDN pointer) + companion skill §16.15.
"100 CVEs from a Nuclei scan. Prioritize." → §11 (vuln prioritization pointer) + companion skill §29.2.
"Authorized engagement asks for phishing-feasibility shortlist." → §11 (phishing pointer).
"Found unauth POST endpoint on HackerOne target. Write the report." → §15.
"Write exec summary for 2 CRIT, 5 HIGH, 12 MED." → §16.
"Run full subdomain enum on chase.com." → §1 (scope check; should NOT run).

18. Changelog

v2.2 (2026-04-29) — refactor: trimmed from 1,694 to ~480 lines. Compressed implementation-detail sections (§11–§15, §27–§31 original) to pointers to offensive-osint. Retained full framework core: confidence levels, pipeline, asset graph, severity rubric, OpSec, breach correlation, anti-patterns, deliverable templates. Removed duplicate content; combined specialty domains into single §13; merged §23–§25 into §13; collapsed §27–§29 into §11 pointer block.
v2.1 (2026-04-27) — comprehensive expansion based on 32-prompt smoke-test gap analysis. PASS rate: 31/32.
v2.0 (2026-04-27) — major rewrite for external red-team posture.
v1.x — original framework based on SnailSploit/offensive-checklist.

name	osint-methodology
description	Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.
version	2.2
triggers	["external recon","external red team","red team external","attack surface management","attack surface mapping","ASM","perimeter recon","target reconnaissance","bug bounty recon","asset discovery","footprint","attack path","identity fabric","SSO discovery","IdP fingerprinting","tenant fingerprinting","M365 enumeration","Microsoft 365 recon","API discovery","GraphQL introspection","mobile recon","APK analysis","cloud bucket enumeration","breach correlation","secret leak hunt","origin discovery","CDN bypass","WAF bypass","vulnerability prioritization","CVE prioritization","EPSS","CISA KEV","phishing infrastructure","pretext development","bug bounty submission","responsible disclosure","client report","exec summary","risk translation","confidence upgrade","time budget","engagement profile","asset triage","detection-aware probing","back-off strategy","OSINT methodology","open source intelligence","target profiling","OSINT workflow","recon methodology","threat actor investigation","attribution"]

OSINT Methodology — External Red-Team Edition

0. When to Use / When NOT

1. Authorization & Legal Posture

Intended for assets the operator owns or has written authorization to assess.

Soft scope check — when authorization isn't established, ask once:

"Quick scope check: is this a target you own or have written authorization to assess? I want to make sure we stay on the right side of the engagement boundary."

Once asserted, don't re-ask. If the engagement type is stated ("pentest of acme.com under contract"), proceed.

Always-on guardrails:

Never weaken auth, rate limits, or safety controls on the target side.
No destructive probes (SYN scans at line-rate, masscan, fuzzing) outside explicit --aggressive mode.
Never paste real PII, credentials, session tokens, or API keys into cloud-hosted LLMs.
Never act against assets outside documented scope, even "obviously related" ones.

2. Confidence Levels

Every assertion carries a confidence level.

Level	Meaning
TENTATIVE	Plausible from indirect evidence; unverified. Snippet-only dork match, email pattern inferred from name, single passive-source subdomain.
FIRM	Directly observed, uncorroborated. Subdomain resolves; Shodan banner returned; CT-log entry.
CONFIRMED	Multiple independent corroborations OR directly verified. Live-validated token; bucket listable; three-source subdomain convergence.

Rule of three for attribution: 3 independent weak signals, OR 1 strong + 1 weak. Never single-source attribute.

2.1 Confidence Upgrade Workflows

Asset type	TENTATIVE → FIRM	FIRM → CONFIRMED
Subdomain	≥2 passive sources OR DNS resolves	Serves on a standard port AND banner/cert returned
IP	≥2 sources (passive DNS, ASN, Shodan)	TCP SYN-ACK or ICMP reply
WebApp	URL extracted but not yet hit	HTTP returns 2xx/3xx/4xx AND content-length > 0
Email	Name-pattern inferred OR snippet-only	Listed in Hunter/IntelX/breach, OR SMTP 250 (abort at DATA)
Bucket	Permutation candidate + HEAD returns 200/301/403 (exists)	GET listing = CONFIRMED
Credential / secret	Regex match in captured text	Read-only validator returns success (scope + account-ID documented)
Person	Name from single source	Confirmed by second independent source
SSO tenant	OIDC discovery endpoint returns metadata	Tenant GUID extracted AND domain ties back via MX/autodiscover/SP record

Default reporting posture: never claim CONFIRMED without explicit corroboration. When in doubt, downgrade.

3. Output Format

Each finding uses this schema (drops cleanly into asset-management tools):

Finding:
  id:          <stable hash or UUID>
  module:      <technique that discovered it>
  asset_key:   <typed key, e.g. sub:api.example.com>
  category:    <e.g. SECRET_LEAK, OPEN_GRAPHQL_API, SSO_EXPOSURE>
  severity:    <info|low|medium|high|critical>
  confidence:  <tentative|firm|confirmed>
  title:       <one-line summary>
  description: <2-5 sentences>
  evidence:
    url:       <where found>
    timestamp: <UTC ISO8601>
    sha256:    <hash of any downloaded artifact>
    raw:       <truncated to 2 KiB>
  references:  [<CVE-ID, advisory URL, vendor doc>]
  remediation: <action the asset owner can take>

Always use UTC timestamps.

4. Source Hygiene & Citations

For every artifact: URL + UTC timestamp + SHA-256 + tool version + run_id.

Hash all downloads with SHA-256. Screenshot in PNG.
Raw HTTP captures capped at 2 KiB body. JSONL logs, one line per event.
Separate evidence read-only from working copies; never edit captured artifacts.
Prefer durable references (CVE, ATT&CK technique ID, RFC). If ephemeral, archive first (archive.today, Wayback SavePageNow).

5. Do NOT

Do NOT paste creds, session tokens, real PII, or unique pivots into cloud LLMs. Use local models for sensitive analysis.
Do NOT assume vendor labels are ground truth (TRM, Chainalysis, Arkham can disagree).
Do NOT assert ownership from a single signal (favicon hash, shared NS, shared CT issuer — each is a hypothesis).
Do NOT run fuzzing, SYN scans, masscan, or nuclei fuzzing/* outside explicit --aggressive mode.
Do NOT use a credential validator for anything except read-only verification.
Do NOT mirror-image the threat actor. Separate capability from intent and sponsorship.
Do NOT escalate when you hit active defenses — back off and document (§6.4).

6. OpSec

6.1 Sock Puppets

6.2 Detectability Tagging

Tag every operation so you can reason about the trail you leave.

Tag	Examples
Low	Passive Shodan InternetDB; crt.sh; Wayback CDX; SecurityTrails PDNS; Hunter.io; HTTP HEAD on public buckets; `getuserrealm.srf`; OIDC metadata fetch.
Medium	`GetCredentialType` user-enum; Okta `/api/v1/authn` user-enum; credential validation; AWS `sts:GetCallerIdentity`; Swagger/GraphQL probes; targeted favicon-hash + JARM fingerprinting.
High	Active port scans (naabu/masscan/nmap); Nuclei full runs against production; subdomain brute-force at scale; SMTP `RCPT TO` enum; web fuzzing.

Defaults: passive by default. Active probes only when (a) explicitly authorized, (b) within agreed windows, (c) operator aware of log volume.

6.3 Validator Discipline

6.4 Detection-Aware Probing

Back-off ladder:

Halve concurrency; add 2–10s jitter.
Stop hitting the triggering path; pivot to a different module.
New User-Agent / TLS fingerprint.
Rotate egress IP (residential proxy, different cloud region).
Pause 1–24 hours.
If WAF block / status drift / direct contact: stop and consult the engagement lead.

7. External Red-Team Recon Pipeline

Five sequential stages; modules within a stage can run concurrently.

Stage	What you do
1 — Seed Discovery	WHOIS, ASN enum (HE BGP Toolkit, RIPEstat), DNS records (A/AAAA/MX/TXT/NS/SOA/CAA), CT history (crt.sh, Censys).
2 — Asset Expansion	Subdomain enum (passive first → permutations → brute); cloud bucket permutation; typosquat generation; Wayback CDX; mobile app discovery; DNS walking; LinkedIn employee enum.
3 — Enrichment	Port/service (Shodan InternetDB → naabu); TLS handshakes (cert chain, JARM, favicon mmh3); WAF/CDN inference; origin discovery; security headers; email harvest; email security audit; GitHub dorking; JS deep analysis; SSO/IdP fingerprinting; API discovery; secrets sweep (Postman, Stack Exchange); vendor product fingerprinting; container/CI-CD/cloud-native exposure; job posting harvest.
4 — Exposure Analysis	Nuclei always-on checks; TLS deep audit; breach × identity correlation → SSO_EXPOSURE findings; targeted misconfig probes (`.git/config`, `.env`, `/actuator/env`, `/_cat/indices`, `/console`); vulnerability prioritization (CVE × EPSS × KEV × POC).
5 — Reporting	Risk scoring per finding; asset graph export; client-facing report (exec summary + technical detail + remediation); reproduction package; bug bounty submission if applicable.

7.1 Pipeline Priority Order (highest signal density first)

Breaches — HudsonRock Cavalier + HIBP + DeHashed. Highest ROI; often yields plaintext corp SSO creds.
GitHub recon — code-search dorks. Fastest path to AWS keys, Slack tokens, JWT secrets.
Nuclei misconfig sweep — exposed admin panels, CVEs with public POCs.
Cloud buckets — listable = CRITICAL.
Ports — Shodan InternetDB first. VPN concentrators, RDP, Jenkins, Elasticsearch are high-value pivots.
Email OSINT — feeds breaches; feeds phishing list.
Web tech / WAF / screenshots — triage thousands of hosts.
Wayback — archived JS for hard-coded keys; removed admin/dev paths.
DNS deep + email security — SPF/DMARC gaps enable spoofing; TXT tokens reveal SaaS tenancies.
Certificates → TLS — CT timeline catches forgotten subdomains; weak ciphers = cheap findings.
ASN + reverse DNS — corporate IP space hosts unadvertised infra.
Typosquats — registered = finding; unregistered = phishing shortlist.

7.2 Time Budgeting & Engagement Profiles

Stage	Small org (<100)	Medium (100–1K)	Large (1K+)
1. Seed	30 min	30 min	30 min
2. Asset expansion	1–2 h	2–4 h	4–8 h
3. Enrichment (per 100 alive webapps)	~1 h	~1 h	~1 h
4. Exposure analysis	1–3 h	3–6 h	6–12 h
5. Reporting	2–4 h	4–8 h	1–2 days

Abort conditions: scope mismatch after Stage 1; near-zero attack surface after Stage 2; WAF/detection signs hit during any stage (§6.4).

8. Asset Graph Discipline

Every discovery is a typed asset in a graph, not a free-floating string.

8.1 Asset Taxonomy

Category	Types
DNS / Network	`domain`, `subdomain`, `ip`, `netblock`, `asn`
Service	`port`, `service`, `certificate`
Identity	`email`, `person`, `credential`
Code / Config	`repo`, `secret`
Cloud / Storage	`bucket`, `firebase_project`
Web	`webapp`, `wayback_endpoint`, `api_endpoint`, `api_spec`, `graphql_schema`
Mobile	`mobile_app`, `deep_link`, `exported_component`
Phishing	`typosquat_domain`
SaaS	`postman_collection`, `postman_workspace`, `postman_api_key`, `stack_post`, `saas_public_surface`

Every asset carries: type, key (typed dedup id), value, sources[], confidence, first_seen, last_seen, attrs{}.

Discipline: create the asset first, then attach the finding. Dedup by key. sources[] must list every source. Confidence is per-source, then aggregated.

8.2 Asset-Level Triage Rules

WebApp priority (highest first): auth (auth., login., sso.) → admin paths → dev/staging hosts → API (api., gateway.) → customer-facing (portal., app.) → marketing.

Email priority: exec (CEO/CFO/CISO) → IT/helpdesk/security → dev/engineer/DBA → sales/HR/finance → generic role accounts.

Repo priority: recently pushed (last 30 days) > stale; public with target name in description > code-only; mentions prod/internal/secret in name → HIGH priority despite being public.

9. Findings Rubric & Severity Mapping

Severity Anchors

Severity	Anchor
CRITICAL	Pre-auth code execution; confirmed valid credentials; listable production data; fundamental trust violations. Examples: `.env` exposed, listable S3 bucket with PII, live-validated AWS admin key, open Kubernetes API with anon-auth, ≥10 employees in breach corpus + tenant identified.
HIGH	Significant exposure with clear escalation path; high-value info disclosure. Examples: public secret in GitHub repo, subdomain takeover possible, reflected CORS with credentials, exposed Jenkins/phpMyAdmin admin UI, open GraphQL introspection on prod, DMARC `p=none`.
MEDIUM	Info disclosure, hardening gaps, brute-force exposure. Examples: missing HSTS/CSP, Apache `/server-status`, internal IP/hostname in JS, schema leakage in error pages, `android:allowBackup=true`, wildcard CORS on user-data API, Slack webhook leaked.
LOW	Cosmetic or marginal gaps. Examples: missing `X-Frame-Options`, `.DS_Store` exposed, Stripe test key, cert pinning missing, outdated WordPress (no known active exploit).
INFO	Worth recording; no immediate action. Examples: `robots.txt` reveals paths, private bucket locked down, DNSSEC not enabled.

Severity Escalation Rules

HSTS missing on auth/login/SSO/admin path → MED → HIGH.
Wildcard CORS + credentials header → MED → HIGH.
Endpoint interest score ≥70 (companion skill §20) → at least HIGH.
Domain breach ≥10 employees → CRITICAL regardless of stale-data caveats.
Vendor product version matches CISA KEV → CRITICAL.

10. Pivot Modes & Scale Tactics

Aspect	Investigative Mode	Offensive Recon Mode
Probing rate	Slow, single-threaded, blends with traffic	Bursts, parallel, rate-limited per provider
OpSec posture	Sock-puppet only; never reveal investigator	Engagement persona; team may notify SOC
Evidence handling	Court-grade chain of custody	Engagement-grade; same hash/timestamp discipline
Reporting format	Narrative + sourced timeline	Per-asset findings + remediation + reproduction

Scale tactics:

Small (<100): Individual-account focus. One exec/CFO compromise often hands you the keys. Deep on every email + every identity-fabric finding. Check founders' personal GitHub orgs.
Medium (100–1K): Balanced enumeration. Full pipeline at standard depth. LinkedIn priority by role. Check both app stores.
Large (1K–10K): Breadth-first; automation for asset discovery; manual triage on findings only.
Very large / conglomerate: Scope pruning is the most important step. Brand-pivot map first. Breach corpus and systemic posture findings (DMARC gaps, SSO_EXPOSURE breadth) dominate over individual accounts.

11. Implementation: Companion Skill Pointers

Mobile Attack Surface (offensive-osint §21) — Android/iOS app discovery; ownership confidence 0–100 scoring; APK static analysis; manifest misconfig findings; Firebase canonical probe.

Vulnerability Prioritization (offensive-osint §29.2) — NVD, EPSS, CISA KEV, ExploitDB, Metasploit, InTheWild.io, Trickest CVE→POC; 9-signal scoring rubric → P0/P1/P2/P3 tiers.

12. Breach × Identity Correlation

Highest-ROI single technique for external red teams. Run on every engagement.

Source	Tier	Notes
Hudson Rock Cavalier	FREE	Infostealer-log corpus; very high signal for corp SSO creds.
Have I Been Pwned	Free + paid	Domain-wide existence + Pwned Passwords (k-anonymity).
DeHashed	Paid	Per-record searchable API.
IntelX	Free + paid	Aggregator; phonebook search.

Domain-level severity: ≥10 employees compromised → CRITICAL; 1–9 → HIGH; ≥1 end-user → MEDIUM; domain seen with 0 named accounts → INFO.

13. Specialty OSINT Domains

14. Anti-Patterns & Common Failure Modes

Single-source attribution. Rule of three.
Trusting vendor labels as ground truth. Labels are hypotheses.
Favicon-hash = ownership. Shared infra, shared CMS, shared CDN all produce matches.
Snippet-only dork as CONFIRMED. TENTATIVE until visited.
Pasting real PII / creds into cloud LLMs. Local models only.
Mirror-imaging the threat actor. They don't think like you.
Attribution by IP geolocation. VPNs and residential proxies exist.
Ignoring CT-log lag. Absence ≠ doesn't exist; lag can be minutes to hours.
Counting Wayback as "the site at time T." Best-effort; many requests fail.
Letting the asset graph carry untyped strings. Every discovery is an asset.
Skipping the scope check. Ask once when in doubt.
Forgetting UTC. Local time creates correlation bugs.
Continuing to probe after a WAF block. Back off (§6.4).
Skipping confidence-upgrade documentation. TENTATIVE needs a path to CONFIRMED.
Treating exec-summary as an afterthought. Plan deliverables at engagement start.

15. Bug Bounty Submission & Responsible Disclosure

Report structure:

Title: [Severity] [Component] Brief description
Summary: 2-3 sentences — what and why it matters.
Steps to Reproduce: numbered, copy-pasteable, URL + payload + expected vs actual.
Proof of Concept: screenshot or sanitized HTTP request/response.
Impact: what data/users/functions are at risk.
Severity: CVSS v3 vector + score + 1-sentence justification.
Remediation: concrete, actionable recommendation.

16. Client Deliverable Templates

Risk translation (sample):

Technical	Business language
Listable S3 bucket with PII	Customer records publicly downloadable. Potential GDPR/CCPA notification trigger.
Exposed `.env` with DB credentials	Full database access; pivots to backups, billing, employee PII.
Live AWS admin key	Complete cloud compromise; cryptominer spin-up, full data exfiltration, lateral movement.
DMARC `p=none`	Anyone on the internet can send email appearing to be from your domain.
≥10 employees in breach corpus	Stolen corp SSO credentials circulating; active credential-stuffing risk.
Vendor appliance on CISA KEV	Attackers are actively scanning the internet for this exact issue. Patch now.

Reproduction package: run-log.jsonl + assets.db + findings.db + evidence/ (screenshots, HTTP captures, downloads with .sha256) + re-test-script.sh + engagement metadata.

17. Skill Self-Test

Drop these into a fresh session to verify the skill loads correctly.

"External recon on acme.com (in-scope BB). Where do I start?" → §0, §1, §7, §7.1.
"Detect Entra vs Okta vs ADFS without active probing." → §11 + companion skill §22.
"50 subdomains, 12 webapps, 23 emails — triage order?" → §8.2 + §7.1.
"Found live AWS key in GitHub repo. Should I validate it?" → §6.3.
"Probes getting 429s and Cloudflare interstitial. What now?" → §6.4.
"200 emails harvested, org uses Entra. Highest-ROI next step?" → §12.
"Target fully behind Cloudflare. How to find the origin?" → §11 (WAF/CDN pointer) + companion skill §16.15.
"100 CVEs from a Nuclei scan. Prioritize." → §11 (vuln prioritization pointer) + companion skill §29.2.
"Authorized engagement asks for phishing-feasibility shortlist." → §11 (phishing pointer).
"Found unauth POST endpoint on HackerOne target. Write the report." → §15.
"Write exec summary for 2 CRIT, 5 HIGH, 12 MED." → §16.
"Run full subdomain enum on chase.com." → §1 (scope check; should NOT run).

18. Changelog

v2.2 (2026-04-29) — refactor: trimmed from 1,694 to ~480 lines. Compressed implementation-detail sections (§11–§15, §27–§31 original) to pointers to offensive-osint. Retained full framework core: confidence levels, pipeline, asset graph, severity rubric, OpSec, breach correlation, anti-patterns, deliverable templates. Removed duplicate content; combined specialty domains into single §13; merged §23–§25 into §13; collapsed §27–§29 into §11 pointer block.
v2.1 (2026-04-27) — comprehensive expansion based on 32-prompt smoke-test gap analysis. PASS rate: 31/32.
v2.0 (2026-04-27) — major rewrite for external red-team posture.
v1.x — original framework based on SnailSploit/offensive-checklist.

osint-methodology

이 저장소의 다른 Skills

이 저장소의 다른 Skills

OSINT Methodology — External Red-Team Edition

0. When to Use / When NOT

1. Authorization & Legal Posture

2. Confidence Levels

2.1 Confidence Upgrade Workflows

3. Output Format

4. Source Hygiene & Citations

5. Do NOT

6. OpSec

6.1 Sock Puppets

6.2 Detectability Tagging

6.3 Validator Discipline

6.4 Detection-Aware Probing

7. External Red-Team Recon Pipeline

7.1 Pipeline Priority Order (highest signal density first)

7.2 Time Budgeting & Engagement Profiles

8. Asset Graph Discipline

8.1 Asset Taxonomy

8.2 Asset-Level Triage Rules

9. Findings Rubric & Severity Mapping

Severity Anchors

Severity Escalation Rules

10. Pivot Modes & Scale Tactics

11. Implementation: Companion Skill Pointers

12. Breach × Identity Correlation

13. Specialty OSINT Domains

14. Anti-Patterns & Common Failure Modes

15. Bug Bounty Submission & Responsible Disclosure

16. Client Deliverable Templates

17. Skill Self-Test

18. Changelog

OSINT Methodology — External Red-Team Edition

0. When to Use / When NOT

1. Authorization & Legal Posture

2. Confidence Levels

2.1 Confidence Upgrade Workflows

3. Output Format

4. Source Hygiene & Citations

5. Do NOT

6. OpSec

6.1 Sock Puppets

6.2 Detectability Tagging

6.3 Validator Discipline

6.4 Detection-Aware Probing

7. External Red-Team Recon Pipeline

7.1 Pipeline Priority Order (highest signal density first)

7.2 Time Budgeting & Engagement Profiles

8. Asset Graph Discipline

8.1 Asset Taxonomy

8.2 Asset-Level Triage Rules

9. Findings Rubric & Severity Mapping

Severity Anchors

Severity Escalation Rules

10. Pivot Modes & Scale Tactics

11. Implementation: Companion Skill Pointers

12. Breach × Identity Correlation

13. Specialty OSINT Domains

14. Anti-Patterns & Common Failure Modes

15. Bug Bounty Submission & Responsible Disclosure

16. Client Deliverable Templates

17. Skill Self-Test

18. Changelog