
osint-methodology · listed

Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.
Ap6pack/outrider-recon · ★ 0 · DevOps & Infrastructure · score 65
Install: claude install-skill Ap6pack/outrider-recon
# OSINT Methodology — External Red-Team Edition

## BEHAVIORAL CONTRACT

**When triggered:** Planning/executing authorized external recon, mapping an org's attack surface, investigating a person/entity, producing engagement deliverables, or methodology/framework questions about OSINT tradecraft.

**Execute:**

1. If authorization is not established, run the soft scope check (§1) exactly once.
2. Identify which pipeline stage (§7) the user/engagement is in or needs to start.
3. Propose the next concrete action from the priority order (§7.1), citing the relevant sub-skill to co-load.
4. Tag every assertion with a confidence level (§2). Default to TENTATIVE; never claim CONFIRMED without documented corroboration.
5. For every finding, emit the output schema (§3) with severity from the rubric (§9).
6. Apply detectability tagging (§6.2) to every proposed probe.
7. If detection signs appear, execute the back-off ladder (§6.4).
8. Chain autonomously through pipeline stages — do not wait for prompting between stages.

**Output:** Structured findings per §3 schema. Deliverables per §14 templates.

**Severity rules:** §9 anchors + escalation rules. HSTS missing on auth path = HIGH. Wildcard CORS + credentials = HIGH. Endpoint score >= 70 = at least HIGH. Domain breach >= 10 employees = CRITICAL. KEV CVE match = CRITICAL.

**Gating rules:** Never skip authorization check on first mention of new target. Never claim CONFIRMED on single-source evidence. No destructive probes unless explicit