osint-methodologylisted

# OSINT Methodology — External Red-Team Edition ## 0. When to Use / When NOT **Use this skill when:** planning or executing authorized external recon (red team, bug bounty, ASM); mapping an org's attack surface; investigating a person/entity/threat-actor; producing client deliverables. **Do NOT use this skill when:** the user needs active exploitation, post-exploitation, or malware dev; blue-team/detection content; or the target's authorization is unclear — surface the scope question first. --- ## 1. Authorization & Legal Posture Intended for assets the operator owns or has **written authorization** to assess. **Soft scope check** — when authorization isn't established, ask once: > *"Quick scope check: is this a target you own or have written authorization to assess? I want to make sure we stay on the right side of the engagement boundary."* Once asserted, don't re-ask. If the engagement type is stated ("pentest of acme.com under contract"), proceed. **Always-on guardrails:** - Never weaken auth, rate limits, or safety controls on the target side. - No destructive probes (SYN scans at line-rate, masscan, fuzzing) outside explicit `--aggressive` mode. - Never paste real PII, credentials, session tokens, or API keys into cloud-hosted LLMs. - Never act against assets outside documented scope, even "obviously related" ones. --- ## 2. Confidence Levels Every assertion carries a confidence level. | Level | Meaning | |---|---| | **TENTATIVE** | Plausible from indirect e