The challenge
A Fortune 100 technology company's Director of Global Protective Services had a straightforward question: how much does the internet know about our senior executives?
The answer wasn't theoretical. The company had specific concerns about a board-level governance situation that was receiving media attention. They needed to know what was publicly accessible — not to hide it, but to understand their exposure and close the gaps.
Authorization was granted via email from the Director of Global Protective Services. All testing was external, black-box OSINT only. No credentials. No active system exploitation. Just what any motivated threat actor could find using public sources.
The engagement
We run executive protection assessments under the PurviewX Pressure Test framework. The methodology follows PTES and OWASP Testing Guide v4.2, with findings scored using CVSS v3.1. Everything is documented before the engagement begins: who authorized it, what's in scope, and what the minimum extraction principle requires.
For each executive, we build a parallel investigation across nine attack surfaces:
- Personal biography and digital footprint — Social media profiles, speaking history, publication history, archived websites, professional profiles, and any personal content that creates predictability.
- Financial exposure — Property records, business filings, publicly recorded instruments, and any financial data that could be leveraged for social engineering or identify patterns of behavior.
- Contact and identity exposure — Email addresses, phone numbers, physical addresses, and any credentials that appear in public data breach databases.
- Infrastructure reconnaissance — Technology stack exposure, domain history, certificate transparency logs, and any technical surface that reveals organizational or personal infrastructure.
- Family and social engineering vectors — Publicly accessible family connections that could serve as approach vectors or pressure points.
- Network and governance analysis — Board connections, professional relationships, and organizational affiliations that create influence maps.
- Property and physical profile — Property ownership records, vehicle registrations, and any physical-world data that enables location prediction.
- Litigation and court record analysis — Civil and criminal court records, regulatory filings, and enforcement actions that provide both intelligence and potential leverage points.
What we found
For the first executive, the assessment returned a HIGH exposure rating across nine evidence categories. The findings included multiple critical-severity issues: PII exposed in breach databases including email credentials, complete home address and property record chains, family member social media profiles that were public and used predictable location tagging, and professional contact information available through aggregator sites that had never been claimed or removed.
For the second executive, the assessment returned a CRITICAL exposure rating with 57 documented findings across 14 evidence files. In addition to the expected PII and financial exposure, the litigation analysis produced material that was independently significant — court records documenting prior civil litigation that connected to current governance questions. These findings were delivered as a separate litigation and court record report.
The litigation findings weren't in scope for the original engagement. They emerged from the OSINT process and were documented separately because they crossed from executive protection territory into governance territory. We delivered them with appropriate context and recommended that legal counsel review before any action.
The response
The engagement did not end at report delivery.
The initial scope covered two executives. Based on the findings, the client expanded the engagement to cover additional senior leadership and requested a methodology review for their existing executive protection program. They also asked us to assess a third-party vendor that was handling sensitive internal communications — that assessment became a separate engagement under the same framework.
The expansion wasn't because the report was alarming. It was because the report was credible. Every finding had evidence. Every severity rating had a justification. Every recommendation had a remediation path.
When an executive protection team can hand a report to legal, HR, and external counsel and have all three engage with it seriously, the engagement succeeded.
The methodology
The PurviewX Pressure Test framework is designed for authorized security assessments commissioned by business owners, executives, or boards. It is not intelligence gathering — it is a structured process for understanding and closing exposure gaps before a threat actor finds them first.
The engagement rules are explicit:
- Written authorization before any work begins
- Minimum extraction principle — prove the finding exists, do not exfiltrate bulk data
- Proof-of-concept only for every finding
- Every finding documented with CVSS v3.1 scoring
- Immutable evidence files — nothing deleted or modified after creation
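One way to make the "nothing deleted or modified after creation" rule checkable is a hash-chained finding log. This is an added example, not PurviewX's own tooling; the field names, finding IDs, CVSS vectors and evidence bytes are constructed, and storing only a digest of each evidence file in the log is an assumption.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in the log


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_finding(log: list, finding_id: str, cvss_vector: str, evidence: bytes) -> dict:
    """Append a finding, recording a digest of the evidence and a link to the previous entry."""
    entry = {
        "seq": len(log),
        "finding_id": finding_id,
        "cvss_vector": cvss_vector,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev or entry["entry_hash"] != _digest(entry):
            return i
        prev = entry["entry_hash"]
    return -1


def demo() -> tuple:
    """Build a constructed two-entry log, then check an edited and a truncated copy."""
    log = []
    append_finding(log, "F-001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", b"constructed sample 1")
    append_finding(log, "F-002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", b"constructed sample 2")
    edited = [dict(e) for e in log]
    # Severity rewritten after the fact, without recomputing the chain.
    edited[1]["cvss_vector"] = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
    deleted = log[1:]  # first entry removed from the front
    return verify(log), verify(edited), verify(deleted)


if __name__ == "__main__":
    print(demo())
```

The chain alone does not detect entries trimmed from the tail or a log rewritten end to end, so the latest `entry_hash` should also be recorded somewhere the assessor cannot rewrite, such as the client's copy of the report.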
We deliver two outputs for every engagement: a technical report with full evidence chains and CVSS scoring, and an executive briefing written for the CEO or board — no jargon, no acronyms, plain language that drives decisions.
Lessons
- Exposure accumulates faster than awareness. Most executives are surprised by how much is accessible. Property records, breach databases, family social media, and professional aggregator sites collectively paint a detailed picture. The picture doesn't require any single dramatic leak.
- Litigation records are underused intelligence. Public court records are fully searchable and contain financial, personal, and behavioral information that doesn't appear in any other public source. They're the last place most executive protection programs look and often the most consequential.
- Authorization structure is the methodology. An assessment without documented authorization isn't a security assessment — it's a liability. Every engagement starts with a signed document specifying who authorized it, what's in scope, and what constraints apply.
- The most valuable deliverable is the one they can act on. A technically thorough report that can't be handed to legal counsel is incomplete. Every finding needs a remediation path and a responsible party.
PurviewX delivers authorized security assessments for organizations that need to understand their exposure before an adversary does.