Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis announces strategic partnership with Microsoft to acclerate the secure adoption of Copilot.

Learn more

How Hackers Use OSINT to Find Business Data

8 min read
Last updated October 22, 2021

Hackers do their homework when picking a target, often relying on information left publically exposed to make decisions about how to attack. Whether an OSINT researcher is a hacker looking for vulnerabilities to exploit or an analyst assessing exposure, their core task is to combine public data into an intimate understanding of a business target.

There is more open-source data out there than ever before, the sheer amount of which can be difficult to sift through and organize during an investigation. When researching businesses, this can be especially true when a simple search yields an overwhelming amount of results without much context.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Knowing where to find the most reliable information on businesses usually means digging through state, federal, and local databases. In 2019, many of these documents are now available and free to access, provided you know where to find them.

What You Can Find

By nature of interactions with state, local, and federal governments, businesses generate a lot of paperwork to comply with laws and stay open. For a researcher, data from public entities provides an advantage because most government-produced data is available free of charge. Much of this will be filing documents and other paperwork required to start or maintain a business in one or multiple states.

Aside from articles of incorporation and statements, information on officers, employees, and outside company relationships can easily be found. Documents related to officers being appointed, stock being offered, and even political contributions of executives all can be retrieved with the right search. This even includes immigration records like visas obtained for skilled employees.

If you’re searching for individuals, the names and occupations of officers, their stock options, and any court documents they appear in is easy to discover in tools like LittleSis and Unicourt. Digging up corporate records, prior business names, and the names of third-party contractors responsible for filings can also be done with OpenCorporates and various secretary of state databases.

Access The Data

So how do you access all this amazing data? First, by asking the right questions. The problem in an OSINT investigation is rarely whether or not the data exists, but finding the right data in a sea of information to answer a specific question.

First, we want to nail down the details about a business that lets us identify it and increase the scope of our search, like addresses, entity numbers, and officers. Once we have details tied to the business from primary source data, like filings and other types of legal documents, it’s easier to search through less structured data for other leads based on those clues.

Ultimately, this blend of sources is a roadmap to the fastest methods of gathering public data on a target business by blending privately assembled and public database research. By using these resources, you can start at the best public databases and move onto private databases that can locate and point you towards additional public resources. The use of many of these private databases is often to point you to which free database the information was originally scraped from.

Below, you’ll find some of the best sources to nail down primary source data about a business. Several of these are public databases, but nowadays, private companies have created vast databases of information scraped from public entities. This makes searching between public databases less necessary, and while this information isn’t always accurate, it is a lot easier to find.

California Secretary of State Business Search

With the equivalent of the fifth-largest economy in the world, California is the biggest economic engine in the United States. Most medium or large organizations that do interstate business simply cannot afford to lose out on a piece of the 2.4 trillion dollar GDP, but doing business in the state requires several documents to be filed.

For many of the businesses I research, the paper trail begins in California. If a business is operating in California, they are required to file documents with the Secretary of State, who maintains an excellent searchable database of past and present businesses operating in the state.

How to use it?

Go to the website and decide which kind of search to run. You can search for an LLC or a corporation. Once you find it, you can view images of original filing documents including signatures.

What can you find?

Original filing documents with signatures listing executives and founders, external relationships with third-party filing services, the current status of the business in California.

Nevada SilverFlume Business Search

Businesses need to pick somewhere to call their home, and that somewhere matters when it’s tax time. This is important information to a researcher, as it’s the next likely place to look for businesses that don’t have a presence in California. Even if a corporation is actually based in California, it’s extremely likely it won’t be incorporated there for tax reasons. In fact, you may have seen many businesses listed as foreign entities from the neighboring state of Nevada in the California Secretary of State database.

So why are so many businesses incorporating in Nevada? Well, if you’ve decided to make your business structure a corporation, Nevada doesn’t collect corporate tax. This can reduce the tax burden to a business owner by a third, making Nevada an attractive place to incorporate and pay taxes. This also makes the Nevada Secretary of State database a treasure-trove of information.

For searching through filings in Nevada, the state uses the SilverPlume system, which is a lot more detailed and easy to use than the upcoming Delaware business entity search. Results can contain either images or text information on the business filings in the state, including the branch of the home office.

How to use it?

Go to the SilverFlume website and run a “contains” search for the officer or business you are searching for. Select the entity you’re interested in, and then to go to the “filing history” section to see past filings for the business.

What can you find?

Officers and third party companies responsible for business filings. Addresses of corporate headquarters and local branches. A complete history of filings in the state.

Delaware Secretary of State Business Search

It may seem odd to look to the state of Delaware for help tracking down documents on a large business. Similar to Nevada, many major companies will register themselves in Delaware, despite having no physical presence or business in the state. While Delaware also boasts no corporate tax, the primary reason a business would choose to incorporate in Delaware is the favorable legal climate.

Larger businesses will often strategically file in Delaware to protect themselves from the risk of potential lawsuits, relying on business-friendly local courts to provide an advantage over filing in their home states. As a result, the Delaware Secretary of State database is a great first stop to dig for information on large US businesses, with many filings from out of state companies.

Out of the top three online secretary of state databases, Delaware has by far the worst search and least valuable results. The captcha is nearly impossible without using the audio option, and the results are mostly useful for identifying the officers of a company or the home branch.

What can you find?

Legal addresses, third party companies managing filings, and officer information for businesses registered in Delaware. Entity numbers for further research.

How to use it?

Submit a search on Delaware’s business seach website, but make sure to use the audio captcha as the visual ones are nearly impossible to understand.


When it comes to learning about a business or business owner, Unicourt can uncover the court cases that business people inevitably find themselves involved in. For a hacker or OSINT researcher, the first benefit is finding the relationship between the target business and which attorneys they employ.

This alone can provide a plausible pretext to send phishing emails under, but even more interesting is the people and businesses named in any lawsuits. Even legitimate businesses will encounter lawsuits, but if the business you’re researching is less than legitimate, it may become apparent through the presence of many lawsuits.

While a certain number of searches are free, Unicourt itself is not. If you have a VPN, you can continue to do searches from new locations. The results are somewhat limited but all derived from publicly available records. By knowing a record exists, who is named it in, and where it’s from, you can do often the legwork of finding the original documents yourself.

What can you find?

Service providers the target has used before, attorneys the target employs, open and past court cases involving statements of fact about the operations of a company. The names of key officers named in complaints related to lawsuits against the company.

How to use it?

Go to Unicort’s main website and submit a search. After a few searches, you’ll be asked to sign up. Change your VPN location to get around this restriction, and use in an incognito window.


OpenCorporates takes the next step in organizing the information in public databases, discovering and organizing data in business filings and linking them together to show relationships. By providing a top-level view of organizations as told by the public documents gathered on each subject, OpenCorporates brings fragmented sources of data together into a single search.

While you won’t find all the data in secretary of state databases on OpenCorporates, you can search for documents across all the SOC databases that OpenCorporates has indexed. This means that while you’ll see more results by searching in OpenCorporates thanks to searching all states at once, you could still discover more documents by searching each individual state’s database.

What can you find?

Relationships between subsidiaries and parent companies, official filings from multiple states, trademarks and copyright filings. Officer information, share documents, information related to tax reporting, and public trading. Yearly reports and shareholder information.

How to use it?

On the main site, you can run searches for either business entities or officers.


LilSis describes itself as the unwanted Facebook of the 1%, with a mission to document the activities of the rich and powerful. It should come as no surprise that the database is an excellent place to research business officers, once they’ve been identified in filings from OpenCorporates or an SOC database.

While OpenCorporates focuses on finding relationships between businesses, like branches owned by one entity, LilSis focuses on relationships between people. That means drilling down on owners of multiple businesses, officers with titles at other companies, and even public donations an officer has made.

What can you find?

Relationships between subsidiaries and parent companies, official filings from multiple states, trademarks and copyright filings. Officer information, share documents, information related to tax reporting, and public trading. Yearly reports and shareholder information.

How to use it?

After locating officers on Unicourt or another data source, run a search through the main portal for the officer’s name to identify any paperwork they are mentioned in. Useful for discovering other business relationships an officer may have.


CorporationWiki is a constantly updated clearinghouse of information mostly gleaned from public sources, linked together to show relationships between different businesses and officers. By selecting a search result, you can also see helpful information like a network map of officers linked by public records to the business.

This resource can display not only the other business entanglements of senior officers but also the relationships of businesses to each other. The wiki-style interface and helpful visualizations of public data make this resource easy to understand and useful finding details to base further research on.

What can you find?

Officers connected to a company, filing documents and data sources. Visualized data on the business relationships between officers. Critical details like business address, phone number, and states where filing documents exist.

How to use it?

Run a search for the target on the homepage and select the entity that best matches to explore network visualizations and data sources.


Public.Enigma can find public data outside Secretary of State databases that is linked to businesses, indexing and building out relationships between data points it discovers. It pulls data from many interesting sources including SOC and immigration databases across the country, showing an incredible amount of curated public data about any organization that often can’t be found elsewhere.

One interesting type of data that public.enigma is good at finding is immigration data, specifically tied to the high skilled visas companies often get to recruit foreign workers. By analyzing the type of workers hired and where they’re hired from, a researcher can learn a lot about the hiring practices and priorities of a company hiring foreign workers.

What can you find?

Public.Enigma digs deeper into correlating data from state and federal governments, uncovering relationships that other services may miss, including detailed information about hiring foreign workers and visa applications for employees. It also shines at identifying tax filings, copyright and trademark applications, and the political contributions of the members of an organization.

How to use it?

Run a “public data” search on the main website, and check out the view on the left to show public data sources with entries matching your target.

Data Makes a Difference

Using the data sources above, hackers and researchers have everything they need to track down reliable, primary source information about a target business. While the sources in this list are a great start, you can often find even more information from sources like the Secretary of State database of Wyoming, for the same reason tax and liability reasons businesses like to incorporate in Delaware and Nevada.

Good OSINT research provides the foundation for a thorough investigation by building up a solid core of primary source information to start from. After nailing down the verifiable facts about a business, tracking down any harder to find details through subsequent searches becomes substantially easier to do.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Varonis joins Marsh McLennan Agency’s Cyber Resiliency Network
Varonis is teaming up with Marsh McLennan Agency. Together, we'll help organizations improve their cyber resilience with industry-leading DSPM solutions.
DSPM Report Highlights Risks That Lead to Significant Data Breaches  
Varonis' new DSPM report reveals that typical companies are widening their blast radius by oversharing permissions, excess ghost users, lack of MFA, and more.
Speed Data: Thinking From a Cyberattacker's Perspective With Dalal Alharthi
Dr. Dalal Alharthi talks about the importance of organizations anticipating a breach and seeing the world through the eyes of an attacker.
Behind the Varonis Rebrand
Discover the strategy behind Varonis' rebrand that involved a full transition to a hero archetype and the introduction of Protector 22814.