"OSINT" sounds like a government term, and it started as one. But strip the acronym away and open-source intelligence is something every business already half-does: looking people and companies up before trusting them. The difference between half-doing it and doing it properly is the difference between a search engine session and an intelligence product, and that difference is what this article is about. It is written for the people who actually order this work: owners deciding whether to trust a vendor, counsel building a file, and HR teams trying to screen without creating the lawsuit they were screening against.
What actually counts as open-source intelligence?
Open-source intelligence is publicly available information, collected and connected systematically until it produces something no single source shows on its own. In business investigations the sources that matter most are unglamorous:
- Court and tribunal records. Civil litigation history, small claims patterns, past judgments: the paper trail of how a person or company behaves when things go wrong. In Canada that includes published decisions on databases like CanLII, tribunal rulings, and dockets that show a pattern of suing or being sued.
- Corporate and business filings. Registrations, directorships, dissolved companies, and the overlaps between them; the numbered company at a familiar address is a recurring character in fraud files. Ontario and federal registries both matter, because the company that disappears provincially often reappears federally under a cousin of its old name.
- Property and land records. What someone owns, when they bought it, and whether the holdings fit the story being told; in Ontario, the land registry’s history of transfers and charges tells its own story about timing and pressure.
- Media and archives. News coverage, trade press, archived versions of pages that have since been edited or deleted.
- Social platforms. Not just what a person posts, but the network around them: associates, employers, locations, timelines, and the contradictions between accounts. The network is usually more honest than the profile.
The skill is not access. Nearly all of this is technically available to anyone. The skill is knowing where to look, how to verify what you find, and how to connect points that do not look related until they are. And underneath the skill sits a question, because collection without a question produces volume, not answers. "Does this vendor exist as claimed?" turns the same five source categories into a yes, a no, or a specific reason to keep digging. That is the difference between research and intelligence. The question also disciplines cost: an afternoon spent against a defined question routinely settles what an open-ended trawl never would.
Deep web, dark web: what’s the difference?
These two get conflated constantly, and the difference matters for understanding what OSINT actually involves. The deep web is simply everything search engines do not index: court databases, corporate registries, land records, library archives, paywalled news, and most of the systems I query on any working day. It is where the majority of genuinely useful material lives, and there is nothing shadowy about it; you reach it through the front door, with an account and a search form, one database at a time.
The dark web is a much smaller, deliberately hidden layer requiring special software to reach, where anonymity is the point. It has legitimate uses and a well-earned reputation for the other kind. It occasionally matters in business investigations (checking whether an organization’s credentials are circulating after a breach, for instance), but the popular image of investigators spending their nights there is backwards. Most of the work happens in databases with government logos on them.
On breach checking specifically, honesty serves better than marketing. When I run one, I query known breach corpora for an organization’s domains and credentials and report what appears, when it leaked, and what to rotate. That is useful, modest work. The dramatic version sold as "dark web monitoring by elite operatives" is mostly the same query with a better logo. If a provider cannot tell you which breach corpus a claim came from, treat the claim as decoration. There is a reason investigators prefer the deep web’s registries and court databases: material from a source with provenance can be verified, cited, and defended, which is what separates evidence from rumour.
Where OSINT shows up in corporate work
A few patterns from real files, details altered, that show where the discipline earns its keep. Each began as a one-hour question, and two of them ended engagements before they began, which is the cheapest outcome an investigation can buy.
Pre-employment due diligence. A candidate for a role with signing authority looks flawless on paper. Registry work surfaces a directorship in a dissolved company, under a name spelled one letter differently, and the litigation search attached to that spelling shows two unpaid judgments from suppliers. Nothing about the candidate’s resume was false, exactly; it was curated. Structured background work exists for exactly this: the file the resume was built to avoid.
Vendor due diligence. A new supplier’s "head office" resolves to a mail drop above a shipping store, its two directors overlap with a company your procurement manager ran before he joined you, and the "ten years serving Ontario" on its website belongs to a domain registered eighteen months ago. Every one of those facts sat in a public record before the contract was signed. Ten minutes of registry work beats ten months of litigation, every time it is actually spent.
Insurance claim verification. A claimant describes a limitation; their own public posts describe a tournament weekend, timestamped, geotagged, and shared voluntarily with the world. Public material a claimant published themselves is among the cleanest evidence there is, which is why insurers ask for this work early, before positions harden. The same discipline runs the other direction too: sometimes the public record supports the claim, and documenting that honestly is equally part of the job.
Fraud corroboration. An owner suspects a manager but cannot say why out loud yet. Before anything becomes a formal investigation, open sources either corroborate or deflate the suspicion: a side company registered at the manager’s home address in the same industry, or nothing at all. Both answers are valuable, and the second one is cheaper than the accusation would have been.
Reputational risk monitoring. Someone is impersonating an executive to the company’s clients, or a storefront in another country is selling under the company’s name. Monitoring finds it while it is small, documents it with provenance, and builds the file the takedown request or the lawyer will need.
Is it legal to research a job candidate’s social media in Ontario?
Legal, yes, in the sense that looking at public information breaks no law. Risk-free, no, and the risk lands on the employer doing it casually. Two problems arrive together. First, privacy law: where PIPEDA or equivalent rules apply, collecting personal information needs a legitimate purpose and appropriate limits, and "we googled everything about them" is not a purpose. Second, and sharper in practice: the Ontario Human Rights Code. An unstructured scroll through a candidate’s profiles surfaces exactly the things an employer must not consider: age, religion, family status, disability, and every other protected ground. Once a hiring manager has seen it, they cannot unsee it, and a rejected candidate’s lawyer only needs to argue it played a part. The line I give HR teams: the risk is not looking, it is looking without structure.
This is the actual reason structured third-party screening exists. A properly run check works from consent, collects to a defined scope tied to the role, filters out protected-ground material before anything reaches the decision-maker, and documents the process. The employer gets the relevant signal; the file shows the irrelevant noise never entered the decision.
What a compliant screen looks like when I run one:
- Written candidate consent, obtained before anything is collected.
- A scope tied to the role: financial history checks for financial authority, licence verification for licensed work, not "everything we can find."
- A filter between collector and decision-maker, so protected-ground material is removed before the hiring manager sees anything.
- Documented sources for every reported fact, so any disputed item can be traced and re-verified.
- A chance for the candidate to respond to adverse findings, because databases contain errors and namesakes.
Why OSINT is cost-effective
Open-source collection typically costs a fraction of closed-source alternatives while producing evidence that is often more directly usable, because it is already public, independently verifiable, and free of the legal complications that can follow other collection methods. It also compounds: the same discipline that vets one vendor builds the map that vets the next three, and an early OSINT pass routinely narrows an investigation enough to cut the expensive fieldwork in half. The engagement model matters as much as the method: a phased scope, where the open-source pass reports back before any fieldwork is authorized, keeps spend proportionate to what the findings justify, and it is how most of our corporate files run: they begin with the open-source pass, whatever they grow into. The honest boundary: when the question can only be answered by testimony, by private records lawfully obtained, or by someone physically watching a location, OSINT informs the fieldwork; it does not replace it.
What OSINT can’t do
I would rather tell you the limits up front than have you discover them mid-case. Open sources cannot see inside private accounts, sealed records, or anyone’s head. Absence of evidence is not evidence: a person with no online footprint is not automatically hiding something, and a company with a clean public record has merely not been caught in public. Misattribution is the constant occupational hazard; same-name confusion has embarrassed more than one DIY researcher into a defamation problem. Coverage is uneven too: not every decision is published, not every record is digitized, and absence from a database is not a clean record. And public information goes stale: the address, the job, the relationship status may all be three years old. Deleted does not always mean gone, but it can, which is why capture happens the day something is found, not the week the report is due. Professionals also work within platform rules and the law while doing it; the methods that ignore both produce material you cannot use and problems you did not have. OSINT narrows questions and arms the next investigative step. On anything that matters, it should not be the only step.
How professionals verify what they find
Verification is where DIY research most often fails, not in finding material but in trusting it. The finding is not the product; the verified finding is. Before anything reaches a client report, it gets corroborated across independent sources: the social media claim against the registry record, the registry record against the property file, the timeline against the archive. Provenance is documented while the material still exists, because posts get deleted and pages get edited, and a screenshot with no capture record is just a picture. Identity gets confirmed rather than assumed. A concrete example of the habit: a subject’s profile says "regional manager at a named firm." Verification is the registry showing the firm exists and is active, a press item or filing placing the subject there inside the claimed window, and a check that the profile’s own timeline does not contradict itself. Three sources, one fact, and only then does it go in the report. The result lands in a document built for the way it will actually be used: sources cited, methods stated, written so counsel can rely on it without wondering what is underneath.
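The habit described above (record provenance at capture, then require independent sources before a fact is reported), as an added example that is not code from the original article. The field names, source-type labels, sample records and URLs are constructed for illustration, and counting two items of the same source type as one source is a simplifying assumption.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Capture:
    source_type: str   # assumed labels: "profile", "registry", "press", ...
    locator: str       # URL or filing reference where the item was found
    captured_at: str   # UTC time of capture, ISO 8601
    sha256: str        # digest of the bytes exactly as captured
    supports: bool     # does the item support (True) or contradict the claim?

def capture(source_type, locator, content, supports, now=None):
    """Record provenance at capture time so the item can be re-verified later."""
    now = now or datetime.now(timezone.utc)
    digest = hashlib.sha256(content).hexdigest()
    return Capture(source_type, locator, now.isoformat(), digest, supports)

def unchanged(rec, content):
    """True if content presented later is byte-identical to what was captured."""
    return hashlib.sha256(content).hexdigest() == rec.sha256

def assess(captures, min_sources=3):
    """Return (status, source types involved) for one claimed fact."""
    if any(not (c.locator and c.captured_at and c.sha256) for c in captures):
        return "incomplete provenance", []
    against = sorted({c.source_type for c in captures if not c.supports})
    if against:
        return "contradicted", against
    kinds = sorted({c.source_type for c in captures})  # same type counts once
    status = "reportable" if len(kinds) >= min_sources else "needs corroboration"
    return status, kinds

# Constructed sample items for the claim "regional manager at a named firm".
T = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)
PROFILE = b"Regional Manager, Example Firm Ltd., 2019-2022"
SAMPLE = [
    capture("profile", "https://social.example/u/subject", PROFILE, True, T),
    capture("registry", "https://registry.example/corp/0000000",
            b"Example Firm Ltd. - status: active", True, T),
    capture("press", "https://news.example/2020/appointment",
            b"Example Firm names new regional manager", True, T),
]

if __name__ == "__main__":
    print(assess(SAMPLE))        # three source types agree
    print(assess(SAMPLE[:2]))    # profile and registry only
    print(unchanged(SAMPLE[0], PROFILE + b" (edited)"))
```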
Further reading
PIPEDA in brief, Office of the Privacy Commissioner of Canada
Ontario licensing for private investigators, Ministry of the Solicitor General
For how this works as a service, from a single verification question to standing due-diligence support, see our OSINT and Social Media Investigations page. If you are holding a specific question right now, a vendor, a candidate, a claim that does not sit right, that page also explains how a scoped engagement starts.

