Overview
I ran an independent security assessment of an e-commerce company's infrastructure using only passive OSINT โ Certificate Transparency logs, DNS records, and other publicly accessible data. No unauthorized access, ever. The goal was to see what an attacker could learn about the company before touching anything, then turn that into findings the business could act on, with the risk translated into dollars rather than jargon.
Method & ethics
Everything came from non-invasive reconnaissance: dig and DNS history for enumeration and SPF analysis, crt.sh and Censys for certificate forensics, Shodan and SecurityTrails for fingerprinting, and the NVD/MITRE databases for CVE research. I scoped it deliberately to mirror real threat-actor reconnaissance while staying entirely within public information โ the line that separates legitimate security research from intrusion.
Results
Abandoned infrastructure still running and billing after migration.
Findings, risk quantification, and a phased remediation roadmap.
Infrastructure, credential, and compliance exposures.
What I Found
Ghost infrastructure
Certificate Transparency logs showed live SSL certificates for servers the company believed were decommissioned. Those "ghost" systems were still running outdated, unpatched software, still had DNS pointing at them, and were still costing roughly $15โ20K a year โ an attack surface nobody was watching and nobody meant to keep.
Credential exposure
Patterns in migration artifacts pointed to hardcoded API credentials with no expiration โ the kind of long-lived, admin-level token that turns one leaked file into full access. The fix is a secrets-management platform with rotation and enforced token lifetimes.
Compliance posture (NY SHIELD Act)
Gaps against SHIELD's required safeguards โ data handling, breach notification, technical controls. I modeled the potential financial exposure using IBM's breach-cost benchmarking so the recommendation came with a number attached, not just a checkbox.
Remediation
I didn't stop at findings. I laid out a phased plan โ immediate cleanup (inventory and decommission legacy systems, kill dangling DNS, rotate credentials), then proactive controls (audit logging, infrastructure monitoring, secrets management), then the processes to keep it that way. For the access-logging gap specifically, I built a working prototype rather than just recommending one โ that became the Access Control & Audit System project.
Confidentiality
Sanitized here to protect the client. The full methodology and findings are shared under NDA โ handling sensitive material discreetly is part of the work, not a footnote. emiliano.carrizosa@proton.me
What I Took From It
Two things. First, how much an outsider can reconstruct from public data alone if they look systematically โ Certificate Transparency and DNS history are a paper trail of every change a company forgets it made. Second, that a finding only matters once it's tied to business risk; a CVE means nothing to a decision-maker until it's "$20K a year and a SHIELD Act exposure."