Empower your M&A activity with Open Source Intelligence (OSINT) techniques

M&A follows a well-defined process: it starts with potential target identification, due-diligence, synergy identification, and valuation, which eventually translate into the Sales Purchase Agreement (SPA), followed by the post-merger integration or separation execution activities.
In terms of overall effort distribution, relatively little effort is typically spent, over a very short period of time, on the pre-deal side up until the SPA is finalized, whereas most of its impact is realized during execution.

Illustrative M&A activities (not exhaustive)

One of the important parts of the process is due-diligence, which is concerned with research and identification of the key risks associated with the given transaction. Often it is a rigid process that follows an agreed protocol and includes analysis and review activities on a specific target. The traditional scope of due-diligence includes financial, tax, operations, HR, and IT due diligence. Due to its nature and quick pace, it has experienced little innovation in the past, and it is almost blind when it comes to addressing recent trends and developments that provide greater information availability and can potentially improve one’s negotiation position.

Some of the trends that M&A due-diligence activity should factor in are:

  • Brand equity in the digital space
  • Social networks, media, instant feedback
  • Penetration of smart/mobile devices and IoT (telemetry)
  • Exponential growth of the data accumulated and exchanged
  • Dark web and anonymous access networks (e.g. Tor, I2P)

Open Source Intelligence (OSINT) as an intelligence collection method has existed for more than 60 years and can be traced back to World War II. The key idea is that up to 80% of the information required to make a decision can be collected using open or public sources. See more detail about the history of OSINT here (Bellingcat).

I was keen to test this, and here is what I came up with. Assuming little/no information is available about the target, when approaching due-diligence using the OSINT method the following information is nearly at your fingertips:

| Information | Potential impact/insight | Technique (illustrative) |
|---|---|---|
| Commercial and customers information | Market reputation impact; Leaked information (e.g. customer base); Past rates and/commercial information; Potential lawsuits | Sweep over public AWS S3 and Azure blobs; Aggregators of the compromising evidence; Darknet search |
| Supply chain information and commercial | Identification of the key suppliers and reliance on key suppliers; Each can be further assessed for associated risks | Public maritime and logistics hub information (open data) |
| Misconfigured internet exposed public services and portals | Current cyber posture; Likelihood of already being compromised; Geography and hosting location of the key infrastructure and associated cyber-threats; Leaked access credentials | Open or free to use threat intelligence resources; Darknet lookup; Query open-leaking databases based on Elasticsearch, Kibana, MongoDB |
| Brand digital presence | Customer service perception; Promise to customers and market (vs achievement); Effectiveness of the marketing campaigns | News aggregators and analytics agencies; Web cache; Social media sweeps; Petitions aggregators |
| Organization structure and related | Organization structure; Overall organization site and geographical distribution; Employees information; Approximate attrition information | Social media analytics; Employees feedback aggregation services |
| Organization ownership structure and executive management | Information about associated parent company and sister companies; Potential conflicts of interest | Public KYC aggregators |
| Involvement of the organization in illegal or shady activity | Long-term reputation impact; Potential illegal activity; Potential lawsuits | Public leaks lookups and document sweep (covering entity legal names, and key management personnel) |

It appears that OSINT provides unprecedented insight into the M&A due-diligence process (needless to say, it is subject to agreement between the parties involved in the transaction and adherence to the set protocol). In case you are interested in any of the tools that might be leveraged to illustrate the above, I am happy to share and/or discuss your views on OSINT and M&A use cases.

