How to Vet a Business Partner, Employer, or Candidate Using Open Sources
By Soren Vega ·
- osint
- vetting
- due-diligence
- background-check
A practical OSINT checklist for vetting a new business partner, a job offer, or a person you met online. Seven categories of public records that catch the most common problems before you sign, transfer money, or share personal data.
How to Vet a Business Partner, Employer, or Candidate Using Open Sources
A practical OSINT checklist for vetting a new business partner, a job offer, or a person you met online. Seven categories of public records that catch the most common problems before you sign a contract, transfer money, or share personal data. The whole pass takes about two hours for a low-stakes check and a day for a high-stakes one.
This is not a substitute for a professional background check WarningOSINT vetting is a useful first pass, especially for low-stakes situations, and a useful supplement to a professional background check for high-stakes ones. A professional background check has access to credit records, criminal records, and reference checks that open sources do not. For a hiring decision, a tenancy, or a major financial commitment, pay for the professional version.
Category 1: Corporate registrations
For a business, the first stop is the corporate registry in the jurisdiction where the company is registered. In the US, that is the Secretary of State in the state of incorporation. In the UK, that is Companies House. In most other countries, it is the equivalent national registry.
What to look for:
- The legal entity name and registration number. A company that is reluctant to share these is a yellow flag.
- The directors and officers. A company whose directors are shell entities in offshore jurisdictions is a different risk profile from one whose directors are named individuals.
- The registered address. A registered address that is a residential address, a coworking space, or a known virtual office is a yellow flag.
- The filing history. A company that has not filed in years, or that has changed its name frequently, is a yellow flag.
- The capital structure. A company with very low paid-in capital is a yellow flag for a financial commitment.
OpenCorporates is the largest open database of companies and officers, covering most jurisdictions. It is a useful first stop; the local registry is the authoritative one.
Category 2: Court records
Court records are public in most jurisdictions. They are also the most reliable source for the kind of disputes you actually want to know about — fraud, breach of contract, employment claims, regulatory actions.
What to look for:
- Federal court records (US). PACER is the official source. It costs a small fee per page, but it covers all federal civil and criminal cases.
- State court records. Most US states have online databases. Coverage is uneven; the larger the case, the more likely it is to be online.
- Other jurisdictions. Most countries have online court records; the URLs change frequently. A useful search is "[country] court records online" plus the case type.
- Bankruptcy records. The US has Bankruptcy Court records searchable through PACER and other databases.
A small number of cases is not a red flag — anyone can be sued. A pattern of cases (multiple fraud claims, multiple employment claims, multiple breach-of-contract claims against the same person) is a red flag. The pattern is the finding, not any individual case.
Category 3: Sanctions and watchlists
A person or company on a sanctions list is, by definition, not a person or company you want to do business with. The major lists are public:
- OFAC (US). The Office of Foreign Assets Control maintains the SDN list of sanctioned individuals and entities. Searching is free.
- UN, EU, UK. The UN, EU, and UK each maintain their own sanctions lists. The major aggregators (like OpenSanctions) combine them.
- PEP (Politically Exposed Persons). A separate kind of list. A PEP is not, by definition, a risk; the relationship with a PEP is what carries the risk.
A name match on a sanctions list is a hard stop until the match is resolved. A name match on a PEP list is a yellow flag that requires more work.
Category 4: Regulatory actions
For a business, the regulators in the industry are the most important public source. A company that has been sanctioned by its regulator is a different risk profile from one that has not.
- SEC (US). The SEC's EDGAR is the authoritative source for filings. The SEC Enforcement Releases database is the authoritative source for actions.
- FTC (US). The FTC Enforcement database covers consumer-protection actions.
- Industry regulators. Banking, insurance, telecommunications, energy, pharmaceuticals — each has its own regulator and its own database. The list is long; the principle is short.
- Other jurisdictions. Most countries have equivalents. The principle is the same: the regulator in the relevant industry is the most important public source for that industry.
A single enforcement action is not a red flag. A pattern (multiple actions against the same company, multiple actions against the same individual in different roles) is a red flag.
Category 5: News coverage
A person or company that has been in the news for the wrong reasons will usually have a public record. The challenge is to find it without paying for a database.
- Google News. Free, broad, and usually current. A search for the name plus the company (or the relevant context) is the first pass.
- Free newspaper archives. Many US newspapers have free archives going back 20+ years. The New York Times archive, the Washington Post archive, and many local papers are free to search.
- Specialized archives. Trade publications, industry-specific news, regional press. A search for the name plus the industry is a useful second pass.
- The Wayback Machine. News pages that have been deleted are often still in the archive. A search of the relevant URLs is a useful third pass.
A single bad-news story is not a red flag. A pattern of bad-news stories, especially stories that recur across many outlets, is a red flag.
Category 6: Social media
A person's own social media is public, and a useful source for the kind of information that does not make it into news coverage. The point is not to stalk — it is to see what the person chooses to put on their own public profile.
- The person's own accounts. Twitter / X, LinkedIn, Facebook, Instagram, TikTok, a personal blog. The accounts the person maintains are the accounts the person wants the world to see.
- The account's history. A long, consistent history is a different signal from a brand-new account with no history. A sudden change in tone or topic is a finding.
- The account's network. Who the person follows, who follows them, who they re-share, who they engage with. The network is a structural tell.
- The account's reach. How often their posts go viral, how often their replies are amplified, how often they are cited by other accounts.
A small number of posts is not a red flag. A pattern of behavior — a long history of inflammatory posts, a long history of misleading claims, a long history of harassment — is a red flag.
Category 7: The person's own writing
For an academic, a writer, a researcher, or anyone with a public body of work, the person's own writing is the most useful single source. The writing is the most direct evidence of how the person thinks, what they care about, and how they argue.
- Academic papers. Google Scholar, Semantic Scholar, arXiv for pre-prints, and the major publisher databases. The papers themselves, not just the abstracts.
- Personal site and blog. A personal site that has been maintained for years is a different signal from a personal site that was set up last month.
- Books and book reviews. A book is a long-arc argument; it tells you more about the author than a single post.
- Op-eds and articles. The person's op-eds in major outlets are public and citable.
A small body of work is not a red flag. A body of work that is consistent with the public persona is a different signal from a body of work that contradicts it.
How to put it together
A two-hour pass through all seven categories, for a low-stakes check, looks like:
- 10 minutes on the corporate registry
- 10 minutes on the court records
- 5 minutes on the sanctions lists
- 15 minutes on the regulatory actions
- 30 minutes on the news coverage
- 30 minutes on the social media
- 20 minutes on the person's own writing
A high-stakes pass, for a major financial commitment or a senior hire, takes a day or two and includes a professional background check. The OSINT pass is the first layer, not the only layer.
The output is a short memo, structured like an OSINT brief, that names the signals you found, the patterns you saw, and the limits of the data. The memo is for you, the decision-maker. The memo is the artifact that survives the decision.
Frequently Asked Questions
How do I do a background check on a business partner or employer?
Seven categories of public records cover most of what matters: corporate registrations (OpenCorporates and the relevant company registry), court records (PACER for US federal courts, the equivalent for your jurisdiction), sanctions lists (OFAC, UN, EU), regulatory actions (SEC, FTC, industry regulators), news coverage (Google News, LexisNexis, free archives), social media (the person's own accounts, not third-party scrapers), and the person's own writing (LinkedIn, personal site, published papers). A two-hour pass through all seven catches most of the common problems.
Is OSINT vetting legal?
Mostly yes, because it works from public material. The legal floor varies by country, but the working rule is universal: stay on the open web, do not bypass technical access controls, do not aggregate in a way that re-identifies private individuals, and do not publish the dataset in a way that puts people at risk. If your vetting is for a hiring decision, also check the local laws on background checks and the platform's terms of service.
Related Guide
Open Source Intelligence