2026-05-07 –, Workshops and Stage - Gernsback (C1.05.02)
This talk explores a DNS-based OSINT technique that uncovers hidden services and technology dependencies through large-scale TXT record analysis. Attendees will learn how these overlooked records can reveal valuable insights for both offensive and defensive security, and how to integrate this methodology into existing reconnaissance workflows using tools like Nuclei and OWASP Amass.
I will present a DNS-based OSINT methodology for uncovering products and services through large-scale TXT record scanning. This previously unpublished approach shows how certain TXT records reveal more than domain ownership or validation details, exposing the presence of third-party services and platforms. For example, entries like google-site-verification, MS=msXXXX, or vendor-specific SPF includes can highlight dependencies on Google Workspace, Microsoft 365, or other cloud services.
By analysing these records programmatically across large DNS zones, security teams can create detailed maps of an organisation’s technology stack and supply chain affiliations. This intelligence is invaluable for identifying weaknesses and understanding attack paths, providing defenders actionable context while showing the scale of information accessible to attackers.
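As an added illustration (not code from the talk or from its Nuclei or Amass integrations), the sketch below audits a zone's own TXT records for the third-party dependencies they disclose, using the token patterns named above. The SPF vendor domain mappings, the function names and the sample records are assumptions constructed for this example.

```python
import re

# Assumed mappings (not from the talk): well-known vendor SPF domains.
SPF_VENDORS = {
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
}
# Verification-token patterns named in the abstract.
TOKEN_PATTERNS = [
    (re.compile(r"^google-site-verification=\S+$", re.I), "Google (site verification)"),
    (re.compile(r"^MS=ms\d+$", re.I), "Microsoft 365"),
]

def spf_targets(txt):
    """Return domains referenced by include: / redirect= in an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    out = []
    for term in terms[1:]:
        term = term.lstrip("+-~?").lower()  # drop the SPF qualifier, if any
        for prefix in ("include:", "redirect="):
            if term.startswith(prefix):
                out.append(term[len(prefix):].rstrip("."))
    return out

def disclosed_services(txt_records):
    """Map each inferred service to the TXT evidence that discloses it."""
    findings = {}
    for txt in txt_records:
        txt = txt.strip().strip('"')
        for pattern, service in TOKEN_PATTERNS:
            if pattern.match(txt):
                # Record the token name only, never the token value.
                findings.setdefault(service, []).append(txt.split("=")[0])
        for domain in spf_targets(txt):
            service = SPF_VENDORS.get(domain, f"unclassified SPF include ({domain})")
            findings.setdefault(service, []).append(f"spf:{domain}")
    return findings

# Constructed sample zone data (not real records).
SAMPLE = [
    '"v=spf1 include:_spf.google.com ~include:mail.vendor.example -all"',
    "MS=ms12345678",
    "google-site-verification=CONSTRUCTED_TOKEN_VALUE",
    "some unrelated note",
]

if __name__ == "__main__":
    for service, evidence in disclosed_services(SAMPLE).items():
        print(service, "<-", evidence)
```

Unclassified SPF includes are reported rather than dropped, since an unrecognised vendor domain is itself a dependency worth reviewing.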
I integrated this scanning technique into open-source tools including Nuclei and OWASP Amass. These enhancements let security professionals incorporate TXT record reconnaissance into broader asset discovery workflows, improving the depth and precision of enumeration efforts.
This talk features a real-world case study from the August–September 2025 Salesloft breach, where this method identified the Drift service across infrastructure. Attendees will gain practical tactics, reproducible methods, and tooling to strengthen assessments and apply actionable insights in real-world engagements.
Rishi is a London-based security researcher with experience in vulnerability research, threat intelligence, and enterprise risk analysis. His work focuses on identifying zero-day vulnerabilities and emerging CVEs, with a particular interest in building detection logic before threats are publicly weaponised.
He works across both offensive and defensive disciplines, developing threat models grounded in real-world TTPs, writing detection rules, and automating reconnaissance to uncover exposed assets at scale. Attack surface management and OSINT are areas he keeps coming back to, specifically the challenge of mapping exposure that organisations often don't know exists.
Outside of his day job, Rishi contributes to open source security tooling through Project Discovery and OWASP, is part of the leadership team of the UK OSINT Community, and occasionally speaks at community events including DEF CON and BSides.