A company can look real before it is reliable.
It may have a polished website, a convincing sales deck, a professional email signature, a LinkedIn page, a few positive reviews and a simple promise: fast delivery, preferential terms, a limited-time discount, access to a market, a supplier relationship, a dataset, a service, or a partnership.
Before you send money, share data, sign a contract, onboard a vendor, quote the company in a report, or treat it as a credible source, one question matters:
Do the public records, online traces and commercial claims describe the same company?
This is not a request for invasive investigation.
It is a basic OSINT discipline.
The goal is not to know everything about a company. The goal is to answer a narrower question before making a decision:
What can be verified from public sources, what is only suggested, and what remains unknown?
That distinction is where many company checks fail.
A company registry entry can confirm that a legal entity exists. It does not prove that the company is financially healthy, operationally capable, compliant, honest, or safe to trust.
A website can show how the company presents itself. It does not prove that the company has the team, clients, history or infrastructure it claims to have.
A sanctions search can show whether a name appears in a specific list at a specific time. It does not prove that every related risk has been resolved.
OSINT work begins when these sources are placed in relation to each other.
Start With the Legal Identity
Do not start with the brand name.
Start with the legal identity.
The first task is to identify the entity precisely enough that you can search for the same object across different sources.
Collect:
- legal name;
- jurisdiction;
- registration number or company number;
- tax or business identifier when relevant;
- registered address;
- directors, officers or authorized representatives;
- status;
- incorporation date;
- official filings;
- previous names, if available;
- parent company or subsidiaries, if relevant.
This matters because commercial names are unstable.
A company may trade under a brand name that is different from its legal name. Different companies may use similar names. A domain may be operated by a marketing entity rather than the contracting entity. A sales representative may use the name of a group while the contract is signed by a small subsidiary.
If you do not identify the legal entity, every later search becomes weaker.
Use the Right Registry for the Jurisdiction
There is no single global company register.
Company records are jurisdictional.
In the United Kingdom, Companies House is the starting point for registered companies. It lets users search by company name, number or officer name, and view company data and document images. It also carries an important limitation: Companies House itself warns that it does not check the accuracy of the information filed.
That limitation is not a reason to ignore the register.
It is a reason to use it correctly.
In the United States, the SEC’s EDGAR system is essential for publicly traded companies and other filers. EDGAR provides public access to filings such as registration statements, periodic reports, ownership forms and other disclosure documents. But EDGAR will not cover every private company a researcher may encounter.
In the European Union, the European e-Justice Portal provides access to business register search functions connected to national registers. The practical details still depend on the country, language, available data and fees.
For other jurisdictions, the correct source may be a national corporate registry, commercial register, securities regulator, tax authority lookup, beneficial ownership register, procurement database, insolvency register, court database or licensed registry provider.
The workflow should begin with a simple question:
Which jurisdiction created the legal entity, and which public authority maintains its record?
Do not assume that a global search engine result is the registry.
Find the official register first.
Then record what the register shows and what it does not show.
Check Status, Not Just Existence
Existence is not enough.
A company can exist but be dissolved, inactive, in liquidation, recently incorporated, under administration, late in filing accounts, or registered in one jurisdiction while operating in another.
The first registry check should answer:
- Is the company active?
- When was it incorporated?
- Has it changed name?
- Has it changed registered address?
- Are filings current?
- Are there overdue accounts or confirmation statements?
- Are there insolvency or dissolution signals?
- Who are the current officers or directors?
- Are there significant recent changes?
None of these signals proves risk by itself.
A young company may be legitimate. A change of address may be ordinary. A director change may be routine. A late filing may have a simple administrative explanation.
The analytical question is coherence:
Does the official record fit the company's commercial claim?
If a company claims a decade of operational history but was incorporated three months ago, the explanation may be a rebrand, a new subsidiary, an asset transfer, or a misleading statement.
You do not need to jump to the worst conclusion.
You need to ask the next question.
Compare the Website With the Register
The company website is not an official record.
But it is useful evidence of how the company presents itself.
Compare the website against the registry:
- Does the legal name appear on the site?
- Does the registered address match?
- Does the company disclose a registration number, VAT number, tax ID or equivalent identifier?
- Does the contract use the same legal entity as the website?
- Do email domains match the company domain?
- Are contact addresses generic, temporary or inconsistent?
- Does the site name people who match officers, executives or staff visible elsewhere?
- Does the claimed location match the legal or operational footprint?
Look especially at the gap between presentation and records.
A polished website can be built quickly.
A corporate record, filing history, domain history, procurement record, litigation trace, client proof and independent media footprint are harder to fabricate consistently across time.
The key is not whether the website looks good.
The key is whether it remains consistent when checked against independent sources.
Check the Domain and Infrastructure Signals
Domain records are not company records.
But they can help test a story.
Use domain lookup tools carefully. Privacy protection, redaction and proxy registration are common. A hidden registrant is not automatically suspicious.
Useful questions include:
- When was the domain created?
- Does the domain age fit the claimed company history?
- Has the domain changed nameservers recently?
- Is the website new while claiming long operational continuity?
- Are email domains aligned with the brand?
- Are there lookalike domains that could confuse users?
- Does the site use copied text, stock-heavy case studies or unverifiable client logos?
- Do archived versions show major changes in identity, location, services or ownership claims?
This layer is especially useful in fraud, procurement, vendor and scam research.
But it should not be overread.
A new domain can belong to a legitimate new product. A private WHOIS record can be normal. A changed website can reflect a rebrand.
Domain evidence is a signal.
It is not the conclusion.
Look for Filings, Accounts and Financial Disclosures
If the company is public, regulated, or required to file accounts, read the filings.
For public companies in the United States, EDGAR can provide annual reports, quarterly reports, current reports, registration statements and ownership disclosures. These filings can contain risk factors, business descriptions, legal proceedings, related-party transactions, revenue concentration, debt, auditor notes and management discussion.
For private companies, available financial data varies widely by jurisdiction.
In some countries, accounts are public. In others, they are limited, delayed, paid, partial, or unavailable.
When records exist, ask:
- Are accounts current?
- Is the company filing on time?
- Does revenue match the scale of claims?
- Are losses, debt or going-concern language visible?
- Are there repeated changes in auditors, directors or registered offices?
- Are subsidiaries or parent entities disclosed?
- Are related-party transactions relevant?
- Does the company claim large operations but file as a very small entity?
Do not pretend to perform a full financial audit from public filings.
The OSINT purpose is narrower:
Do the available records support, complicate or contradict the operational story?
Search Sanctions, Exclusions and Regulatory Sources
For some decisions, company existence is not the main risk.
Eligibility is.
Depending on the context, a researcher may need to check sanctions lists, procurement exclusions, regulatory warnings, licensing registers, financial services registers, export-control notices, enforcement actions or sector-specific blacklists.
Examples include:
- OFAC sanctions search for U.S.-related sanctions exposure;
- EU and national sanctions resources for European contexts;
- SAM.gov exclusions for U.S. federal procurement;
- financial regulator registers for investment, insurance, banking or crypto-related claims;
- professional licensing databases for regulated services;
- court, enforcement or administrative action databases where available.
Use these sources with precision.
Name matching is not enough.
Common names create false positives. Transliteration, aliases, previous names, subsidiaries, address differences and ownership rules can complicate the analysis. A negative search result is not a universal clearance.
Record:
- list searched;
- date searched;
- exact name searched;
- identifiers used;
- possible matches;
- why a match was accepted or rejected;
- limitation of the search.
Sanctions and regulatory checks are high-stakes. Treat them as leads for a documented review, not as casual search results.
Check People, Authority and Signing Power
A company is not only a website.
It is also people with authority to act for it.
When a transaction matters, verify whether the person communicating with you can actually represent the company.
Ask:
- Does the person use a company domain?
- Are they listed on the company website, filings, registry, LinkedIn, regulator record or credible third-party source?
- Does the registry show officers, directors or authorized signatories?
- Does the person signing a contract match the authority required?
- Are there recent changes in directors or officers?
- Is the person using a private email account for a corporate transaction?
- Can the company confirm the representative through an official channel?
This is not a reason to collect unnecessary personal information.
Keep the check proportional.
The legitimate question is not “What can I find about this person?”
It is:
Can this person credibly act for the company in this transaction?
Search Litigation, Procurement and Media Footprints
Depending on the country and risk level, useful traces may appear outside company registries.
Look for:
- court records;
- bankruptcy or insolvency databases;
- procurement awards;
- debarment or exclusion records;
- regulator warnings;
- local media coverage;
- trade press;
- tender documents;
- public contracts;
- import/export records where legally available;
- academic, NGO or investigative reporting;
- archived websites;
- job postings;
- conference speaker pages;
- patents, trademarks or product registrations.
The goal is not to collect every mention.
The goal is to test the company’s story from different angles.
If a cybersecurity vendor claims government clients, procurement databases may show contracts or awards.
If a supplier claims a manufacturing footprint, trade records, certifications, address checks, job posts and local sources may support or complicate the claim.
If a consultancy claims senior expertise, conference records, publications, regulator records, previous employment and corporate filings may help verify the people behind it.
Again, the method is not suspicion.
It is source alignment.
Build an Evidence Table
Company OSINT becomes messy when every finding is treated as equally important.
Use a simple evidence table.
| Question | Source Checked | What It Shows | Limitation | Next Step |
|---|---|---|---|---|
| Does the entity exist? | Official company register | Legal entity active in stated jurisdiction | Does not prove operational capacity | Check filings, address, website and people |
| Does the website match the legal entity? | Website, footer, contract, registry | Same legal name and address appear | Website can be self-published | Preserve screenshots and compare with filings |
| Is the domain consistent with the history? | ICANN/domain lookup, web archive | Domain created recently | New domains can be legitimate | Ask for explanation if company claims long continuity |
| Are filings current? | Registry or securities filings | Accounts or reports available | Filing requirements vary by jurisdiction | Read recent filings and note gaps |
| Are there sanctions or exclusions? | OFAC, EU/national lists, SAM.gov where relevant | No exact match found / possible match found | Negative search is not global clearance | Document search terms and identifiers |
| Can the person sign? | Registry, contract, official email confirmation | Name appears as officer / not found | Authority may require additional documents | Request confirmation through official channel |
| Is the public footprint coherent? | Media, procurement, reviews, archived pages | Claims partly supported | Reviews and press may be promotional | Separate independent sources from self-published material |
This table does three important things.
It separates verified data from interpretation.
It shows the limitation of each source.
It makes the next action clear.
Without that structure, a company check can easily become a pile of screenshots and impressions.
Common Mistakes
Treating a registry entry as a trust certificate
Registration proves that a record exists in a registry.
It does not prove reliability, solvency, quality, compliance or intent.
Some registers are filing systems, not investigative conclusions.
Searching only the brand name
Always search the legal name, previous names, registration number, domain, officers, key addresses and known aliases.
Brand names are not stable enough.
Ignoring jurisdiction
The same company group may operate through entities in several jurisdictions.
Each jurisdiction has different records, disclosure rules and search tools.
Overreading domain privacy
Privacy-protected WHOIS data is common.
It becomes more useful when combined with domain age, website claims, email behavior, archived pages and infrastructure patterns.
Treating no result as no risk
No sanctions match, no media result or no litigation trace is not the same as clearance.
It means only that the searched source did not show the result under the terms and identifiers used.
Turning a red flag into a conclusion too quickly
One inconsistency may have a simple explanation.
Several inconsistencies across independent sources deserve more caution.
The pattern matters.
A Practical Company OSINT Workflow
Use this sequence when the risk is moderate and the decision matters:
1. Identify the legal entity.
2. Find the official registry for the jurisdiction.
3. Record status, registration number, address, officers and filing history.
4. Compare the registry with the website, contract and email domain.
5. Check domain age, archived pages and infrastructure clues.
6. Read available filings, accounts or securities disclosures.
7. Search sanctions, exclusions and regulatory databases where relevant.
8. Verify the authority of the person you are dealing with.
9. Search independent media, procurement, litigation and sector sources.
10. Build an evidence table with findings, limits and next steps.
The output should not be a binary label.
It should be a documented assessment:
Verified:
What the public records support.
Unclear:
What remains unverified or inconsistent.
Risk signals:
What requires explanation before proceeding.
Next action:
What to ask, preserve, escalate or verify independently.
That is more useful than a yes/no answer.
The Takeaway
Checking a company with public records is not about proving trust.
It is about reducing avoidable blindness.
The company may still be legitimate if some records are incomplete. It may still be risky even if the website looks professional. It may appear in a registry and still be the wrong entity for the transaction. It may have no sanctions match and still require sector-specific due diligence.
OSINT does not replace legal, financial, compliance or procurement review.
It makes the first layer of review more disciplined.
Before trusting a company, build the source chain:
- legal entity;
- jurisdiction;
- registry record;
- filings;
- domain and website;
- people and authority;
- sanctions or exclusion checks;
- public footprint;
- limitations;
- next verification step.
The question is not whether one source looks reassuring.
The question is whether the records, claims and traces hold together.
Project Osint
Join the community
