All processing happens locally in your browser. No data is sent to any server.
Scoring categories (100 points in total):
[01] IDENTITY EXPOSURE (max 25 pts)
[02] JOB DETAIL GRANULARITY (max 25 pts)
[03] NETWORK OPENNESS (max 20 pts)
[04] CROSS-PLATFORM LINKS (max 15 pts)
[05] POSTING BEHAVIOR (max 15 pts)
The result panel shows the total score and its exposure rating (a score of 0 is rated LOW EXPOSURE), followed by Attacker Use Cases, Hardening Recommendations and an Audit Fingerprint (SHA-256) of the audit.
LinkedIn Hardening Best Practices
[01] PROFILE VISIBILITY SETTINGS
- Set profile visibility to "Connections only" or "2nd degree" — not public
- Disable "LinkedIn members" from seeing your activity feed
- Turn off "Share profile updates with your network" when making changes
- Disable profile viewing by search engines (Settings → Visibility → Search engine indexing)
- Review and revoke all third-party app permissions annually
[02] IDENTITY MINIMIZATION
- Apply the minimum necessary principle: share only what a recruiter needs to contact you
- Never list certifications that reveal privileged access (e.g. "CyberArk Vault Admin certified")
- Use a role-generic title for public-facing profiles in sensitive positions
- Avoid listing languages if they reveal nationality or origin in a sensitive context
- Do not list hobbies, volunteer work, or causes that create exploitable personal context
[03] NETWORK DISCIPLINE
- Accept connection requests only from people you can verify
- Periodically audit your connections — remove unknowns
- Never connect with accounts that have no mutual connections, no photo, and no post history
- Be aware that your connections list, even if hidden, is partially inferrable through LinkedIn's "People Also Viewed" and mutual connection features
- Do not join open groups that signal your employer, role, or political/professional affiliations
[04] CONTENT OPERATIONAL SECURITY
- Treat every LinkedIn post as permanently public and attributable
- Never post from inside an office, conference room, or secure area: both what is visible in the background and the photo's metadata matter
- Strip EXIF data from any photo before uploading (use ExifTool or similar)
- Never post about incidents, outages, audits, or regulatory events — even obliquely
- Avoid congratulating colleagues on promotions that reveal internal org structure
- Do not tag your employer's account in posts — it cross-indexes you
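The EXIF-stripping step above, as an added example that is not part of this page or its audit tool: a standard-library Python script that removes the metadata-bearing segments (APP1 Exif and XMP, APP13/IPTC and COM comments) from a JPEG before it is uploaded, copying the image data through untouched rather than re-encoding it. The sample JPEG bytes are constructed for the demonstration (a valid marker structure with a dummy scan, not a decodable picture), and the output suffix `.clean.jpg` is the script's own choice. It handles JPEG only; for PNG, HEIC or any other format, use ExifTool as the checklist says.

```python
"""Strip metadata segments (Exif, XMP, IPTC, comments) from a JPEG file.

Added example, standard library only: it walks the marker segments that
precede the image scan (SOS), drops the ones that carry metadata and copies
everything else through unchanged, so the pixels are not re-encoded.
"""
import struct
import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP1, APP13, COM = 0xE1, 0xED, 0xFE
# Markers that stand alone, with no 2-byte length field after them.
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}
# Segments that carry metadata: APP1 (Exif, XMP), APP13 (Photoshop/IPTC), COM.
METADATA = {APP1, APP13, COM}


def segments(data: bytes):
    """Return [(marker, start, end)] for the segments up to and including SOS.

    Everything from SOS to the end of the file (scan data, RST markers, EOI)
    is reported as one span, because metadata segments precede the scan.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found = [(SOI, 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte between segments
            pos += 1
            continue
        if marker == SOS:
            found.append((SOS, pos, len(data)))
            return found
        if marker in STANDALONE:
            found.append((marker, pos, pos + 2))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length             # length counts itself, not the marker
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        found.append((marker, pos, end))
        pos = end
    raise ValueError("truncated JPEG: no SOS marker")


def segment_name(marker: int, data: bytes, start: int) -> str:
    """Human-readable name, distinguishing Exif from XMP inside APP1."""
    if marker == APP1:
        payload = data[start + 4:start + 36]
        if payload.startswith(b"Exif\x00\x00"):
            return "APP1/Exif"
        if payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            return "APP1/XMP"
        return "APP1/other"
    return {APP13: "APP13/IPTC", COM: "COM"}.get(marker, f"0x{marker:02X}")


def strip_metadata(data: bytes):
    """Return (cleaned_bytes, [names of removed segments])."""
    kept = bytearray()
    removed = []
    for marker, start, end in segments(data):
        if marker in METADATA:
            removed.append(segment_name(marker, data, start))
        else:
            kept += data[start:end]
    return bytes(kept), removed


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (helper for the constructed sample below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid JPEG headers carrying Exif, XMP and a
# comment, followed by a three-byte dummy scan. Not a decodable image.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00MM\x00\x2a<constructed GPS IFD>")
    + _seg(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta constructed/>")
    + _seg(COM, b"constructed comment: shot at HQ")
    + _seg(0xDB, b"\x00" + bytes(64))              # DQT, one zeroed table
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56" + b"\xff\xd9"
)


if __name__ == "__main__":
    if len(sys.argv) == 2:                 # python strip_jpeg_meta.py photo.jpg
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        cleaned, removed = strip_metadata(original)
        with open(sys.argv[1] + ".clean.jpg", "wb") as f:
            f.write(cleaned)
    else:                                  # no argument: run on the sample
        original = SAMPLE_JPEG
        cleaned, removed = strip_metadata(original)
    print(f"removed {removed}; {len(original)} -> {len(cleaned)} bytes")
```

ExifTool does the same across formats with `exiftool -all= photo.jpg`, which rewrites the file in place and keeps a backup as `photo.jpg_original`; run `exiftool photo.jpg` afterwards to confirm that no GPS, camera or author tags remain before the picture leaves your machine.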
[05] ACCOUNT SECURITY
- Enable two-factor authentication (authenticator app, not SMS)
- Use a dedicated email address for LinkedIn not linked to your real identity or employer domain
- Review active sessions monthly (Settings → Security → Where you're logged in)
- Enable login notifications
- Use a strong, unique password — LinkedIn has been breached before (2012, 2021 scrape)
[06] HIGH-RISK ROLE GUIDANCE
For SOC analysts, CISOs, fraud investigators, pen testers, and compliance officers:
- Consider maintaining a deliberately sparse "decoy" profile with minimal operational detail
- Never list current investigations, active projects, or ongoing certifications
- Coordinate with your employer's communications/security team on what is acceptable to disclose
- Be aware that your LinkedIn activity (likes, comments, follows) is partially visible even on private profiles
- Assume nation-state and advanced threat actors actively monitor LinkedIn for target development
[07] PERIODIC REVIEW CHECKLIST
Run this checklist every 90 days:
- Search your own name on Google — what surfaces?
- Review your post history for operational leakage
- Audit third-party app permissions
- Check for fake profiles impersonating you or your colleagues
- Verify your email address is not in HaveIBeenPwned
- Review who viewed your profile — flag unknown corporate accounts