The Ultimate Beginner's Guide to OSINT

OSINT is intelligence derived from publicly available information. The "open source" in the name refers to open sources of data, not necessarily open-source software (though many OSINT tools are open source as well). It contrasts with classified intelligence types like SIGINT (signals intelligence), HUMINT (human intelligence), and others.

OSINT serves many purposes. In cybersecurity, it supports threat intelligence, attack surface management, incident investigation, social engineering simulations, and due diligence. It also supports journalism, law enforcement, fraud investigation, corporate security, and humanitarian work.

The OSINT process typically follows a structured cycle: requirements (defining what you need to learn), collection (gathering data from sources), processing (cleaning and structuring), analysis (deriving insight), and dissemination (sharing findings appropriately). Each step matters; raw data without analysis is just noise.

The principle of "open source" does not mean "free of ethical or legal constraints." OSINT practitioners must respect terms of service, privacy laws, and ethical norms. Aggregating innocent-looking data can produce dossiers that feel invasive even if every individual piece was technically public.

People-focused OSINT includes social media profiles, professional networks, public records, leaked databases, and academic publications. LinkedIn, X (formerly Twitter), Facebook, Instagram, TikTok, Reddit, GitHub, and personal blogs all contribute. Tools like Sherlock, Maigret, and WhatsMyName check whether a username appears across many platforms.

Organizational OSINT covers corporate websites, regulatory filings (SEC EDGAR, Companies House, etc.), business directories, news media, and patent databases. For technical attack surface mapping, certificate transparency logs (crt.sh, Censys), DNS history (SecurityTrails, DNSDumpster), passive DNS, and Shodan and Censys searches reveal infrastructure exposed to the internet.

Geographic OSINT, sometimes called GEOINT, leverages satellite imagery (Google Earth, Sentinel Hub, Planet Labs), street-level imagery, mapping platforms (OpenStreetMap), and crowd-sourced data. Geolocation challenges have become a popular OSINT exercise, with the Bellingcat group setting a high standard.

Image and video OSINT extracts metadata (EXIF data), reverse image searches (Google Lens, Yandex, TinEye), identifies objects and locations, and analyzes video frames for clues. Aletheia and InVID help analyze and verify video content.

Cyber-specific OSINT explores breach data (Have I Been Pwned), dark web forums (using specialized search engines), threat intelligence reports, malware repositories, and vulnerability databases. Specialized platforms like Recorded Future, Flashpoint, and IntelX aggregate this data for professional use.

Each category requires different tools, mental models, and ethical considerations.

Maltego is a graph-based OSINT platform that lets analysts visualize relationships between entities. With its rich library of "transforms," users can chain queries from one data type to another (for example, from a domain to its DNS records, then to associated IPs, then to certificates, and on).

The TheHarvester tool aggregates emails, subdomains, IPs, and other data from many sources. SpiderFoot and Recon-ng provide modular reconnaissance frameworks with dozens of integrated modules.

For attack surface management, Amass, Subfinder, and Assetfinder enumerate subdomains. nuclei and httpx automate scanning the discovered surface. Shodan and Censys deliver search engines over internet-exposed systems.

Social network analysis tools include Twint (X) and various scrapers (always check current terms of service before using them). Maltego, Hunchly, and Spiderfoot all support social investigations as well.

For person-focused investigation, the IntelTechniques toolkit by Michael Bazzell is a respected starting point. Browser extensions like Wayback Machine, Hunchly (case capture), and various translators add daily usefulness.

OSINT framework websites (osintframework.com, start.me/p/OSINT) curate organized lists of free tools. As tools change quickly, these curated resources are essential for staying current.

Bellingcat, an investigative journalism outlet, has used OSINT to identify Russian intelligence officers involved in the 2018 Salisbury poisoning by cross-referencing leaked databases, flight manifests, and social media. Their work has become a template for modern open-source investigation.

The shoot-down of Malaysia Airlines Flight 17 in 2014 was attributed largely through OSINT-driven analysis of social media posts, satellite imagery, and photographs showing the BUK missile system involved. The case demonstrated how distributed analysts using public data could match the analytical power of intelligence agencies.

In cybersecurity, OSINT regularly powers attack surface management. Organizations routinely discover forgotten servers, exposed admin panels, and credentials in public code repositories. Programs like Internet-wide scans by Shadowserver alert defenders to these issues, but proactive OSINT often finds them first.

Penetration testers use OSINT to prepare engagements. Reviewing target employees on LinkedIn, finding email patterns, discovering exposed code on GitHub, and identifying technologies in use can dramatically increase a test's effectiveness.

Fraud investigators use OSINT to track scams. Cryptocurrency tracing (using tools like Chainalysis and free explorers) combined with OSINT into social profiles, exchange interactions, and forum posts has helped recover stolen funds and identify operators.

Attackers use OSINT too. Spear phishing campaigns rely on OSINT to craft believable lures. A targeted email referencing a specific project, a real colleague, and a current vendor is far more effective than a generic phish. Tools like Hunter.io and Skrapp help attackers build target lists from corporate domains.

Reconnaissance for intrusions often begins with subdomain enumeration, DNS history checks, and service discovery. A forgotten admin panel, an exposed staging environment, or an outdated VPN appliance often becomes the initial foothold. Defenders who think like attackers and run OSINT against themselves are best positioned to close these gaps.

Insider research, due diligence, and supplier risk assessments also use OSINT. Understanding what is publicly visible about your organization is the first step in deciding what should be hidden.

The "publicly available" nature of OSINT can mislead beginners into thinking anything goes. In practice, ethical and legal lines matter.

Respect terms of service. Many platforms forbid automated scraping or bulk data collection. Violations can lead to bans, legal action, or invalidated investigations. Use official APIs where possible.

Be careful with personal data. Privacy laws like GDPR, CCPA, and similar regimes apply to the processing of personal data, even when the data came from public sources. Aggregating, storing, or sharing such data may require lawful basis, consent, or proper purpose.

Avoid intrusive activity. Brute-forcing accounts, exploiting vulnerabilities, or accessing systems you do not have permission to access is not OSINT; it crosses into computer crime. Stay in the open.

Document carefully. Use tools like Hunchly to capture findings with timestamps and provenance. Preserving evidence properly matters whether your destination is a report, a court of law, or a journalistic publication.

Reflect on your impact. OSINT can expose individuals to harm, harassment, or wrongful accusation. Ethical investigators consider the potential consequences before publishing or sharing findings. When in doubt, minimize data, redact identities, and consult colleagues or legal counsel.

Define clear requirements. The most common mistake in OSINT is starting with tools instead of questions. A specific, well-defined question (such as "Which subdomains of our company are reachable from the internet and run outdated software?") makes collection efficient.

Use disposable infrastructure. Conduct sensitive investigations from clean browsers, dedicated VMs, or sock-puppet accounts. Avoid accidentally signaling your identity to the target by logging in with personal accounts or revealing internal IPs.

Adopt a defensive OSINT program. Routinely scan your own organization for exposed assets, employee oversharing on social media, leaked credentials, and signs of impersonation. Many organizations partner with external attack surface management providers to maintain continuous visibility.

Combine sources. A single data point is fragile. Triangulating across multiple independent sources increases confidence and reveals deeper patterns.

Build a workflow. Use case capture tools, structured note-taking, and clear file naming. Investigations that span days or weeks can lose evidence quickly without discipline.

Stay current. Tools, platforms, and policies change. Subscribe to OSINT newsletters (osintcurio.us, IntelTechniques, Bellingcat), follow practitioners on social platforms, and revisit your toolkit regularly.

Take online courses. SANS OSINT courses (SEC487, SEC587), the Open Source Intelligence Techniques training by Michael Bazzell, and Maltego's official training program are well respected. Free resources like SANS cheat sheets and Bellingcat's open guides are excellent starting points.

Practice with capture-the-flag (CTF) events. TraceLabs runs OSINT CTFs focused on missing persons investigations under careful guidelines. CyberDefenders, OSINT Dojo, and the Sourcing Games provide structured challenges.

Build a personal lab. Create a few VMs and accounts, run reconnaissance against them, and observe what is visible externally. This builds intuition for what you would want to lock down on real systems.

Document your methodology. Future-you will thank present-you. Templates for investigation notes, source tracking, and reporting save time and improve quality.