Skip to content
Breachfolio
CYBERSECURITY · OSINT

What is OSINT? Tools and workflow.

OSINT turns open, public sources into intelligence — not hacking. The intelligence cycle, -INT disciplines, legal limits, OPSEC, a workflow and real tools.

July 16, 202614 min read

OSINT sounds like a hacking discipline and mostly is not. Open-Source Intelligence is the craft of turning information that is already public — a domain registration, a certificate transparency log, a job posting, the metadata baked into a photo — into an answer to a specific question. No exploits. No logins you were not given. No touching systems you have no right to touch. This article is the front door to a whole cluster of investigation guides, so we will keep it broad but concrete: what OSINT is, the process behind it, where the legal line sits, how to protect yourself while you work, and the real tools that do the collecting.

DirectionCollectionProcessingAnalysisDissemination
The intelligence cycle applied to OSINT — it loops back to Direction.

What OSINT is — and what it is not

The word "intelligence" is doing the heavy lifting. OSINT is not "stuff you found on Google." It is the disciplined process of collecting open information, verifying it, connecting it, and producing an assessment someone can act on. A raw list of subdomains is data. "This organisation exposes a forgotten staging server on an outdated CMS, and here is the evidence" is intelligence.

"Open source" here has nothing to do with open-source software. It means the source is openly available to anyone: public websites, DNS records, court filings, company registries, social media, image and video, leaked-and-now-public breach data, satellite imagery. If you need a password, an exploit, or a court order to see it, it is not open source, and collecting it is not OSINT.

Just as important is what OSINT is not:

  • It is not intrusion. Reading a public page is OSINT. Logging into an account that is not yours, brute-forcing a form, or probing for vulnerabilities is not — that crosses into unauthorised access, which is a crime in most jurisdictions.
  • It is not "hacking." There is no exploitation of a flaw. You are reading what the target chose (or forgot) to publish.
  • It is not automatically anonymous or consequence-free. Some collection touches the target's servers and can be logged. More on that below.

The intelligence cycle, applied to OSINT

Professional intelligence work follows a loop, and OSINT is no exception. Naming the stages keeps you honest — it stops "poke around until something turns up" from masquerading as an investigation.

  1. Direction. Define the question. "Is this domain impersonating our brand?" is answerable. "Tell me everything about this company" is not. A sharp question decides which sources matter and when you are done.
  2. Collection. Gather raw material from open sources — WHOIS records, certificates, archived pages, social profiles, images. This is where the tools live, and where most beginners spend all their time.
  3. Processing. Turn the pile into something workable: normalise formats, de-duplicate, translate, extract entities (names, domains, IPs, emails), timestamp everything. Screenshot and hash what you find, because pages change and get deleted.
  4. Analysis. Connect the dots, weigh source reliability, look for corroboration, and separate what you know from what you infer. One source is a lead; two independent sources is a finding.
  5. Dissemination. Report it to whoever needs to act — in a form they can use, with the evidence attached and the confidence level stated plainly.

It is a cycle because dissemination usually raises new questions, which feed back into direction. Good investigators go around the loop many times on small, tight questions rather than once on a vague one.

Where OSINT sits among the -INT disciplines

Intelligence is traditionally split into "collection disciplines," each abbreviated with an -INT suffix. OSINT is one of several, and knowing the neighbours helps you see its edges:

  • OSINT — Open-Source Intelligence. From publicly available sources. The subject of this article.
  • HUMINT — Human Intelligence. From people, through conversation, interviews, or social engineering. Talking a receptionist into revealing a schedule is HUMINT, not OSINT.
  • SIGINT — Signals Intelligence. From intercepted communications and electronic signals. The domain of intelligence agencies, not open investigators.
  • GEOINT — Geospatial Intelligence. From imagery and geographic data — satellite photos, maps, the location clues inside a picture. OSINT and GEOINT overlap heavily when you geolocate a photo.
  • SOCMINT — Social Media Intelligence. From social platforms specifically. Usually treated as a sub-branch of OSINT because the data is public, but distinct enough to have its own name and its own privacy pitfalls.

OSINT is the broad, mostly-legal umbrella most defenders and researchers work under, borrowing GEOINT and SOCMINT techniques along the way. A dedicated article on the intelligence disciplines is coming; for now, remember OSINT is the one built entirely from what is already open.

The legal and ethical line

This is the part beginners skip and professionals obsess over. "Publicly accessible" and "legal to collect, store, and act on" are not the same statement, and getting this wrong turns research into liability.

Passive vs active collection

Passive collection reads data from third parties without touching the target — querying WHOIS, browsing certificate transparency logs, reading an archived page from the Wayback Machine. The target has no way to know you looked. Active collection touches the target's own infrastructure — visiting its site, resolving its subdomains against it, port-scanning. It can be logged, and heavy active collection starts to look like reconnaissance for an attack. Know which mode you are in at every step. When in doubt, prefer the passive path and third-party datasets.

Terms of service, robots, and the law

  • Respect Terms of Service and robots directives. Automated scraping of a platform often breaches its ToS even when the data is public. That can get your accounts banned and, in some jurisdictions, carry legal weight.
  • Privacy law applies to open data. Under the GDPR (and similar regimes), a person's name, email, IP, or photo is personal data even if you found it on a public page. Collecting and storing it needs a lawful basis, a purpose, and retention limits. "It was public" is not, by itself, a defence.
  • Never cross into intrusion. The moment you try a credential, submit a form to see what breaks, or access something behind authentication, you have left OSINT and likely broken the law (for example the US Computer Fraud and Abuse Act, or the UK Computer Misuse Act).

The rule of thumb: observe, do not interact; document, do not exploit; and only collect what your question actually needs. If you are doing this professionally, get authorisation in writing and stay inside its scope.

Investigator OPSEC

Operational security here means protecting yourself and not tipping off the subject. Investigations leak in both directions — a careless click can reveal who is looking, and it can pollute your own findings.

  • Use dedicated "sock puppet" accounts. Never research from your real social profiles. Maintain separate, plausible research identities with their own email addresses, and keep them consistent so platforms do not lock them. Never use them to deceive in ways that cross into fraud or HUMINT you are not authorised for.
  • Isolate the browser and machine. Work from a virtual machine or a separate browser profile so cookies, extensions, and logins from your real life never bleed into the investigation. A snapshot you can roll back is ideal if you might touch sketchy links.
  • Route traffic through a VPN. Do not expose your home or corporate IP to a target's logs. A VPN (or, for sensitive work, Tor) keeps your origin out of the picture.
  • Do not alert the target. Avoid liking, following, connecting, or logging in with a real account. Prefer passive datasets over hitting the target directly. Every direct interaction is a potential tripwire.
  • Practise data hygiene. Timestamp, screenshot, and hash evidence as you collect it. Store it securely, minimise personal data, and delete what you no longer need. Your case file is itself sensitive data.

The OSINT workflow

Every solid investigation, whatever the target, walks roughly the same path:

  1. Scope and seed. Write the question. Note your starting "seed" — a domain, an email, a username, an image, a company name.
  2. Pivot outward. Use each artefact to find the next. A domain reveals an IP and certificates; a certificate reveals more subdomains; a subdomain reveals a new server; an email reveals accounts. This pivoting is the heart of OSINT.
  3. Corroborate. Confirm each important fact from a second, independent source before you rely on it.
  4. Document as you go. Capture evidence at the moment you see it — URLs, timestamps, screenshots, hashes. Undocumented findings do not exist.
  5. Analyse and report. Assemble the picture, state your confidence, and hand it to whoever acts on it.

The toolbox, by category

OSINT tooling is enormous, so it helps to group it by what job it does. Everything below is free to start with unless noted; the paid tiers mostly buy you volume and history.

Frameworks and collection

  • OSINT Framework — a giant, categorised directory of OSINT resources. A map, not a scanner: use it to find the right tool for a data type.
  • Maltego — link-analysis and graphing. Pulls data from "transforms" and draws the relationships between entities. The industry standard for visual pivoting.
  • SpiderFoot — automates collection across hundreds of sources from a single seed (domain, IP, email, name) and correlates the results.
  • Recon-ng — a modular, command-line reconnaissance framework with a Metasploit-style workflow. Great for scripted, repeatable collection.
  • start.me collections — curated dashboards of OSINT links maintained by the community; an easy way to keep your bookmarks organised by investigation type.
  • IntelTechniques — Michael Bazzell's hub of search tools, workflows, and reference material, long a staple of the OSINT community.

Domains, DNS and infrastructure

  • WHOIS (ICANN lookup) — who registered a domain, when, and through which registrar. Often privacy-masked now, but registration dates and registrars are still telling. (We cover reading it in What is WHOIS and how to read it.)
  • crt.sh — searches Certificate Transparency logs. Because every TLS certificate is logged publicly, this quietly reveals subdomains an organisation never meant to expose.
  • DNSDumpster — free DNS recon that maps a domain's hosts, records, and network in one view.
  • SecurityTrails — historical DNS and WHOIS data. See what an IP or nameserver used to point to, which is gold for tracking infrastructure over time.
  • ViewDNS — a grab-bag of DNS utilities, including reverse-IP lookup to find other domains sharing a server.
  • dnstwist — generates and checks look-alike (typosquat) domains. Essential for brand protection and spotting phishing infrastructure before it is used.
  • Amass (OWASP) — deep subdomain enumeration and network mapping, combining passive datasets with active resolution.
  • subfinder — fast, passive subdomain discovery from ProjectDiscovery. Pairs well with Amass.

Attack surface and exposed devices

  • Shodan — the "search engine for devices." Indexes internet-facing services and their banners, so you can see what software and ports an IP exposes without touching it yourself.
  • Censys — similar internet-wide scanning with strong certificate and host data. Shodan and Censys are the two you learn first (compared in Shodan and Censys explained).
  • ZoomEye — a device and service search engine, strong on assets in Asia.
  • FOFA — another internet asset search engine with powerful fingerprint queries.
  • Netlas — searchable internet scan data covering hosts, certificates, and DNS.
  • GreyNoise — tells you whether an IP is mass-scanning "background noise" or something targeted. Cuts false positives when you are triaging an address.

Website and technology stack

  • urlscan.io — visits a URL in a sandbox and reports the screenshot, resources, redirects, and contacted domains — safely, without you loading it.
  • web-check.xyz — a one-page dashboard of a site's DNS, headers, certificates, tech, and more.
  • Wayback Machine — the Internet Archive's history of a page. See what a site said before it was changed or taken down.
  • BuiltWith — profiles the technologies a site runs: CMS, analytics, frameworks, hosting.
  • Wappalyzer — fingerprints a site's tech stack, available as a browser extension for quick checks.
  • securityheaders.com — grades a site's HTTP security headers; a fast read on how carefully it is configured.

Reputation and malware

  • VirusTotal — checks files, URLs, domains, and IPs against dozens of engines and shows related indicators. A first stop for "is this malicious?"
  • AbuseIPDB — a community database of IPs reported for abuse, with a confidence score.
  • URLhaus, ThreatFox and MalwareBazaar — the abuse.ch family: malicious URLs, indicators of compromise, and malware samples respectively. Free, high-quality threat intelligence.

People and SOCMINT

This category needs the sharpest ethics — you are handling real people's data. Have a lawful purpose and collect the minimum.

  • Sherlock — hunts a username across hundreds of sites from the command line.
  • WhatsMyName — a web-based username enumeration tool covering a large, curated site list.
  • Have I Been Pwned — tells you whether an email appears in known data breaches. Useful for defence and for understanding exposure.
  • holehe — checks whether an email is registered on various sites using their password-reset behaviour, without alerting the owner.
  • Reverse image search — Google Lens, TinEye, and Yandex Images find where a photo appears elsewhere. Yandex is often strongest on faces and places; run all three, as they index different corners of the web.

Email

  • Hunter.io — finds and verifies email addresses associated with a domain and reveals the address pattern an organisation uses.
  • EmailRep — a reputation summary for an email address, drawing on where it appears online.

Geolocation and GEOINT

  • EXIF metadata — photos can embed the camera, timestamp, and even GPS coordinates. A tool like ExifTool reads it. (Most social platforms strip EXIF on upload, so absence of data is normal.)
  • SunCalc — shows the sun's position for any place and time. Combined with shadows in a photo, it helps confirm or estimate when and where it was taken.
  • Google Earth — satellite and street imagery for verifying locations, matching landmarks, and reconstructing a scene.

A worked mini-example: one suspicious domain, end to end

Say a customer forwards you an email from secure-login-yourbank.example and you need to judge it — passively, without ever logging in or attacking anything. The high-level path:

1) WHOIS       -> registrar + creation date
2) crt.sh      -> certificates & sibling subdomains
3) urlscan.io  -> safe render: screenshot, redirects, resources
4) web-check   -> DNS, headers, hosting, tech stack
5) VirusTotal  -> is the domain/URL flagged?
6) GreyNoise   -> is the hosting IP just noise, or targeted?

Reading it in order: a domain registered three days ago through a bulk registrar is already suspicious. crt.sh shows a certificate minted the same day and sibling hostnames reusing the "yourbank" string — a pattern, not a coincidence. urlscan.io renders a pixel-perfect clone of the login page and shows the form posting to an unrelated host. web-check confirms cheap throwaway hosting and missing security headers. VirusTotal already flags the URL; AbuseIPDB and GreyNoise round out the IP's reputation. None of that touched the attacker's server beyond a sandbox — and you have a documented, evidence-backed verdict.

That is the shape of it. We go deep on this exact process in How to investigate a suspicious domain, and on the quick "is this fake?" version in How to check if a domain is fake or suspicious.

Where OSINT gets used

  • Threat intelligence. Mapping attacker infrastructure, tracking campaigns, and enriching indicators of compromise.
  • Brand protection. Catching typosquats, fake profiles, and phishing sites impersonating an organisation — often before customers are hit.
  • Phishing investigation. Attributing a lure, unmasking the infrastructure behind it, and feeding takedowns.
  • Penetration-test reconnaissance. The authorised, passive first phase of an engagement — mapping the target's public footprint before any active testing, inside a signed scope.
  • Investigative journalism and research. Verifying images, geolocating events, and following public records to hold power to account.

Pick a tool by what you want

Beginners drown because they memorise tools instead of jobs. Start from the outcome you need and work back:

What you wantReach for
Subdomains of a targetcrt.sh, Amass, subfinder, DNSDumpster
Who registered a domain / whenWHOIS, SecurityTrails, ViewDNS
What software / ports an IP exposesShodan, Censys, Netlas, FOFA
What tech a website runsBuiltWith, Wappalyzer, web-check.xyz
Safely see what a URL doesurlscan.io
A page's history / a deleted pageWayback Machine
Is this file / URL / IP maliciousVirusTotal, abuse.ch, AbuseIPDB, GreyNoise
Look-alike / typosquat domainsdnstwist
Where a username appearsSherlock, WhatsMyName
Is an email breached / registered somewhereHave I Been Pwned, holehe, EmailRep
Emails for a domainHunter.io
Where a photo appears / where it was takenTinEye, Yandex, Google Lens, ExifTool, SunCalc, Google Earth
Automate collection from one seedSpiderFoot, Recon-ng, Maltego

OSINT is less about any single site than about a habit of mind: ask a tight question, collect only from open sources, pivot from one artefact to the next, corroborate, document, and stay on the legal side of the line. Master that loop and the tools become interchangeable — which is what the rest of this cluster will help you do.

Frequently asked questions

Is OSINT legal?
Collecting information from genuinely open, public sources is legal in most places, and OSINT never involves breaking into systems. But "public" does not mean "unrestricted": scraping can breach a platform's terms of service, and privacy laws like the GDPR still apply to personal data even when you found it on a public page — you need a lawful purpose, and you should collect only what your question requires. The line you must never cross is intrusion: the moment you use a credential that is not yours, submit a form to probe for flaws, or touch anything behind authentication, you have left OSINT and likely broken computer-misuse law.
What is the difference between OSINT and reconnaissance?
They overlap but are not the same. OSINT is passive by default — you read what third parties and the target have already published, without necessarily touching the target. Reconnaissance, in a pentest sense, is a phase of an authorised security engagement that starts passive (often using OSINT) and then goes active: resolving subdomains against the target, port-scanning, fingerprinting live services. OSINT is a technique; reconnaissance is a phase that uses OSINT and then goes further, only ever inside a signed scope.
What are the best free OSINT tools to start with?
For infrastructure, learn crt.sh for subdomains, WHOIS for registration, and the Wayback Machine for history. For exposed devices, Shodan and Censys both have free tiers. For safe URL analysis, urlscan.io and web-check.xyz. For reputation, VirusTotal, the abuse.ch family, and GreyNoise. For people and usernames, Have I Been Pwned, Sherlock, and WhatsMyName. Use the OSINT Framework as a directory to find the right tool for any data type, and SpiderFoot to automate collection once you understand the pieces.
What is SOCMINT?
SOCMINT — Social Media Intelligence — is the branch of OSINT focused specifically on social platforms: profiles, posts, connections, and the metadata around them. It is usually treated as part of OSINT because the data is public, but it gets its own name because it carries distinct privacy and ethical risks — you are handling real people's data — and demands extra care around lawful basis, data minimisation, and not deceiving people in ways that stray into other disciplines. We will cover the -INT disciplines, including SOCMINT, in a dedicated article.
How do OSINT investigators stay anonymous?
Through OPSEC. They research from dedicated "sock puppet" accounts rather than their real profiles, work inside an isolated virtual machine or a separate browser profile so their real cookies and logins never leak, and route traffic through a VPN (or Tor for sensitive work) so their real IP never lands in a target's logs. Crucially, they avoid interacting with the target at all — no likes, follows, or logins — preferring passive third-party datasets, and they document evidence carefully while minimising the personal data they retain.
Is OSINT the same as the OSINT Framework?
No. OSINT is the discipline — the whole practice of turning open sources into intelligence. The OSINT Framework (osintframework.com) is just one specific resource: a categorised directory that points you to tools and sites for different data types. It is a map of the landscape, not the landscape itself, and it does not collect anything on its own. Think of OSINT as the craft and the OSINT Framework as one reference you keep bookmarked while practising it.