What is OSINT? Tools and workflow.
OSINT turns open, public sources into intelligence — not hacking. The intelligence cycle, -INT disciplines, legal limits, OPSEC, a workflow and real tools.
OSINT sounds like a hacking discipline and mostly is not. Open-Source Intelligence is the craft of turning information that is already public — a domain registration, a certificate transparency log, a job posting, the metadata baked into a photo — into an answer to a specific question. No exploits. No logins you were not given. No touching systems you have no right to touch. This article is the front door to a whole cluster of investigation guides, so we will keep it broad but concrete: what OSINT is, the process behind it, where the legal line sits, how to protect yourself while you work, and the real tools that do the collecting.
What OSINT is — and what it is not
The word "intelligence" is doing the heavy lifting. OSINT is not "stuff you found on Google." It is the disciplined process of collecting open information, verifying it, connecting it, and producing an assessment someone can act on. A raw list of subdomains is data. "This organisation exposes a forgotten staging server on an outdated CMS, and here is the evidence" is intelligence.
"Open source" here has nothing to do with open-source software. It means the source is openly available to anyone: public websites, DNS records, court filings, company registries, social media, image and video, leaked-and-now-public breach data, satellite imagery. If you need a password, an exploit, or a court order to see it, it is not open source, and collecting it is not OSINT.
Just as important is what OSINT is not:
- It is not intrusion. Reading a public page is OSINT. Logging into an account that is not yours, brute-forcing a form, or probing for vulnerabilities is not — that crosses into unauthorised access, which is a crime in most jurisdictions.
- It is not "hacking." There is no exploitation of a flaw. You are reading what the target chose (or forgot) to publish.
- It is not automatically anonymous or consequence-free. Some collection touches the target's servers and can be logged. More on that below.
The intelligence cycle, applied to OSINT
Professional intelligence work follows a loop, and OSINT is no exception. Naming the stages keeps you honest — it stops "poke around until something turns up" from masquerading as an investigation.
- Direction. Define the question. "Is this domain impersonating our brand?" is answerable. "Tell me everything about this company" is not. A sharp question decides which sources matter and when you are done.
- Collection. Gather raw material from open sources — WHOIS records, certificates, archived pages, social profiles, images. This is where the tools live, and where most beginners spend all their time.
- Processing. Turn the pile into something workable: normalise formats, de-duplicate, translate, extract entities (names, domains, IPs, emails), timestamp everything. Screenshot and hash what you find, because pages change and get deleted.
- Analysis. Connect the dots, weigh source reliability, look for corroboration, and separate what you know from what you infer. One source is a lead; two independent sources is a finding.
- Dissemination. Report it to whoever needs to act — in a form they can use, with the evidence attached and the confidence level stated plainly.
It is a cycle because dissemination usually raises new questions, which feed back into direction. Good investigators go around the loop many times on small, tight questions rather than once on a vague one.
Where OSINT sits among the -INT disciplines
Intelligence is traditionally split into "collection disciplines," each abbreviated with an -INT suffix. OSINT is one of several, and knowing the neighbours helps you see its edges:
- OSINT — Open-Source Intelligence. From publicly available sources. The subject of this article.
- HUMINT — Human Intelligence. From people, through conversation, interviews, or social engineering. Talking a receptionist into revealing a schedule is HUMINT, not OSINT.
- SIGINT — Signals Intelligence. From intercepted communications and electronic signals. The domain of intelligence agencies, not open investigators.
- GEOINT — Geospatial Intelligence. From imagery and geographic data — satellite photos, maps, the location clues inside a picture. OSINT and GEOINT overlap heavily when you geolocate a photo.
- SOCMINT — Social Media Intelligence. From social platforms specifically. Usually treated as a sub-branch of OSINT because the data is public, but distinct enough to have its own name and its own privacy pitfalls.
OSINT is the broad, mostly-legal umbrella most defenders and researchers work under, borrowing GEOINT and SOCMINT techniques along the way. A dedicated article on the intelligence disciplines is coming; for now, remember OSINT is the one built entirely from what is already open.
The legal and ethical line
This is the part beginners skip and professionals obsess over. "Publicly accessible" and "legal to collect, store, and act on" are not the same statement, and getting this wrong turns research into liability.
Passive vs active collection
Passive collection reads data from third parties without touching the target — querying WHOIS, browsing certificate transparency logs, reading an archived page from the Wayback Machine. The target has no way to know you looked. Active collection touches the target's own infrastructure — visiting its site, resolving its subdomains against it, port-scanning. It can be logged, and heavy active collection starts to look like reconnaissance for an attack. Know which mode you are in at every step. When in doubt, prefer the passive path and third-party datasets.
Terms of service, robots, and the law
- Respect Terms of Service and robots directives. Automated scraping of a platform often breaches its ToS even when the data is public. That can get your accounts banned and, in some jurisdictions, carry legal weight.
- Privacy law applies to open data. Under the GDPR (and similar regimes), a person's name, email, IP, or photo is personal data even if you found it on a public page. Collecting and storing it needs a lawful basis, a purpose, and retention limits. "It was public" is not, by itself, a defence.
- Never cross into intrusion. The moment you try a credential, submit a form to see what breaks, or access something behind authentication, you have left OSINT and likely broken the law (for example the US Computer Fraud and Abuse Act, or the UK Computer Misuse Act).
The rule of thumb: observe, do not interact; document, do not exploit; and only collect what your question actually needs. If you are doing this professionally, get authorisation in writing and stay inside its scope.
Investigator OPSEC
Operational security here means protecting yourself and not tipping off the subject. Investigations leak in both directions — a careless click can reveal who is looking, and it can pollute your own findings.
- Use dedicated "sock puppet" accounts. Never research from your real social profiles. Maintain separate, plausible research identities with their own email addresses, and keep them consistent so platforms do not lock them. Never use them to deceive in ways that cross into fraud or HUMINT you are not authorised for.
- Isolate the browser and machine. Work from a virtual machine or a separate browser profile so cookies, extensions, and logins from your real life never bleed into the investigation. A snapshot you can roll back is ideal if you might touch sketchy links.
- Route traffic through a VPN. Do not expose your home or corporate IP to a target's logs. A VPN (or, for sensitive work, Tor) keeps your origin out of the picture.
- Do not alert the target. Avoid liking, following, connecting, or logging in with a real account. Prefer passive datasets over hitting the target directly. Every direct interaction is a potential tripwire.
- Practise data hygiene. Timestamp, screenshot, and hash evidence as you collect it. Store it securely, minimise personal data, and delete what you no longer need. Your case file is itself sensitive data.
The OSINT workflow
Every solid investigation, whatever the target, walks roughly the same path:
- Scope and seed. Write the question. Note your starting "seed" — a domain, an email, a username, an image, a company name.
- Pivot outward. Use each artefact to find the next. A domain reveals an IP and certificates; a certificate reveals more subdomains; a subdomain reveals a new server; an email reveals accounts. This pivoting is the heart of OSINT.
- Corroborate. Confirm each important fact from a second, independent source before you rely on it.
- Document as you go. Capture evidence at the moment you see it — URLs, timestamps, screenshots, hashes. Undocumented findings do not exist.
- Analyse and report. Assemble the picture, state your confidence, and hand it to whoever acts on it.
The toolbox, by category
OSINT tooling is enormous, so it helps to group it by what job it does. Everything below is free to start with unless noted; the paid tiers mostly buy you volume and history.
Frameworks and collection
- OSINT Framework — a giant, categorised directory of OSINT resources. A map, not a scanner: use it to find the right tool for a data type.
- Maltego — link-analysis and graphing. Pulls data from "transforms" and draws the relationships between entities. The industry standard for visual pivoting.
- SpiderFoot — automates collection across hundreds of sources from a single seed (domain, IP, email, name) and correlates the results.
- Recon-ng — a modular, command-line reconnaissance framework with a Metasploit-style workflow. Great for scripted, repeatable collection.
- start.me collections — curated dashboards of OSINT links maintained by the community; an easy way to keep your bookmarks organised by investigation type.
- IntelTechniques — Michael Bazzell's hub of search tools, workflows, and reference material, long a staple of the OSINT community.
Domains, DNS and infrastructure
- WHOIS (ICANN lookup) — who registered a domain, when, and through which registrar. Often privacy-masked now, but registration dates and registrars are still telling. (We cover reading it in What is WHOIS and how to read it.)
- crt.sh — searches Certificate Transparency logs. Because every TLS certificate is logged publicly, this quietly reveals subdomains an organisation never meant to expose.
- DNSDumpster — free DNS recon that maps a domain's hosts, records, and network in one view.
- SecurityTrails — historical DNS and WHOIS data. See what an IP or nameserver used to point to, which is gold for tracking infrastructure over time.
- ViewDNS — a grab-bag of DNS utilities, including reverse-IP lookup to find other domains sharing a server.
- dnstwist — generates and checks look-alike (typosquat) domains. Essential for brand protection and spotting phishing infrastructure before it is used.
- Amass (OWASP) — deep subdomain enumeration and network mapping, combining passive datasets with active resolution.
- subfinder — fast, passive subdomain discovery from ProjectDiscovery. Pairs well with Amass.
Attack surface and exposed devices
- Shodan — the "search engine for devices." Indexes internet-facing services and their banners, so you can see what software and ports an IP exposes without touching it yourself.
- Censys — similar internet-wide scanning with strong certificate and host data. Shodan and Censys are the two you learn first (compared in Shodan and Censys explained).
- ZoomEye — a device and service search engine, strong on assets in Asia.
- FOFA — another internet asset search engine with powerful fingerprint queries.
- Netlas — searchable internet scan data covering hosts, certificates, and DNS.
- GreyNoise — tells you whether an IP is mass-scanning "background noise" or something targeted. Cuts false positives when you are triaging an address.
Website and technology stack
- urlscan.io — visits a URL in a sandbox and reports the screenshot, resources, redirects, and contacted domains — safely, without you loading it.
- web-check.xyz — a one-page dashboard of a site's DNS, headers, certificates, tech, and more.
- Wayback Machine — the Internet Archive's history of a page. See what a site said before it was changed or taken down.
- BuiltWith — profiles the technologies a site runs: CMS, analytics, frameworks, hosting.
- Wappalyzer — fingerprints a site's tech stack, available as a browser extension for quick checks.
- securityheaders.com — grades a site's HTTP security headers; a fast read on how carefully it is configured.
Reputation and malware
- VirusTotal — checks files, URLs, domains, and IPs against dozens of engines and shows related indicators. A first stop for "is this malicious?"
- AbuseIPDB — a community database of IPs reported for abuse, with a confidence score.
- URLhaus, ThreatFox and MalwareBazaar — the abuse.ch family: malicious URLs, indicators of compromise, and malware samples respectively. Free, high-quality threat intelligence.
People and SOCMINT
This category needs the sharpest ethics — you are handling real people's data. Have a lawful purpose and collect the minimum.
- Sherlock — hunts a username across hundreds of sites from the command line.
- WhatsMyName — a web-based username enumeration tool covering a large, curated site list.
- Have I Been Pwned — tells you whether an email appears in known data breaches. Useful for defence and for understanding exposure.
- holehe — checks whether an email is registered on various sites using their password-reset behaviour, without alerting the owner.
- Reverse image search — Google Lens, TinEye, and Yandex Images find where a photo appears elsewhere. Yandex is often strongest on faces and places; run all three, as they index different corners of the web.
- Hunter.io — finds and verifies email addresses associated with a domain and reveals the address pattern an organisation uses.
- EmailRep — a reputation summary for an email address, drawing on where it appears online.
Geolocation and GEOINT
- EXIF metadata — photos can embed the camera, timestamp, and even GPS coordinates. A tool like ExifTool reads it. (Most social platforms strip EXIF on upload, so absence of data is normal.)
- SunCalc — shows the sun's position for any place and time. Combined with shadows in a photo, it helps confirm or estimate when and where it was taken.
- Google Earth — satellite and street imagery for verifying locations, matching landmarks, and reconstructing a scene.
A worked mini-example: one suspicious domain, end to end
Say a customer forwards you an email from secure-login-yourbank.example and you need to judge it — passively, without ever logging in or attacking anything. The high-level path:
1) WHOIS -> registrar + creation date
2) crt.sh -> certificates & sibling subdomains
3) urlscan.io -> safe render: screenshot, redirects, resources
4) web-check -> DNS, headers, hosting, tech stack
5) VirusTotal -> is the domain/URL flagged?
6) GreyNoise -> is the hosting IP just noise, or targeted?
Reading it in order: a domain registered three days ago through a bulk registrar is already suspicious. crt.sh shows a certificate minted the same day and sibling hostnames reusing the "yourbank" string — a pattern, not a coincidence. urlscan.io renders a pixel-perfect clone of the login page and shows the form posting to an unrelated host. web-check confirms cheap throwaway hosting and missing security headers. VirusTotal already flags the URL; AbuseIPDB and GreyNoise round out the IP's reputation. None of that touched the attacker's server beyond a sandbox — and you have a documented, evidence-backed verdict.
That is the shape of it. We go deep on this exact process in How to investigate a suspicious domain, and on the quick "is this fake?" version in How to check if a domain is fake or suspicious.
Where OSINT gets used
- Threat intelligence. Mapping attacker infrastructure, tracking campaigns, and enriching indicators of compromise.
- Brand protection. Catching typosquats, fake profiles, and phishing sites impersonating an organisation — often before customers are hit.
- Phishing investigation. Attributing a lure, unmasking the infrastructure behind it, and feeding takedowns.
- Penetration-test reconnaissance. The authorised, passive first phase of an engagement — mapping the target's public footprint before any active testing, inside a signed scope.
- Investigative journalism and research. Verifying images, geolocating events, and following public records to hold power to account.
Pick a tool by what you want
Beginners drown because they memorise tools instead of jobs. Start from the outcome you need and work back:
| What you want | Reach for |
|---|---|
| Subdomains of a target | crt.sh, Amass, subfinder, DNSDumpster |
| Who registered a domain / when | WHOIS, SecurityTrails, ViewDNS |
| What software / ports an IP exposes | Shodan, Censys, Netlas, FOFA |
| What tech a website runs | BuiltWith, Wappalyzer, web-check.xyz |
| Safely see what a URL does | urlscan.io |
| A page's history / a deleted page | Wayback Machine |
| Is this file / URL / IP malicious | VirusTotal, abuse.ch, AbuseIPDB, GreyNoise |
| Look-alike / typosquat domains | dnstwist |
| Where a username appears | Sherlock, WhatsMyName |
| Is an email breached / registered somewhere | Have I Been Pwned, holehe, EmailRep |
| Emails for a domain | Hunter.io |
| Where a photo appears / where it was taken | TinEye, Yandex, Google Lens, ExifTool, SunCalc, Google Earth |
| Automate collection from one seed | SpiderFoot, Recon-ng, Maltego |
OSINT is less about any single site than about a habit of mind: ask a tight question, collect only from open sources, pivot from one artefact to the next, corroborate, document, and stay on the legal side of the line. Master that loop and the tools become interchangeable — which is what the rest of this cluster will help you do.
