Open-source intelligence (OSINT) has become a cornerstone of modern threat intelligence operations. Whether you are mapping an adversary's infrastructure, performing a red team reconnaissance phase, or investigating a phishing campaign, OSINT provides the foundational data layer that informs every subsequent decision. This article covers professional OSINT techniques, tooling, and workflows for cybersecurity practitioners who already understand the basics and need to operationalise intelligence gathering at scale.

OSINT Methodology: Passive vs Active

Understanding the distinction between passive and active OSINT is critical for operational security and legal compliance.

Passive OSINT

Passive techniques gather information without directly interacting with the target's systems. You rely on publicly available data, third-party sources, and cached records. Passive collection leaves no logs on the target infrastructure and is generally lower risk from both a detection and legal standpoint.

  • Search engine dorking — Google, Bing, and Shodan
  • Certificate transparency logs — crt.sh, CertSpotter
  • DNS records — Historical and current via SecurityTrails, PassiveTotal
  • Social media scraping — Public profiles and posts
  • Data breaches — Dehashed, Have I Been Pwned

Active OSINT

Active techniques involve direct interaction with the target — port scanning, banner grabbing, or probing web servers. These actions generate logs and may trigger defensive alerts. Active OSINT should only be conducted with explicit authorisation or against your own infrastructure.

  • Port scanning — Nmap, Masscan
  • Web directory enumeration — Gobuster, FFuF
  • DNS zone transfers — dig, host
  • Service fingerprinting — Nmap scripts, WhatWeb

Operational Note: For threat intelligence operations, begin with passive techniques to build a baseline. Only move to active techniques when passive data is insufficient, and always use infrastructure that is not attributable to you or your organisation.

Essential OSINT Tools

The OSINT tool landscape is vast, but a handful of tools form the core of any professional workflow.

theHarvester

theHarvester is an essential tool for email, subdomain, and IP enumeration. It pulls data from search engines, PGP key servers, and Shodan.

$ theHarvester -d example.com -b google,linkedin,yahoo,bing,crtsh
$ theHarvester -d example.com -b shodan -l 500
$ theHarvester -d example.com -b dnsdumpster -s

The -b flag selects the data sources; combining several of them yields a more complete picture. -l caps the number of results returned per source, and -s asks Shodan to enrich the hosts already discovered, regardless of which sources were chosen with -b.

Shodan CLI

Shodan indexes internet-connected devices and services. The CLI allows programmatic querying of the Shodan database.

$ shodan init YOUR_API_KEY
$ shodan search --fields ip_str,port,org,hostnames "org:ExampleCorp"
$ shodan host 203.0.113.42
$ shodan stats --facets port,country "product:Apache"

Note: A Shodan API key is required for CLI usage. The free tier provides limited results. For operational threat intelligence, consider a paid account for API access without rate limiting.

Recon-ng

Recon-ng is a modular reconnaissance framework with a Metasploit-like interface. It supports dozens of modules for DNS, contacts, geolocation, and vulnerability discovery.

$ recon-ng
[recon-ng][default] > marketplace install all
[recon-ng][default] > workspaces create target_acme
[recon-ng][target_acme] > db insert domains
[recon-ng][target_acme] > modules load recon/domains-hosts/certificate_transparency
[recon-ng][target_acme][certificate_transparency] > run

Recon-ng's strength lies in its workflow automation. Modules can be chained together, and results are stored in a local database for cross-referencing.

Maltego

Maltego provides graphical link analysis for OSINT data. It transforms raw data points into relationship graphs, revealing connections between domains, email addresses, social media accounts, and infrastructure.

  • Common transforms: DNS to IP, Email to Social Media, Domain to Email
  • Use Paterva's Transform Hub for commercial data sources
  • Export graphs as CSV or PDF for reporting

Maltego CE (Community Edition) is free with limited transforms. The commercial version unlocks full data sources including passive DNS and breach data.

SpiderFoot

SpiderFoot is an automated OSINT reconnaissance tool that scans over 200 data sources. It is ideal for initial broad-scope intelligence gathering.

$ python3 sf.py -u all -s example.com -o json -q
$ python3 sf.py -m "sfp_shodan,sfp_censys,sfp_crtsh" -s 203.0.113.0/24 -o csv
$ docker run -p 5001:5001 -d foxfoster/spiderfoot

Pro Tip: Use SpiderFoot's correlation engine to identify false positives. The -q flag enables quiet mode for headless operation. Schedule regular scans against your own attack surface for continuous monitoring.

Google Dorking for Threat Intelligence

Google dorking (or Google hacking) uses advanced search operators to find exposed information that standard searches miss. For threat intelligence, dorks help identify exposed admin panels, configuration files, and leaked credentials.

$ site:example.com intitle:"index of" "backup"
$ site:example.com inurl:wp-config.php
$ site:example.com filetype:sql "INSERT INTO" "password"
$ site:example.com intext:"password" filetype:log
$ site:example.com intitle:"webcam" inurl:view.shtml

Common dork categories for threat intelligence:

  • Exposed documents — filetype:xls inurl:email or filetype:pdf confidential
  • Configuration files — filetype:env "DB_PASSWORD" or filetype:yml "aws_secret"
  • Login portals — intitle:"login" inurl:/admin or inurl:/wp-admin
  • Directory listings — intitle:"index of /" "parent directory"

Warning: Google may block automated dorking requests. Use rate limiting, rotate user agents, and consider commercial OSINT platforms for large-scale operations. Never use dorking to access data you are not authorised to view.

The OSINT Framework

The OSINT Framework is a curated directory of OSINT tools organised by category. While the web-based version is convenient, experienced analysts build their own local workflow based on the framework's taxonomy.

A professional OSINT framework should cover these categories:

  • Identity Intelligence — Username search, email lookup, people search engines (Pipl, Spokeo, Dehashed)
  • Infrastructure Intelligence — DNS, IP geolocation, certificate transparency, WHOIS history (Shodan, Censys, SecurityTrails)
  • Document Intelligence — Metadata extraction, document search (ExifTool, FOCA, Google Dorks)
  • Social Media Intelligence (SOCMINT) — Profile analysis, network mapping, sentiment analysis
  • Dark Web Intelligence — Tor hidden services, forums, breach marketplaces

Recommended Workflow: Start with passive DNS and certificate logs (crt.sh), then pivot to Shodan for exposed services, followed by theHarvester for email patterns, and finally Maltego for relationship mapping. Document every finding with timestamps and source URLs for evidentiary integrity.
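The certificate-transparency step of that workflow, run from the defender's side as a standing check on your own brand, looks like the following. This is an added example, not code from the article or from FoxFoster: it parses the JSON that crt.sh returns for a brand keyword, collapses SAN lists and wildcards into registrable domains, and flags look-alikes of your own domain (brand plus a suffix such as -secure, single-character typos, and homoglyph substitutions). The brand name, the sample crt.sh response and the homoglyph table are constructed assumptions.

```python
import json
from typing import Dict, Optional, Set

BRAND = "examplebank.com"   # the defender's own domain (constructed value)

# Constructed sample in the shape of crt.sh's JSON output for a query such as
# https://crt.sh/?q=%25examplebank%25&output=json. Field names are assumed to
# match the live service; only the fields used below are included.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "examplebank-secure.com\nwww.examplebank-secure.com",
     "not_before": "2026-03-01T10:00:00", "not_after": "2026-05-30T10:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "login.examplebank.com",
     "not_before": "2026-01-10T00:00:00", "not_after": "2026-04-10T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "exampIebank.com",
     "not_before": "2026-02-20T00:00:00", "not_after": "2027-02-20T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.examplebank.com",
     "not_before": "2026-01-01T00:00:00", "not_after": "2026-04-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "examp1ebank.com",
     "not_before": "2026-03-05T00:00:00", "not_after": "2026-06-03T00:00:00"},
])

# Character pairs that render alike and are commonly swapped in look-alike
# registrations (assumed list); applied after lowercasing, multi-character first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def parse_crtsh(payload: str) -> Set[str]:
    """Flatten crt.sh JSON into a de-duplicated set of lowercase hostnames.
    name_value holds newline-separated SANs; wildcard prefixes are dropped."""
    names: Set[str] = set()
    for entry in json.loads(payload):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name:
                names.add(name)
    return names


def normalise(label: str) -> str:
    """Fold look-alike characters so 'examp1ebank' compares equal to 'examplebank'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Simplification: no public-suffix list, so co.uk-style TLDs are wrong."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, brand: str) -> Optional[str]:
    """Return a finding category, or None for hosts in the brand's own zone
    or hosts that do not resemble the brand at all."""
    if host == brand or host.endswith("." + brand):
        return None                       # our own zone, nothing to report
    brand_label = brand.split(".")[0]
    reg = registrable(host)
    label = normalise(reg.split(".")[0])
    if label == brand_label and reg != brand:
        return "homoglyph"                # identical once look-alikes are folded
    if edit_distance(label, brand_label) <= 2:
        return "typosquat"
    if brand_label in label:
        return "brand-affix"              # brand plus a prefix or suffix
    return None


def find_lookalikes(payload: str, brand: str) -> Dict[str, str]:
    """Map every suspicious registrable domain in a crt.sh result to its category."""
    findings: Dict[str, str] = {}
    for host in parse_crtsh(payload):
        category = classify(host, brand)
        if category:
            findings[registrable(host)] = category
    return findings


if __name__ == "__main__":
    for domain, category in sorted(find_lookalikes(SAMPLE_CRTSH_JSON, BRAND).items()):
        print(f"{category:12s} {domain}")
```

Two caveats before scheduling this against live crt.sh output: the two-label approximation of the registrable domain misclassifies ccTLD second-level registries (replace it with a public-suffix-aware library such as tldextract), and an edit-distance threshold of 2 produces false positives for short brand labels, so tune it per brand and review hits before filing a takedown.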

Social Media Intelligence (SOCMINT)

Social media platforms are rich sources of threat intelligence. Adversaries often leak operational details through social media — sometimes inadvertently, sometimes through bravado.

Twitter Intelligence

Twitter's search API and third-party tools like Twint allow extensive data collection:

$ twint -u target_user --since 2025-01-01 --until 2026-06-01 -o tweets.csv --csv
$ twint -u target_user --followers -o followers.csv --csv
$ twint -s "ransomware" --location --near "Moscow" -o geo_tweets.csv --csv

LinkedIn Intelligence

LinkedIn provides organisational structure and technology stack insights:

  • Identify employees with specific job titles (security, DevOps, etc.)
  • Cross-reference email formats discovered via theHarvester
  • Monitor job postings for technology stack disclosure
  • Map organisational hierarchies for spear-phishing target selection

Telegram Intelligence

Telegram has become a primary communication channel for threat actors. Monitoring public channels and groups provides real-time threat intelligence:

$ telegram-analyzer --channel "channel_name" --export json
$ python3 telethon_scraper.py --api-id YOUR_ID --api-hash YOUR_HASH

Note: SOCMINT collection must comply with platform terms of service and relevant privacy regulations (GDPR, CCPA). Automated scraping may violate ToS and result in account suspension or legal action. Use dedicated research accounts with appropriate protections.

Dark Web Monitoring Basics

Dark web monitoring is a specialised subset of OSINT focused on Tor hidden services, I2P networks, and encrypted messaging platforms. For threat intelligence teams, the primary objectives are:

  • Identify leaked credentials or proprietary data
  • Monitor threat actor forums for discussions targeting your organisation
  • Track ransomware group leak sites
  • Discover zero-day vulnerability sales or exploit trading

Setting Up a Monitoring Environment

$ # Install Tor and configure SOCKS proxy
$ apt install tor torsocks
$ systemctl start tor
$ # Test connectivity
$ torsocks curl https://check.torproject.org/api/ip
$ # Browse via Tor
$ torsocks python3 darkweb_monitor.py --config config.yaml

Key Dark Web Sources

  • Ransomware leak sites — Monitor known ransomware group blogs for victim disclosures
  • Breach forums — Exploit.in, RaidForums (via archived mirrors), XSS.is
  • Telegram channels — Many threat actors maintain public Telegram channels for data leaks
  • Paste sites — Monitor Pastebin, Ghostbin, and Rentry for credential dumps
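The paste-site item above is where most teams start with automation, so here is the triage step as an added example (not code from the article or from FoxFoster): it scans paste text for credential lines, keeps only entries for your own mail domain and its subdomains, and emits records that carry a masked secret and a truncated hash for de-duplication so the plaintext never reaches a report or ticket. The organisation domain and the sample paste are constructed; the separator set and line format are assumptions about how such dumps are typically laid out.

```python
import hashlib
import re
from typing import Dict, List

ORG_DOMAIN = "examplecorp.com"   # the defender's own mail domain (constructed value)

# Constructed paste text imitating a "combo list" dump. Every address and
# secret below is made up for this example.
SAMPLE_PASTE = """\
# combo list sample (constructed)
alice@examplecorp.com:Winter2025!
bob@otherdomain.net:hunter2
carol@examplecorp.com;P@ssw0rd123
dave@sub.examplecorp.com:correct-horse
just some unrelated text mentioning examplecorp.com
"""

# One credential per line: <email><separator><secret>. Separators commonly
# seen in dumps are ':' ';' and '|' (assumption).
CRED_LINE = re.compile(r"^(?P<user>[\w.+-]+@(?P<domain>[\w.-]+))[:;|](?P<secret>\S+)$")


def mask_secret(secret: str) -> str:
    """Keep the first character and the length so analysts can recognise
    obvious patterns without the plaintext entering a report."""
    return secret[0] + "*" * (len(secret) - 1)


def secret_fingerprint(secret: str) -> str:
    """Truncated SHA-256, used only to spot the same secret across several pastes."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def in_org(domain: str, org_domain: str) -> bool:
    """True for the organisation's domain and any of its subdomains."""
    return domain == org_domain or domain.endswith("." + org_domain)


def scan_paste(text: str, org_domain: str) -> List[Dict[str, object]]:
    """Return one record per credential line that belongs to org_domain;
    other organisations' entries and free text are ignored."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_LINE.match(line.strip())
        if not m:
            continue
        domain = m.group("domain").lower()
        if not in_org(domain, org_domain):
            continue
        hits.append({
            "line": lineno,
            "user": m.group("user").lower(),
            "secret_masked": mask_secret(m.group("secret")),
            "secret_fp": secret_fingerprint(m.group("secret")),
        })
    return hits


def affected_users(hits: List[Dict[str, object]]) -> List[str]:
    """Sorted, de-duplicated list of accounts to hand to the identity team."""
    return sorted({str(h["user"]) for h in hits})


if __name__ == "__main__":
    for hit in scan_paste(SAMPLE_PASTE, ORG_DOMAIN):
        print(hit)
```

The output of affected_users() is the hand-off to the identity team for forced resets; the records themselves, with the plaintext already stripped, are what goes into the intelligence report.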

Warning: Dark web monitoring carries inherent risks. Malicious content, CSAM, and active exploits may be encountered. Always use isolated virtual machines with no connectivity to production networks. Never interact with threat actors without explicit authorisation and legal counsel.

Case Study: Tracking an Infrastructure Campaign

In March 2026, the FoxFoster Research Team tracked a credential-harvesting campaign targeting financial services. The investigation demonstrates OSINT techniques in practice.

Phase 1 — Initial Discovery: A suspicious domain resembling a major bank's login portal was identified via certificate transparency monitoring. The domain used a typosquatting variant with an expired Let's Encrypt certificate.

$ curl -s "https://crt.sh/?q=%25bankofamerica-secure%25&output=json" | jq '.[].name_value'

Phase 2 — Infrastructure Mapping: Shodan revealed the phishing server was hosted on a known bulletproof hosting provider. Historical DNS data showed the IP had been associated with three other banking-themed domains over the previous 90 days.

$ shodan search "ssl.cert.subject.CN:bankofamerica-secure" --fields ip_str,port
$ curl -s "https://api.securitytrails.com/v1/history/203.0.113.42/dns/a" -H "APIKEY: $ST_KEY"

Phase 3 — Attribution: Passive DNS pivoting uncovered a Telegram channel where the threat actor advertised phishing kits. The channel handle was cross-referenced with theHarvester results to identify associated email addresses. A publicly exposed Git repository contained identical phishing kit source code with developer comments in Russian.

Phase 4 — Reporting: The findings were documented with full chain-of-custody, timestamps, and source URLs. The takedown request was filed with the hosting provider and domain registrar. The campaign infrastructure was offline within 48 hours.

Key Takeaway: The most effective OSINT investigations chain multiple data sources together. No single tool provides the full picture. Automated collection combined with human analysis — particularly language analysis and cultural context — is what separates actionable intelligence from raw data.
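The chain-of-custody record described in Phase 4 can be made tamper-evident with very little code. The following is an added example, not the FoxFoster team's own tooling: every finding stores the UTC collection time, the source URL, the SHA-256 of the bytes actually captured, and the hash of the previous record, so that an entry edited, inserted or dropped after the fact fails verification. The three findings, their URLs and captured bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64   # prev_hash of the first record in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_finding(log: List[Dict], source_url: str, captured: bytes, note: str,
                   collected_at: Optional[datetime] = None) -> Dict:
    """Append one finding. The record hash covers all fields including the
    back-link to the previous record, which is what makes later edits visible."""
    when = collected_at or datetime.now(timezone.utc)
    body = {
        "seq": len(log) + 1,
        "collected_at": when.isoformat(),
        "source_url": source_url,
        "content_sha256": sha256_hex(captured),
        "note": note,
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    body["record_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    log.append(body)
    return body


def verify_chain(log: List[Dict]) -> bool:
    """Recompute every record hash and check sequence numbers and back-links."""
    prev = GENESIS
    for expected_seq, rec in enumerate(log, 1):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec.get("seq") != expected_seq or rec.get("prev_hash") != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec.get("record_hash"):
            return False
        prev = rec["record_hash"]
    return True


def build_sample_log() -> List[Dict]:
    """Three constructed findings with fixed timestamps so output is deterministic."""
    log: List[Dict] = []
    t0 = datetime(2026, 3, 12, 9, 15, tzinfo=timezone.utc)
    record_finding(log, "https://crt.sh/?q=%25examplebank%25&output=json",
                   b'[{"name_value":"examplebank-secure.com"}]',
                   "look-alike domain seen in CT logs", t0)
    record_finding(log, "https://www.shodan.io/host/203.0.113.42",
                   b'{"ip_str":"203.0.113.42","ports":[443]}',
                   "phishing host exposing HTTPS", t0 + timedelta(minutes=20))
    record_finding(log, "https://api.securitytrails.com/v1/history/examplebank-secure.com/dns/a",
                   b'{"records":[{"values":[{"ip":"203.0.113.42"}]}]}',
                   "passive DNS ties domain to the host", t0 + timedelta(minutes=45))
    return log


if __name__ == "__main__":
    evidence = build_sample_log()
    print(json.dumps(evidence, indent=2))
    print("chain intact:", verify_chain(evidence))
```

Store the captured bytes themselves alongside the log (the record only holds their hash), and write the log to append-only storage; the hash chain proves internal consistency, not that the whole file was not replaced, so anchor the final record_hash in the report you sign or hand over.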

Building Your OSINT Workflow

An effective OSINT workflow balances automation with manual analysis:

  • Step 1: Define intelligence requirements (what are you looking for and why)
  • Step 2: Passive data collection (crt.sh, SecurityTrails, theHarvester, Google Dorks)
  • Step 3: Active validation (nmap, Shodan, direct HTTP probing)
  • Step 4: Cross-referencing and correlation (Maltego, custom scripts)
  • Step 5: Reporting and dissemination (structured intelligence reports with source attribution)

For continuous monitoring, schedule passive scans weekly and deep-dive investigations as intelligence requirements evolve. FoxFoster Labs provides a safe environment to practice these techniques against authorised targets.