Open-Source Intelligence (OSINT)

What is OSINT?

Open-Source Intelligence (OSINT) is the practice of collecting, analysing, and reporting on information that is legally and publicly available. Sources include the open web, social media, news, government publications, company filings, forums, academic papers, geospatial data, and more. OSINT turns scattered public data into actionable insight for security, due diligence, investigations, and decision-making.

Why OSINT matters

  • Risk reduction: Identify threats, data leaks, impersonation, and fraud before they escalate.
  • Faster decisions: Answer hard questions without costly fieldwork or intrusive tactics.
  • Transparency & verifiability: Work with sources anyone can check.
  • Ethical by design: Properly conducted OSINT respects laws and privacy, using only public/permissioned data.

Typical use cases

  • Security & threat intelligence: monitoring leak sites, breach chatter, phishing domains, malware indicators (IOCs), and TTPs.
  • Brand protection: spotting fake profiles, infringements, or counterfeit listings.
  • Fraud & due diligence: validating claims about people, companies, assets, and supply chains.
  • Geospatial verification: locating images/videos, validating events with satellite imagery and weather.
  • People & network mapping: public profiles, organisational links, historic posts, and contact surfaces.
  • Incident response support: quickly building timelines and context from public sources.

The OSINT lifecycle (intelligence cycle)

  1. Define the question: What decision will this answer? What’s in-scope/out-of-scope?
  2. Plan & legal check: Ethics, consent, and legal boundaries; collection plan & timebox.
  3. Collect: Targeted, repeatable collection from identified sources.
  4. Process & enrich: Clean, normalise, deduplicate; extract entities (names, emails, domains, locations).
  5. Analyse: Correlate, pivot, and test alternative hypotheses; document caveats.
  6. Report: Clear findings, sources, confidence levels, and next steps.
  7. Review: What worked? What to automate? What to avoid next time?

Sources of OSINT (the “where”)

  • Web & search engines: websites, blogs, press releases, code repositories, cached/archived pages.
  • Social platforms: X/Twitter, LinkedIn, Facebook, Reddit, TikTok, Instagram, YouTube comments/metadata.
  • Domain & network: WHOIS/RDAP, passive DNS, certificate transparency logs, subdomain discovery, ASN data.
  • Documents & datasets: PDFs, spreadsheets, public tenders, FOI publications, gazettes, court listings.
  • Company & NGO: Companies House, charity registers, sanctions lists, procurement portals, international orgs.
  • Academic & patents: Google Scholar, CORE, arXiv, patents (WIPO, EPO).
  • Geospatial: Satellite imagery, OpenStreetMap, Strava heatmaps, shipping/aviation trackers (subject to ToS).
  • Dark web/closed forums: Only if allowed and safe; typically via vetted, legal threat-intel feeds.

Note: Always follow each source’s Terms of Service and applicable law.

Core techniques (the “how”)

  • Advanced search operators: site:, filetype:pdf, “exact phrase”, -exclude, OR, intitle:, cache:
  • Entity correlation: link people ↔ emails ↔ usernames ↔ domains ↔ crypto wallets ↔ locations.
  • Time-boxing: filter by date to track narrative changes and first appearances of claims.
  • Geolocation & chronolocation: landmarks, shadows, weather, transport timetables, vegetation cycles.
  • Metadata checks: EXIF (when present), document properties, commit history, certificate issuers.
  • Archive pivots: Wayback Machine, Mementos, historical WHOIS, old social usernames.
  • Confidence scoring: rate findings (High/Medium/Low) based on source credibility and corroboration.
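One way to make the confidence rating repeatable, shown as an added example that is not part of the original page: reposts are collapsed to the source they copied before corroboration is counted. The `Report` fields, the `.example` source names, and the High/Medium/Low thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Report:
    source: str                      # who published the item
    credible: bool                   # analyst's judgement of that source
    primary: bool                    # original footage/data, not a copy
    repost_of: Optional[str] = None  # source this item was copied from


def origin(report, by_source):
    """Follow repost links back to the source that first published the item."""
    seen, cur = set(), report
    while cur.repost_of and cur.repost_of not in seen:
        seen.add(cur.source)
        if cur.repost_of not in by_source:
            return cur.repost_of     # origin was never collected
        cur = by_source[cur.repost_of]
    return cur.source


def rate(reports):
    """Return (rating, independent credible origins). Thresholds are assumed."""
    by_source = {r.source: r for r in reports}
    origins = {origin(r, by_source) for r in reports}
    # An origin that was not collected cannot be assessed, so it does not count.
    credible = sorted(o for o in origins if o in by_source and by_source[o].credible)
    has_primary = any(by_source[o].primary for o in credible)
    if len(credible) >= 2 and has_primary:
        return "High", credible
    if len(credible) >= 2 or has_primary:
        return "Medium", credible
    return "Low", credible


# Constructed sample: one blog post and ten accounts reposting it.
REPOSTS = [Report("blog.example", True, False)] + [
    Report(f"account{i}.example", True, False, "blog.example") for i in range(10)]
# Constructed sample: two unrelated outlets, one holding the original footage.
INDEPENDENT = [Report("agency.example", True, True),
               Report("local-paper.example", True, False),
               Report("account0.example", False, False, "agency.example")]

if __name__ == "__main__":
    print(rate(REPOSTS))      # one origin behind eleven items
    print(rate(INDEPENDENT))  # two origins, one primary
```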

Validating information (trust, but verify)

  • Corroborate across unrelated sources. Two independent confirmations beat ten reposts.
  • Distinguish primary vs. secondary evidence. Prefer original footage/data over screenshots of screenshots.
  • Check manipulation. Reverse image search; frame-by-frame video review; look for splices/AI artefacts.
  • Bias & deception awareness. Consider incentives: propaganda, marketing, trolling, or SEO farms.
  • Record your trail. Preserve URLs, timestamps, hashes, and screenshots so others can verify.
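A minimal evidence manifest for the "record your trail" step, added here as an example and not taken from the original page: each capture is stored with its URL, UTC timestamp and SHA-256, and every entry commits to the previous one so later edits are detectable. The field names and the `example.org` URL are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry

def _entry_hash(entry):
    """SHA-256 over the canonical JSON of an entry, excluding entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def add_capture(manifest, url, content, captured_at=None):
    """Append one capture record that commits to the record before it."""
    captured_at = captured_at or datetime.now(timezone.utc)
    entry = {
        "seq": len(manifest),
        "url": url,
        "captured_at_utc": captured_at.astimezone(timezone.utc).isoformat(),
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": manifest[-1]["entry_hash"] if manifest else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    manifest.append(entry)
    return entry

def verify(manifest, captures):
    """Return a list of problems; captures maps seq -> stored capture bytes."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(manifest):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            problems.append(f"entry {i}: chain broken")
        if _entry_hash(entry) != entry.get("entry_hash"):
            problems.append(f"entry {i}: record altered")
        data = captures.get(i)
        if data is None:
            problems.append(f"entry {i}: capture missing")
        elif hashlib.sha256(data).hexdigest() != entry["content_sha256"]:
            problems.append(f"entry {i}: capture content changed")
        prev = entry.get("entry_hash")
    return problems

if __name__ == "__main__":
    page = b"<html>constructed capture</html>"  # constructed sample input
    log = []
    add_capture(log, "https://example.org/notice", page)
    print(verify(log, {0: page}), verify(log, {0: page + b" "}))
```

The chain only detects edits to part of the manifest; record the final `entry_hash` somewhere separate (for example in the report itself) so a wholesale rewrite is also detectable.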

Example workflows

1) Company due diligence (UK)

1. Define scope (ownership, financial health, sanctions, litigation).
2. Companies House → directors, filings; Gazette notices → insolvency events.
3. Sanctions & PEP lists; charity register if relevant.
4. News & trade press timeline; social presence; job posts to infer capabilities.
5. Correlate addresses, domains, emails; CT logs for hidden sub-brands.
6. Report with findings + confidence, and list unresolved questions.

2) Incident/claim verification

1. Collect original media (not reposts); retrieve via archive if deleted.
2. Reverse image/video search; identify landmarks.
3. Map likely coordinates (OSM/Google/Bing), confirm camera angles.
4. Check weather/time of day vs. shadows; verify traffic patterns.
5. Cross-check with local news, official statements, and sensor data (if any).
6. Conclude with a likelihood assessment and uncertainties.

Quick reference: search operator cheatsheet

  • Narrow by site: site:gov.uk “consultation”
  • File types: filetype:xls site:nhs.uk “procurement”
  • Exclude noise: “product name” -review -price -buy
  • Find PDFs mentioning a phrase: “confidential” filetype:pdf
  • Explore subpages: inurl:/careers “remote”
  • Timeline view: filter by date range in search tools and news portals.

Tools & categories (non-exhaustive, principles first)

  • Discovery & search: general search engines, academic search, people search, code search.
  • Domain & network: WHOIS/RDAP, CT logs, DNS history, IP/ASN lookups.
  • Media analysis: reverse image/video search, EXIF readers, frame extractors.
  • Geospatial: mapping platforms, elevation/shadow tools, satellite browsers.
  • Archiving: Wayback, perma.cc, local evidence capture (screenshots + hashing).
  • Automation: Python scripts/notebooks, scheduled queries, alerting (respect ToS).

Our approach is tool-agnostic: we choose methods that best fit your question, budget, and legal constraints.

Legal & ethical considerations (UK-focused, not legal advice)

  • Computer Misuse Act 1990: no unauthorised access; OSINT uses public/permissioned data only.
  • Data Protection Act 2018 / UK GDPR: process personal data lawfully, fairly, and minimally; define a purpose and retention period.
  • Copyright & database rights: respect licences and “fair dealing”; avoid bulk scraping that violates ToS or IP rights.
  • Terms of Service: many platforms prohibit automated collection; obtain proper permissions or use compliant feeds.
  • Safety: avoid engaging with criminal marketplaces; prioritise analyst wellbeing and operational security.

Our OSINT ethos

  • Lawful: strict compliance with UK law and platform rules.
  • Transparent: clear sources, timestamps, and confidence ratings.
  • Proportionate: collect only what’s needed; minimise personal data.
  • Reproducible: results others can check and repeat.
  • Secure: protect collected data at rest and in transit; clear retention & deletion policies.

What you receive (typical deliverables)

  • Executive summary: key findings and recommendations in plain English.
  • Detailed report: sources, evidence, pivots, and reasoning.
  • Evidence pack: URLs, captures, hashes, and timelines.
  • Risk ratings: likelihood, impact, and mitigations.
  • Follow-ups: monitoring plans or automation options.

Frequently asked questions

Is OSINT “hacking”?
No. OSINT uses public/permissioned information only and avoids unauthorised access.

Can you guarantee truth?
No single source is infallible. We provide evidence, context, and confidence levels so you can make informed decisions.

Will you collect personal data?
Only when necessary, proportionate, and lawful for the stated purpose—handled under UK GDPR/DPA 2018.

Do you monitor the dark web?
Where appropriate and lawful, we use reputable, compliant intelligence feeds rather than unsafe direct access.

How current is the information?
We time-box searches, log timestamps, and—if required—offer ongoing monitoring with alerts.

Disclaimer: This page is for information only and is not legal advice. Always consult legal counsel for compliance questions.