OSINT Glossary
109 terms across 9 categories — from intelligence disciplines to investigation tradecraft, technical infrastructure, and legal frameworks.
Intelligence Disciplines
- OSINT (Open Source Intelligence)
- Intelligence derived from publicly available sources including websites, social media, public records, and media. The foundation discipline for most modern investigative and security work.
- HUMINT (Human Intelligence)
- Intelligence gathered through interpersonal contact — interviews, informants, elicitation. Often complementary to OSINT when public data alone is insufficient.
- SIGINT (Signals Intelligence)
- Intelligence collected by intercepting electronic signals and communications. Traditionally a government capability, though commercial SIGINT-adjacent tools exist for network analysis.
- GEOINT (Geospatial Intelligence)
- Intelligence derived from imagery, mapping data, and geospatial information. Includes satellite imagery analysis, terrain mapping, and location-based pattern analysis.
- IMINT (Imagery Intelligence)
- Intelligence extracted from visual imagery — satellite photos, aerial surveillance, drone footage. A subset of GEOINT focused specifically on image interpretation.
- FININT (Financial Intelligence)
- Intelligence derived from financial data — transaction records, corporate filings, sanctions lists, and beneficial ownership databases. Critical for fraud investigation and AML compliance.
- CYBINT (Cyber Intelligence)
- Intelligence about threats, vulnerabilities, and actors in the cyber domain. Overlaps heavily with threat intelligence and often involves monitoring dark web forums and breach data.
- MASINT (Measurement and Signature Intelligence)
- Intelligence obtained from detecting and analyzing signatures from sensors — radar, nuclear, chemical, biological. Primarily a military/government discipline with limited OSINT crossover.
- TECHINT (Technical Intelligence)
- Intelligence derived from analysis of foreign equipment, technology, and weapons systems. Mostly relevant in defense and state-level contexts.
- COMINT (Communications Intelligence)
- Intelligence from intercepted communications between people. A subcategory of SIGINT focused on message content rather than signals metadata.
- ELINT (Electronic Intelligence)
- Intelligence from non-communication electronic signals such as radar emissions. Another SIGINT subcategory, primarily military.
Core OSINT Concepts & Techniques
- Passive Reconnaissance
- Gathering intelligence without directly interacting with the target. Examples: reading public social media profiles, searching cached pages, querying WHOIS databases. Leaves no trace with the target.
- Active Reconnaissance
- Gathering intelligence through direct interaction with the target — port scanning, probing web applications, sending test emails. Riskier because the target may detect the activity.
- Pivot Analysis
- Using one piece of discovered data (an email, username, phone number) to find additional related data across different platforms and sources. The fundamental OSINT workflow.
- Digital Footprint
- The totality of data traces a person or organization leaves online — social accounts, forum posts, metadata, DNS records, public filings. Reducing this is the goal of operational security.
- Attribution
- The process of identifying the real person, group, or entity behind online activity. Often the end goal of an OSINT investigation.
- Sock Puppet
- A fake online identity created for investigative purposes — to access closed groups, interact with targets, or avoid revealing the investigator's real identity. Requires careful construction to be credible.
- Operational Security (OPSEC)
- Practices to protect the investigator's identity, methods, and intentions during research. Includes using VPNs, burner accounts, VMs, and avoiding patterns that could identify you.
- Deniable Infrastructure
- Systems (VPNs, VMs, burner devices, temporary email addresses) set up so that investigative activity cannot be easily traced back to the analyst or their organization.
- Collection Management
- The process of planning, prioritizing, and organizing intelligence collection to avoid duplication and ensure completeness. Especially important in team investigations.
- Intelligence Cycle
- The iterative process of direction, collection, processing, analysis, and dissemination. OSINT follows the same cycle used in traditional intelligence work.
- Indicator of Compromise (IOC)
- A piece of forensic data (IP address, file hash, domain name, email address) that indicates a system may have been breached. A core input to threat intelligence workflows.
- Link Analysis
- Mapping relationships between entities — people, organizations, accounts, phone numbers, addresses — to reveal hidden connections. Often visualized as network graphs.
- Pattern of Life Analysis
- Studying a target's habitual behaviors — posting times, travel patterns, communication frequency — to build a behavioral profile or predict future activity.
- Selectors
- Specific data points used to identify or track a target — email addresses, phone numbers, usernames, IP addresses. The starting inputs for most OSINT investigations.
- Correlation
- Connecting data from multiple independent sources to build a more complete picture. Stronger conclusions come from corroborating across different data types.
- Data Enrichment
- Augmenting raw data with additional context from other sources. Example: taking an IP address and enriching it with geolocation, ASN, hosting provider, and threat reputation data.
- Target Development
- The iterative process of building a comprehensive profile of a subject using progressively deeper research across multiple data sources.
- Threat Modeling
- Identifying what assets need protection, who the likely adversaries are, and what attack vectors they might use. Shapes the scope and priorities of intelligence collection.
Search Techniques & Tradecraft
- Google Dorking
- Using advanced search operators (site:, filetype:, inurl:, intitle:) to find specific content indexed by Google that wouldn't appear in normal searches. Powerful for finding exposed files, login pages, and sensitive documents.
- Boolean Search
- Using AND, OR, NOT, and parentheses to build precise search queries. Essential for effective searching across search engines, databases, and social media platforms.
- Reverse Image Search
- Uploading an image to find where else it appears online, identify its origin, or find visually similar images. Google Images, TinEye, and Yandex each have different strengths.
- EXIF Data
- Metadata embedded in photos by cameras and phones — GPS coordinates, device model, timestamp, camera settings. A valuable intelligence source when not stripped by the platform.
- Metadata Analysis
- Examining the hidden data embedded in files (documents, images, PDFs) that can reveal author names, software versions, creation dates, GPS coordinates, and edit history.
- Geolocation
- Determining the real-world location where a photo or video was taken by analyzing visual clues (landmarks, signage, vegetation, shadows, architecture) and cross-referencing with maps and street-level imagery.
- Chronolocation
- Determining when a photo or video was taken by analyzing shadows, sun position, lighting conditions, and contextual clues like weather or seasonal indicators.
- Username Enumeration
- Systematically searching for a specific username across hundreds of platforms to map a person's online presence. Tools like Sherlock and Maigret automate this.
- Email Permutation
- Generating likely email address variations (firstname.lastname@, f.lastname@, firstnamelastname@) for a target and testing them against known services or breach databases.
- Domain Footprinting
- Mapping all assets associated with a domain — subdomains, DNS records, mail servers, IP ranges, SSL certificates, and associated domains.
- Certificate Transparency Logs
- Publicly accessible logs of all SSL/TLS certificates issued by certificate authorities. Useful for discovering subdomains, associated domains, and infrastructure changes.
- Cached Pages
- Saved snapshots of web pages stored by search engines or archival services. Critical for accessing content that has been deleted or modified since the original visit.
- Wayback Machine
- The Internet Archive's web archiving service that stores historical snapshots of websites. Invaluable for viewing deleted content, tracking changes over time, and finding old site versions.
- Google Cache
- Google's stored copy of a web page from its last crawl. Useful for quickly viewing recently changed or removed content before it falls out of the index.
Technical & Infrastructure Terms
- WHOIS
- A protocol and database system for querying the registered owners of domain names and IP address blocks. Privacy services and GDPR have reduced its usefulness, but it remains a fundamental lookup tool.
- DNS (Domain Name System)
- The system that translates domain names to IP addresses. DNS records (A, MX, TXT, CNAME, NS) are a rich source of infrastructure intelligence.
- DNS Enumeration
- Systematically discovering DNS records associated with a domain — subdomains, mail servers, name servers, TXT records. Reveals infrastructure that may not be publicly linked.
- Subdomain Enumeration
- Discovering all subdomains associated with a root domain using DNS brute-forcing, certificate transparency logs, search engines, and passive DNS databases.
- Passive DNS
- Historical records of DNS resolutions collected by sensors across the internet. Shows what domains pointed to which IPs over time, even after records change.
- ASN (Autonomous System Number)
- A unique identifier assigned to a network operator (ISP, cloud provider, enterprise). Useful for mapping all IP ranges and domains associated with an organization.
- IP Geolocation
- Mapping an IP address to an approximate physical location. Accuracy varies from city-level to country-level depending on the IP type and database quality.
- Web Scraping
- Automated extraction of data from websites. A core OSINT technique used to collect structured data from pages that don't offer APIs or downloadable datasets.
- API Enumeration
- Discovering and probing application programming interfaces to find accessible endpoints that may expose data — user lookups, search functionality, or internal records.
- Shodan
- A search engine that indexes internet-connected devices (servers, IoT, industrial controls, webcams). Frequently used to find exposed infrastructure and assess an organization's attack surface.
- Censys
- A search engine for internet-connected devices and infrastructure, similar to Shodan but with stronger focus on certificate and protocol data.
- Web Application Fingerprinting
- Identifying the technologies, frameworks, CMS platforms, and server software a website runs on. Reveals potential vulnerabilities and organizational technology choices.
- TLS/SSL Certificate
- Cryptographic certificates that enable encrypted web connections. The data in certificates (issuer, subject, SANs, validity dates) provides valuable infrastructure intelligence.
- Hash (File Hash)
- A unique digital fingerprint generated from a file's contents (MD5, SHA-1, SHA-256). Used in threat intelligence to identify malicious files without needing the file itself.
- VPN (Virtual Private Network)
- Encrypts internet traffic and routes it through a remote server, masking the user's real IP address. Essential OPSEC tool for investigators.
- Tor (The Onion Router)
- An anonymity network that routes traffic through multiple encrypted relays. Used both for investigator anonymity and as the infrastructure layer for .onion dark web sites.
Data Sources & Databases
- Public Records
- Government-maintained records available to the public — court filings, property deeds, business registrations, voter rolls, UCC filings, and bankruptcy records.
- Breach Data
- Leaked databases from security breaches containing usernames, passwords, emails, and personal data. Used in threat intelligence and credential monitoring, but possession may have legal implications.
- Paste Sites
- Platforms like Pastebin where users anonymously post text. Frequently used to dump stolen credentials, share exploits, or publish leaked information.
- Dark Web
- Websites accessible only through overlay networks like Tor (.onion sites). Hosts marketplaces, forums, and leak sites relevant to threat intelligence and criminal investigations.
- Deep Web
- Web content not indexed by standard search engines — password-protected sites, databases, private forums, and paywalled content. Often confused with the dark web, but far larger and mostly mundane.
- Court Records
- Legal filings, case documents, judgments, and dockets available through systems like PACER (US federal) or state court portals. Rich source for due diligence and background research.
- Corporate Registries
- Government databases listing registered companies, directors, registered agents, and filings. Examples: SEC EDGAR (US), Companies House (UK), OpenCorporates (aggregator).
- Beneficial Ownership Registry
- Databases disclosing the real individuals who ultimately own or control legal entities. Increasingly mandated by anti-money-laundering regulations globally.
- Sanctions Lists
- Government-maintained lists of individuals, entities, and countries subject to trade restrictions or asset freezes. Key sources: OFAC (US), EU Consolidated List, UN Security Council.
- Data Broker
- Companies that aggregate and sell personal information — addresses, phone numbers, employment history, relatives, property records. People-search sites are consumer-facing data brokers.
- Public Datasets
- Open data published by governments, NGOs, and researchers — census data, environmental monitoring, transportation records, procurement databases.
- Leaked Documents
- Documents released without authorization, whether through whistleblowers, hackers, or accidental exposure. Sources include WikiLeaks, ICIJ, and various journalistic investigations.
Practitioner Roles & Contexts
- Threat Intelligence Analyst
- Monitors, analyzes, and reports on cyber threats — malware campaigns, threat actors, and vulnerabilities. Heavy user of OSINT, dark web monitoring, and IOC analysis.
- Due Diligence Investigator
- Conducts background research on individuals and companies for business transactions — M&A, investments, partnerships. Relies heavily on corporate records, litigation searches, and media analysis.
- Red Team
- Offensive security professionals who simulate real-world attacks against an organization to test its defenses. Uses OSINT in the reconnaissance phase to identify targets and attack vectors.
- Blue Team
- Defensive security professionals responsible for detecting and responding to threats. Consumes OSINT-derived threat intelligence to inform monitoring and incident response.
- Purple Team
- A collaborative approach combining red team (offensive) and blue team (defensive) functions to improve security through shared findings and continuous feedback.
- Penetration Tester
- Security professional authorized to probe systems for vulnerabilities. OSINT reconnaissance is typically the first phase of any penetration test.
- OSINT Analyst
- Specialist in collecting and analyzing publicly available information. Works across sectors — government intelligence, corporate security, journalism, law enforcement, and private investigation.
- Investigative Journalist
- Reporter who uses OSINT techniques to research stories — following money trails, identifying sources, verifying claims, and mapping networks.
- Fraud Investigator
- Examines financial transactions, identity records, and behavioral patterns to detect and document fraudulent activity. FININT and OSINT are primary toolkits.
- Competitive Intelligence Analyst
- Gathers and analyzes publicly available information about competitors — pricing, hiring patterns, patent filings, product launches — to inform business strategy.
- Bug Bounty Hunter
- Independent security researcher who finds and reports vulnerabilities in exchange for rewards. OSINT reconnaissance is a critical first step for identifying in-scope targets and attack surface.
Frameworks & Methodologies
- Intelligence Requirements
- Specific questions that an investigation needs to answer. Defining these upfront prevents scope creep and ensures collection efforts stay focused.
- OSINT Framework
- Either the methodology for conducting OSINT investigations or, specifically, osintframework.com — a categorized directory of OSINT tools and resources organized by data type.
- Cyber Kill Chain
- Lockheed Martin's model of attack stages: reconnaissance, weaponization, delivery, exploitation, installation, command & control, actions on objectives. OSINT maps primarily to the reconnaissance stage.
- MITRE ATT&CK
- A knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. The standard reference framework for threat intelligence analysis.
- Diamond Model
- An intrusion analysis framework that maps incidents across four vertices: adversary, capability, infrastructure, and victim. Used to structure threat intelligence analysis.
- Traffic Light Protocol (TLP)
- A standard for classifying information-sharing sensitivity: TLP:RED (named recipients only), TLP:AMBER (limited sharing), TLP:GREEN (community), TLP:CLEAR (public).
- Admiralty Code
- A system for rating intelligence reliability using two scales: source reliability (A–F) and information confidence (1–6). Helps consumers assess intelligence quality.
- Structured Analytic Techniques (SATs)
- Methods designed to reduce cognitive bias in analysis — Analysis of Competing Hypotheses (ACH), key assumptions check, red hat analysis, devil's advocacy.
- Analysis of Competing Hypotheses (ACH)
- A structured analytic technique that systematically evaluates evidence against multiple hypotheses to reduce confirmation bias. Particularly useful when evidence is ambiguous.
Legal, Ethical & Privacy
- PII (Personally Identifiable Information)
- Any data that can identify a specific individual — name, SSN, email, phone number, biometric data. Handling PII triggers legal obligations in most jurisdictions.
- GDPR (General Data Protection Regulation)
- EU regulation governing the collection, processing, and storage of personal data. Affects OSINT practitioners worldwide when researching EU residents or using EU-based services.
- CCPA (California Consumer Privacy Act)
- California law giving residents rights over their personal data, including the right to know what's collected and request deletion. Similar to GDPR in intent.
- Terms of Service (ToS)
- The legal agreement between a platform and its users. Scraping, fake accounts, and automated access typically violate ToS, which can result in bans and, in some jurisdictions, legal liability.
- Computer Fraud and Abuse Act (CFAA)
- US federal law criminalizing unauthorized computer access. Relevant to OSINT practitioners because "unauthorized access" boundaries are still being defined by courts.
- Right to Be Forgotten
- GDPR provision allowing individuals to request removal of personal data from search engines and databases. Complicates long-term OSINT investigations on EU subjects.
- Duty of Care
- The ethical obligation to avoid causing unnecessary harm to subjects of investigation. Even when data is public, publishing or aggregating it can put people at risk.
- Proportionality
- The principle that investigative methods should be proportionate to the objective. Collecting everything possible about a subject when only one question needs answering violates this principle.
- Data Minimization
- The principle of collecting only the data necessary for a specific purpose, rather than hoovering up everything available. A GDPR requirement and ethical best practice.
Operational Terms
- Burnt
- When an investigative account, IP address, or tool has been detected and blocked by the target or platform. Requires switching to fresh infrastructure.
- Persona Management
- Creating, maintaining, and managing fake online identities for investigative purposes. Includes backstory development, consistent activity patterns, and platform-specific credibility building.
- Sanitization
- Removing metadata, identifying information, or sensitive details from files or reports before sharing. Prevents accidental exposure of sources, methods, or analyst identity.
- OpSec Failure
- A mistake that exposes the investigator's identity, methods, or intentions to the target. Common examples: using a personal account, clicking a link that reveals your IP, or consistent timing patterns.
- Rabbit Hole
- An investigative tangent that consumes time without producing actionable intelligence. Recognizing and avoiding rabbit holes is a key analyst skill.
- Footprinting
- The initial phase of reconnaissance where an analyst maps out a target's online presence, infrastructure, and digital footprint before deeper investigation.
- Enumeration
- Systematically extracting detailed information from a target — usernames, email formats, subdomains, open ports, employee lists. More structured and exhaustive than general reconnaissance.
A
- Active Reconnaissance
- Gathering intelligence through direct interaction with the target — port scanning, probing web applications, sending test emails. Riskier because the target may detect the activity. — Core OSINT Concepts & Techniques
- Admiralty Code
- A system for rating intelligence reliability using two scales: source reliability (A–F) and information confidence (1–6). Helps consumers assess intelligence quality. — Frameworks & Methodologies
- Analysis of Competing Hypotheses (ACH)
- A structured analytic technique that systematically evaluates evidence against multiple hypotheses to reduce confirmation bias. Particularly useful when evidence is ambiguous. — Frameworks & Methodologies
- API Enumeration
- Discovering and probing application programming interfaces to find accessible endpoints that may expose data — user lookups, search functionality, or internal records. — Technical & Infrastructure Terms
- ASN (Autonomous System Number)
- A unique identifier assigned to a network operator (ISP, cloud provider, enterprise). Useful for mapping all IP ranges and domains associated with an organization. — Technical & Infrastructure Terms
- Attribution
- The process of identifying the real person, group, or entity behind online activity. Often the end goal of an OSINT investigation. — Core OSINT Concepts & Techniques
B
- Beneficial Ownership Registry
- Databases disclosing the real individuals who ultimately own or control legal entities. Increasingly mandated by anti-money-laundering regulations globally. — Data Sources & Databases
- Blue Team
- Defensive security professionals responsible for detecting and responding to threats. Consumes OSINT-derived threat intelligence to inform monitoring and incident response. — Practitioner Roles & Contexts
- Boolean Search
- Using AND, OR, NOT, and parentheses to build precise search queries. Essential for effective searching across search engines, databases, and social media platforms. — Search Techniques & Tradecraft
- Breach Data
- Leaked databases from security breaches containing usernames, passwords, emails, and personal data. Used in threat intelligence and credential monitoring, but possession may have legal implications. — Data Sources & Databases
- Breadcrumbs
- Small, seemingly insignificant data points that, when followed sequentially, lead to significant findings. The trail an investigation follows during pivot analysis. — Operational Terms
- Bug Bounty Hunter
- Independent security researcher who finds and reports vulnerabilities in exchange for rewards. OSINT reconnaissance is a critical first step for identifying in-scope targets and attack surface. — Practitioner Roles & Contexts
- Burnt
- When an investigative account, IP address, or tool has been detected and blocked by the target or platform. Requires switching to fresh infrastructure. — Operational Terms
C
- Cached Pages
- Saved snapshots of web pages stored by search engines or archival services. Critical for accessing content that has been deleted or modified since the original visit. — Search Techniques & Tradecraft
- CCPA (California Consumer Privacy Act)
- California law giving residents rights over their personal data, including the right to know what's collected and request deletion. Similar to GDPR in intent. — Legal, Ethical & Privacy
- Censys
- A search engine for internet-connected devices and infrastructure, similar to Shodan but with stronger focus on certificate and protocol data. — Technical & Infrastructure Terms
- Certificate Transparency Logs
- Publicly accessible logs of all SSL/TLS certificates issued by certificate authorities. Useful for discovering subdomains, associated domains, and infrastructure changes. — Search Techniques & Tradecraft
- Chronolocation
- Determining when a photo or video was taken by analyzing shadows, sun position, lighting conditions, and contextual clues like weather or seasonal indicators. — Search Techniques & Tradecraft
- Collection Management
- The process of planning, prioritizing, and organizing intelligence collection to avoid duplication and ensure completeness. Especially important in team investigations. — Core OSINT Concepts & Techniques
- COMINT (Communications Intelligence)
- Intelligence from intercepted communications between people. A subcategory of SIGINT focused on message content rather than signals metadata. — Intelligence Disciplines
- Competitive Intelligence Analyst
- Gathers and analyzes publicly available information about competitors — pricing, hiring patterns, patent filings, product launches — to inform business strategy. — Practitioner Roles & Contexts
- Computer Fraud and Abuse Act (CFAA)
- US federal law criminalizing unauthorized computer access. Relevant to OSINT practitioners because "unauthorized access" boundaries are still being defined by courts. — Legal, Ethical & Privacy
- Corporate Registries
- Government databases listing registered companies, directors, registered agents, and filings. Examples: SEC EDGAR (US), Companies House (UK), OpenCorporates (aggregator). — Data Sources & Databases
- Correlation
- Connecting data from multiple independent sources to build a more complete picture. Stronger conclusions come from corroborating across different data types. — Core OSINT Concepts & Techniques
- Court Records
- Legal filings, case documents, judgments, and dockets available through systems like PACER (US federal) or state court portals. Rich source for due diligence and background research. — Data Sources & Databases
- Cyber Kill Chain
- Lockheed Martin's model of attack stages: reconnaissance, weaponization, delivery, exploitation, installation, command & control, actions on objectives. OSINT maps primarily to the reconnaissance stage. — Frameworks & Methodologies
- CYBINT (Cyber Intelligence)
- Intelligence about threats, vulnerabilities, and actors in the cyber domain. Overlaps heavily with threat intelligence and often involves monitoring dark web forums and breach data. — Intelligence Disciplines
D
- Dark Web
- Websites accessible only through overlay networks like Tor (.onion sites). Hosts marketplaces, forums, and leak sites relevant to threat intelligence and criminal investigations. — Data Sources & Databases
- Data Broker
- Companies that aggregate and sell personal information — addresses, phone numbers, employment history, relatives, property records. People-search sites are consumer-facing data brokers. — Data Sources & Databases
- Data Enrichment
- Augmenting raw data with additional context from other sources. Example: taking an IP address and enriching it with geolocation, ASN, hosting provider, and threat reputation data. — Core OSINT Concepts & Techniques
- Data Minimization
- The principle of collecting only the data necessary for a specific purpose, rather than hoovering up everything available. A GDPR requirement and ethical best practice. — Legal, Ethical & Privacy
- Deep Web
- Web content not indexed by standard search engines — password-protected sites, databases, private forums, and paywalled content. Often confused with the dark web, but far larger and mostly mundane. — Data Sources & Databases
- Deniable Infrastructure
- Systems (VPNs, VMs, burner devices, temporary email addresses) set up so that investigative activity cannot be easily traced back to the analyst or their organization. — Core OSINT Concepts & Techniques
- Diamond Model
- An intrusion analysis framework that maps incidents across four vertices: adversary, capability, infrastructure, and victim. Used to structure threat intelligence analysis. — Frameworks & Methodologies
- Digital Footprint
- The totality of data traces a person or organization leaves online — social accounts, forum posts, metadata, DNS records, public filings. Reducing this is the goal of operational security. — Core OSINT Concepts & Techniques
- DNS (Domain Name System)
- The system that translates domain names to IP addresses. DNS records (A, MX, TXT, CNAME, NS) are a rich source of infrastructure intelligence. — Technical & Infrastructure Terms
- DNS Enumeration
- Systematically discovering DNS records associated with a domain — subdomains, mail servers, name servers, TXT records. Reveals infrastructure that may not be publicly linked. — Technical & Infrastructure Terms
- Domain Footprinting
- Mapping all assets associated with a domain — subdomains, DNS records, mail servers, IP ranges, SSL certificates, and associated domains. — Search Techniques & Tradecraft
- Due Diligence Investigator
- Conducts background research on individuals and companies for business transactions — M&A, investments, partnerships. Relies heavily on corporate records, litigation searches, and media analysis. — Practitioner Roles & Contexts
- Duty of Care
- The ethical obligation to avoid causing unnecessary harm to subjects of investigation. Even when data is public, publishing or aggregating it can put people at risk. — Legal, Ethical & Privacy
E
- ELINT (Electronic Intelligence)
- Intelligence from non-communication electronic signals such as radar emissions. Another SIGINT subcategory, primarily military. — Intelligence Disciplines
- Email Permutation
- Generating likely email address variations (firstname.lastname@, f.lastname@, firstnamelastname@) for a target and testing them against known services or breach databases. — Search Techniques & Tradecraft
- Enumeration
- Systematically extracting detailed information from a target — usernames, email formats, subdomains, open ports, employee lists. More structured and exhaustive than general reconnaissance. — Operational Terms
- EXIF Data
- Metadata embedded in photos by cameras and phones — GPS coordinates, device model, timestamp, camera settings. A valuable intelligence source when not stripped by the platform. — Search Techniques & Tradecraft
F
- FININT (Financial Intelligence)
- Intelligence derived from financial data — transaction records, corporate filings, sanctions lists, and beneficial ownership databases. Critical for fraud investigation and AML compliance. — Intelligence Disciplines
- Footprinting
- The initial phase of reconnaissance where an analyst maps out a target's online presence, infrastructure, and digital footprint before deeper investigation. — Operational Terms
- Fraud Investigator
- Examines financial transactions, identity records, and behavioral patterns to detect and document fraudulent activity. FININT and OSINT are primary toolkits. — Practitioner Roles & Contexts
G
- GDPR (General Data Protection Regulation)
- EU regulation governing the collection, processing, and storage of personal data. Affects OSINT practitioners worldwide when researching EU residents or using EU-based services. — Legal, Ethical & Privacy
- GEOINT (Geospatial Intelligence)
- Intelligence derived from imagery, mapping data, and geospatial information. Includes satellite imagery analysis, terrain mapping, and location-based pattern analysis. — Intelligence Disciplines
- Geolocation
- Determining the real-world location where a photo or video was taken by analyzing visual clues (landmarks, signage, vegetation, shadows, architecture) and cross-referencing with maps and street-level imagery. — Search Techniques & Tradecraft
- Google Cache
- Google's stored copy of a web page from its last crawl. Useful for quickly viewing recently changed or removed content before it falls out of the index. — Search Techniques & Tradecraft
- Google Dorking
- Using advanced search operators (site:, filetype:, inurl:, intitle:) to find specific content indexed by Google that wouldn't appear in normal searches. Powerful for finding exposed files, login pages, and sensitive documents. — Search Techniques & Tradecraft
H
- Hash (File Hash)
- A unique digital fingerprint generated from a file's contents (MD5, SHA-1, SHA-256). Used in threat intelligence to identify malicious files without needing the file itself. — Technical & Infrastructure Terms
- HUMINT (Human Intelligence)
- Intelligence gathered through interpersonal contact — interviews, informants, elicitation. Often complementary to OSINT when public data alone is insufficient. — Intelligence Disciplines
I
- IMINT (Imagery Intelligence)
- Intelligence extracted from visual imagery — satellite photos, aerial surveillance, drone footage. A subset of GEOINT focused specifically on image interpretation. — Intelligence Disciplines
- Indicator of Compromise (IOC)
- A piece of forensic data (IP address, file hash, domain name, email address) that indicates a system may have been breached. A core input to threat intelligence workflows. — Core OSINT Concepts & Techniques
- Intelligence Cycle
- The iterative process of direction, collection, processing, analysis, and dissemination. OSINT follows the same cycle used in traditional intelligence work. — Core OSINT Concepts & Techniques
- Intelligence Requirements
- Specific questions that an investigation needs to answer. Defining these upfront prevents scope creep and ensures collection efforts stay focused. — Frameworks & Methodologies
- Investigative Journalist
- Reporter who uses OSINT techniques to research stories — following money trails, identifying sources, verifying claims, and mapping networks. — Practitioner Roles & Contexts
- IP Geolocation
- Mapping an IP address to an approximate physical location. Accuracy varies from city-level to country-level depending on the IP type and database quality. — Technical & Infrastructure Terms
L
- Leaked Documents
- Documents released without authorization, whether through whistleblowers, hackers, or accidental exposure. Sources include WikiLeaks, ICIJ, and various journalistic investigations. — Data Sources & Databases
- Link Analysis
- Mapping relationships between entities — people, organizations, accounts, phone numbers, addresses — to reveal hidden connections. Often visualized as network graphs. — Core OSINT Concepts & Techniques
M
- MASINT (Measurement and Signature Intelligence)
- Intelligence obtained from detecting and analyzing signatures from sensors — radar, nuclear, chemical, biological. Primarily a military/government discipline with limited OSINT crossover. — Intelligence Disciplines
- Metadata Analysis
- Examining the hidden data embedded in files (documents, images, PDFs) that can reveal author names, software versions, creation dates, GPS coordinates, and edit history. — Search Techniques & Tradecraft
- MITRE ATT&CK
- A knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. The standard reference framework for threat intelligence analysis. — Frameworks & Methodologies
O
- Operational Security (OPSEC)
- Practices to protect the investigator's identity, methods, and intentions during research. Includes using VPNs, burner accounts, VMs, and avoiding patterns that could identify you. — Core OSINT Concepts & Techniques
- OPSEC Failure
- A mistake that exposes the investigator's identity, methods, or intentions to the target. Common examples: using a personal account, clicking a link that reveals your IP, or consistent timing patterns. — Operational Terms
- OSINT (Open Source Intelligence)
- Intelligence derived from publicly available sources including websites, social media, public records, and media. The foundation discipline for most modern investigative and security work. — Intelligence Disciplines
- OSINT Analyst
- Specialist in collecting and analyzing publicly available information. Works across sectors — government intelligence, corporate security, journalism, law enforcement, and private investigation. — Practitioner Roles & Contexts
- OSINT Framework
- Either the methodology for conducting OSINT investigations or, specifically, osintframework.com — a categorized directory of OSINT tools and resources organized by data type. — Frameworks & Methodologies
P
- Passive DNS
- Historical records of DNS resolutions collected by sensors across the internet. Shows which domains pointed to which IPs over time, even after records change. — Technical & Infrastructure Terms
- Passive Reconnaissance
- Gathering intelligence without directly interacting with the target. Examples: reading public social media profiles, searching cached pages, querying WHOIS databases. Leaves no trace with the target. — Core OSINT Concepts & Techniques
- Paste Sites
- Platforms like Pastebin where users anonymously post text. Frequently used to dump stolen credentials, share exploits, or publish leaked information. — Data Sources & Databases
- Pattern of Life Analysis
- Studying a target's habitual behaviors — posting times, travel patterns, communication frequency — to build a behavioral profile or predict future activity. — Core OSINT Concepts & Techniques
- Penetration Tester
- Security professional authorized to probe systems for vulnerabilities. OSINT reconnaissance is typically the first phase of any penetration test. — Practitioner Roles & Contexts
- Persona Management
- Creating, maintaining, and managing fake online identities for investigative purposes. Includes backstory development, consistent activity patterns, and platform-specific credibility building. — Operational Terms
- PII (Personally Identifiable Information)
- Any data that can identify a specific individual — name, SSN, email, phone number, biometric data. Handling PII triggers legal obligations in most jurisdictions. — Legal, Ethical & Privacy
- Pivot Analysis
- Using one piece of discovered data (an email, username, phone number) to find additional related data across different platforms and sources. The fundamental OSINT workflow. — Core OSINT Concepts & Techniques
- Proportionality
- The principle that investigative methods should be proportionate to the objective. Collecting everything possible about a subject when only one question needs answering violates this principle. — Legal, Ethical & Privacy
- Public Datasets
- Open data published by governments, NGOs, and researchers — census data, environmental monitoring, transportation records, procurement databases. — Data Sources & Databases
- Public Records
- Government-maintained records available to the public — court filings, property deeds, business registrations, voter rolls, UCC filings, and bankruptcy records. — Data Sources & Databases
- Purple Team
- A collaborative approach combining red team (offensive) and blue team (defensive) functions to improve security through shared findings and continuous feedback. — Practitioner Roles & Contexts
R
- Rabbit Hole
- An investigative tangent that consumes time without producing actionable intelligence. Recognizing and avoiding rabbit holes is a key analyst skill. — Operational Terms
- Red Team
- Offensive security professionals who simulate real-world attacks against an organization to test its defenses. Uses OSINT in the reconnaissance phase to identify targets and attack vectors. — Practitioner Roles & Contexts
- Reverse Image Search
- Uploading an image to find where else it appears online, identify its origin, or find visually similar images. Google Images, TinEye, and Yandex each have different strengths. — Search Techniques & Tradecraft
- Right to Be Forgotten
- GDPR provision allowing individuals to request removal of personal data from search engines and databases. Complicates long-term OSINT investigations on EU subjects. — Legal, Ethical & Privacy
S
- Sanctions Lists
- Government-maintained lists of individuals, entities, and countries subject to trade restrictions or asset freezes. Key sources: OFAC (US), EU Consolidated List, UN Security Council. — Data Sources & Databases
- Sanitization
- Removing metadata, identifying information, or sensitive details from files or reports before sharing. Prevents accidental exposure of sources, methods, or analyst identity. — Operational Terms
- Selectors
- Specific data points used to identify or track a target — email addresses, phone numbers, usernames, IP addresses. The starting inputs for most OSINT investigations. — Core OSINT Concepts & Techniques
- Shodan
- A search engine that indexes internet-connected devices (servers, IoT, industrial controls, webcams). Frequently used to find exposed infrastructure and assess an organization's attack surface. — Technical & Infrastructure Terms
- SIGINT (Signals Intelligence)
- Intelligence collected by intercepting electronic signals and communications. Traditionally a government capability, though commercial SIGINT-adjacent tools exist for network analysis. — Intelligence Disciplines
- Sock Puppet
- A fake online identity created for investigative purposes — to access closed groups, interact with targets, or avoid revealing the investigator's real identity. Requires careful construction to be credible. — Core OSINT Concepts & Techniques
- SOCMINT (Social Media Intelligence)
- Intelligence gathered from social media platforms. Covers profile analysis, network mapping, sentiment tracking, and content monitoring across platforms like X, Facebook, LinkedIn, and Telegram. — Intelligence Disciplines
- Structured Analytic Techniques (SATs)
- Methods designed to reduce cognitive bias in analysis — Analysis of Competing Hypotheses (ACH), key assumptions check, red hat analysis, devil's advocacy. — Frameworks & Methodologies
- Subdomain Enumeration
- Discovering all subdomains associated with a root domain using DNS brute-forcing, certificate transparency logs, search engines, and passive DNS databases. — Technical & Infrastructure Terms
T
- Target Development
- The iterative process of building a comprehensive profile of a subject using progressively deeper research across multiple data sources. — Core OSINT Concepts & Techniques
- TECHINT (Technical Intelligence)
- Intelligence derived from analysis of foreign equipment, technology, and weapons systems. Mostly relevant in defense and state-level contexts. — Intelligence Disciplines
- Terms of Service (ToS)
- The legal agreement between a platform and its users. Scraping, fake accounts, and automated access typically violate ToS, which can result in bans and, in some jurisdictions, legal liability. — Legal, Ethical & Privacy
- Threat Intelligence Analyst
- Monitors, analyzes, and reports on cyber threats — malware campaigns, threat actors, and vulnerabilities. Heavy user of OSINT, dark web monitoring, and IOC analysis. — Practitioner Roles & Contexts
- Threat Modeling
- Identifying what assets need protection, who the likely adversaries are, and what attack vectors they might use. Shapes the scope and priorities of intelligence collection. — Core OSINT Concepts & Techniques
- TLS/SSL Certificate
- Cryptographic certificates that enable encrypted web connections. The data in certificates (issuer, subject, SANs, validity dates) provides valuable infrastructure intelligence. — Technical & Infrastructure Terms
- Tor (The Onion Router)
- An anonymity network that routes traffic through multiple encrypted relays. Used both for investigator anonymity and as the infrastructure layer for .onion dark web sites. — Technical & Infrastructure Terms
- Traffic Light Protocol (TLP)
- A standard for classifying information sharing sensitivity: TLP:RED (named recipients only), TLP:AMBER (limited sharing), TLP:GREEN (community), TLP:CLEAR (public). — Frameworks & Methodologies
U
- Username Enumeration
- Systematically searching for a specific username across hundreds of platforms to map a person's online presence. Tools like Sherlock and Maigret automate this. — Search Techniques & Tradecraft
V
- VPN (Virtual Private Network)
- Encrypts internet traffic and routes it through a remote server, masking the user's real IP address. Essential OPSEC tool for investigators. — Technical & Infrastructure Terms
W
- Wayback Machine
- The Internet Archive's web archiving service that stores historical snapshots of websites. Invaluable for viewing deleted content, tracking changes over time, and finding old site versions. — Search Techniques & Tradecraft
- Web Application Fingerprinting
- Identifying the technologies, frameworks, CMS platforms, and server software a website runs on. Reveals potential vulnerabilities and organizational technology choices. — Technical & Infrastructure Terms
- Web Scraping
- Automated extraction of data from websites. A core OSINT technique used to collect structured data from pages that don't offer APIs or downloadable datasets. — Technical & Infrastructure Terms
- WHOIS
- A protocol and database system for querying the registered owners of domain names and IP address blocks. Privacy services and GDPR have reduced its usefulness, but it remains a fundamental lookup tool. — Technical & Infrastructure Terms