OSINT Guides
Practical techniques and workflows for open source intelligence practitioners.
AIS Marine Tracking with SDR: Build Your Own Ship Receiver
How to set up an AIS ship tracking receiver using an RTL-SDR dongle — decoding vessel positions, receiving AIS messages, and contributing to tracking networks.
Best OSINT Accounts to Follow on X (Twitter) in 2026
The 25 X accounts that professional OSINT analysts actually follow — practitioners, investigative journalism orgs, threat intelligence researchers, and training resources.
Best OSINT GitHub Repositories in 2026
The top GitHub repositories for OSINT — curated lists, automation frameworks, username lookup, email investigation, phone OSINT, and threat intelligence tools. Stars verified April 2026.
Best OSINT Newsletters: Staying Current in Open Source Intelligence
The newsletters worth subscribing to if you want to stay current on OSINT techniques, tools, and investigations — from practitioner-focused weeklies to threat intelligence briefings.
best-backpacks-for-osint-field-investigators
This buyer's guide helps newer OSINT field investigators compare backpacks based on protection, organization, comfort, and covert carry features rather than hype. It also explains where separate Faraday pouches fit into a practical field setup, so readers can build a budget-conscious kit around real operating needs.
best-usb-drives-for-osint-secure-boot-drives-and-encrypted-storage
USB drives are still one of the simplest ways to build a portable, compartmentalized OSINT setup, but not all flash media is fit for live booting, persistence, or sensitive evidence storage. This guide explains what actually matters when choosing USB drives for Tails, Kali, and encrypted field data, then turns that into practical buying criteria and setup recommendations.
BioRxiv and PubMed as Intelligence Sources
PubMed and bioRxiv give investigators a structured, searchable view into the biomedical research ecosystem. Used together with ORCID, OpenAlex, NIH iSearch, and patent and securities databases, they help map expertise, affiliations, grants, and commercialization pathways with far more precision than ordinary web search.
Business and Corporate OSINT: Corporate Structures, Shell Companies, and Directors
Business and corporate OSINT is the process of moving from a company name to a defensible picture of directors, ownership, subsidiaries, and related entities using registry records and filings. Its value is not just finding a company entry, but linking official records across jurisdictions so control patterns, shell-company indicators, and real-world activity can be assessed without drifting into speculation.
Corporate and Financial OSINT: Investigating Companies, Ownership, and Money Flows
How to investigate corporations, beneficial ownership, financial relationships, and asset structures using open source tools — from SEC filings to corporate registry searches.
Dark Web Monitoring: How It Works and What to Watch For
A complete guide to dark web monitoring — what's actually on the dark web, how monitoring tools work, what they detect, and how to choose the right approach for your organization.
Data Visualization for OSINT: How to Present Findings
OSINT investigations often fail at the final step: communicating what the data means. This guide explains how investigators can use network graphs, timelines, maps, and charts to transform raw findings into actionable intelligence while maintaining source traceability and operational security.
Domain and IP Investigation with OSINT: A Complete Guide
A practical guide to investigating domains and IP addresses using open source tools — covering WHOIS, DNS history, IP geolocation, ASN analysis, and infrastructure pivoting.
Email OSINT: Find Anyone's Digital Footprint From an Email Address
A complete guide to email OSINT — breach lookup, service discovery, header analysis, and username derivation. Techniques used by professional investigators.
GEOINT and Satellite Imagery for OSINT Investigators
How to use satellite imagery, geolocation techniques, and geospatial intelligence tools for open source investigations. Covers free and commercial sources, change detection, and landmark methodology.
Geolocation via Sun and Shadow Analysis with SunCalc
Geolocation via sun and shadow analysis uses visible lighting, shadow direction, and solar position modeling to test whether a photo or video matches a claimed place and time. Its value is not in solving imagery from scratch, but in giving investigators a disciplined way to confirm or challenge geolocation hypotheses with SunCalc and supporting evidence.
Geospatial Data Visualization Tools for OSINT Analysts
This guide covers the most useful geospatial OSINT tools that mapping analysts can use to visualize coordinates, routes, infrastructure, and imagery in one workflow. It explains where each tool fits, what it does best, and how to combine them for stronger location-based investigations.
Google Dorking Methodology: Advanced Search Operators for OSINT
Google dorking methodology is the disciplined use of advanced Google operators to surface documents, portals, directories, and other indexed web artifacts relevant to an investigation. Its real value is not in memorizing flashy queries, but in building targeted searches, reducing noise, and validating what the search result actually means before treating it as evidence.
hidden-data-layer-ai-augmented-osint-public-databases
This guide shows experienced investigators how to move beyond search-engine discovery into structured public datasets that reveal ownership, funding, affiliations, and operational patterns. It explains where AI genuinely helps, where it creates risk, and how to build publication-ready findings from source records rather than summaries.
hidden-data-layer-ai-osint
Public databases like EDGAR, the NPI registry, and IRS Form 990 have always been open — but functionally inaccessible to most investigators without deep domain expertise. This guide shows how to use AI tools to query, extract, and synthesize records across these sources while maintaining the source validation standards that real investigations require.
How to Protect Your Digital Footprint (What OSINT Reveals About You)
Most people don't know how much information is publicly available about them. This guide shows you what OSINT investigators can find — and what you can do to reduce your exposure.
How to Read Statistical Maps Like an OSINT Analyst
Statistical maps are not just visual aids; they are compressed intelligence products that reveal how quantitative patterns behave across space. This guide shows OSINT analysts how to read choropleths, heat maps, and dot density maps critically so they can extract signal, detect manipulation, and apply public data maps to live investigations.
How to Use an AI Agent to Audit and Lock Down Your Digital Footprint
AI agents can dramatically accelerate a personal privacy audit — drafting opt-out requests, tracking data broker removals, and guiding you through the process step by step. Here's how to use them safely.
How to Use Shodan: A Beginner's Guide
A practical introduction to Shodan — what it is, how to search it, and how OSINT investigators and security practitioners use it to research internet-facing infrastructure.
How to Use SpiderFoot for Automated OSINT Reconnaissance
Step-by-step guide to running SpiderFoot scans, configuring modules, and reading results without alerting your target.
Image Verification and Fake Media Detection Workflow
Image verification and fake media detection is the process of combining reverse search, metadata analysis, visual inspection, and AI-forensics signals to assess suspicious media. Its real value is not in any one detection tool, but in a sequence of corroborating checks that separate confirmed manipulation from misleading captions, recycled media, and unresolved anomalies.
irs-form-990-intelligence-guide
IRS Form 990 filings are one of the richest public sources for investigating US nonprofits, foundations, and their cross-border relationships. For OSINT investigators, they expose governance, compensation, grants, related-party transactions, and structural links that rarely appear as clearly in a single public record.
irs-form-990-osint-guide
IRS Form 990 is one of the most useful public records for investigating nonprofit organizations and the people around them. For OSINT investigators, it provides structured disclosures on governance, compensation, grants, contractors, and related entities that can be turned into repeatable research workflows.
npi-registry-osint-guide
The NPI Registry is a public lookup tool for U.S. healthcare provider identifiers, basic practice information, and organizational records. For OSINT work, it is most useful as a starting point: it helps confirm who a provider or healthcare entity says they are, where they operate, and how to pivot into licensing, sanctions, corporate, and facility-level research.
npi-registry-osint-healthcare-provider-intelligence
The NPI Registry is CMS's public lookup and bulk dataset for every US healthcare provider and covered organization with a National Provider Identifier. For investigators, it is a high-value source for linking clinicians to clinics, surfacing shared control signals, and tracing healthcare network expansion across states.
OSINT Companies Directory: Professional Intelligence and Investigation Firms
A directory of professional OSINT, threat intelligence, and investigation companies — from enterprise threat intelligence vendors to boutique investigation firms.
OSINT for Corporate Due Diligence
This guide explains how investigators use open-source intelligence to strengthen corporate due diligence across M&A, third-party risk, and investment research. It covers practical sources for ownership mapping, regulatory screening, adverse media review, and market context so teams can spot hidden risk before decisions are made.
OSINT for Financial Traders
This guide shows financial traders and investment analysts how to use open-source intelligence in a compliant, repeatable way. It focuses on SEC filings, alternative data, supply chain signals, and monitoring workflows that can sharpen fundamental research without crossing into material non-public information.
OSINT for HR Background Screening
This guide explains how HR teams and background screening professionals can use open-source intelligence to verify identities, credentials, litigation history, and adverse media without crossing into consumer-report territory. It focuses on legally defensible workflows, public records research, and practical techniques for consistent candidate screening.
OSINT for Legal Researchers
This guide explains how legal researchers and litigators can use publicly available information to investigate parties, witnesses, and business entities while staying within ethical limits. It also covers court records, social media preservation, and the special risks involved in juror research.
OSINT for Network Administrators
This guide shows network administrators how to use OSINT techniques to monitor their own external footprint across infrastructure, DNS, credentials, and third-party dependencies. It focuses on defensive visibility, helping teams identify exposed assets, leaked data, and misconfigurations early enough to fix them.
OSINT Training Platforms and Practice Resources
Where to actually learn OSINT — the courses, platforms, CTFs, and practice environments worth your time, from free beginner resources to professional certifications.
osint-for-cybersecurity-analysts
This guide shows cybersecurity analysts how to turn passive open source intelligence into practical threat intelligence for hunting, response, and vulnerability prioritization. It focuses on safe, non-intrusive collection methods and highlights tools, workflows, and integration points that fit modern security operations.
osint-for-forensic-accountants
This guide shows forensic accountants how to use public data to support financial investigations, from corporate ownership research to property records, securities filings, and lifestyle evidence. It focuses on practical workflows and investigator-relevant sources that help corroborate documents, expose inconsistencies, and map connections across entities and assets.
osint-for-insurance-fraud-investigators
This guide shows insurance fraud investigators how to use open-source intelligence to verify claimant activity, validate business entities, and uncover cross-claim patterns. It focuses on practical, defensible workflows that help SIU teams prioritize surveillance resources and document findings for reports.
osint-for-journalists
This guide walks investigative journalists and general reporters through practical OSINT workflows for source verification, image authentication, corporate research, and geolocation confirmation. It covers the core tools and methods used in modern newsrooms, with a focus on documentation discipline and operational security. Designed for reporters with no prior OSINT background who need a reliable starting framework.
osint-for-law-enforcement
This guide explains how law enforcement can use open source intelligence in investigations, from suspect identification and social media research to location verification and dark web monitoring. It focuses on practical workflows, evidentiary discipline, and operational security considerations that matter in real investigative environments.
osint-for-penetration-testers
Recon-ng is an open source reconnaissance framework that helps penetration testers collect, correlate, and export OSINT from public sources before any active testing begins. It is especially useful for organizing domains, infrastructure, people, leaks, and technology findings into a client-ready handoff.
osint-for-private-investigators
This guide shows how private investigators can use open-source intelligence to verify identities, trace locations, research assets, and document digital evidence. It also covers the legal boundaries that matter most in PI work, including DPPA, FCRA, licensing, and evidence preservation standards.
Passive OSINT Investigation
Passive OSINT investigation collects intelligence entirely from public and third-party sources without direct contact with the target or their infrastructure. This guide covers the full workflow — from setting up an isolated investigation environment through seed data, core source categories, and documentation discipline. Intended for investigators who need results that hold up legally and leave no trace.
Phone Number OSINT: How to Research a Number Without Calling It
A workflow for extracting carrier data, owner identity, and social account linkage from a phone number using free and paid tools.
Reddit OSINT: Investigating Users, Communities, and Deleted Content
Reddit OSINT combines native Reddit review, archive-based recovery, and behavioral analysis to investigate users, subreddits, and deleted discussions. Its real value is not just finding old posts, but building a structured timeline of visible activity, recovered content, moderation patterns, and identity clues without overstating what third-party archives can prove.
sam-gov-usaspending-federal-contractor-networks
SAM.gov and USASpending.gov are complementary federal data sources that help investigators verify contractor identities, trace award histories, and map agency relationships. Used together, they support disciplined OSINT workflows for identifying related entities, spotting anomalies, and building evidence-backed network assessments around federal vendors.
SAM.gov and USASpending: Federal Contractor OSINT
SAM.gov and USASpending are complementary public data sources for investigating who does business with the US government, how much they are paid, and how their corporate identities are represented in official systems. Used together, they help analysts trace ownership clues, exclusions, award histories, and network patterns across prime contractors, subsidiaries, and potential shell entities.
SEC EDGAR Deep Dive: An OSINT Guide
SEC EDGAR is far more than a repository for annual and quarterly reports. For OSINT investigators, it is a free, primary-source intelligence platform that exposes ownership changes, insider transactions, proxy battles, executive turnover, and narrative disclosures that rarely appear in standard equity research workflows.
Social Media OSINT by Platform: A Practical Investigation Guide
Platform-by-platform guide to OSINT investigation on social media — techniques, tools, and search methods for Twitter/X, Instagram, Facebook, LinkedIn, TikTok, Telegram, and Reddit.
The Bellingcat Online Investigation Toolkit: What's In It and How to Use It
A breakdown of the Bellingcat Online Investigation Toolkit — the tools serious investigators actually use, with reviews of the paid options worth your budget.
US Government Records OSINT: Property, Court, Vital, License, and Campaign Finance
US government records OSINT is the practice of working directly from official federal, state, county, and city sources to build defensible profiles of people, businesses, and relationships. Its value is not just finding a name in a database, but linking records across jurisdictions so property ownership, legal activity, occupational history, family events, and political ties form a verifiable timeline.
Username Enumeration Techniques Across Platforms
Username enumeration techniques help investigators locate accounts tied to a handle across social, professional, gaming, and niche platforms. The real value is not just collecting profile URLs, but validating which accounts actually belong to the same person through systematic comparison, confidence scoring, and cross-platform corroboration.
Using OSINT for Prediction Market Research
How open-source intelligence techniques give prediction market traders an edge — tracking geopolitical events, sanctions, flight data, and public records to inform smarter bets.
Video Investigation and OSINT: How to Analyze, Geolocate, and Verify Video Evidence
A practical guide to OSINT techniques for video analysis — extracting metadata, geolocating footage, verifying authenticity, and using open source tools to investigate video evidence.
Web Archiving for OSINT: Wayback Machine, Archive.today, and CachedView
Web archiving for OSINT is the process of using archival sources and caches to recover deleted content, compare historical versions of pages, and preserve volatile material for later review. Its value is not just finding old copies of a page, but documenting what changed, when it changed, and how to support the archived evidence with timestamps, source URLs, and corroborating context.
Website Footprinting Methodology: WHOIS, Subdomains, and Certificate Transparency
Website footprinting methodology is the step-by-step process of expanding from a known domain into subdomains, certificates, IPs, and related internet-facing infrastructure. Its value is not in any one tool, but in the sequence: each stage creates the next pivot, helping investigators build a repeatable map of a target's external presence without confusing raw leads with validated assets.
What is OSINT? Open Source Intelligence Explained
A complete guide to open source intelligence — what OSINT is, how it's used, who uses it, and the tools and techniques that drive modern investigations.