
OSINT Fundamentals: The Discipline, the Ethics, the Tools

By Jesse William McGraw, April 26, 2026

Open-Source Intelligence is one of those disciplines that has existed for decades inside government and military contexts and become widely practiced, and widely abused, in the past fifteen years on the open internet. The term covers a real methodology, a real set of skills, and a small body of professional ethics. It also covers a great deal of casual web searching that is sometimes mistaken for OSINT and a fair amount of stalking that is sometimes called OSINT by people who should know better.

Understanding what the discipline actually is, where its boundaries are, and how to do it well is the foundation for any of the topic-specific posts that follow.

A working definition

OSINT is the structured collection, analysis, and verification of publicly available information in service of producing intelligence: conclusions that are actionable for a specific decision or audience. Three components matter:

Public availability. The data is accessible without unauthorised access, illegal collection, or breach of legitimate access controls. "Public" is not the same as "indexed by Google"; it includes academic papers, court records, satellite imagery, social media, archives, business filings, government data, and much more. It does not include private correspondence, leaked data sets of dubious provenance, or material obtained by accessing systems beyond authorisation.

Structured methodology. OSINT is not "I found this on Google." It is a systematic process of source identification, collection, evaluation for reliability, cross-corroboration, and synthesis. The discipline distinguishes itself from casual searching by the rigour of its provenance tracking and corroboration.

Intelligence purpose. The output supports decision-making: who to interview, what to publish, where to look next, what to ask. OSINT that is not in service of a question is closer to information collecting than to intelligence work.

The US Director of National Intelligence’s IC OSINT Strategy at dni.gov/files/ODNI/documents/National_Open_Source_Strategy.pdf and NATO’s OSINT Handbook are the canonical doctrinal references.

What OSINT is not

A few common confusions:

OSINT is not espionage. Collecting from public sources is not the same as collecting from non-public sources. The ethical and legal frameworks differ.

OSINT is not stalking. The same techniques that produce useful investigative findings can produce stalking material. The difference is intent, target selection, and what is done with the output. A professional OSINT practitioner working on disinformation or organised crime operates within a defined ethical framework; a person aggregating personal data on a private individual to harass them does not, regardless of which tools they use.

OSINT is not just for security and journalism. The discipline is used in due diligence, recruitment screening, M&A research, fraud investigation, missing-persons cases, and many other applications. The methodology generalises.

OSINT is not free of legal constraints. Even publicly available data is subject to privacy regulations (GDPR notably), terms of service of platforms being scraped, and various jurisdiction-specific limitations.

The professional ethical floor

The professional OSINT community has converged on a small set of ethical norms:

Operate within legal authority. Whatever the practitioner’s role, they should not be doing anything that would not survive disclosure to a court or regulator.

Distinguish facts from inferences. The output should make clear what is observed, what is inferred, and what is uncertain.

Verify before publishing. The Bellingcat methodology of multi-source corroboration is the standard reference (covered separately in this category).

Protect bystanders. People who appear incidentally in source material (a friend in a Facebook photo of the actual subject, a face in the background of a video) deserve not to become collateral damage of an investigation that did not concern them.

Respect platforms’ terms of service. Mass scraping in violation of ToS is sometimes done legitimately by researchers; doing it casually is unprofessional.

Protect the practitioner. Operational security for the investigator matters; aggressive subjects retaliate.

The Belligent Project’s Code of Ethics, the Society of Professional Journalists’ guidelines, and the OSINT Foundation’s principles all approach this from different angles and converge on similar principles.

The toolkit

The OSINT tool ecosystem is enormous. A representative sample of categories and current standards:

Search engines. Google, Bing, Yandex (notable for image search and Russian-language sources), DuckDuckGo, Marginalia, Kagi for paid search. Each has different indexing biases.

Search operators. Advanced query syntax (site:, inurl:, filetype:, exact-phrase quotes, exclusion). The "Google Hacking Database" at exploit-db.com/google-hacking-database catalogues thousands of operator-driven discovery patterns.

Domain and infrastructure. WhoisXML, SecurityTrails, DNSDumpster, Certificate Transparency logs (crt.sh), Censys, Shodan. Covered in detail in separate posts in this category.

Social media. Twitter/X analysis (the API restrictions of 2023-2024 changed this category significantly; tools like Snscrape are still used; native search remains useful), Telegram channel and group enumeration, LinkedIn, Discord, Reddit. Each platform has its own affordances.

Image analysis. Reverse image search (Google, Yandex, TinEye), EXIF inspection (ExifTool), facial-recognition tools (these come with significant ethical questions; PimEyes, FaceCheck.id, etc., exist but are contested), forensic-analysis tools (FotoForensics, FotoVerifier).

Geolocation. Manual analysis of visual cues, sun angles, vegetation, road signs; tools like Sentinel Hub for satellite imagery, Google Earth, Mapillary, KartaView for street-level imagery, the SunCalc website for shadow-based time/location estimation.

Public records. Court records (PACER in the US, similar in other jurisdictions), business registries, property records, voter rolls (where available), regulatory filings (SEC EDGAR, Companies House UK, EU’s BRIS).

Archive and preservation. Wayback Machine, archive.today, Memento Project. Snapshot-driven research and verification.

Specialised aggregators. Maltego (link analysis), SpiderFoot (automated reconnaissance), Recon-ng (modular framework), OSINT Framework (curated tool index at osintframework.com).

Data leak sets. Have I Been Pwned, IntelX, DeHashed, BreachDirectory. Ethical and legal complexity here is real; what is appropriate use depends on context.

The set of tools changes constantly. The methodology (find sources, evaluate them, cross-reference, document) stays the same.

Verification methodology

The bedrock skill is verification. A useful framework, drawing on Bellingcat and the work of First Draft / Trusted News:

Source. Who or what is publishing this information? What is their track record? What incentives do they have?

Date. When was this published? When was the depicted event? Imagery and reports get recycled and re-contextualised constantly.

Location. Where was this captured? Geolocation through visible cues; cross-reference with known imagery and maps.

Motivation. Who benefits from this being widely accepted as true? Who benefits from it being widely accepted as false?

Corroboration. What other independent sources can confirm or refute? Independent means not derived from the same original.

Original. Can you trace this back to the source? Many "facts" circulating online are tertiary or worse derivations of original material.

A finding that has not been through this process is provisional at best.
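
The Corroboration and Original checks above can be made mechanical once each collected item records what it was derived from. The following is an added example, not part of the original article; the `Source` record, the function names, and the sample items are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Source:
    name: str
    derived_from: Optional[str] = None  # source this one copies or quotes, if any

def trace_origin(name, by_name):
    """Follow derived_from links; return (origin, traced_to_an_original)."""
    seen = []
    current = name
    while True:
        if current in seen:
            # Circular citation: the items cite each other, no original exists.
            return min(seen[seen.index(current):]), False
        seen.append(current)
        src = by_name.get(current)
        if src is None:
            return current, False   # chain ends at material never collected
        if src.derived_from is None:
            return current, True    # reached an original
        current = src.derived_from

def group_by_origin(sources):
    """Map each origin to the collected sources that derive from it."""
    by_name = {s.name: s for s in sources}
    groups = {}
    for s in sources:
        origin, traced = trace_origin(s.name, by_name)
        groups.setdefault(origin, {"traced": traced, "members": []})["members"].append(s.name)
    return groups

def independent_count(sources):
    """Count only origins that were actually traced to an original."""
    return sum(1 for g in group_by_origin(sources).values() if g["traced"])

# Constructed sample: six items about one claim, but only two independent originals.
SAMPLE = [
    Source("local_tv_clip"),
    Source("aggregator_repost", derived_from="local_tv_clip"),
    Source("viral_post", derived_from="aggregator_repost"),
    Source("eyewitness_photo"),
    Source("blog_a", derived_from="blog_b"),
    Source("blog_b", derived_from="blog_a"),
]

if __name__ == "__main__":
    for origin, g in group_by_origin(SAMPLE).items():
        print(origin, "traced" if g["traced"] else "UNTRACED", g["members"])
    print("independent sources:", independent_count(SAMPLE))
```

The two blogs that cite only each other form a group with no traceable original, so they add nothing to the corroboration count.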

OPSEC for the investigator

A few habits separate professional from amateur:

Use a dedicated OSINT environment. Browser profile, virtual machine, or separate device that does not share authentication with personal accounts.

Use a non-attributable network presence where the investigation warrants. Tor, VPN, residential proxy depending on circumstances.

Maintain separate personas for active engagement (sock puppets) where the investigation requires interaction. The ethics and legality of using sock puppets vary; understand the rules in your context.

Document everything. The investigative trail is part of the deliverable. Screenshots with timestamps, source URLs, date of preservation.

Respect operational silence. Some investigations require not tipping off the subject. Information about what you are searching for, even in casual conversation, can leak.

Recognise that you are observable. Tools like Shodan and other scanning platforms log queries; opaque OSINT tools sometimes report user activity to the tool providers; proxy services have varying logging practices.
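
One way to keep the investigative trail described under "Document everything" is a log in which every capture records its URL, preservation time, and content hash, with each record chained to the one before it so later edits are detectable. This is an added example, not part of the original article; the field names, function names, and sample captures are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

def entry_digest(entry):
    """Hash every field except the entry's own hash, in a stable key order."""
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode("utf-8")).hexdigest()

def add_entry(log, url, content, note, captured_at=None):
    """Append a record of one preserved capture, chained to the previous record."""
    entry = {
        "url": url,
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def first_broken_entry(log):
    """Return the index of the first altered or reordered record, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["entry_hash"] != entry_digest(entry):
            return i
        prev = entry["entry_hash"]
    return None

def matches_capture(entry, content):
    """Check that a preserved file is byte-for-byte what was logged."""
    return entry["content_sha256"] == hashlib.sha256(content).hexdigest()

def build_sample_log():
    # Constructed sample captures; URLs and page bodies are placeholders.
    log = []
    add_entry(log, "https://example.org/statement", b"<html>v1</html>",
              "original statement", "2026-04-20T09:15:00+00:00")
    add_entry(log, "https://example.org/statement", b"<html>v2</html>",
              "statement after edit", "2026-04-21T14:02:00+00:00")
    add_entry(log, "https://example.net/archive-copy", b"<html>v1</html>",
              "archive snapshot of v1", "2026-04-21T14:10:00+00:00")
    return log
```

The chain only proves integrity if the most recent `entry_hash` is also recorded somewhere the log's holder cannot rewrite, such as case notes shared with a reviewer.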

What good OSINT looks like

A useful output:

Has a clear question or hypothesis it answers.

Distinguishes observation from inference, with confidence levels made explicit.

Lists primary and secondary sources.

Includes the verification methodology: what was done, what was not done, what could not be confirmed.

Identifies what is unknown alongside what is known.

Survives review by skeptical peers.

The Bellingcat investigations into MH17, the Skripal poisoning, and various Russian intelligence operations are the most-read public examples of this standard. They are aspirational but not unreachable; the techniques are documented, the methodology is teachable, and the work is mostly patience.

The next posts in this category cover specific subspecialties (geolocation, infrastructure reconnaissance, ransomware leak-site tracking, social media OSINT), building on the foundation here. The practice is consequential; doing it well is one of the more useful skills any security or journalism professional can develop.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
