Journalists use it to investigate war crimes. Penetration testers use it to profile targets before an engagement. Law enforcement uses it to track down criminals. And security researchers use it to expose data leaks before attackers do. OSINT (open source intelligence) is the art of gathering and analyzing information from publicly available sources. Here's how it works.
Bottom line up front: OSINT is intelligence gathering using only public information, with no hacking and no unauthorized access. If it's on the internet and accessible to anyone, it's fair game. The skill is knowing where to look and how to connect the dots.
The "open source" in OSINT doesn't mean open source software; it means publicly available information. That includes a lot more than most people realize:
Legal and ethical boundaries: OSINT only covers publicly accessible information. Accessing private accounts, bypassing authentication, or aggregating data to stalk or harass individuals is illegal regardless of whether the data is technically "public." Always use OSINT skills ethically and legally: know the purpose before you start digging.
The recon phase of every professional pentest starts with OSINT. Testers map out an organization's external attack surface (subdomains, employee names and emails, technology in use, exposed services) before touching a single system. The more they know, the more targeted and convincing their attack can be.
Blue teamers use OSINT to investigate suspicious IPs and domains, attribute attacks to known threat groups, and proactively monitor for leaked credentials or mentions of their organization on dark web forums. Threat intel feeds are largely OSINT at scale.
Groups like Bellingcat have used OSINT to geolocate photos from conflict zones, identify war crimes, and track the movements of state actors using only satellite imagery, social media posts, and public flight data. OSINT journalism has become a recognized discipline.
Companies use OSINT to monitor their own external exposure: finding leaked API keys on GitHub, identifying rogue subdomains, checking whether employee credentials appear in breach databases, and tracking what competitors are revealing through job postings.
Attackers use OSINT extensively before launching social engineering attacks. The more they know about a target, such as their job, their colleagues, and their recent activities, the more convincing their phishing email or phone call will be. Understanding how attackers use OSINT is essential for defenders.
Effective OSINT isn't random Googling; it follows a structured process:
Advanced search operators that find things Google has indexed but that never surface in ordinary searches. site:, filetype:, inurl:, and intitle: can surface exposed login pages, leaked documents, and sensitive files.
A search engine for internet-connected devices. Find exposed cameras, servers, industrial control systems, and misconfigured services by IP range, country, or technology. Essential for infrastructure recon.
Gathers email addresses, subdomains, IPs, and employee names from public sources for a target domain. Included in Kali Linux. One of the first tools run during a pentest recon phase.
A graphical link analysis tool that visualizes relationships between people, domains, IP addresses, and organizations. Extremely powerful for mapping out complex networks of connections.
Extracts metadata from images and documents: GPS coordinates, camera model, software used, author names, and timestamps. A single photo posted online can reveal the exact location where it was taken.
A modular web reconnaissance framework built in Python. Works like Metasploit but for OSINT, with modules for harvesting emails, finding subdomains, looking up breach data, and more.
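To show concretely what such a photo leaks, here is an added example (not the page's code and not ExifTool itself): a minimal Python reader that walks a JPEG's segments, finds the Exif APP1 block, follows the GPSInfo pointer and converts the degree/minute/second rationals to decimal degrees. The JPEG it reads is constructed inside the code (no real photo), and only little-endian TIFF blocks are handled.

```python
import struct

def _ifd(tiff, off):
    """Return {tag: (type, count, value_or_offset)} for the IFD starting at off."""
    n = struct.unpack_from("<H", tiff, off)[0]
    return {t: (ty, c, v) for t, ty, c, v in
            (struct.unpack_from("<HHII", tiff, off + 2 + 12 * i) for i in range(n))}

def _dms(tiff, off):
    """Three RATIONALs (degrees, minutes, seconds) at off -> decimal degrees."""
    v = struct.unpack_from("<IIIIII", tiff, off)
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def _exif_tiff(jpeg):
    """Walk the JPEG segment headers; return the TIFF block of the Exif APP1, if any."""
    pos = 2                                   # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seglen]
        if marker == 0xDA:                    # start of scan: no more headers follow
            break
        pos += 2 + seglen
    return None

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when the photo has no GPS IFD."""
    tiff = _exif_tiff(jpeg)
    if not tiff or tiff[:4] != b"II*\x00":   # little-endian TIFF only, for brevity
        return None
    ifd0 = _ifd(tiff, struct.unpack_from("<I", tiff, 4)[0])
    if 0x8825 not in ifd0:                    # 0x8825 = GPSInfo IFD pointer
        return None
    gps = _ifd(tiff, ifd0[0x8825][2])
    if not all(t in gps for t in (1, 2, 3, 4)):   # lat ref/value, lon ref/value
        return None
    # The 2-byte refs ("N\0", "W\0") are stored inline in the value field.
    lat = _dms(tiff, gps[2][2]) * (-1 if chr(gps[1][2] & 0xFF) == "S" else 1)
    lon = _dms(tiff, gps[4][2]) * (-1 if chr(gps[3][2] & 0xFF) == "W" else 1)
    return lat, lon

def sample_jpeg():
    """Constructed JPEG: SOI + Exif APP1 holding only a GPS IFD + EOI. Geotag 48°51'24"N 2°17'40"W."""
    e = lambda tag, ty, c, v: struct.pack("<HHII", tag, ty, c, v)      # one IFD entry
    r = lambda *p: b"".join(struct.pack("<II", n, d) for n, d in p)    # RATIONAL values
    tiff = (b"II*\x00" + struct.pack("<I", 8)                            # header, IFD0 at 8
            + struct.pack("<H", 1) + e(0x8825, 4, 1, 26) + struct.pack("<I", 0)   # IFD0 -> GPS IFD at 26
            + struct.pack("<H", 4) + e(1, 2, 2, ord("N")) + e(2, 5, 3, 80)
            + e(3, 2, 2, ord("W")) + e(4, 5, 3, 104) + struct.pack("<I", 0)
            + r((48, 1), (51, 1), (2400, 100)) + r((2, 1), (17, 1), (4000, 100)))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Stripping the APP1 segment before publishing (or re-encoding the image) is what removes this data; `exif_gps(open(path, "rb").read())` checks your own photos before they go online.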
Archive.org's snapshot database of the web. Find deleted pages, old versions of websites, removed job postings, and exposed files that no longer exist on the live site.
Check if an email address appears in known data breaches. Security teams use it to monitor employee credentials. Also available as an API for automated monitoring.
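As an added example (not the page's code and not an official Have I Been Pwned client), the check below shows the k-anonymity model behind HIBP's Pwned Passwords range API, the part of the service that checks passwords rather than email addresses: only the first five hex characters of the password's SHA-1 leave the client, and the suffix match happens locally. The `fetch` callable and the response body are constructed stand-ins so the code runs offline; the count for "password" is made up, not HIBP's real figure.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real HIBP Pwned Passwords endpoint

def split_sha1(password: str):
    """Hash the password and split it: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def match_range(suffix: str, body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix; 0 if absent."""
    for line in body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def pwned_count(password: str, fetch) -> int:
    """Times the password appears in breach corpora, via the k-anonymous lookup.

    fetch(url) -> str is injected so callers can use urllib, requests, or a stub.
    """
    prefix, suffix = split_sha1(password)
    return match_range(suffix, fetch(RANGE_URL + prefix))

def fake_fetch(url: str) -> str:
    """Constructed stand-in for the HTTP call: returns a fake range body whose
    middle line carries the suffix of 'password' with a made-up count."""
    assert url.startswith(RANGE_URL) and len(url) == len(RANGE_URL) + 5  # only a prefix is sent
    _, pw_suffix = split_sha1("password")
    return "\r\n".join([
        "0" * 35 + ":2",                # constructed filler lines, not real data
        f"{pw_suffix}:123456",
        "F" * 35 + ":1",
    ])

def audit(passwords, fetch=fake_fetch):
    """Return only the passwords that were found, mapped to their counts."""
    return {p: n for p in passwords if (n := pwned_count(p, fetch))}
```

For a live check, pass a fetch that reads the URL with urllib.request.urlopen; the range endpoint needs no API key.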
Google dorking is the most accessible OSINT technique and requires zero tools beyond a browser. Here are some operators and what they find:
| Dork | What It Finds |
|---|---|
| `site:example.com filetype:pdf` | All PDFs indexed from a specific domain; often includes internal documents. |
| `site:github.com "example.com" "api_key"` | GitHub commits or repos containing API keys for a specific domain. |
| `inurl:admin site:example.com` | Admin panels exposed on a target domain. |
| `intitle:"index of" site:example.com` | Open directory listings: servers with no index file exposing raw file trees. |
| `filetype:env "DB_PASSWORD"` | Exposed .env configuration files containing database credentials. |
| `"@example.com" site:linkedin.com` | Employees at a company indexed on LinkedIn, useful for building a target list. |
Use dorking responsibly. Finding exposed files is one thing; downloading or using credentials you find is another. In a professional pentest context, you document and report findings. Outside of authorized testing, accessing systems using discovered credentials is unauthorized access regardless of how you found them.
One of the most valuable exercises you can do is run OSINT on yourself. You might be surprised what's publicly visible:
Tools like Sherlock (searches for a username across hundreds of platforms) and Have I Been Pwned are good starting points for a personal OSINT audit.
OSINT challenges are a staple of Capture The Flag competitions and are great for beginners because they require no hacking, just research skills. Common CTF OSINT challenges include:
TryHackMe has a dedicated OSINT learning path, and platforms like CTFtime list competitions that regularly include OSINT categories. It's one of the best ways to build practical skills fast.
OSINT is relevant across almost every security role. Penetration testers use it during the recon phase of every engagement. SOC Analysts and threat intelligence analysts use it to investigate alerts and track threat actors. Bug bounty hunters use it to map out the attack surface of their targets. And it's increasingly valued in law enforcement, journalism, and corporate security.
The career path you're targeting determines how deep you need to go: a penetration tester will use OSINT daily while a cloud security engineer might use it occasionally. Either way, understanding OSINT makes you a more well-rounded security professional.
OSINT is one of the most accessible entry points into practical security work. You don't need a lab, special hardware, or even Kali Linux, just a browser, curiosity, and a structured approach. The skills transfer directly to real-world pentesting, threat intelligence, incident response, and CTFs.
Start by running OSINT on yourself. Then try a TryHackMe OSINT room. Then pick a public target, such as your university, a bug bounty program, or a CTF challenge, and practice mapping out what's publicly visible. The best OSINT investigators aren't the ones with the fanciest tools. They're the ones who are most systematic.
Your next step: Search your own name, email address, and primary username on Google and Have I Been Pwned. Then install Sherlock (`pip install sherlock-project`) and run it against your username to see where you show up across the web. What you find might surprise you.