Beyond the Surface: What is OSINT Open Source Intelligence?
Open-Source Intelligence (OSINT) has become an indispensable part of cybersecurity, journalism, law enforcement, and even competitive business intelligence. OSINT refers to the practice of collecting and analysing information from publicly available sources. These sources could be anything from social media posts and news articles to public databases and satellite imagery. In fact, analysts estimate that 80–90% of all strategic intelligence derives from open-source information, emphasising its critical role in modern intelligence operations.
There are so many kinds of intelligence that if we do not categorise it, we might as well go as mad as the Hatter from Alice in Wonderland.
Social Media Intelligence (SOCMINT)
SOCMINT focuses on scraping intelligence from social media platforms like X, Facebook, Instagram, TikTok, and LinkedIn as well as other platforms. It aims to reveal an individual's social circle, habits, locations, interests, and affiliations.
In law enforcement, for example, identifying a person's network or movement patterns can aid in crime prevention, suspect tracking, or even generating leads on active missing person cases. In business, this data is used to identify competitor behaviours, optimise marketing strategies, or enhance customer segmentation for targeted advertising.
Platforms like “Maltego” and tools like “Sherlock”, used for username enumeration, and “Twint”, used for passive enumeration of Twitter (X) posts, are some examples of tools used for SOCMINT. These tools can be applied in real-world scenarios like the Capitol Riots (2021) case, where investigators and journalists used Twitter and Parler posts, livestreams, and images to identify rioters.
Geospatial Intelligence (GEOINT)
GEOINT is a specific branch of OSINT that revolves around collecting and analysing footage and geospatial data, including satellite images, maps, drone footage, and metadata from photos. This branch of OSINT helps pinpoint locations, monitor troop movements for the military, or track environmental changes and natural disasters.
Tools used in GEOINT include:
- Google Earth: Satellite imagery and 3D terrain.
- Sentinel Hub: Grants access to high-res satellite data from ESA’s Sentinel missions.
- ExifTool: Used to pull metadata (including GPS) from images.
- Mapillary: A crowdsourced street-level imagery platform.
During the 2022 Russian invasion of Ukraine, the OSINT initiative “Eyes on Russia”, run by the Centre for Information Resilience (CIR), tracked troop movements using satellite imagery, TikTok videos, and other open-source content. This project was created to help reveal military routes, vehicle types, and staging areas before official confirmations.
Domain and Network Intelligence
This type of intelligence focuses on exploring digital infrastructure such as domain names, IP addresses, servers, and subdomains. It’s especially relevant in cybersecurity, helping researchers daily in their attempts to uncover malware infrastructure and identify phishing campaigns.
Popular tools include:
- Shodan: A search engine for internet-connected devices.
- WHOIS Lookup: Reveals ownership and registration data for domains.
- DNSdumpster: Maps domain and subdomain infrastructure.
- Censys: Provides visibility into SSL certificates, open ports, and devices on the internet.
Researchers investigating the Iranian APT group APT33 used WHOIS data and passive DNS records to trace back to command-and-control servers, linking them to known threat actors and exposing broader espionage operations targeting the aviation and energy sector. For more details on this case, read below.
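The pivot described above, as an added example (not the researchers' tooling and not code from the original article): starting from one known command-and-control domain, it follows shared WHOIS registrant e-mails and passive DNS addresses to related domains, and skips shared-hosting IPs that would link unrelated sites. All records, domains, addresses and the `pivot` helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real indicators): reserved .example domains
# and documentation-range IP addresses only.
WHOIS = {
    "seed-c2.example": "reg1@mail.example",
    "update-portal.example": "reg1@mail.example",
    "jobs-aero.example": "reg2@mail.example",
    "unrelated-shop.example": "owner@shop.example",
}
PASSIVE_DNS = [  # (domain, IP address it was observed resolving to)
    ("seed-c2.example", "203.0.113.10"),
    ("update-portal.example", "203.0.113.44"),
    ("jobs-aero.example", "203.0.113.44"),
    ("jobs-aero.example", "192.0.2.1"),       # later moved behind a CDN
    ("unrelated-shop.example", "192.0.2.1"),  # another tenant of that CDN
]
# Shared hosting / CDN addresses serve many unrelated tenants: never pivot on them.
SHARED_IPS = {"192.0.2.1"}


def pivot(seed, whois=WHOIS, pdns=PASSIVE_DNS, shared_ips=SHARED_IPS):
    """Return {domain: pivot path} for every domain reachable from `seed`
    through a shared registrant e-mail or a shared, non-shared-hosting IP."""
    by_attr = defaultdict(set)  # attribute -> domains that carry it
    attrs = defaultdict(set)    # domain -> its attributes
    for domain, email in whois.items():
        by_attr[("registrant", email)].add(domain)
        attrs[domain].add(("registrant", email))
    for domain, ip in pdns:
        if ip in shared_ips:
            continue
        by_attr[("ip", ip)].add(domain)
        attrs[domain].add(("ip", ip))

    found, queue = {seed: []}, [seed]
    while queue:  # breadth-first walk across shared attributes
        current = queue.pop(0)
        for attr in sorted(attrs[current]):
            for neighbour in sorted(by_attr[attr]):
                if neighbour not in found:
                    found[neighbour] = found[current] + [f"{attr[0]}={attr[1]}"]
                    queue.append(neighbour)
    return found


if __name__ == "__main__":
    for domain, path in pivot("seed-c2.example").items():
        print(domain, "<-", " -> ".join(path) or "(seed)")
```

The recorded path for each domain is what makes a link reviewable: an analyst can check every hop before attributing a domain to the same operator.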
People and Entity Search
This type of open-source intelligence targets humans and organisations, often to uncover personal histories, contact info, affiliations, or digital footprints. It’s useful for background checks, fraud investigations, threat assessments, and identifying social engineering vectors.
Common tools include:
- LinkedIn: Employment history and professional affiliations.
- Spokeo / Whitepages: Aggregate publicly available personal info.
- HaveIBeenPwned: Checks if email addresses were involved in data breaches.
The Lazarus Group impersonated recruiters on LinkedIn, sending malware-laced job offers to IT professionals. These phishing campaigns were designed to breach networks by exploiting trust in professional platforms.
Dark Web Intelligence
While the dark web isn't always "open," analysts can still legally monitor it for actionable intelligence. Dark Web OSINT focuses on tracking threat actors, leaked data, illegal trade, and criminal forums hidden on Tor or similar networks.
Tools that are useful for gathering dark web intelligence include:
- DarkOwl Vision: Searches and indexes dark web content.
- Ahmia: A search engine for Tor hidden services.
- Tor Browser: Grants access to .onion domains (used for monitoring, not just access).
After the 2020 MGM Resorts data breach, the personal information of over 10 million customers appeared on dark web forums. Security teams used dark web monitoring to trace the leaked data and assess the scale of the breach. Many antivirus and cybersecurity platforms now include dark web monitoring features that alert users if their credentials have been exposed, similar to how the platform HaveIBeenPwned lets users check if their email address has appeared in a known data breach. Read more information about the 2020 MGM incident below.
Image and Video Intelligence
Image and video OSINT focuses on analysing audio-visual content for clues like location, timestamp, camera type, or signs of manipulation. This is especially helpful for verifying breaking news or geolocating people and events.
Google Reverse Image Search, “Yandex”, “InVID”, and “FotoForensics” are common tools used. In the MH17 crash investigation, Bellingcat analysts pieced together social media photos and video evidence to track a Russian missile system across the Ukrainian border, matching backgrounds and shadows to map the exact route it took.
A witness sent over a photo of the moment the missile was launched. On the horizon is the cable car line between Lutugina and TsOF #Торез border #Снежное pic.twitter.com/Z3mBtLjWfa
— Мізоруϟϟія крокує планетою 🇺🇦|🇪🇺| (@WowihaY) July 17, 2014
These are many different aspects of OSINT, but in the digital gold rush of artificial intelligence, a new form is slowly making an appearance…
AI-Enhanced OSINT (AI OSINT)
AI OSINT leverages machine learning, natural language processing (NLP), and computer vision to accelerate and automate open-source intelligence collection and analysis. Rather than manually searching through search engines and sifting through databases, AI tools can process text, images, audio, and video at scale, surfacing patterns, anomalies, and insights in real time.
AI is increasingly being used across all OSINT domains:
- NLP for Text Analysis: AI models can analyse vast volumes of social media posts, forums, or news articles to detect sentiment shifts, keyword clusters, or potential threats. Tools like GPT-based models and IBM Watson NLP can identify intent, emotion, and connections between entities.
- Image & Video Recognition: AI-powered computer vision tools (e.g., Clearview AI, Amazon Rekognition) can automate facial recognition, licence plate reading, and object detection. These models are also used to detect deepfakes and manipulated media — a key defence against misinformation.
- Automated Translation & Transcription: Tools like Whisper or Google Cloud Translation allow investigators to process multilingual sources, such as Telegram groups or foreign news broadcasts, without language barriers.
- Behavioural Analysis: AI can predict behavioural patterns from digital footprints. For instance, analysing browsing history, post frequency, or even emoji usage can hint at a person’s psychological profile or potential radicalisation.
In the Ukraine conflict, AI models trained on satellite imagery and social media content were used to automatically detect tank types, estimate troop numbers, and track destruction patterns in near real-time. AI helped fuse inputs from GEOINT, SOCMINT, and IMINT, enabling rapid situational awareness for both journalists and defence analysts.
Conclusion
OSINT is no longer just about checking social media, reading blogs, or browsing forums and databases. It has evolved into a sophisticated, multi-domain field. When data intelligence is combined with artificial intelligence, the possibilities multiply. The future of intelligence gathering is not just open. It’s intelligent.
Resources & References
CYBNODE's cyber analysts are world-class experts in threat intelligence, threat hunting, and incident response. 'CYBNODE Blogs' is authored exclusively by these specialists, offering in-depth analyses of real-world cyber incidents and emerging threat trends drawn from their frontline experience.