Guide

What is OSINT?

Open-source intelligence is the discipline of building intelligence from information anyone can legally access. This is what it is, who uses it, how it works, and the tools that shape it.

Summary

OSINT (Open-Source Intelligence) is the systematic collection, analysis, and synthesis of information from publicly available sources to produce actionable intelligence. It spans sub-disciplines including SOCMINT (social media), GEOINT (geospatial), and IMINT (imagery), and is practiced by investigators, law enforcement, journalists, recruiters, fraud analysts, and corporate security teams. The methodology rests on pivot-and-verify — start with a single identifier, follow it across independent public sources, cross-reference findings for attribution. Tools range from free (HaveIBeenPwned, Sherlock, Maltego Community Edition, Companies House) to paid platforms that automate synthesis across sources. OSINT is lawful where public data is concerned, but processing the data downstream triggers UK GDPR obligations that rest on the processor’s lawful basis.

A working definition

OSINT — Open-Source Intelligence — is the practice of building intelligence from information anyone can legally access. That covers social media, public records, news archives, academic papers, commercial filings, historical data-breach archives already in public circulation, and the open web.

The important part of that definition is intelligence. OSINT isn’t just research, and it isn’t just data collection. Intelligence implies analysis, synthesis, and a conclusion that a decision can be taken on. Raw data from breach records is not intelligence. That same data, cross-referenced with social-media evidence and corporate filings, producing a verified identity attribution — that is.

OSINT has military and diplomatic roots — the discipline emerged from signals and human intelligence communities as a formal counterpart. It has since become a mainstream civilian methodology, transformed by the growth of public digital footprints and the falling cost of cross-source correlation. The investigative reporting of Bellingcat, the open-source war-crimes documentation of the Centre for Information Resilience, and the commercial due-diligence work of every major corporate-intelligence firm all rest on OSINT techniques.

The sub-disciplines of OSINT

OSINT is not one thing — it is a family of related disciplines, each with its own tools, methods, and specialists.

SOCMINT — Social Media Intelligence

Analysis of public social platforms — posts, profiles, activity patterns, network relationships, sentiment. The largest and fastest-growing OSINT discipline.

GEOINT — Geospatial Intelligence

Location-based intelligence drawn from satellite imagery, mapping data, geotagged content, and photographic location cues. Used heavily in journalism and conflict reporting.

IMINT — Imagery Intelligence

Analysis of photos and video to identify locations, objects, and timing. Reverse image search, metadata extraction, and visual comparison sit here.

MASINT & HUMINT (open) — Measurement, Signatures, and Open Source Human Intelligence

Broader disciplines in the intelligence world. At the OSINT level, open-source variants include academic-research tracking, expert-citation analysis, and forum monitoring.

Corporate OSINT — Commercial and Financial Intelligence

Directorships, corporate filings, beneficial-ownership investigation, adverse-filing analysis, and supply-chain mapping through public registries.

Cyber-threat OSINT — Threat-Intelligence and Attack-Surface Research

Breach research, dark-web monitoring, attack-surface mapping, and threat-actor attribution — the OSINT workstream inside security operations.

Who actually uses OSINT?

A generation ago, OSINT was the preserve of intelligence and military functions. Today, it’s a mainstream methodology across many sectors.

Investigators and analysts

Private investigators, fraud analysts, and investigative journalists use OSINT as the foundation layer of any modern case. The Bellingcat model — verification through public data — has transformed investigative journalism.

Law enforcement

Police, counter-terror, and financial crime units all have OSINT functions. UK Counter-Terrorism Policing publishes OSINT capability-building resources. Cases are increasingly built with public-data foundations.

Recruiters and HR

Pre-employment screening increasingly includes digital OSINT alongside DBS and Right to Work checks. Large screening providers now offer OSINT as a service line.

Insurance fraud teams

SIU (Special Investigations Units) use OSINT to identify undisclosed identities, contradictory social evidence, and repeat-claimant patterns.

Corporate security

Executive-protection teams, due-diligence functions, and in-house legal run OSINT for travel security, M&A due diligence, and insider-risk programmes.

Researchers and academics

Political-violence researchers, human-rights investigators, and election-monitoring bodies use OSINT to document events that would otherwise be unverifiable.

Core techniques

OSINT is more about method than tools. A handful of core principles separate serious investigative work from ad-hoc Googling.

Pivot, don’t widen

Start with one strong identifier (an email, a username, a phone number) and follow it outwards through independent sources. Each pivot point should link back to a prior finding — you’re building a graph, not running searches.

Cross-reference for verification

No single-source finding is trusted. A name found in a breach record is a lead. The same name found in a breach record, on Companies House, AND on a social profile — now it’s a verified identity.

Record every source

Every claim in a report should cite where it came from. This is non-negotiable for defensibility. If a finding can’t be sourced, it doesn’t go in.

Build a hypothesis, try to break it

The Bellingcat model. State clearly what you believe about the subject. Then actively search for evidence that contradicts it. If the hypothesis survives contradiction, it’s stronger.

Maintain operational security

Use dedicated research accounts, avoid signed-in Google searches, VPN where appropriate, and never use real identifiers during research. Subjects sometimes have the means to look back.

The OSINT toolkit

A practitioner’s view of the tools in regular use. Grouped by source category, with a line on each about its sweet spot.

Email and identity

HaveIBeenPwned — Free breach-only checker — tells you which breaches an email is in, nothing else
Epieos — Google account profile disclosure and linked services
Sherlock — Username check across hundreds of platforms
WhatsMyName — Alternative username-enumeration tool
Hunter.io — Work-email discovery by domain
EmailRep — Email reputation and risk scoring

Social and web

Maltego — Graph-based investigation platform
SpiderFoot — Automated multi-source OSINT agent
theHarvester — Email, subdomain, and host reconnaissance
Social Catfish — Reverse-image-led people search
Wayback Machine — Historical web archive

Geospatial and visual

Google Earth — Satellite imagery and historical timeline
GeoGuessr — Location-guess training environment
ExifTool — Photo metadata extraction
TinEye — Reverse image search
Yandex Images — Strongest reverse image for non-Western content

Corporate and financial

Companies House — UK official company register — free
Open Corporates — International company data aggregator
SEC EDGAR — US company filings and disclosures
OCCRP Aleph — Cross-border corporate-network investigation

Threat and breach

DeHashed — Breach-data search for investigators
Intelligence X — Broad dark-web and leak archive
Shodan — Internet-connected device search
Censys — Certificate and attack-surface intelligence

Platforms and directories

OSINT Framework — Curated directory — starting point for specific source types
Bellingcat’s Online Investigation Toolkit — Practitioner-curated open tool list
IntelTechniques — Michael Bazzell’s training and toolset
BLACKEYES — Automated email-input investigation platform with synthesis layer

Law and ethics

OSINT is lawful in principle. But intelligence practice lives at the intersection of data protection, surveillance law, and professional ethics. Five things worth knowing.

Access versus processing

Accessing public data is not the legal question. Processing personal data — combining, storing, acting on it — is where UK GDPR obligations attach. Know the distinction.

Lawful basis is your responsibility

Most investigative OSINT uses legitimate interest as its UK GDPR basis — balanced against subject rights. Document it before the work, not after.

Breach data is a grey area

Breach records are public in the sense they've been widely circulated. Using them for legitimate investigation is generally accepted. Using them to access accounts or extort would be criminal. The line is clear.

Children and sensitive categories demand extra care

Special-category data under UK GDPR (health, political views, sexual orientation) needs a specific Schedule 2 condition. Child-related investigations have additional safeguards.

Report accuracy matters ethically, not just legally

Wrong-person attribution causes real harm. The investigator’s ethical duty is to verify before asserting — especially for anything that will go on paper, into a decision, or in front of a tribunal.

This is an overview, not legal advice. For OSINT programmes operating at scale — HR screening, insurance fraud, legal due diligence — consult your DPO or counsel on the specific data-protection and professional-conduct framework.

Getting started with OSINT

For a practitioner route, the resources that consistently produce good investigators are Bellingcat’s Online Investigation Toolkit (free, updated, practitioner-curated), Michael Bazzell’s IntelTechniques (books and training, the standard reference for a decade), and the SANS Institute OSINT training tracks.

For hands-on practice, the Trace Labs missing-person CTF events run regularly — teams compete under time pressure on real open cases, and the community feedback is direct.

For academic grounding, the European Union Intelligence and Security Committee publishes readings, and the UK’s Counter-Terrorism Policing function maintains accessible capability-building resources.

For professional screening use — recruitment, tenancy, fraud, due diligence — automated platforms lower the skills barrier. Tools like BLACKEYES run the pivot-and-verify pattern automatically from an email input and produce a structured report, without the operator needing to manually run each tool category in the toolkit section above.

Frequently asked questions

Is OSINT the same as hacking?

No. OSINT uses only publicly available sources — public social profiles, open registries, historical breach archives that are already in public circulation. Hacking involves unauthorised access to systems or data. The methods and ethics are different, even where the underlying information overlaps.

Do I need technical skills to do OSINT?

The basics can be learned by anyone. Running tools like HaveIBeenPwned, searching Companies House, and checking usernames across platforms is accessible with no technical background. Advanced work — adversary attribution, geolocation, network analysis, metadata forensics — requires training. Platforms like BLACKEYES automate the intermediate layer so non-specialists can access investigative-grade output.

What’s the best place to learn OSINT?

Start with Bellingcat’s Online Investigation Toolkit and Michael Bazzell’s IntelTechniques resources. Both are practitioner-curated and kept current. The SANS Institute offers formal training. For hands-on practice, the Trace Labs CTF events put teams against real missing-person cases under time pressure.

How is OSINT used for business?

Pre-employment screening, tenant referencing, M&A due diligence, fraud investigation, insider-risk programmes, executive-protection travel briefings, competitor analysis, and brand-protection monitoring. The common pattern: taking the same public-data methodology that journalists and investigators use and applying it to specific commercial use cases.

Can OSINT replace professional investigation?

For specific question types, yes — identity verification and digital-footprint work map cleanly onto OSINT methodology. For physical investigation, interviewing, surveillance, and formal evidence-chain work, no. Most modern investigations combine both. OSINT closes the first phase faster; human judgement runs the rest.

How do AI tools change OSINT?

AI has compressed the time cost of routine OSINT passes — what took a trained analyst two hours, an agent can attempt in minutes. What AI does NOT reliably do is judgement, attribution verification, or context interpretation. The emerging best-practice is AI for breadth + human for critical judgement on each finding.

Is OSINT legal in the UK?

Yes. Accessing publicly available data is not itself regulated. Processing the resulting personal data requires a UK GDPR lawful basis — usually legitimate interest for investigative use. Document the basis, respect data-subject rights, retain findings for the period needed and no longer.

Try OSINT without the toolkit

Enter an email. The BLACKEYES pipeline runs every pass — synthesis included — in around fifteen minutes.

Start Free See a sample report

Reports are tools, not conclusive judgements — verify material findings before reliance. See the FAQ