Open source intelligence — OSINT — is the discipline of finding, validating, and synthesising information from publicly available sources to answer specific questions. It sits between research and investigation, and it is one of the most undervalued capabilities in modern security operations. Done well, it produces actionable understanding from sources anyone can access. Done badly, it produces a pile of links and a misleading conclusion.
Start with the Question, Not the Source
The most common OSINT mistake is starting from a tool or a source and trying to find something interesting. Professional analysts start from a precisely framed question and then identify the sources that could plausibly answer it. The question shapes the entire investigation: what evidence would be sufficient, what counter-evidence would change the conclusion, what level of confidence the answer can support.
Plan Sources Before You Use Them
For any OSINT question, identify the source categories most likely to hold answers: public registers, social media, archived web content, code repositories, court records, sanctions lists, leaked datasets, technical infrastructure data. Plan which ones you will use, why, and what you expect each to contribute. The plan is what keeps an investigation focused; without it, OSINT becomes browsing.
Validation, Not Collection, Is the Hard Part
Anyone can collect information. The discipline is in validating it. Cross-source corroboration (does this fact appear in independent sources?), provenance tracking (where exactly did each piece of information come from, when?), and explicit confidence assessment (what is the strength of the evidence?) are the techniques that distinguish intelligence from speculation. A finding presented as "highly confident" when the underlying evidence is two correlated tweets is intelligence malpractice.
OSINT investigations leave footprints. Username searches across platforms, dorking against specific sites, automated scraping — these can all be visible to the targets if you are not careful. For investigative or counter-fraud work, plan operational security: separate research personas, network egress that does not trace back to your organisation, and clear policies about what subjects you will and will not approach directly.
Structured Analytical Techniques That Work
- Key Assumptions Check — what are you taking for granted that, if wrong, would change the conclusion?
- Analysis of Competing Hypotheses — list multiple explanations for the evidence, then evaluate which is best supported
- Devil's Advocate — an assigned challenger to the leading hypothesis, with permission to argue hard
- Indicators of Change — defined signs that would shift confidence in your assessment
- Provenance log — every claim in the report tied back to a specific dated source
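The provenance log above and the cross-source corroboration check from the validation section can be combined in one small structure. The following is an added example, not part of the original article; the `Source` fields, the `derived_from` link and the confidence thresholds are assumptions chosen for illustration, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Source:
    sid: str                            # analyst-assigned id (hypothetical scheme)
    url: str                            # where the information was found
    retrieved: date                     # when the analyst captured it
    derived_from: Optional[str] = None  # sid of the source this one repeats

def root_origin(sid, sources):
    """Follow derived_from links back to the original publisher."""
    seen = set()
    while sources[sid].derived_from is not None:
        if sid in seen:
            raise ValueError(f"circular derivation at {sid}")
        seen.add(sid)
        sid = sources[sid].derived_from
    return sid

def assess(claim_sources, sources):
    """Return (independent_origins, confidence_label) for one claim."""
    missing = [s for s in claim_sources if s not in sources]
    if missing:
        raise KeyError(f"claim cites sources absent from the log: {missing}")
    # Reposts and quotes collapse onto their origin, so correlated
    # sources count once rather than once per copy.
    n = len({root_origin(s, sources) for s in claim_sources})
    # Thresholds are an assumption; set them per your own standard.
    label = ("unsupported", "low", "moderate")[n] if n < 3 else "high"
    return n, label

# Constructed sample log: S2 is a repost of S1, S3 is an unrelated register.
SOURCES = {
    "S1": Source("S1", "https://example.org/post/1", date(2024, 3, 1)),
    "S2": Source("S2", "https://example.org/post/2", date(2024, 3, 1), "S1"),
    "S3": Source("S3", "https://registry.example.net/entry/77", date(2024, 3, 2)),
}
CLAIMS = {
    "C1": ["S1", "S2"],  # two posts, one origin
    "C2": ["S1", "S3"],  # two independent origins
    "C3": [],            # asserted in the report with no logged source
}

if __name__ == "__main__":
    for cid, cited in CLAIMS.items():
        print(cid, assess(cited, SOURCES))
```

Claim C1 cites two sources but rates "low" because both trace to the same origin, which is the "two correlated tweets" case described earlier.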
Where OSINT Pays Off in Security
Threat intelligence: profiling threat actors, tracking their infrastructure, mapping campaigns. Pre-incident research: understanding adversaries before they target you. Fraud investigation: linking accounts, identifying synthetic identities, tracing payment patterns. Due diligence: vendor risk, mergers and acquisitions, hiring sensitive roles. Red-team reconnaissance: adversary-perspective view of your own attack surface. Each of these benefits from a structured OSINT capability, even if it is part-time and lives inside a broader role.
The Habit That Separates Good Analysts from Great Ones
Great analysts write down what they expected to find before they go looking. Then, after the investigation, they compare what they found to what they expected. The discipline of explicit prediction is what improves analytical instinct over time. Without it, every analyst remembers the cases they got right and forgets the cases they got wrong, and judgement does not improve. With it, judgement compounds.