Get Training Advice
Get Training Advice

SEC497: Practical Open-Source Intelligence (OSINT)

SEC497Cyber Defense
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course authored by:Matt Edmondson
Course authored by:Matt Edmondson
  • GIAC Open Source Intelligence (GOSI)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 29 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Learn to perform effective, secure OSINT research with practical techniques. Explore critical OSINT tools and apply your skills in hands-on labs based on real-world scenarios.

Featured Quote

[SEC497 is] exactly what I wanted-a hands on, real-world deep dive into OSINT challenges, techniques, strategies and actual tools to use.
Mattie Swain10a Labs

Course Overview

SEC497: Practical Open-Source Intelligence (OSINT) provides practical, real-world tools and techniques to help individuals perform OSINT research safely and effectively. The OSINT training course also offers real-world examples of how those tools and techniques have been used to solve a problem or further an investigation. Hands-on labs based on actual scenarios give students opportunities to practice the skills they learn and understand how those skills can help in their research.

What You’ll Learn

  • Perform OSINT investigations with strict OPSEC
  • Manage sock puppet accounts for research
  • Recover deleted or hidden data, including breach and dark web content
  • Trace digital footprints across sites and social media
  • Uncover website owners, linked domains, and metadata
  • Analyze large datasets and produce reports for cybersecurity, M&A, and more

Business Takeaways

  • Enhance competitive intelligence through OSINT techniques
  • Improve risk management by identifying vulnerabilities
  • Strengthen incident response with rapid information gathering
  • Identify and mitigate potential threats from publicly available data
  • Streamline data collection and analysis processes for operational efficiency

Meet Your Author

Matt Edmondson
Matt Edmondson

Matt Edmondson

Senior Instructor

Matt Edmondson, Senior SANS Instructor, STI faculty, and Founder of Argelius Labs, authored SEC497 and SEC587. A DHS veteran with 11 GIAC certifications and OSCP, he draws on 20 years of investigations to deliver accessible, real-world OSINT training.

Read more about Matt Edmondson

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC497: Practical Open-Source Intelligence (OSINT).

Section 1OSINT and OPSEC Fundamentals

This section covers safe OSINT practices, key tools, and OPSEC on a budget. You'll learn to spot risky sites, analyze files, use canary tokens, and create sock puppets. It also introduces research tools, report writing, and offers an optional Linux lab to build command line skills.

Topics covered

  • The OSINT Process
  • OPSEC
  • Canary Tokens
  • Hunchly
  • Effective Note Taking and Report Writing

Labs

  • Managing Your Attribution
  • Dealing with Potential Malware
  • Canary Tokens
  • Hunchly and Obsidian
  • [Optional] Linux Command Line Practice

Section 2Essential OSINT Skills

This section covers essential OSINT skills like using search engines, finding linked websites, archiving and analyzing web data, and setting up monitoring alerts, all with OPSEC in mind. It also explores image and facial recognition, metadata, mapping tools, and ends with an optional capstone analyzing ransomware chat logs.

Topics covered

  • OSINT Link and Bookmark Collections
  • Collecting and Processing Web Data
  • Metadata and Mapping
  • Image Analysis and Reverse Image Searches
  • Facial Recognition and Translations

Labs

  • Instant Data Scraper
  • Metadata
  • Reverse Image Search
  • Facial Recognition and Translation
  • Day 2 Capstone

Section 3Investigating People

This section focuses on investigating individuals or groups by researching usernames, emails, phone numbers, and addresses. It covers fraud detection, social media analysis (including deleted and bot content), geolocation, and methods to access content without an account, while emphasizing privacy and effective research techniques.

Topics covered

  • Privacy
  • Usernames and Contact Information
  • Social Media
  • Geolocation
  • Trends, Sentiment, and Bots

Labs

  • Researching Usernames
  • Keybase and Email
  • Breach Data
  • Twitter/X
  • Detecting AI

Section 4Investigating Websites and Infrastructure

This section dives into investigating websites, IPs, and online infrastructure – even for non-tech-savvy students. It explains key concepts, real-world use cases, and tools to uncover info like IP geolocation, DNS records, WHOIS history, cloud data, and more, helping both general analysts and CTI professionals avoid pitfalls and gain deeper insights.

Topics covered

  • IP Addresses and Common Ports
  • WHOIS and DNS
  • Email Headers and Subdomains
  • Technology-focused Search Engines
  • Cyber Threat Intelligence

Labs

  • IP Address Research
  • WHOIS and DNS
  • Amass and Eyewitness
  • Censys and Shodan
  • Buckets of Fun

Section 5Automation, the Dark Web, and Large Data Sets

This section explores business research, Wi-Fi forensics, AI, and dark web investigations. You'll learn to triage large datasets, track crypto activity, and automate tasks without coding. It wraps up with resources to continue your OSINT journey, making it a well-rounded and practical mix of topics.

Topics covered

  • Researching Businesses and Wireless
  • AI for OSINT
  • Dealing with Large Datasets
  • Dark Web and Cryptocurrency
  • Automation and Path Forward

Labs

  • Business
  • Wireless
  • Bulk Data Triage
  • Tor and PGP
  • AI

Section 6Capstone: Capture the Flag

The capstone for the SEC497 course is a multi-hour event which allows students to work together in small groups to create a threat assessment for a fictional client. Students will use the skills learned throughout the course on a variety of real-world sites. The instructor will provide feedback to each group.

Things You Need To Know

Relevant Job Roles

Data Analysis (OPM 422)

NICE: Implementation and Operation

Responsible for analyzing data from multiple disparate sources to provide cybersecurity and privacy insight. Designs and implements custom algorithms, workflow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.

Explore learning path

Protection

SCyWF: Protection And Defense

This role uses cybersecurity tools to protect information, systems and networks from cyber threats. Find the SANS courses that map to the Protection SCyWF Work Role.

Explore learning path

All-Source Analyst (DCWF 111)

DoD 8140: Intelligence (Cyberspace)

Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.

Explore learning path

Threat Analysis (OPM 141)

NICE: Protection and Defense

Responsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.

Explore learning path

All-Source Collection Manager (DCWF 311)

DoD 8140: Intelligence (Cyberspace)

Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.

Explore learning path

All-Source Collection Requirements Manager (DCWF 312)

DoD 8140: Intelligence (Cyberspace)

Evaluates collection strategies, develops and validates requirements, and assesses performance to optimize collection asset effectiveness.

Explore learning path

OSINT Investigator/Analyst

Cyber Defense

These resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.

Explore learning path

Cyber Operations Planner (DCWF 332)

DoD 8140: Cyber Effects

Coordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Showing 10 of 19

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 4
    I appreciate the realism in all of these labs. Students can easily turn around and do real world OSINT investigations with many of these labs.
    Erich Nieskes
  • Slide 2 of 4
    Very Informative course and provided pointers to numerous breach data sites which could aid numerous investigations.
    Kanika Mittal
  • Slide 3 of 4
    Alt text
    Very relevant information is provided that can be deployed immediately even by novice users. Excellent!
    Shay Christensen
  • Slide 4 of 4
    The module on dealing with large data sets was very helpful. Getting a deep understanding on the challenges large data sets pose and how to work around them is very helpful and practical.
    Jamal Gumbs
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources

AltStyle によって変換されたページ (->オリジナル) /