Finding the Open Source Intelligence (OSINT) that exposes your business or agency is the first step in reducing your attack surface; you cannot lock down what you have not found. Here is how OSINT works, where the difficulties lie and which tools can help.

According to the Office of the Director of National Intelligence, Open Source Intelligence (OSINT) “is publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the internet, commercial databases and videos, graphics and drawings.”

A Primer on OSINT

Once you accept that OSINT about your organization exists, you need to go and find it systematically in order to lock it down. The Open Web Application Security Project (OWASP) offers a five-step process for managing it:

  1. Find the source: Decide which sources (search engines, social networks, code repositories, public document stores, device search engines) to look in for OSINT.
  2. Harvesting: Pull the relevant raw data out of each source you identified.
  3. Data processing: Turn the raw data into structured, meaningful information (addresses, hostnames, names, technologies) and discard what is out of scope.
  4. Analysis: Join that information across sources, so that a name from one place is linked to the address, host or document it appears with elsewhere.
  5. Reporting: Document what was found and in which source, so that each item can be removed, hardened or monitored.

Working through these steps makes it easier to know what assets you have and what those assets can reach. The scope is everything someone can find in public without digging into or breaking into any network: exposed company assets, but also social media posts. Look for employee posts that threat actors could turn into a phishing pretext, documents they could sell and network diagrams they could use to move laterally once they have a foothold.

Some Common OSINT Challenges

OSINT does come with obstacles, however. One of the greatest is collecting, processing and analyzing relevant information without breaking privacy rules. Consider obtaining the explicit consent of data subjects before doing anything with information about them.

There is also the issue of filtering. More tools and more assets mean more data, and not all of it is useful. Content filters (scope rules, deduplication, source quality) limit the OSINT you keep to what is relevant and reliable, but writing and tuning those filters is extra effort on top of the collection, processing and analysis work itself.
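As an added example (not part of OWASP's process description and not the code of any tool on this page), the following Python script runs the five steps end to end over three constructed sources and applies the kind of scope filter the paragraph above calls for. The sources, addresses, hostnames and the example.com scope are all made up; the `harvest` step is a dictionary lookup standing in for real HTTP, PDF or search-engine clients.

```python
"""The five OSINT steps run end to end over constructed sources.
Added example; not OWASP's or any listed tool's code."""
import re
from collections import Counter, defaultdict

# Step 1 (find the source): constructed stand-ins for a corporate web page,
# text dumped from a public PDF and a job advert. Everything here is made up.
SOURCES = {
    "corp-site": (
        "Contact us: press@example.com or jane.doe@example.com. "
        "Customer portal: https://portal.example.com/login "
        "(static assets served from https://cdn.example-partner.net/app.js)"
    ),
    "pdf-dump": (
        "Prepared by j.doe@example.com. Remote staff use vpn.example.com "
        "(10.0.0.5); see also mail.example.com and legacy.example.com."
    ),
    "job-post": (
        "We run WordPress and Jenkins at ci.example.com. "
        "Contact hr@example.com, jane.doe@example.com or bob.smith@example.com."
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A dotted hostname that is not glued to a preceding '@', '.', '-' or word char.
HOST_RE = re.compile(r"(?<![\w.@-])((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def harvest(sources):
    """Step 2 (harvesting): fetch the raw text of each source. The fetch is a
    dict lookup here; in a real run it is the HTTP, PDF or search-engine client."""
    return {name: text for name, text in sources.items()}


def process(raw, scope_domain):
    """Step 3 (data processing): extract indicators and keep only those in scope.
    The scope test is the content filter that keeps partner domains and stray
    strings such as 'app.js' out of the data set. Returns {(kind, value): {source}}."""
    findings = defaultdict(set)
    scope = scope_domain.lower()
    for src, text in raw.items():
        for email in EMAIL_RE.findall(text):
            if email.lower().endswith("@" + scope):
                findings[("email", email.lower())].add(src)
        # Blank out addresses first so 'jane.doe' is not misread as a hostname.
        for host in HOST_RE.findall(EMAIL_RE.sub(" ", text)):
            host = host.lower()
            if host == scope or host.endswith("." + scope):
                findings[("host", host)].add(src)
    return findings


def _shape(local_part):
    """Classify an address's local part: role mailbox, f.last or first.last."""
    if "." not in local_part:
        return "role"
    first = local_part.split(".", 1)[0]
    return "f.last" if len(first) == 1 else "first.last"


def analyze(findings):
    """Step 4 (analysis): join the per-source results. Indicators seen in more
    than one source are corroborated; the dominant address shape is what an
    attacker would use to guess further staff addresses."""
    emails = sorted(value for kind, value in findings if kind == "email")
    hosts = sorted(value for kind, value in findings if kind == "host")
    corroborated = sorted(value for (kind, value), srcs in findings.items() if len(srcs) > 1)
    shapes = Counter(_shape(e.split("@")[0]) for e in emails)
    shapes.pop("role", None)
    naming = shapes.most_common(1)[0][0] if shapes else None
    return {"emails": emails, "hosts": hosts, "corroborated": corroborated, "naming": naming}


def report(findings, summary):
    """Step 5 (reporting): what was found, where, and whether it was corroborated."""
    lines = [f"Scope hosts: {len(summary['hosts'])}, addresses: {len(summary['emails'])}, "
             f"likely address format: {summary['naming']}"]
    for (kind, value), srcs in sorted(findings.items()):
        flag = "  (corroborated)" if value in summary["corroborated"] else ""
        lines.append(f"{kind:5} {value:26} <- {', '.join(sorted(srcs))}{flag}")
    return "\n".join(lines)


def run(sources=SOURCES, scope_domain="example.com"):
    findings = process(harvest(sources), scope_domain)
    return report(findings, analyze(findings))


if __name__ == "__main__":
    print(run())
```

The scope filter is deliberately applied at the processing step rather than during reporting: the partner CDN and the stray `app.js` never enter the data set, so the analysis step cannot mistake them for company assets. Replace `harvest` with real fetchers and the rest of the pipeline stays the same.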

10 OSINT Tools That Can Help

To push back against these challenges, equip teams with a range of tools that help them collect OSINT. Below are 10 tools they might consider. (The tools are not ranked; they are listed alphabetically.)

BuiltWith

BuiltWith profiles the technology stack and platforms behind a given website, and it lists the JavaScript/CSS libraries, plugins and other components the site uses. Run against your own sites, that inventory shows what an attacker sees, such as an outdated WordPress install or plugin, so that patching and upgrades can be prioritized.
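The fingerprinting a profiler performs is largely pattern matching over the page's own HTML. The following Python script, an added example that is not BuiltWith's code, shows the idea on a constructed WordPress page: it reads the generator meta tag, plugin and theme paths, `?ver=` cache-busters and cdnjs-style library paths, then compares the result with an approved baseline. Every version number, including the baseline, is made up for the example.

```python
"""Technology fingerprinting from a page's own HTML, in the spirit of BuiltWith.
Added example; not BuiltWith's code. The page and every version number are made up."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="generator" content="WordPress 5.8.1">
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2">
<link rel="stylesheet" href="/wp-content/themes/twentytwenty/style.css?ver=1.8">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/4.6.0/js/bootstrap.min.js"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js?ver=5.6.0"></script>
</head><body><p>Powered by <a href="https://wordpress.org/">WordPress</a></p></body></html>
"""

PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?]+)/")
THEME_RE = re.compile(r"/wp-content/themes/([^/?]+)/")
VER_RE = re.compile(r"[?&]ver=([0-9][\w.-]*)")       # WordPress cache-buster
CDN_RE = re.compile(r"/libs/([^/]+)/(\d[\w.-]*)/")  # cdnjs-style /libs/<name>/<ver>/


class StackParser(HTMLParser):
    """Collect component -> version from generator tags and asset URLs."""

    def __init__(self):
        super().__init__()
        self.components = {}

    def _note(self, name, version):
        # Keep the first version seen; upgrade a None to a real version later.
        if name not in self.components or (version and not self.components[name]):
            self.components[name] = version

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            name, _, version = (a.get("content") or "").partition(" ")
            self._note(name, version or None)
            return
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return
        m = VER_RE.search(url)
        ver = m.group(1) if m else None
        m = PLUGIN_RE.search(url)
        if m:
            self._note("wp-plugin:" + m.group(1), ver)
        m = THEME_RE.search(url)
        if m:
            self._note("wp-theme:" + m.group(1), ver)
        m = CDN_RE.search(url)
        if m:
            self._note(m.group(1).lower(), m.group(2))
        if "jquery" in url.lower():
            self._note("jquery", ver)


def fingerprint(html):
    """Return {component: version-or-None} for one page's HTML."""
    parser = StackParser()
    parser.feed(html)
    return parser.components


def version_tuple(v):
    """'5.8.1' -> (5, 8, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in re.split(r"[.-]", v))


# Illustrative baseline only: the versions you have approved, NOT real release
# numbers. Feed it from your patch-management data in practice.
BASELINE = {"WordPress": "5.9", "wp-plugin:contact-form-7": "5.5", "jquery": "3.6.0"}


def outdated(components, baseline=BASELINE):
    """Components whose observed version is older than the approved baseline."""
    return sorted(name for name, ver in components.items()
                  if ver and name in baseline
                  and version_tuple(ver) < version_tuple(baseline[name]))


if __name__ == "__main__":
    found = fingerprint(SAMPLE_HTML)
    for name, ver in sorted(found.items()):
        print(f"{name:28} {ver or '?'}")
    print("behind baseline:", outdated(found))
```

Note that `version_tuple` compares numerically; a plain string comparison would rank 5.10 below 5.9 and hide an outdated component.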

Creepy

Creepy is an OSINT tool written in Python that collects geolocation data from social networking sites and image hosting services and plots it on a map. Users can also export the results as .CSV or .KML files for display in Google Maps.

theHarvester

theHarvester gathers email addresses, subdomains, IPs, URLs and other data from numerous public sources. On the passive side it can query search engines such as DuckDuckGo and Google. It also has active capabilities, such as DNS brute forcing and taking screenshots of the subdomains it finds; those send traffic to the target's infrastructure, so keep them for assets you own or are authorized to test.

Maltego

A Java tool that runs on Windows, Linux and macOS, Maltego is a graphical link analysis tool that helps users gather and connect OSINT as part of an ongoing investigation. Maltego comes with 58 data integrations from over 35 data partners, and it lets users choose between four layouts to recognize patterns in the data they have uncovered.

Metagoofil

The value of Metagoofil lies in its ability to extract metadata from public documents, including PDFs and Microsoft Office files. It uses a Google search to find the documents and downloads them to local disk, then uses Hachoir, PdfMiner and other libraries to lift the metadata (author names, usernames, software versions, paths) out of them.

Recon-ng

Recon-ng is a framework that stands apart from the others through its focus on web-based open source reconnaissance. Users carry out their reconnaissance work through modules, and Recon-ng ships with several, including modules that uncover further domains related to a target domain.

Shodan

Shodan searches for internet-connected devices rather than web pages: it indexes the service banners that hosts expose, so it surfaces assets such as Internet of Things (IoT) products and management interfaces that a website crawl would never show. Searching for your own address ranges and organization name is a quick way to find exposed devices, confirm that they are meant to be reachable and make sure they are kept up to date. Note that it shows only what is exposed to the internet, not every device an organization owns.

SpiderFoot

Those running Linux- and Windows-based machines can use SpiderFoot to automate their collection of OSINT. This open source reconnaissance tool comes with over 200 modules for data collection and analysis, which helps teams gain a broad view of their attack surface, including low-hanging fruit such as unmanaged assets and exposed credentials.

Spyse

With more than 25 billion records about online assets, Spyse helps users collect public data on websites, servers and internet-connected devices. Security teams can use that data to review risks and suspicious connections between those assets in an effort to minimize their employer's attack surface.

TinEye

Unlike the other OSINT tools discussed so far, TinEye focuses on reverse image search. It can help moderate content posted on the web, detect fraud involving a brand and track where a given image is appearing online.

The Importance of Trust With OSINT

Regardless of whether they elect to work with one of the utilities discussed above or something else, security teams need to make sure they are working with tools they can trust. That is the logic behind supporting the Open Cybersecurity Alliance and its work to connect the fragmented digital security landscape using agreed-upon technologies. It is also the idea behind choosing threat hunting tools backed by over 100 Technology Alliance programs and integrations.
