SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis

  • In Person (6 days)
  • Online
36 CPEs

With Open-Source Intelligence (OSINT) being the engine of most major investigations in this digital age the need for a more advanced course was imminent. The data in almost every OSINT investigation becomes more complex to collect, exploit and analyze. For this OSINT practitioners all around the world have a need for performing OSINT at scale and means and methods to check and report on the reliability of their analysis for sound and unbiased reports. In SEC587 you will learn how to perform advanced OSINT Gathering & Analysis as well as understand and use common programming languages such as JSON and Python. SEC587 also will go into Dark Web and Financial (Cryptocurrency) topics as well as disinformation, advanced image and video OSINT analysis. This is an advanced fast-paced course that will give seasoned OSINT investigators new techniques and methodologies and entry-level OSINT analysts that extra depth in finding, collecting and analyzing data sources from all around the world.

What You Will Learn

SANS SEC587 is an advanced Open-Source Intelligence (OSINT) course for those who already know the foundations of OSINT. The goal is to provide students with more in-depth and technical OSINT knowledge. Students will learn OSINT skills and techniques that law enforcement, intelligence analysts, private investigators, journalists, penetration testers and network defenders use in their investigations.

Open-source intelligence collection and analysis techniques are increasingly useful in a world where more and more information is added to the internet every day. With billions of internet users sharing information on themselves, their organizations, and people and events they have knowledge of, the internet is a resource-rich environment for intelligence collection. SEC587 is designed to teach you how to efficiently utilize this wealth of information for your own investigations.

SEC587 will take your OSINT collection and analysis abilities to the next level, whether you are involved in intelligence analysis, criminal and fraud investigations, or just curious about how to find out more about anything! SEC587 is replete with hands-on exercises, real-world scenarios, and interaction with live internet and dark web data sources.

This course is also blended with all the fundamentals an OSINT analyst will need to learn and understand and apply basic coding in languages such as Python, JSON, and shell utilities as well as interacting with APIs for automating your OSINT processes.

SEC587 students will learn effective OSINT methods and techniques including:

  • Structured intelligence analysis
  • Rating the reliability of information and its sources
  • Researching sensitive and secretive groups
  • Practical and Advanced Image and video analysis and verification
  • Dark web and criminal underground investigations.
  • Operational Security (OPSEC) for OSINT
  • Fact-checking and analysis of disinformation and misinformation
  • Knowing cryptocurrency fundamentals and tracking
  • Using basic coding to facilitate information collection and analysis
  • Interacting with APIs for data collection and filtering
  • Conducting internet monitoring
  • Automation techniques to support OSINT processes

You Will Receive with this Course:

Physical and digital workbooks and a course specific Virtual Machine (VM) tailored for this Advanced Open Source Intelligence Gathering and Analysis course

This Course Will Prepare You to:

  • Take a dive more in-depth into finding, collecting, and analyzing information found on the internet
  • Debug, understand, alter, and create your own OSINT-focused Python scripts
  • Move and pivot around safely on the Dark Web
  • Perform financial OSINT investigations

Syllabus (36 CPEs)

Download PDF
  • Overview

    We live in an information age where disinformation is becoming more and more common.

    In the first section of day 1 students will learn what disinformation is by understanding how disinformation campaigns are set up and deployed.

    The rest of day one serves as an introduction to coding automation techniques for OSINT and teaches students how to efficiently collect and analyze large quantities of information. The basics of simple scripts are covered, along with simple techniques for manipulating data that has been collected. JavaScript Object Notation (JSON) data is commonly encountered by OSINT analysts and must be appropriately collected, filtered, manipulated, and searched to be leveraged in an investigation.

    • Detecting and analyzing disinformation and fake news
    • Using shell utilities for OSINT data collection and analysis
    • Determining file and data types
    • Working with structured and unstructured data
    • Normalization of data for analysis
    • Analyzing large sets of data
    • Searching and extracting specific data from a dataset
    • Understanding and parsing JavaScript Object Notation data
    • Introduction to Application Programming Interfaces (APIs)
  • Overview

    Standard intelligence information analysis techniques and processes for assessing the reliability of information are a key element of intelligence, and application of these techniques to OSINT are discussed.

    We close off day one with an advanced section on how to analyze gathered OSINT information using several reliability rating and analytic assessment techniques such as Admiralty code, Analysis of Competing Hypothesis and CRAAP analysis. These techniques will help students to make their overall analysis outcome become more solid.

    Students will also learn how to detect and analyze various forms of disinformation using advanced and structured methodologies and reliability rating systems.

    Day two will also show students what APIs are and how to access them using various coding languages. We close off day two with an advanced section on how to perform data analysis using Python and Pandas coding.

    • Understanding reliability rating models for OSINT
    • Rating the reliability of information
    • US Army OSINT and the Admiralty/NATO system
    • Currency, Relevance, Authority, Accuracy & Purpose (CRAAP)
    • Standard intelligence assessment techniques
    • Analysis of Competing Hypotheses (ACH) and other methods
    • Sharing and organizing data on GitHub
    • Fundamentals of the Python programming language
    • Data collection via API using Python
    • Data analysis with Python and Pandas

  • Overview

    The beginning of day three is about how to analyze sensitive groups and individuals who identify with groups online. This is becoming increasingly important because many of the targets of OSINT work may be individuals who like to identify themselves within a group or are part of a group.

    Students will also learn practical and advanced image and video verification techniques.

    • Use of Unique Identifying Labels (UILs)
    • Identifying Sensitive Groups using UIL techniques
    • Investigate and link individuals using UILs
    • Discovering the nexus of hate groups and victims
    • Practical and Advanced Image and video verification techniques
  • Overview

    This day starts off with instruction on useful concepts for creating and maintaining fictitious identities (sock puppets), particularly those used to interact with others, and how to maintain Operations Security (OPSEC). Within SEC587 students will get a more advanced understanding of how OSINT techniques can be applied on the Dark Web by learning about dark web networks. Students will learn techniques for collecting information on the dark web from private groups and underground forums or marketplaces. We will close of this day with an examination of the fundamentals of cryptocurrency, and techniques for tracking public cryptocurrency transactions.

    • Creating and maintaining false personas
    • Communicating with targets and other sources of information
    • Operational security (OPSEC)
    • Dark web basics
    • Decentralized DNS systems
    • Searching for dark web content
    • Essential cybercrime underground concepts
    • Underground marketplaces, shops and forums
    • Creating and maintaining false personas
    • Communicating with targets and other sources of information
    • Understanding cryptocurrency and the blockchain
    • Investigating cryptocurrency wallets and transactions
  • Overview

    Day five will start with tools and techniques that will aid OSINT analysts in using and building their own monitoring and online searching tools. This section will teach students how to utilize third party web-based monitoring tools as well as how to monitor various topics of interest. Students will also learn how to find, gather, and analyze everything that is related to vehicles (cars, boats, planes, trains etc.) using open-source information.

    • Practical OSINT monitoring using web services
    • Automated internet monitoring using third-party tools
    • Visualization of data sets to support network analysis
    • Collection and analysis of open-source vehicle tracking information
  • Overview

    This will be the capstone for SEC587 that brings together everything that students have learned throughout the course. This will be a team effort where groups compete against each other by collecting OSINT data about live online subjects. The output from this capstone event will be turned in as a deliverable to the client (the instructor and fellow classmates). This hands-on event reinforces what students have practiced during labs and adds the complexity of performing OSINT using Python code and various advanced OSINT techniques under time pressure as a group.


SEC587 is a fast-paced, advanced course that is meant to build upon previous knowledge and experience in OSINT. The SANS SEC487 Open-Source Intelligence Gathering and Analysis course is recommended but not required prior to taking this course.

  • Basic knowledge and experience with open-source intelligence collection.
  • Rudimentary understanding of intelligence analysis
  • Knowledge of how to use a Virtual Machine (VM)

Laptop Requirements


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.

Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

You also must have 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.


  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this course (Important - Please Read: a 64-bit system processor is mandatory)
  • BOIS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this course (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • Wireless Ethernet 802.11 G/N/AC
  • USB 3.0 port (courseware provided via USB)
  • Disk: 30 gigabytes of free disk space
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
  • Privileged access to the host operating system with the ability to disable security tools
  • A Linux virtual machine will be provided in class

Your course media will now be delivered via download. The media files for class can be large, roughly 40-50GB in size. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form and this class uses an electronic workbook in addition to the PDFs. In this new environment, we found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

Author Statement

"I have been practicing Open-Source Intelligence for over 20 years. There are lots of good OSINT study materials out there, but none took me to that advanced level. I know people want more, complex, in-depth knowledge on how to utilize OSINT in a professional way. This course was built by OSINT investigators and analysts with years and years of real-world experience in various backgrounds for OSINT investigators & analysts. This course is not about pushing buttons, it is all about in-depth and advanced methodology, sound analysis and practical real-world examples."

- Nico Dekens

"Although there are a number of open-source intelligence courses available, few go far beyond manually collecting information using browsers and search engines. Although these are core skills, there is another level OSINT investigators and analysts can get to. We designed this course with more advanced content to show students how to improve their collection and analysis using OSINT. Covering concepts from simple coding for automated collection and monitoring to a better understanding of how one conducts real intelligence analysis, it is all based on actual use cases with a hands-on learning style."

- John TerBush

"OSINT has become an essential part of many facets of information security. Whether working primarily as a network defender, a red teamer, or as an OSINT analyst, the core OSINT skills have applicability to many problems that we face in Infosec. To effectively collect and analyze the ever increasing amounts of relevant information, a shift must be made to leverage automation. This course covers different approaches to automation of the OSINT process as well as diving into more advanced analysis techniques. Building on use cases that reflect real-world problems, the course provides learning opportunities through relevant hands-on exercises, giving students tools and techniques that they can take back and apply to their unique challenges in their workplaces."

- David Mashburn


Having a broad coverage over multiple areas of OSINT is really helpful to reinforce the fundamentals and understand the diverse applications of an open source investigator's skills.
Dan Black
This content is the next level for OSINT researchers. It fills in the areas that I have not been using but wanted to learn.
Janie Brewer
Very relevant material that provided a lot of good resources for my day to day work.
Christopher Brown

    Register for SEC587