SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis

  • Online
36 CPEs

Open-Source Intelligence (OSINT) is the engine of most major investigations in this digital age, so there has been an increasing need for a more advanced course on the topic. The data in almost every OSINT investigation have become more complex to collect, exploit, and analyze, so practitioners around the world need to perform OSINT at scale and have the means and methods to check and report on the reliability of their analysis for sound and unbiased reports. In SEC587 you will learn how to perform advanced OSINT gathering and analysis, and understand and use common data formats and programming languages such as JSON and Python. SEC587 will also cover the dark web and financial (cryptocurrency) topics, as well as OSINT analysis of disinformation and fake news. This is a fast-paced advanced course that provides seasoned OSINT investigators with new techniques and methodologies, while giving entry-level OSINT analysts the extra depth they need to find, collect, and analyze data sources from all around the world.

What You Will Learn

SANS SEC587 is an advanced Open-Source Intelligence (OSINT) course for those who already know the foundations of OSINT. This course will provide students with more in-depth and technical OSINT knowledge. Students will learn OSINT skills and techniques used in investigations by law enforcement, intelligence analysts, private investigators, journalists, penetration testers, and network defenders.

Open-source intelligence collection and analysis techniques are increasingly useful in a world where more and more information is added to the Internet every day. Billions of Internet users share information on themselves, their organizations, and people and events they have knowledge of, so it is a resource-rich environment for intelligence collection. SEC587 is designed to teach you how to efficiently use this wealth of information for your own investigations.

SEC587 will take your OSINT collection and analysis abilities to the next level, whether you are involved in intelligence analysis, criminal and fraud investigations, or just curious about how to find out more about anything! The course is filled with hands-on exercises, real-world scenarios, and interaction with live Internet and dark web data sources. SEC587 also provides all the fundamentals an OSINT analyst will need to learn, understand, and apply basic coding with Python, JSON, and shell utilities, as well as to interact with APIs to automate OSINT processes.

In SEC587, students will learn effective OSINT methods and techniques such as:

  • Structured intelligence analysis
  • Rating the reliability of information and its sources
  • Researching sensitive and secretive groups
  • Image and video analysis and verification
  • Dark web and criminal underground investigations
  • Creating and operating false personas (sock puppets)
  • Fact-checking and analysis of disinformation and misinformation
  • Cryptocurrency fundamentals and tracking
  • Using basic coding to facilitate information collection and analysis
  • Interacting with APIs for data collection and filtering
  • Conducting Internet monitoring
  • Automation techniques to support OSINT processes

Syllabus (36 CPEs)

  • Overview

    Section one of the course introduces coding automation techniques for OSINT and teaches how to efficiently collect and analyze large quantities of information. The basics of simple scripts are covered, along with simple techniques to manipulate data that have been collected. OSINT analysts frequently encounter JavaScript Object Notation (JSON) data, so those data must be appropriately collected, filtered, manipulated, and searched in order to be leveraged in an investigation. Standard intelligence information analysis techniques and processes to assess the reliability of information are a key element of intelligence, so we'll discuss the application of these techniques to OSINT. We close the first course section with an advanced discussion on how to analyze gathered OSINT information using several reliability rating and analytic assessment techniques, including Admiralty Code, Analysis of Competing Hypotheses, Currency, Relevance, Authority, Accuracy & Purpose (CRAAP) Analysis, and Adversarial Misinformation and Influence Tactics & Techniques (AMITT). These techniques will help students strengthen and consolidate their overall analysis outcome.

    • Introduction to OSINT automation
    • Using shell utilities for OSINT research
    • Determining file and data types
    • Working with structured and unstructured data
    • Normalizing data for analysis
    • Analyzing large sets of data
    • Searching and extracting specific data from a dataset
    • Understanding and parsing JavaScript Object Notation data
    • Sharing and organizing data on GitHub
    • Rating the reliability of information
      • Admiralty/NATO system
      • CRAAP
    • Standard intelligence assessment techniques
      • Analysis of Competing Hypotheses (ACH) and other methods
      • AMITT
  • Overview

    We live in an information age when disinformation is becoming more and more common.

    In this section students will learn what disinformation is by understanding how disinformation campaigns are set up and deployed. Students will also learn how to detect and analyze various forms of disinformation using advanced and structured methodologies and reliability rating systems. We will also show students what APIs are and how to access them using various coding languages. We close the course section with an advanced discussion on how to perform data analysis using Python and Pandas coding.

    • Understanding and analyzing disinformation
    • API introduction and overview
    • Data retrieval using command-line utilities
    • Data collection via API using Python curl
    • Data analysis with Python and Pandas
  • Overview

    The third course section starts with a discussion of financial OSINT that examines the fundamentals of cryptocurrency and techniques to track public cryptocurrency transactions. We will then turn to how to analyze sensitive groups and individuals who identify with groups online. This is becoming increasingly important because many of the targets of OSINT work may be individuals who like to identify themselves within a group or are part of a group.

    • Understanding cryptocurrency and the blockchain
    • Investigating cryptocurrency wallets and transactions
    • Use of Unique Identifying Labels (UILs)
    • Identifying sensitive groups using UIL techniques
    • Target lists and individuals using UILs
    • Discovering the nexus of hate groups and victims
  • Overview

    In this course section, students will learn about dark web networks in order to gain a more advanced understanding of how OSINT techniques can be applied on the dark web. We will look at techniques to collect information on the dark web from private groups and underground forums and marketplaces. Students will also learn how to maintain Operations Security (OPSEC), core concepts to create and maintain false personas (sock puppets), and practical image and video verification techniques.

    • Dark web basics
    • Decentralized DNS systems
    • Tor basics
    • Searching on Tor
    • Essential cybercrime underground concepts
    • Underground marketplaces, shops, and forums
    • Creating and maintaining false personas
    • Communicating with targets and other sources of information
    • Practical image and video verification techniques
  • Overview

    This course section will start with tools and techniques to help OSINT analysts use and build their own monitoring and online search tools. Students will learn how to utilize third-party, web-based monitoring tools as well as how to craft custom Python code to monitor various topics of interest. Students will also learn how to use open-source information to find, gather, and analyze everything that is related to vehicles (cars, boats, planes, trains, etc.).

    • Using web services for practical OSINT monitoring
    • Monitoring using third-party tools
    • Creating custom Python code for monitoring
    • Gathering and analyzing vehicle tracking information
  • Overview

    This capstone section for SEC587 brings together everything students have learned throughout the course. Students working in teams will compete against each other by collecting OSINT data about live online subjects. The output will be turned in as a deliverable to the client (the instructor and fellow classmates). This hands-on event reinforces what students have practiced during labs and adds the complexity of performing OSINT using Python code and various advanced OSINT techniques under time pressure as a group.


SEC587 is a fast-paced advanced course that is meant to build upon previous knowledge and experience in OSINT. The SEC487: Open-Source Intelligence Gathering and Analysis course is recommended but not required prior to taking this course. The basic prerequisites for SEC587 are:

  • Basic knowledge and experience with open-source intelligence collection
  • Rudimentary understanding of intelligence analysis
  • Knowledge of how to use a Virtual Machine

Laptop Requirements


A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.

Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

You also must have 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x, or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class if they're enabled on your system.


  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this course (Important - Please Read: A 64-bit system processor is mandatory)
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this course (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • Wireless Ethernet 802.11 G/N/AC
  • USB 3.0 port (courseware provided via USB)
  • Disk: 30 gigabytes of free disk space
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+
  • Privileged access to the host operating system with the ability to disable security tools
  • A Linux virtual machine will be provided in class

Your course media will be delivered via download, and can be large, roughly 40-50GB in size. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form and this course uses an electronic workbook in addition to the PDFs. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

Author Statement

"I have been practicing open-source intelligence for over 20 years. There are lots of good OSINT study materials out there, but none took me to an advanced level. I know people want more complex and in-depth knowledge of how to utilize OSINT in a professional way. This course was built by OSINT investigators and analysts with years and years of real-world experience in various backgrounds for OSINT investigators and analysts. The course is not about pushing buttons; it is all about in-depth and advanced methodology, sound analysis, and practical real-world examples."

- Nico Dekens

"Although there are a number of open-source intelligence courses available, few go much beyond manually collecting information from web platforms or search engines with a browser. Although core skills are important, there is another level that OSINT investigators and analysts can get to. This course covers concepts from simple coding to conduct automated collection and monitoring to a better understanding of how one conducts real intelligence analysis. Best of all, the course is based on realistic use cases with a hands-on learning style. If you are looking for an advanced, immersive, and interactive OSINT course, this training is for you!"

- John TerBush

"OSINT has become an essential part of many facets of information security. Whether you work primarily as a network defender, a red teamer, or an OSINT analyst, the core OSINT skills have applicability to many problems that we all face in InfoSec. To effectively collect and analyze the ever-increasing amounts of relevant information, a shift must be made to leverage automation. This course covers different approaches to automation of the OSINT process and also dives into more advanced analysis techniques. Building on use cases that reflect real-world problems, the course provides learning opportunities through relevant hands-on exercises, giving students tools and techniques that they can take back and apply to their unique challenges in their workplaces."

- David Mashburn

Register for SEC587

  • In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

  • OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.
