SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis

  • In Person (6 days)
  • Online
36 CPEs

With Open-Source Intelligence (OSINT) being the engine of most major investigations in this digital age the need for a more advanced course was imminent. The data in almost every OSINT investigation becomes more complex to collect, exploit and analyze. For this OSINT practitioners all around the world have a need for performing OSINT at scale and means and methods to check and report on the reliability of their analysis for sound and unbiased reports. In SEC587 you will learn how to perform advanced OSINT Gathering & Analysis as well as understand and use common programming languages such as JSON and Python. SEC587 also will go into Dark Web and Financial (Cryptocurrency) topics as well as disinformation, advanced image and video OSINT analysis. This is an advanced fast-paced course that will give seasoned OSINT investigators new techniques and methodologies and entry-level OSINT analysts that extra depth in finding, collecting and analyzing data sources from all around the world.

What You Will Learn

SANS SEC587 is an advanced Open-Source Intelligence (OSINT) course for those who already know the foundations of OSINT. The goal is to provide students with more in-depth and technical OSINT knowledge. Students will learn OSINT skills and techniques that law enforcement, intelligence analysts, private investigators, journalists, penetration testers and network defenders use in their investigations.

Open-source intelligence collection and analysis techniques are increasingly useful in a world where more and more information is added to the internet every day. With billions of internet users sharing information on themselves, their organizations, and people and events they have knowledge of, the internet is a resource-rich environment for intelligence collection. SEC587 is designed to teach you how to efficiently utilize this wealth of information for your own investigations.

SEC587 will take your OSINT collection and analysis abilities to the next level, whether you are involved in intelligence analysis, criminal and fraud investigations, or just curious about how to find out more about anything! SEC587 is replete with hands-on exercises, real-world scenarios, and interaction with live internet and dark web data sources.

This course is also blended with all the fundamentals an OSINT analyst will need to learn and understand and apply basic coding in languages such as Python, JSON, and shell utilities as well as interacting with APIs for automating your OSINT processes.

Skills Learned

  • Debug, understand, alter, and create your own OSINT-focused Python scripts
  • Move and pivot around safely on the Dark Web
  • Perform financial OSINT investigations

Syllabus Summary

  • Section 1: Disinformation and Coding for OSINT Efficiency
  • Section 2: Intelligence Analysis and Data Analysis with Python
  • Section 3: Sensitive Group Investigations, Video and Image Verification, and Artificial Intelligence for OSINT
  • Section 4: Sock Puppets, OPSEC, Dark Web and Cryptocurrency
  • Section 5: Automated Monitoring, Vehicle Tracking, and Dealing with Password-Protected Files
  • Section 6: Capstone

What You Will Receive

Physical and digital workbooks and a course specific Virtual Machine (VM) tailored for this Advanced Open Source Intelligence Gathering and Analysis course

Syllabus (36 CPEs)

Download PDF
  • Overview

    We live in an information age where disinformation is becoming more and more common.

    In the first section of day 1 students will learn what disinformation is by understanding how disinformation campaigns are set up and deployed.

    The rest of day one serves as an introduction to coding automation techniques for OSINT and teaches students how to efficiently collect and analyze large quantities of information. The basics of simple scripts are covered, along with simple techniques for manipulating data that has been collected. JavaScript Object Notation (JSON) data is commonly encountered by OSINT analysts and must be appropriately collected, filtered, manipulated, and searched to be leveraged in an investigation.

    • Detecting and analyzing disinformation and fake news
    • Using shell utilities for OSINT data collection and analysis
    • Determining file and data types
    • Working with structured and unstructured data
    • Normalization of data for analysis
    • Analyzing large sets of data
    • Searching and extracting specific data from a dataset
    • Understanding and parsing JavaScript Object Notation data
    • Introduction to Application Programming Interfaces (APIs)
  • Overview

    Standard intelligence information analysis techniques and processes for assessing the reliability of information are a key element of intelligence, and application of these techniques to OSINT are discussed.

    We close off day one with an advanced section on how to analyze gathered OSINT information using several reliability rating and analytic assessment techniques such as Admiralty code, Analysis of Competing Hypothesis and CRAAP analysis. These techniques will help students to make their overall analysis outcome become more solid.

    Students will also learn how to detect and analyze various forms of disinformation using advanced and structured methodologies and reliability rating systems.

    Day two will also show students what APIs are and how to access them using various coding languages. We close off day two with an advanced section on how to perform data analysis using Python and Pandas coding.

    • Understanding reliability rating models for OSINT
    • Rating the reliability of information
    • US Army OSINT and the Admiralty/NATO system
    • Currency, Relevance, Authority, Accuracy & Purpose (CRAAP)
    • Standard intelligence assessment techniques
    • Analysis of Competing Hypotheses (ACH) and other methods
    • Sharing and organizing data on GitHub
    • Fundamentals of the Python programming language
    • Data collection via API using Python
    • Data analysis with Python and Pandas
  • Overview

    The beginning of day three is about how to analyze sensitive groups and individuals who identify with groups online. This is becoming increasingly important because many of the targets of OSINT work may be individuals who like to identify themselves within a group or are part of a group.

    Students will also learn practical and advanced image and video verification techniques and talk about practical ways to incorporate artificial intelligence into their OSINT research.

    • Use of Unique Identifying Labels (UILs)
    • Identifying Sensitive Groups using UIL techniques
    • Investigate and link individuals using UILs
    • Discovering the nexus of hate groups and victims
    • Practical and Advanced Image and video verification techniques
    • Artificial Intelligence for OSINT
  • Overview

    This day starts off with instruction on useful concepts for creating and maintaining fictitious identities (sock puppets), particularly those used to interact with others, and how to maintain Operations Security (OPSEC). Within SEC587, students will get a more advanced understanding of how OSINT techniques can be applied on the Dark Web by learning about dark web networks. Students will learn advanced techniques for finding the true location of servers hosting sites on the dark web as well as automated methods for dark web monitoring. We will close this day with an examination of the fundamentals of cryptocurrency and techniques for tracking public cryptocurrency transactions.

    • Creating and maintaining false personas
    • Communicating with targets and other sources of information
    • Operational security (OPSEC)
    • Dark web basics
    • Decentralized DNS systems
    • Searching for dark web content
    • Essential cybercrime underground concepts
    • Underground marketplaces, shops and forums
    • Understanding cryptocurrency and the blockchain
    • Investigating cryptocurrency wallets and transactions
  • Overview

    Day five will start with tools and techniques that will aid OSINT analysts in using and building their own monitoring and online searching tools. This section will teach students how to utilize third party web-based monitoring tools as well as how to monitor various topics of interest. Students will also learn how to find, gather, and analyze everything that is related to vehicles (cars, boats, planes, trains etc.) using open-source information. We'll end the day by covering technical methods to access information in password-protected files.

    • Practical OSINT monitoring using web services
    • Automated internet monitoring using third-party tools
    • Visualization of data sets to support network analysis
    • Collection and analysis of open-source vehicle tracking information
    • Methods to access information in password-protected files
  • Overview

    This will be the capstone for SEC587 that brings together everything that students have learned throughout the course. This will be a team effort where groups compete against each other by collecting OSINT data about live online subjects. The output from this capstone event will be turned in as a deliverable to the client (the instructor and fellow classmates). This hands-on event reinforces what students have practiced during labs and adds the complexity of performing OSINT using Python code and various advanced OSINT techniques under time pressure as a group.


SEC587 is a fast-paced, advanced course that is meant to build upon previous knowledge and experience in OSINT. The SANS SEC497: Practical Open-Source Intelligence (OSINT) course is recommended, but not required prior to taking this course.

  • Basic knowledge and experience with open-source intelligence collection.
  • Rudimentary understanding of intelligence analysis
  • Knowledge of how to use a Virtual Machine (VM)

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 50GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support

Author Statement

"I have been practicing Open-Source Intelligence for over 20 years. There are lots of good OSINT study materials out there, but none took me to that advanced level. I know people want more, complex, in-depth knowledge on how to utilize OSINT in a professional way. This course was built by OSINT investigators and analysts with years and years of real-world experience in various backgrounds for OSINT investigators & analysts. This course is not about pushing buttons, it is all about in-depth and advanced methodology, sound analysis and practical real-world examples."

- Nico Dekens

"I am truly honored and thrilled to join the team as a co-author for the SANS SEC587 Advanced OSINT course. It is a privilege to contribute to the development of a curriculum that empowers students with cutting-edge skills to navigate the vast and ever-evolving landscape of open-source intelligence. I am excited to build on a foundation laid out in the SEC497 OSINT course and explore advanced topics focused on equipping professionals with the necessary tools and techniques to effectively gather, analyze, and utilize information in an effective and responsible manner."

-Matt Edmondson


Very relevant material that provided a lot of good resources for my day to day work.
Christopher Brown
Having a broad coverage over multiple areas of OSINT is really helpful to reinforce the fundamentals and understand the diverse applications of an open source investigator's skills.
Dan Black
This content is the next level for OSINT researchers. It fills in the areas that I have not been using but wanted to learn.
Janie Brewer

    Register for SEC587

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.