Major Update

SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis

  • In Person (6 days)
  • Online
36 CPEs

With Open-Source Intelligence (OSINT) being the engine of most major investigations in this digital age the need for a more advanced course was imminent. The data in almost every OSINT investigation becomes more complex to collect, exploit and analyze. For this OSINT practitioners all around the world have a need for performing OSINT at scale and means and methods to check and report on the reliability of their analysis for sound and unbiased reports. In SEC587 you will learn how to perform advanced OSINT Gathering & Analysis as well as understand and use common programming languages such as JSON and Python. SEC587 also will go into Dark Web and Financial (Cryptocurrency) topics as well as disinformation, advanced image and video OSINT analysis. This is an advanced fast-paced course that will give seasoned OSINT investigators new techniques and methodologies and entry-level OSINT analysts that extra depth in finding, collecting and analyzing data sources from all around the world.

What You Will Learn

Beyond the Basics: Advanced OSINT Techniques

SANS SEC587 is an advanced Open-Source Intelligence (OSINT) course for those who already know the foundations of OSINT. The goal is to provide students with more in-depth and technical OSINT knowledge. Students will learn OSINT skills and techniques that law enforcement, intelligence analysts, private investigators, journalists, penetration testers and network defenders use in their investigations.

Open-source intelligence collection and analysis techniques are increasingly useful in a world where more and more information is added to the internet every day. With billions of internet users sharing information on themselves, their organizations, and people and events they have knowledge of, the internet is a resource-rich environment for intelligence collection. SEC587 is designed to teach you how to efficiently utilize this wealth of information for your own investigations.

SEC587 will take your OSINT collection and analysis abilities to the next level, whether you are involved in intelligence analysis, criminal and fraud investigations, or just curious about how to find out more about anything! SEC587 is replete with hands-on exercises, real-world scenarios, and interaction with live internet and dark web data sources.

This course is also blended with all the fundamentals an OSINT analyst will need to learn and understand and apply basic coding in languages such as Python, JSON, and shell utilities as well as interacting with APIs for automating your OSINT processes.

"The course manages to provide both breadth and depth, with practical hands-on practices and tools students can implement right away." - Patrick Muprhy, Palo Alto Networks

What Is Open-Source Intelligence (OSINT) Automation?

Open-source intelligence automation leverages advanced software tools and algorithms to expedite the collection, analysis, and interpretation of publicly accessible data. By automating the processing of vast amounts of information from sources like social media, news outlets, and databases, it enhances the speed, accuracy, and scalability of intelligence gathering. This technology is crucial for real-time decision-making in fields such as cybersecurity, market analysis, and national security.

Business Takeaways

  • Enhance decision-making with actionable insights from public data
  • Proactively identify risks using advanced OSINT techniques
  • Increase efficiency through automated intelligence gathering
  • Stay ahead competitively by monitoring industry and market trends
  • Ensure compliance in legal and ethical intelligence collection.

Skills Learned

  • Gather and analyze public data to generate actionable intelligence with advanced OSINT tools and techniques
  • Utilize automated systems to streamline the OSINT process, increasing efficiency and accuracy in intelligence gathering
  • Identify and mitigate security threats by understanding and applying OSINT to predict and prevent potential vulnerabilities
  • Navigate legal and ethical considerations in intelligence gathering to ensure compliance with applicable laws and standards
  • Apply OSINT for competitive advantage by monitoring and analyzing market and industry trends to inform business strategy
  • Enhance decision-making processes with real-time, data-driven insights from a variety of open and publicly accessible sources
  • Implement technological solutions to effectively manage and analyze large datasets from disparate sources, fostering more informed business decisions.

Hands-On Advanced OSINT Training

SEC587: Advanced Open-Source Intelligence Techniques offers an immersive experience through practical labs and real-world scenarios, allowing students to master intelligence gathering using publicly available data. This course emphasizes hands-on practice with real-world tools and data, providing guided labs for beginners and more challenging tasks for advanced users, enabling tailored learning at any skill level. Participants will tackle a variety of case studies and simulations that mirror the complex challenges faced by professionals in corporate, security, and governmental fields. The curriculum is designed not only to build a solid foundation in OSINT methodologies but also to instill the ability to ethically and legally apply these skills in professional settings. Students will leave with continued access to course materials and tools, empowering them to further refine their abilities after taking the course.

Hands-on labs include:

  • Section 1: Analyzing the Macron video, Checking Disinformation, Unique Identifying Labels, Pivot using UILs
  • Section 2: Python
  • Section 3: Reverse Image search for Context, Image Verification, Video Verification, Advanced Enumeration
  • Section 4: Network OPSEC Analysis, dark Web De-Anonymization, Dark Web Search, Tracking Ransomware Funds
  • Section 5: SearxNG, Dealing with Password Protected Files, WebDataRA and Gephi Analysis, Aviation OSINT, Maritime OSINT, Secrets
  • Bonus Labs: Network OPSEC Analysis with Wireshark, OSINT Data Analysis with Shell Utilities, Processing JSON Data, Working with Web APIs, Motor Vehicle OSINT, Introduction to Python, Python Code Analysis, Installing the Snapchat Story Downloader, Python Web Calls, Python Data Analysis

"All the labs really reinforce the lessons." - Patrick Murphy, Palo Alto Networks

"The labs were very helpful in solidifying the content and gettings hands-on experience." - Cynthia Brewer, Booz Allen Hamilton

Syllabus Summary

  • Section 1: Disinformation and Coding for OSINT Efficiency
  • Section 2: Intelligence Analysis and Data Analysis with Python
  • Section 3: Sensitive Group Investigations, Video and Image Verification, and Artificial Intelligence for OSINT
  • Section 4: Sock Puppets, OPSEC, Dark Web and Cryptocurrency
  • Section 5: Automated Monitoring, Vehicle Tracking, and Dealing with Password-Protected Files
  • Section 6: Capstone

What You Will Receive

Physical and digital workbooks and a course specific Virtual Machine (VM) tailored for this Advanced Open Source Intelligence Gathering and Analysis course

Syllabus (36 CPEs)

Download PDF
  • Overview

    We live in an information age where disinformation is becoming more and more common.

    In the first section of day 1 students will learn what disinformation is by understanding how disinformation campaigns are set up and deployed.

    Standard intelligence information analysis techniques and processes for assessing the reliability of information are a key element of intelligence, and application of these techniques to OSINT are discussed.

    We have a section on how to analyze gathered OSINT information using several reliability rating and analytic assessment techniques such as Admiralty code, Analysis of Competing Hypothesis and CRAAP analysis. These techniques will help students to make their overall analysis outcome become more solid.

    Many of the targets of OSINT work may be individuals who like to identify themselves within a group or as part of a group, so we’ll cover how to analyze sensitive groups and individuals who identify with groups online.

    Students will also learn how to detect and analyze various forms of disinformation using advanced and structured methodologies and reliability rating systems.

    We’ll end the section with an introduction to AI for OSINT.

    • Analyzing the Macron video
    • (Optional) Checking Disinformation
    • Unique Identifying Labels
    • Pivot Using UILs
    • Detecting and analyzing disinformation and fake news
    • Understanding reliability rating models for OSINT
    • Rating the reliability of information
    • US Army OSINT and the Admiralty/NATO system
    • Currency, Relevance, Authority, Accuracy & Purpose (CRAAP)
    • Standard intelligence assessment techniques
    • Analysis of Competing Hypotheses (ACH) and other methods
    • Use of Unique Identifying Labels (UILs)
    • Identifying Sensitive Groups using UIL techniques
    • Investigate and link individuals using UILs
    • Discovering the nexus of hate groups and victims
    • An introduction to AI for OSINT
  • Overview

    This content is all new, includes seven new hands-on labs and requires no previous experience! We start off with the building blocks of Python that are most important for OSINT and keep increasing the functionality to perform such tasks as web scraping, all while managing our attribution.

    We use Python to build an automated intelligence dashboard that updates in real time and can be customized in endless ways. We cover out to utilize third-party APIs including those belonging to AI providers to help us automatically evaluate programs and perform other tasks.

    Finally, we end the section by covering persistent monitoring of sites like Telegram and Discord, and how we can move our Python code to the cloud using serverless infrastructure like AWS Lamba.

    • Python Level 1
    • Python Level 2
    • Python Level 3
    • Python Level 4
    • Python Level 5
    • Python Level 6
    • Python Level 7
    • Python fundamentals for OSINT
    • Web requests and parsing web pages
    • Managing attribution with Python
    • Intermediate web scraping
    • Creating an automated intelligence dashboard
    • Interacting with APIs, including AI
    • Persistent Monitoring
    • Automating your Python code in the cloud
  • Overview

    This section starts off with practical and advanced image and video verification techniques utilizing both tools inside the course VM, and cloud based resources.

    We will then discuss practical ways to incorporate artificial intelligence into their OSINT research as both a means for increasing our efficiency and effectiveness, but also in detecting AI being used by others to generate content.

    The section ends with advanced enumeration where we cover methods to find domains related to your target, to discover difficult to find infrastructure on websites and in the cloud, and perform 100% passive enumeration on a target website.

    • Reverse Image search for Context
    • Image Verification
    • Video Verification
    • Advanced Enumeration
    • Image analysis and reverse image searches
    • Video analysis
    • Cloud based video analysis
    • Prompt Engineering
    • AI for code review
    • AI for automating social media accounts
    • Detecting AI generated content
    • Automated scans of a website for sensitive files
    • Discovering cloud based assets
    • 100% passive enumeration of a website
  • Overview

    This day starts off with instruction on useful concepts for creating and maintaining fictitious identities (sock puppets), particularly those used to interact with others, and how to maintain Operations Security (OPSEC).

    Within SEC587, students will get a more advanced understanding of how OSINT techniques can be applied on the Dark Web by learning about the criminal underground including the initial access marketplaces fed by data stealer logs. Students will learn advanced techniques for finding the true location of servers hosting sites on the dark web as well as automated methods for dark web monitoring.

    We will close this day with an examination of the fundamentals of cryptocurrency and techniques for tracking public cryptocurrency transactions.

    • Network OPSEC Analysis
    • Dark Web De-Anonymization
    • Dark Web Search
    • Tracking Ransomware Funds
    • Creating and maintaining false personas
    • Communicating with targets and other sources of information
    • Operational security (OPSEC)
    • Searching for dark web content
    • Essential cybercrime underground concepts
    • Underground marketplaces, shops and forums
    • Technical methods to de-anonymize dark websites
    • Understanding cryptocurrency and the blockchain
    • Investigating cryptocurrency wallets and transactions
  • Overview

    Day five will start with tools and techniques that will aid OSINT analysts in using and building their own monitoring and online searching tools. This section will teach students how to utilize third party web-based monitoring tools as well as how to monitor various topics of interest.

    We'll cover technical methods to access information in password-protected files encountered online and will also learn how to find, gather, and analyze information that is related to vehicles (cars, boats, planes, etc.) using open-source information.

    We'll end the day by using automated methods to identify sensitive credentials in various offline and online sources.

    • SearxNG
    • Dealing with Password Protected Files
    • (Optional) WebDataRA and Gephi Analysis
    • Aviation OSINT
    • Maritime OSINT
    • Secrets
    • Practical OSINT monitoring using web services
    • Automated internet monitoring using third-party tools
    • Visualization of data sets to support network analysis
    • Collection and analysis of open-source vehicle tracking information
    • Methods to access information in password-protected files
    • Methods to identify sensitive credentials in both offline and online repositories
  • Overview

    This will be the capstone for SEC587 that brings together everything that students have learned throughout the course. This will be a team effort where groups compete against each other by collecting OSINT data about live online subjects. The output from this capstone event will be turned in as a deliverable to the client (the instructor and fellow classmates). This hands-on event reinforces what students have practiced during labs and adds the complexity of performing OSINT using Python code and various advanced OSINT techniques under time pressure as a group.


SEC587 is a fast-paced, advanced course that is meant to build upon previous knowledge and experience in OSINT. The SANS SEC497: Practical Open-Source Intelligence (OSINT) course is recommended, but not required prior to taking this course.

  • Basic knowledge and experience with open-source intelligence collection.
  • Rudimentary understanding of intelligence analysis
  • Knowledge of how to use a Virtual Machine (VM)

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 50GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.


  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support

Author Statement

"I have been practicing Open-Source Intelligence for over 20 years. There are lots of good OSINT study materials out there, but none took me to that advanced level. I know people want more, complex, in-depth knowledge on how to utilize OSINT in a professional way. This course was built by OSINT investigators and analysts with years and years of real-world experience in various backgrounds for OSINT investigators & analysts. This course is not about pushing buttons, it is all about in-depth and advanced methodology, sound analysis and practical real-world examples."

- Nico Dekens

"I am truly honored and thrilled to join the team as a co-author for the SANS SEC587 Advanced OSINT course. It is a privilege to contribute to the development of a curriculum that empowers students with cutting-edge skills to navigate the vast and ever-evolving landscape of open-source intelligence. I am excited to build on a foundation laid out in the SEC497 OSINT course and explore advanced topics focused on equipping professionals with the necessary tools and techniques to effectively gather, analyze, and utilize information in an effective and responsible manner."

-Matt Edmondson


Very relevant material that provided a lot of good resources for my day to day work.
Christopher Brown
This content is the next level for OSINT researchers. It fills in the areas that I have not been using but wanted to learn.
Janie Brewer
Having a broad coverage over multiple areas of OSINT is really helpful to reinforce the fundamentals and understand the diverse applications of an open source investigator's skills.
Dan Black

    Register for SEC587

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.