Talk With an Expert

SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis

SEC587Cyber Defense
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by:
Matt Edmondson
Matt Edmondson
SEC555: SIEM with Tactical Analytics
Course created by:
Matt Edmondson
Matt Edmondson
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 28 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Learn how to perform advanced OSINT investigations as well as utilize JSON and Python. Explore topics such as cryptocurrency, the dark web, disinformation, and advanced image and video OSINT analysis.

Course Overview

Open-Source Intelligence (OSINT) is the engine behind most modern investigations. As cases grow more complex and data sources multiply, basic techniques often fall short. SEC587 is fast-paced advanced OSINT training that tackles these challenges head-on, delivering cutting-edge methods to collect and analyze OSINT data at scale.

You'll learn to integrate programming and automation using Python and APIs to gather information efficiently. The curriculum also teaches rigorous techniques to verify sources and ensure your findings are unbiased. SEC587 also explores specialized OSINT domains: the Dark Web, cryptocurrency tracing, disinformation campaigns, Russian and Chinese OSINT, advanced image/video forensics, and even leveraging AI for analysis.

Throughout the six-day course, 28+ hands-on labs immerse you in realistic scenarios—from tracing cryptocurrency transactions to sanctioned entities to exposing deepfake videos. This intensive practice ensures that, by the end of SEC587, you will be able to confidently apply these advanced techniques in real-world investigations.

What You’ll Learn

  • Use advanced OSINT techniques to gather and analyze public data for actionable intelligence
  • Automate OSINT processes to improve efficiency and accuracy in data collection
  • Detect and prevent security threats by identifying potential vulnerabilities
  • Ensure compliance by navigating legal and ethical considerations in intelligence gathering
  • Leverage OSINT for market analysis and data-driven business decision-making

Business Takeaways

  • Enhance decision-making with actionable insights from public data
  • Proactively identify risks using advanced OSINT techniques
  • Increase efficiency through automated intelligence gathering
  • Stay ahead competitively by monitoring industry and market trends
  • Ensure compliance in legal and ethical intelligence collection

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis.

Section 1Disinformation, Intelligence Analysis, Russian and Chinese OSINT

Section one introduces disinformation and methods for assessing information reliability using techniques like Admiralty code, CRAAP, and ACH. It also covers Russian and Chinese OSINT, with hands-on labs in disinformation detection, facial recognition, and accessing restricted platforms.

Topics covered

  • Detect Disinformation with Reliability Models
  • Apply OSINT Frameworks: NATO, CRAAP, ACH
  • Use UILs For Analysis of Sensitive Groups
  • Explore Russian OSINT: Facial, Business Intel
  • Overcome Access Issues in Chinese OSINT

Labs

  • Analyzing the Macron Video
  • (Optional) Checking Disinformation
  • Russian Facial Recognition
  • U.S. Foreign Agents Registration Act (FARA)
  • Accessing Chinese Websites

Section 2Python for OSINT

In Section two, students learn key Python skills for OSINT, including web scraping and attribution management. You’ll build a real-time intelligence dashboard, integrate AI-powered APIs, and explore persistent monitoring of platforms like Telegram and Discord, plus deploying Python code via AWS Lambda.

Topics covered

  • Learn Python for OSINT & Web Extraction
  • Manage Attribution & Perform Web Scraping
  • Build An Automated Intelligence Dashboard
  • Interact With APIs, Including AI Tools
  • Automate & Deploy Python Code in The Cloud

Labs

  • Python Levels 1–7

Section 3Video, Image and Audio Analysis, AI for OSINT, Advanced Enumeration and Gaming

This section covers advanced image and video verification, steganography detection, and AI-powered audio analysis, including transcription and speaker recognition. Students learn to integrate AI into OSINT research while detecting AI-generated content. It also explores advanced domain enumeration techniques and concludes with a new section on gaming OSINT.

Topics covered

  • Conduct Image/Video Analysis & Reverse Search
  • Use AI For Audio Analysis & Speaker ID
  • Leverage AI For OSINT & Social Media Tasks
  • Detect AI Content & Perform Website Scans
  • Discover Cloud Assets & Gaming OSINT

Labs

  • Image and Video Verification
  • Steganography
  • Speaker Diarization
  • Advanced Enumeration
  • Gaming

Section 4Sock Puppets, OPSEC, Dark Web, Cryptocurrency and Wireless

This section covers creating and managing sock puppets while maintaining OPSEC. Students explore OSINT techniques for the Dark Web, tracking criminal marketplaces, locating hidden servers, and automating monitoring. It includes a cryptocurrency lab on transaction tracking and sanctioned entities. The day ends with a wireless OSINT overview.

Topics covered

  • Create & Manage False Personas With OPSEC
  • Search Dark Web & Understand Cybercrime
  • Use Tech to De-Anonymize Dark Websites
  • Track Crypto Transactions & Sanctioned Addresses
  • Explore Wireless Tech & Detect Modern Drones

Labs

  • Network OPSEC Analysis
  • Dark Web De-Anonymization
  • Dark Web Search
  • Cryptocurrency
  • Detecting Modern Drones

Section 5Automated Monitoring, Vehicle Tracking, and Dealing with Password-Protected Files

Section five covers building and using OSINT monitoring tools, including third-party and self-hosted options for OPSEC. Students learn to access password-protected files, gather vehicle-related OSINT, and automate credential discovery across offline and online sources. A new lab explores workflow automation frameworks for efficient intelligence gathering.

Topics covered

  • Conduct OSINT Monitoring with Tools
  • Use Self-Hosted Workflow Automation
  • Visualize Data for Network Analysis
  • Collect & Analyze Open-Source Vehicle Data
  • Access Password-Protected Files & Credentials

Labs

  • N8n
  • SearxNG
  • Dealing with Password Protected Files
  • Aviation and Maritime OSINT
  • Secrets

Section 6Capstone

The SEC587 capstone is a team-based OSINT challenge, collecting live data under time pressure. Teams apply Python and advanced techniques, delivering findings to peers.

Things You Need To Know

Relevant Job Roles

Data Analysis (OPM 422)

NICE: Implementation and Operation

Responsible for analyzing data from multiple disparate sources to provide cybersecurity and privacy insight. Designs and implements custom algorithms, workflow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.

Explore learning path

All-Source Analyst (DCWF 111)

DoD 8140: Intelligence (Cyberspace)

Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.

Explore learning path

Threat Analysis (OPM 141)

NICE: Protection and Defense

Responsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.

Explore learning path

All-Source Collection Manager (DCWF 311)

DoD 8140: Intelligence (Cyberspace)

Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.

Explore learning path

All-Source Collection Requirements Manager (DCWF 312)

DoD 8140: Intelligence (Cyberspace)

Evaluates collection strategies, develops and validates requirements, and assesses performance to optimize collection asset effectiveness.

Explore learning path

OSINT Investigator/Analyst

Cyber Defense

These resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.

Explore learning path

Cyber Operations Planner (DCWF 332)

DoD 8140: Cyber Effects

Coordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.

Explore learning path

Cybersecurity Researcher

European Cybersecurity Skills Framework

Research the cybersecurity domain and incorporate results in cybersecurity solutions.

Explore learning path

Target Digital Network Analyst (DCWF 132)

DoD 8140: Cyber Effects

Performs advanced analysis of collection and open-source data to track target activity, profile cyber behavior, and support cyberspace operations.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchasing Options?Contact Us
Filter by:
  • Location & instructor

    Virtual (OnDemand)

    Instructed by Matt Edmondson
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Amsterdam, NL & Virtual (live)

    Instructed by Steven Harris
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Las Vegas, NV, US & Virtual (live)

    Instructed by Matt Edmondson
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    London, GB & Virtual (live)

    Instructed by Steven Harris
    Date & Time
    Fetching schedule..View event details
    Course price
    £7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout
    Registration Options
  • Location & instructor

    Tokyo, JP & Virtual (live)

    Instructed by Nico Dekens
    Date & Time
    Fetching schedule..View event details
    Course price
    ¥1,335,000 JPY*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Amsterdam, NL & Virtual (live)

    Instructed by Nico Dekens
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Washington, DC, US & Virtual (live)

    Instructed by Matt Edmondson
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Registration Options
  • Location & instructor

    Amsterdam, NL & Virtual (live)

    Instructed by Nico Dekens
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Registration Options
Showing 8 of 9

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources