SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis
SEC587Cyber Defense
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Matt Edmondson
Course created by:Matt Edmondson
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 28 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn how to perform advanced OSINT investigations as well as utilize JSON and Python. Explore topics such as cryptocurrency, the dark web, disinformation, and advanced image and video OSINT analysis.
Featured Quote
The course manages to provide both breadth and depth, with practical hands-on practices and tools students can implement right away.
Course Overview
Open-Source Intelligence (OSINT) is the engine behind most modern investigations. As cases grow more complex and data sources multiply, basic techniques often fall short. SEC587 is fast-paced advanced OSINT training that tackles these challenges head-on, delivering cutting-edge methods to collect and analyze OSINT data at scale.
You'll learn to integrate programming and automation using Python and APIs to gather information efficiently. The curriculum also teaches rigorous techniques to verify sources and ensure your findings are unbiased. SEC587 also explores specialized OSINT domains: the Dark Web, cryptocurrency tracing, disinformation campaigns, Russian and Chinese OSINT, advanced image/video forensics, and even leveraging AI for analysis.
Throughout the six-day course, 28+ hands-on labs immerse you in realistic scenarios—from tracing cryptocurrency transactions to sanctioned entities to exposing deepfake videos. This intensive practice ensures that, by the end of SEC587, you will be able to confidently apply these advanced techniques in real-world investigations.
What You’ll Learn
- Use advanced OSINT techniques to gather and analyze public data for actionable intelligence
- Automate OSINT processes to improve efficiency and accuracy in data collection
- Detect and prevent security threats by identifying potential vulnerabilities
- Ensure compliance by navigating legal and ethical considerations in intelligence gathering
- Leverage OSINT for market analysis and data-driven business decision-making
Business Takeaways
- Enhance decision-making with actionable insights from public data
- Proactively identify risks using advanced OSINT techniques
- Increase efficiency through automated intelligence gathering
- Stay ahead competitively by monitoring industry and market trends
- Ensure compliance in legal and ethical intelligence collection
Meet Your Author
Matt Edmondson
Senior InstructorMatt Edmondson has revolutionized open-source intelligence by operationalizing OSINT for federal law enforcement and Fortune 100 firms, spearheading dark web investigations that contributed to major cybercrime takedowns like Genesis Market.
Read more about Matt EdmondsonCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis.
Section 1Disinformation, Intelligence Analysis, Russian and Chinese OSINT
Section one introduces disinformation and methods for assessing information reliability using techniques like Admiralty code, CRAAP, and ACH. It also covers Russian and Chinese OSINT, with hands-on labs in disinformation detection, facial recognition, and accessing restricted platforms.
Topics covered
- Detect Disinformation with Reliability Models
- Apply OSINT Frameworks: NATO, CRAAP, ACH
- Use UILs For Analysis of Sensitive Groups
- Explore Russian OSINT: Facial, Business Intel
- Overcome Access Issues in Chinese OSINT
Labs
- Analyzing the Macron Video
- (Optional) Checking Disinformation
- Russian Facial Recognition
- U.S. Foreign Agents Registration Act (FARA)
- Accessing Chinese Websites
Section 2Python for OSINT
In Section two, students learn key Python skills for OSINT, including web scraping and attribution management. You’ll build a real-time intelligence dashboard, integrate AI-powered APIs, and explore persistent monitoring of platforms like Telegram and Discord, plus deploying Python code via AWS Lambda.
Topics covered
- Learn Python for OSINT & Web Extraction
- Manage Attribution & Perform Web Scraping
- Build An Automated Intelligence Dashboard
- Interact With APIs, Including AI Tools
- Automate & Deploy Python Code in The Cloud
Labs
- Python Levels 1–7
Section 3Video, Image and Audio Analysis, AI for OSINT, Advanced Enumeration and Gaming
This section covers advanced image and video verification, steganography detection, and AI-powered audio analysis, including transcription and speaker recognition. Students learn to integrate AI into OSINT research while detecting AI-generated content. It also explores advanced domain enumeration techniques and concludes with a new section on gaming OSINT.
Topics covered
- Conduct Image/Video Analysis & Reverse Search
- Use AI For Audio Analysis & Speaker ID
- Leverage AI For OSINT & Social Media Tasks
- Detect AI Content & Perform Website Scans
- Discover Cloud Assets & Gaming OSINT
Labs
- Image and Video Verification
- Steganography
- Speaker Diarization
- Advanced Enumeration
- Gaming
Section 4Sock Puppets, OPSEC, Dark Web, Cryptocurrency and Wireless
This section covers creating and managing sock puppets while maintaining OPSEC. Students explore OSINT techniques for the Dark Web, tracking criminal marketplaces, locating hidden servers, and automating monitoring. It includes a cryptocurrency lab on transaction tracking and sanctioned entities. The day ends with a wireless OSINT overview.
Topics covered
- Create & Manage False Personas With OPSEC
- Search Dark Web & Understand Cybercrime
- Use Tech to De-Anonymize Dark Websites
- Track Crypto Transactions & Sanctioned Addresses
- Explore Wireless Tech & Detect Modern Drones
Labs
- Network OPSEC Analysis
- Dark Web De-Anonymization
- Dark Web Search
- Cryptocurrency
- Detecting Modern Drones
Section 5Automated Monitoring, Vehicle Tracking, and Dealing with Password-Protected Files
Section five covers building and using OSINT monitoring tools, including third-party and self-hosted options for OPSEC. Students learn to access password-protected files, gather vehicle-related OSINT, and automate credential discovery across offline and online sources. A new lab explores workflow automation frameworks for efficient intelligence gathering.
Topics covered
- Conduct OSINT Monitoring with Tools
- Use Self-Hosted Workflow Automation
- Visualize Data for Network Analysis
- Collect & Analyze Open-Source Vehicle Data
- Access Password-Protected Files & Credentials
Labs
- N8n
- SearxNG
- Dealing with Password Protected Files
- Aviation and Maritime OSINT
- Secrets
Section 6Capstone
The SEC587 capstone is a team-based OSINT challenge, collecting live data under time pressure. Teams apply Python and advanced techniques, delivering findings to peers.
Things You Need To Know
Relevant Job Roles
Data Analysis (OPM 422)
NICE: Implementation and OperationResponsible for analyzing data from multiple disparate sources to provide cybersecurity and privacy insight. Designs and implements custom algorithms, workflow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.
Explore learning pathAll-Source Analyst (DCWF 111)
DoD 8140: Intelligence (Cyberspace)Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
Explore learning pathThreat Analysis (OPM 141)
NICE: Protection and DefenseResponsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.
Explore learning pathAll-Source Collection Manager (DCWF 311)
DoD 8140: Intelligence (Cyberspace)Identifies collection priorities, develops plans using available assets, and monitors execution to meet operational intelligence requirements.
Explore learning pathAll-Source Collection Requirements Manager (DCWF 312)
DoD 8140: Intelligence (Cyberspace)Evaluates collection strategies, develops and validates requirements, and assesses performance to optimize collection asset effectiveness.
Explore learning pathOSINT Investigator/Analyst
Cyber DefenseThese resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.
Explore learning pathCyber Operations Planner (DCWF 332)
DoD 8140: Cyber EffectsCoordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.
Explore learning pathCybersecurity Researcher
European Cybersecurity Skills FrameworkResearch the cybersecurity domain and incorporate results in cybersecurity solutions.
Explore learning pathTarget Digital Network Analyst (DCWF 132)
DoD 8140: Cyber EffectsPerforms advanced analysis of collection and open-source data to track target activity, profile cyber behavior, and support cyberspace operations.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
OnDemand Bundle
When purchasing a live, instructor-led course, add 4 months of online access. View price in the info icons below.
SANS Skills Quest by NetWars Core Edition
Add 6 months of hands-on skills practice. Add to your cart when purchasing your course.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Location & instructor
Virtual (OnDemand)
Instructed by Matt EdmondsonDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Steven HarrisDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Matt EdmondsonDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
London, GB & Virtual (live)
Instructed by Steven HarrisDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
Tokyo, JP & Virtual (live)
Instructed by Nico DekensDate & TimeFetching schedule..View event detailsCourse price¥1,335,000 JPY*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Nico DekensDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Matt EdmondsonDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Nico DekensDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes
Showing 8 of 9
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3This content is the next level for OSINT researchers. It fills in the areas that I have not been using but wanted to learn.
- Slide 2 of 3Very relevant material that provided a lot of good resources for my day to day work.
- Slide 3 of 3Having a broad coverage over multiple areas of OSINT is really helpful to reinforce the fundamentals and understand the diverse applications of an open source investigator's skills.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources