SEC537: Practical Open-Source Intelligence (OSINT) Analysis and Automation

  • Online
12 CPEs

This course teaches practical open-source intelligence (OSINT) analysis and automation techniques. You will learn tradecraft tips, tactics, techniques, and procedures based on real-world examples that will enable you to carry out in-depth OSINT analysis of groups, image and video verification, and OSINT operations security, as well as understand the foundations of automating OSINT with Python.

What You Will Learn

SEC537 is a two-day course on open-source intelligence (OSINT) for those who already know the foundations of OSINT. The goal is to provide students with more in-depth and technical OSINT knowledge. The course teaches effective methods and techniques for the identification of sensitive groups, image and video verification, browser operations security (OPSEC), and network traffic analysis and Python for OSINT purposes. You will learn OSINT skills and techniques that law enforcement, private investigators, journalists, penetration testers, and network defenders use in order to keep a low profile while scouring the Internet. You will also learn how to analyze groups to make a more in-depth OSINT analysis. As the Internet is becoming more and more of a multimedia platform, you will learn how to fact-check and verify images and video footage.

On the first course day you will learn practical OSINT analysis by completing eight hands-on labs about browser OPSEC, searching sensitive groups, image and video verification, and network traffic analysis for OSINT. On day two we'll move on to eight new labs on Python coding that cover Python fundamentals, requesting and parsing JSON, making web calls, making DNS requests, and extracting EXIF data.

What You Will Receive With This Course

  • Physical and digital workbooks
  • Virtual Machine tailored to the course

This Course Will Prepare You To

  • Take a deeper dive into finding, collecting, and analyzing information found on the Internet
  • Debug, understand, alter, and create your own OSINT-focused Python scripts

Hands-On Labs

The hands-on labs will teach you how to become more adept at finding, collecting, and analyzing OSINT information. The labs draw on practical, real-world examples. Each lab has step-by-step instructions that enable you to learn new OSINT skills or become even more knowledgeable and skilled with the OSINT techniques and procedures you already know.

Syllabus (12 CPEs)

  • Overview

    You will begin by learning about the different levels of operational security (OPSEC) and how to use your browser with OPSEC in mind by changing settings and installing add-ons. How do we know if those add-ons are secure? During the second part of the day you will learn how to analyze your system's network traffic using a variety of tools in order to gain a better understanding of what network traffic is being sent and received from your analysis system. With a more secure platform in place, we'll shift our attention to finding and analyzing sensitive groups and individuals who identify with groups online. This is becoming increasingly important because many of the targets of OSINT work may be individuals who like to identify themselves within a group or are part of a group. To close out the day we'll shift our focus from group membership to what people are posting on the Internet. The modules will teach you how to verify and geolocate image and video footage.

    • Browser OPSEC
    • Network Traffic
    • Unique Identifying Labels
    • Reverse Image Search for Context
    • Searching Twitter Lists
    • Pivoting Using UILs
    • Image Verification
    • Video Verification
    • Browser Operations Security (OPSEC)
    • Understanding Network Traffic for OSINT
    • Identifying Sensitive Groups Using Unique Identifying Labels
    • Target Lists and Individuals Using UILs
    • Determining Context and Narrative from Images
    • Verifying and Geolocation Image and Video Content
  • Overview

    One of the most frequent comments we hear in OSINT analyst circles is "I want to learn Python programming to be more efficient at collecting and analyzing OSINT." This entire day of fast-paced course content will take students from zero knowledge of programming with Python to an advanced beginner level. You will learn the fundamentals of Python coding and how to read, write, and execute your own Python scripts within a structured, supportive environment. We know that programming can seem difficult and complex, so we created small, comprehensive modules with hands-on elements. These fundamentals are needed for an OSINT analyst to automate tasks and code scripts in Python that help extract and analyze valuable OSINT information. Several longer, more complex exercises will reinforce the courseware lessons with step-by-step directions and explanations. Students will learn everything from why Python is a useful language for OSINT coding to the differences between Python dictionaries and lists, function creation, and Python module use. These topics are taught with a focus on OSINT and on making the analyst's jobs easier.

    • Introduction to the Python Interpreter
    • Using iPython
    • String and Numeric Manipulation with Python
    • Web-JSON with Python
    • Extracting whois Information with Python
    • Introduction to Python
    • Using iPython
    • Python Collections
    • Python Strings
    • Python Web-JSON
    • Python whois


  • Basic knowledge and experience with OSINT and how it is used
  • Knowledge of how to use a Virtual Machine
  • Prior completion of the SEC487 OSINT course is helpful but not required

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices.

Students who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

Students also must have 8 gigabytes of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64 bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit-capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

You must download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x, or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Other types of virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies.


  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this course (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 gigabytes of RAM or higher is mandatory for this course (Important - Please Read: 8 gigabytes of RAM or higher is mandatory)
  • Wireless Ethernet 802.11 G/N/AC
  • USB 3.0 port (courseware provided via USB)
  • Disk: 30 gigabytes of free disk space
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+
  • Privileged access to the host operating system with the ability to disable security tools
  • A Linux virtual machine will be provided in class

Your course media will be delivered via download. The media files for class can be large, roughly 40-50 gigabytes in size. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form, and this class uses an electronic workbook in addition to the PDFs. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises

Author Statement

"After I first learned the fundamentals of OSINT a few decades ago, there were no practical and in-depth OSINT courses where I could learn more advanced techniques. I have co-developed this course to fill that gap and need. In SEC537 you will learn advanced OSINT techniques, drawing on practical techniques and tradecraft tips from the course authors' years of field experience. The hands-on labs are designed to mimic real-world case examples full of tools and tradecraft techniques. This course is designed by OSINT professionals for OSINT professionals who need to learn those in-depth and advanced OSINT analysis and automation techniques." - Nico Dekens

"OSINT is a powerful tool in our investigations, but there can be challenges in handling the volume of data that we encounter. Automation is a critical part of efficiently collecting and processing our data into OSINT. While commercial tools can help, you will encounter edge cases or limitations of tools that require a solution tailored to your environment and specific workflow needs. In some cases, data may be accessible via API calls. Whatever the case, Python is an excellent choice to address OSINT automation needs. Python has a robust and supportive user community and there are many OSINT projects readily available that are written in Python. Whether you adapt something that is available, add a new module to an existing framework, or write something entirely new, Python is an essential skill for OSINT." - David Mashburn

Register for SEC537

  • In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

Learn more
  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Learn more
  • OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

Learn more