What Is OSINT? Open-Source Intelligence Explained (2026)

May 22, 2026·11 min read

OSINT — open-source intelligence — is the collection and analysis of information from publicly available sources to answer a specific question. The sources are open: websites, social media, public records, satellite imagery, news archives. The intelligence is what you derive from them. It sounds simple, but done well it is one of the most powerful investigative techniques available to journalists, security researchers, law enforcement, and curious individuals alike.

Definition and Origins

The term originated in military and intelligence communities in the 1980s as a formal discipline alongside signals intelligence (SIGINT) and human intelligence (HUMINT). The CIA and NSA developed OSINT programs to analyse foreign newspapers, radio broadcasts, and academic publications — all public, all legally accessible.

The internet changed everything. What once required physical libraries and translation teams now requires a browser and methodical thinking. The volume of publicly available information has grown so large that the bottleneck is no longer access — it is understanding how to find the right signal in an ocean of noise.

Today, OSINT is practiced by intelligence agencies, police forces, corporate security teams, journalists, fact-checkers, private investigators, and thousands of hobbyists coordinating in communities like Bellingcat and the OSINT Framework Discord.

Legal vs Illegal: Where the Line Is

The defining feature of OSINT is that it uses publicly available information. That distinction matters legally. Accessing a public website is not hacking. Reading a public social media profile is not surveillance. Searching public records is a civic right in most countries.

Where OSINT becomes illegal — or at minimum unethical — is in how results are used:

Activity	Generally Legal?
Searching public social media profiles	Yes
Reverse image / face searching a public photo	Yes
Reading public court records, company filings	Yes
Accessing content behind a login without permission	No — unauthorised access
Using findings to harass or stalk someone	No — harassment laws apply
Scraping data in violation of a site's ToS	Legal grey area — civil risk
Making employment decisions based on findings (US)	No — FCRA may apply
Sharing private info to cause harm (doxxing)	No — criminal in many jurisdictions

The ethical principle most OSINT practitioners follow: collect only what is necessary, use findings only for legitimate purposes, and never weaponise information against private individuals who have not entered public life.

Who Uses OSINT and Why

Investigative Journalists

Organisations like Bellingcat have made OSINT famous by using it to geolocate photos from conflict zones, identify military units from equipment markings, and track the movements of individuals using nothing but public satellite imagery and social media posts. Their investigation into the MH17 shootdown — conducted entirely with open sources — set a new standard for what citizen journalism can achieve.

Law Enforcement and Intelligence Agencies

Police forces use OSINT to build background on suspects, locate missing persons, and monitor public communications for criminal activity. Europol and the FBI have dedicated OSINT units. Much of what the public imagines as high-tech surveillance is in practice methodical searching of public sources.

Corporate Security and Threat Intelligence

Security teams use OSINT to monitor for leaked credentials (dark web forums indexed by tools like Have I Been Pwned), identify phishing infrastructure, map an organisation's public attack surface, and vet employees or contractors. This discipline is often called OSINT for SOCMINT (social media intelligence) in enterprise contexts.

Private Individuals

People use OSINT daily without calling it that — verifying someone they met online, researching a potential employer, checking whether a charity is legitimate, or finding information about themselves that is publicly visible. Catching a catfish is a common personal OSINT task.

Security Researchers and Bug Bounty Hunters

Ethical hackers use OSINT in the reconnaissance phase of penetration testing — mapping exposed infrastructure, identifying email patterns, finding forgotten subdomains, and gathering anything a real attacker would use before touching a single packet.

Core OSINT Tools and Techniques

These are the categories most OSINT practitioners work with. Mastery of even two or three of them covers the majority of everyday investigative needs.

Search Engine Dorking

Advanced search operators that surface content search engines index but standard queries miss.

site:example.com filetype:pdf— Find all PDFs on a domain
"full name" site:linkedin.com— Find LinkedIn profiles
inurl:admin intitle:login— Find exposed admin panels

Reverse Image and Face Search

Upload a photo to find where it appears elsewhere online. Google Images finds exact copies; face search engines find different photos of the same person.

Google Images— Best for finding exact photo copies
FaceSift— Finds different photos of the same face across the web
TinEye— Tracks image origins and copies

Username and Email Lookup

Checking whether a username or email address is registered across multiple platforms reveals a person's online footprint.

Sherlock— Open-source tool checking 300+ platforms
Maigret— More detailed than Sherlock, returns profile data
Hunter.io— Finds corporate email patterns

WHOIS and Domain Intelligence

Domain registration records often contain names, emails, and addresses — especially for older domains registered before privacy protection became standard.

whois.domaintools.com— Historical WHOIS records
Shodan— Search engine for internet-connected devices
Censys— Indexes TLS certificates and exposed services

Geolocation from Photos

Photos contain clues — shadows that reveal sun angle, street signs in peripheral vision, distinctive architecture, or embedded GPS data in EXIF metadata.

GeoSpy— AI-based photo geolocation
Google Street View— Manual cross-referencing of visual landmarks
Jeffrey's Exif Viewer— Extracts GPS and device data from image files

Social Media Analysis

Public posts, follower graphs, check-ins, and tagged photos create a detailed map of a person's life, relationships, and routine.

Wayback Machine— Archive of deleted social media content
Social Searcher— Real-time monitoring across platforms
Facebook Graph Search— Find mutual connections, groups, and posts

Reverse Face Search as an OSINT Tool

Of all OSINT techniques available to a non-technical investigator, reverse face search is one of the most immediately useful. A standard reverse image search (Google, TinEye) finds exact pixel matches — the same file appearing on multiple pages. A face search engine goes further: it extracts facial geometry from the uploaded photo and finds different photos of the same person across the indexed web.

This distinction matters enormously in practice. A catfisher uses a stolen photo but posts it under a different name. Google will not find the original because the file is different. A face search will, because the face is the same.

Typical OSINT workflow using face search:

Save the subject's photo from the platform being investigated
Upload to FaceSift — results appear in under a minute
Review matches by similarity score — focus on results above 75%
Unlock source URLs ($1) to visit the pages where the face was found
Cross-reference names, locations, and context across matched pages
Combine with username lookup and Google dorking to build a fuller picture

Face search results are a starting point, not a conclusion. A high similarity score means the faces look alike — always verify through the source page and additional signals before drawing any conclusions. The OSINT principle of corroboration from independent sources applies here as everywhere.

Getting Started with OSINT

You do not need specialist software or technical skills to begin. Most effective OSINT work is methodical thinking applied to freely available tools.

Start with a clear question

OSINT without a goal produces noise. Define what you are trying to establish before you start — "is this person who they claim to be?" or "where was this photo taken?" is a question. "Find everything about this person" is not.

Learn the foundational tools

The OSINT Framework (osintframework.com) maps hundreds of tools by category — an essential reference. Start with search dorking, reverse image search, and username lookup before moving to more technical tools like Shodan or Maltego.

Practice on yourself

Before investigating anyone else, run an OSINT audit on yourself. Search your name, reverse search your profile photos, look up your email address. You will likely be surprised what is findable — and it is a good forcing function for locking down what you do not want public.

Recommended resources

→OSINT Framework (osintframework.com) — Categorised map of OSINT tools
→Bellingcat Online Investigation Toolkit (docs.google.com/spreadsheets (Bellingcat)) — Curated tool list from the world's best open-source investigators
→TraceLabs (tracelabs.org) — Crowdsourced OSINT for missing persons — real practice with a humanitarian purpose
→Michael Bazzell's OSINT Techniques (inteltechniques.com) — The definitive book and podcast on personal OSINT

A note on ethics: The OSINT community has a strong norm against doxxing — publishing personal information to expose or harm someone. Finding information is not the same as having the right to share it. Use what you find responsibly, and when in doubt, do not publish.

Try reverse face search — a core OSINT technique

Upload a photo and find where that face appears across the public web. No account required. Results in under a minute.

Run a Face Search →