Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Resources
SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

CISO Network

Engage, challenge, and network with fellow CISOs in this exclusive community of security leaders

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations
Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk with an expert
Talk with an expert

SEC497: Practical Open-Source Intelligence (OSINT)

SEC497Cyber Defense
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by:
Matt Edmondson
Matt Edmondson
Register NowCourse Preview
SEC497: Practical Open-Source Intelligence (OSINT)
Course created by:
Matt Edmondson
Matt Edmondson
Register NowCourse Preview
  • GIAC Open Source Intelligence (GOSI)

    Learn about certification

  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 29 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Learn to perform effective, secure OSINT research with practical techniques. Explore critical OSINT tools and apply your skills in hands-on labs based on real-world scenarios.

Featured Quote

[SEC497 is] exactly what I wanted-a hands on, real-world deep dive into OSINT challenges, techniques, strategies and actual tools to use.
Mattie Swain10a Labs

Course Overview

SEC497: Practical Open-Source Intelligence (OSINT) provides practical, real-world tools and techniques to help individuals perform OSINT research safely and effectively. The OSINT training course also offers real-world examples of how those tools and techniques have been used to solve a problem or further an investigation. Hands-on labs based on actual scenarios give students opportunities to practice the skills they learn and understand how those skills can help in their research.

What You’ll Learn

  • Perform OSINT investigations with strict OPSEC
  • Manage sock puppet accounts for research
  • Recover deleted or hidden data, including breach and dark web content
  • Trace digital footprints across sites and social media
  • Uncover website owners, linked domains, and metadata
  • Analyze large datasets and produce reports for cybersecurity, M&A, and more

Business Takeaways

  • Enhance competitive intelligence through OSINT techniques
  • Improve risk management by identifying vulnerabilities
  • Strengthen incident response with rapid information gathering
  • Identify and mitigate potential threats from publicly available data
  • Streamline data collection and analysis processes for operational efficiency

Meet Your Author

Matt Edmondson
Matt Edmondson

Matt Edmondson

Senior Instructor

Matt Edmondson has revolutionized open-source intelligence by operationalizing OSINT for federal law enforcement and Fortune 100 firms, spearheading dark web investigations that contributed to major cybercrime takedowns like Genesis Market.

Read more about Matt Edmondson

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC497: Practical Open-Source Intelligence (OSINT).

Section 1OSINT and OPSEC Fundamentals

This section covers safe OSINT practices, key tools, and OPSEC on a budget. You'll learn to spot risky sites, analyze files, use canary tokens, and create sock puppets. It also introduces research tools, report writing, and offers an optional Linux lab to build command line skills.

Topics covered

  • The OSINT Process
  • OPSEC
  • Canary Tokens
  • Hunchly
  • Effective Note Taking and Report Writing

Labs

  • Managing Your Attribution
  • Dealing with Potential Malware
  • Canary Tokens
  • Hunchly and Obsidian
  • [Optional] Linux Command Line Practice

Section 2Essential OSINT Skills

This section covers essential OSINT skills like using search engines, finding linked websites, archiving and analyzing web data, and setting up monitoring alerts, all with OPSEC in mind. It also explores image and facial recognition, metadata, mapping tools, and ends with an optional capstone analyzing ransomware chat logs.

Topics covered

  • OSINT Link and Bookmark Collections
  • Collecting and Processing Web Data
  • Metadata and Mapping
  • Image Analysis and Reverse Image Searches
  • Facial Recognition and Translations

Labs

  • Instant Data Scraper
  • Metadata
  • Reverse Image Search
  • Facial Recognition and Translation
  • Day 2 Capstone

Section 3Investigating People

This section focuses on investigating individuals or groups by researching usernames, emails, phone numbers, and addresses. It covers fraud detection, social media analysis (including deleted and bot content), geolocation, and methods to access content without an account, while emphasizing privacy and effective research techniques.

Topics covered

  • Privacy
  • Usernames and Contact Information
  • Social Media
  • Geolocation
  • Trends, Sentiment, and Bots

Labs

  • Researching Usernames
  • Keybase and Email
  • Breach Data
  • Twitter/X
  • Detecting AI

Section 4Investigating Websites and Infrastructure

This section dives into investigating websites, IPs, and online infrastructure – even for non-tech-savvy students. It explains key concepts, real-world use cases, and tools to uncover info like IP geolocation, DNS records, WHOIS history, cloud data, and more, helping both general analysts and CTI professionals avoid pitfalls and gain deeper insights.

Topics covered

  • IP Addresses and Common Ports
  • WHOIS and DNS
  • Email Headers and Subdomains
  • Technology-focused Search Engines
  • Cyber Threat Intelligence

Labs

  • IP Address Research
  • WHOIS and DNS
  • Amass and Eyewitness
  • Censys and Shodan
  • Buckets of Fun

Section 5Automation, the Dark Web, and Large Data Sets

This section explores business research, Wi-Fi forensics, AI, and dark web investigations. You'll learn to triage large datasets, track crypto activity, and automate tasks without coding. It wraps up with resources to continue your OSINT journey, making it a well-rounded and practical mix of topics.

Topics covered

  • Researching Businesses and Wireless
  • AI for OSINT
  • Dealing with Large Datasets
  • Dark Web and Cryptocurrency
  • Automation and Path Forward

Labs

  • Business
  • Wireless
  • Bulk Data Triage
  • Tor and PGP
  • AI

Section 6Capstone: Capture the Flag

The capstone for the SEC497 course is a multi-hour event which allows students to work together in small groups to create a threat assessment for a fictional client. Students will use the skills learned throughout the course on a variety of real-world sites. The instructor will provide feedback to each group.

Things You Need To Know

Relevant Job Roles

Data Analysis (OPM 422)

NICE: Implementation and Operation

Responsible for analyzing data from multiple disparate sources to provide cybersecurity and privacy insight. Designs and implements custom algorithms, workflow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.

Explore learning path

Threat Analysis (OPM 141)

NICE: Protection and Defense

Responsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.

Explore learning path

OSINT Investigator/Analyst

Cyber Defense

These resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Filter by:
  • Location & instructor

    Virtual (OnDemand)

    Instructed by Matt Edmondson
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Enrollment options
    Self-Paced
  • Location & instructor

    Singapore, SG & Virtual (live)

    Instructed by Chris Pizor
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Enrollment options
    In-PersonVirtual
  • Location & instructor

    Washington, DC, US & Virtual (live)

    Instructed by Mick Douglas
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Enrollment options
    In-PersonVirtual
  • Location & instructor

    Anaheim, CA, US & Virtual (live)

    Instructed by Chris Pizor
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Enrollment options
    In-PersonVirtual
  • Location & instructor

    Huntsville, AL, US & Virtual (live)

    Instructed by Matt Edmondson
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Enrollment options
    In-PersonVirtual
  • Location & instructor

    Virtual (live)

    Instructed by Chris Pizor
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,900 USD*Prices exclude applicable local taxes
    Enrollment options
    Virtual
  • Location & instructor

    Amsterdam, NL & Virtual (live)

    Instructed by Dario Beniamini
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,230 EUR*Prices exclude applicable local taxes
    Enrollment options
    In-PersonVirtual
  • Location & instructor

    Virginia Beach, VA, US & Virtual (live)

    Instructed by Matt Edmondson
    Date & Time
    Fetching schedule..View event details
    Course price
    $8,780 USD*Prices exclude applicable local taxes
    Enrollment options
    Virtual
Showing 8 of 26

Learn Alongside Leading Cybersecurity Professionals From Around The World

Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching class with code in the background

Get feedback from the world’s best cybersecurity experts and instructors

Learning via laptop

Choose how you want to learn - online, on demand, or at our live in-person training events

Learning via laptop

Get access to our range of industry-leading courses and resources