OSINT is the intelligence discipline that produces useful conclusions from public-source information. The acronym stands for Open Source INTelligence. It gathers, processes and analyses information obtained from public or legally accessible sources to produce an actionable deliverable. What separates it from "searching on Google" is method: OSINT structures the work with a formal intelligence cycle, specialised tools, judgement to filter noise and traceable documentation. In 2026 OSINT is a standard part of any professional Red Team exercise, the reconnaissance phase of a serious pentest, corporate pre-M&A due diligence and cyber threat intelligence (CTI) work.
This guide explains what OSINT really is, the intelligence cycle that structures any professional investigation, the five source families that real OSINT work draws from, the tools that make up the modern toolkit (Maltego, Shodan, Censys, SpiderFoot, theHarvester, Google Dorks, SOCMINT), six real-world use cases that show up in European companies, the GDPR legal framework, common mistakes and how an organisation defends itself against adversarial OSINT.
What OSINT is
OSINT is a methodology and a set of practices to obtain actionable intelligence from publicly accessible information. Three key ideas:
- Legally accessible sources. Search engines, social media, corporate registries, official bulletins, public forums, open datasets, TLS certificates, passive DNS, indexed breach leaks, public records from public bodies.
- Structured process. The difference between OSINT and snooping is the cycle: requirements, collection, processing, analysis, dissemination, feedback.
- Actionable end product. Not "raw data"; conclusions that back a decision.
What it brings operationally:
- Attack surface reconnaissance before a Red Team or pentest.
- Threat intelligence on the actors that target the client's sector.
- Digital due diligence of providers, partners and merger candidates.
- Internal and external fraud investigation.
- Support to judicial investigation (with a court order) or journalism.
- Identification of own data leaks in the open internet.
What OSINT is NOT:
- Unauthorised access to systems (that is intrusion, criminally prosecuted in most jurisdictions).
- Purchase of cracked databases for use outside authorised security research.
- Mass surveillance of citizens without a legal framework.
- Bulk collection of personal data without a documented legal basis.
The intelligence cycle
Any professional OSINT work follows the six phases of the classic intelligence cycle. Skipping one is what separates amateur work from a serious investigation.
1. Requirements
Define which business question the investigation answers. "Map employees of company X" is not a requirement; "identify employees with privileged access and exposed digital footprint to assess spear phishing risk" is.
2. Collection
Active or passive search according to the plan: search engines, APIs, authorised scraping, forum monitoring, subscription to CTI feeds. The quality of the collection drives the quality of the final product.
3. Processing
Filter, normalise, deduplicate, translate. Raw findings are rarely directly useful. This is the most underestimated phase.
4. Analysis
Cross-reference sources, identify patterns, build hypotheses, validate or discard them. The analyst's judgement enters here; the tool does not decide anything by itself.
5. Dissemination
Delivery of the product to the requester in the format they need. For a CISO, executive summary plus matrix. For a Red Team operator, IoCs and concrete domains. For an M&A committee, an executive report with risks and red flags.
6. Feedback
The requester evaluates whether the product solved their question. What was learned feeds the next cycle. Without this phase, errors repeat.
The five source families
Serious OSINT combines information from five categories. Specialising in only one limits the result.
Technical and infrastructure sources
DNS, TLS certificates, service banners, passive scans, BGP, WHOIS. Detectable with tools like Shodan, Censys, crt.sh, SecurityTrails, DNSDumpster. It is the basis of the technical enumeration that opens infrastructure pentesting and Red Team work.
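The processing step for this source family, as an added example (not Secra's code and not part of the original guide): parse certificate-transparency records in the JSON shape crt.sh returns for a domain you own, normalise the hostnames, and reconcile them against the authorised subdomain inventory so that forgotten hosts, expired certificates on live assets and inventory entries with no public certificate stand out. The crt.sh field names are real; the records, the inventory, the issuer string and the fixed clock are constructed for the example.

```python
"""Reconcile certificate-transparency observations with an authorised subdomain inventory.
Added example: crt.sh field names are real, the sample records and inventory are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of crt.sh's JSON output (?q=%25.example.com&output=json).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=XX, O=Example CA, CN=Example Issuing CA",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"id": 102, "issuer_name": "C=XX, O=Example CA, CN=Example Issuing CA",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "not_before": "2026-01-01T00:00:00", "not_after": "2027-01-01T00:00:00"},
    {"id": 103, "issuer_name": "C=XX, O=Example CA, CN=Example Issuing CA",
     "common_name": "Old-Staging.example.com", "name_value": "Old-Staging.example.com",
     "not_before": "2023-11-01T00:00:00", "not_after": "2024-02-01T00:00:00"},
    {"id": 104, "issuer_name": "C=XX, O=Example CA, CN=Example Issuing CA",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com\nmail.example.com",
     "not_before": "2026-01-05T00:00:00", "not_after": "2026-04-05T00:00:00"},
])

# Constructed: what the asset inventory says should exist.
AUTHORISED_INVENTORY = {"example.com", "www.example.com", "mail.example.com", "intranet.example.com"}
# Fixed clock so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)


def parse_ct_names(raw_json):
    """Collect one record per hostname (latest expiry, contributing cert ids); wildcards kept apart."""
    hosts, wildcards = {}, set()
    for entry in json.loads(raw_json):
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        # name_value carries every SAN of the certificate, newline separated.
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            rec = hosts.setdefault(name, {"latest_not_after": not_after, "cert_ids": set()})
            rec["latest_not_after"] = max(rec["latest_not_after"], not_after)
            rec["cert_ids"].add(entry["id"])
    return hosts, wildcards


def reconcile(hosts, inventory, now):
    """Split CT-observed hosts into the four buckets a sanitisation review needs."""
    inventory = {h.lower() for h in inventory}
    report = {"live_unknown": [], "stale_unknown": [], "inventory_expired": [], "inventory_missing": []}
    for name, rec in hosts.items():
        live = rec["latest_not_after"] > now
        if name in inventory:
            if not live:
                report["inventory_expired"].append(name)   # known asset, certificate lapsed
        else:
            # Unknown to the inventory: still live (investigate now) or only historic (document and close).
            report["live_unknown" if live else "stale_unknown"].append(name)
    report["inventory_missing"] = sorted(inventory - set(hosts))
    return {k: sorted(v) for k, v in report.items()}


def run_sample():
    hosts, wildcards = parse_ct_names(SAMPLE_CRTSH_JSON)
    return reconcile(hosts, AUTHORISED_INVENTORY, NOW), wildcards


if __name__ == "__main__":
    report, wildcards = run_sample()
    print(json.dumps(report, indent=2))
    print("wildcard certificates:", sorted(wildcards))
```

Wildcard certificates are reported separately because they do not name hosts; in a real review they are cross-checked against the wildcard's owner and expiry rather than against the hostname inventory.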
Traditional web sources
Search engines (Google, Bing, Yandex, DuckDuckGo), web archive, official sites, government bulletins, corporate registries, transparency portals. Google Dorks techniques sit here, increasingly complemented by LLM-driven query generators.
SOCMINT (Social Media Intelligence)
LinkedIn, X (Twitter), Instagram, TikTok, Telegram, Discord, Reddit, sector forums. Information on people, events, opinions, connections. The most legally sensitive source and the one that changes the most: APIs and platform policies shift every year.
Digital HUMINT and deep web
Leaks on pastebins, underground forums, marketplaces, Telegram channels dedicated to leaks. Responsible investigation requires care not to cross legal lines. OSINT here blends with purchased threat intelligence and passive observation of actors.
GEOINT (Geospatial Intelligence)
Satellite imagery (Google Earth Pro, Sentinel Hub, Planet Labs public data), Street View, cadastral maps, cartographic data. Useful in physical facility investigation, real estate due diligence, investigative journalism.
The modern toolkit
The tools that appear in professional investigation in 2026. The typical stack of a serious OSINT investigator combines five or six.
Maltego
The reference graph analysis platform. Builds relationship graphs from entities (people, domains, IPs, emails) and transforms that query them against external sources. Standard for investigations producing an auditable visual deliverable.
Shodan and Censys
Search engines for internet-connected devices. Allow queries like "every server with vulnerable FortiOS exposed in Spain" or "every recent TLS certificate for a given domain". Essential in external pentesting and in attack-surface CTI.
SpiderFoot
Open source OSINT automation platform. Configure modules by category (DNS, certificates, social media, leaks, malicious domains) and launch an unattended investigation against a target. Ideal for initial passes before drilling down manually.
theHarvester
A classic CLI tool for quick enumeration of emails and subdomains from search engines and other sources. A staple in any Red Team toolkit.
Google Dorks and variants
The classic technique of advanced operators in search engines. Still the first rung of any serious OSINT. Accelerators powered by language models generate query variants automatically.
Have I Been Pwned and equivalent services
Verification of credential exposure in known breaches. The free version covers the personal case; commercial APIs (HIBP Pro, IntelX, Snusbase, Dehashed) cover formal investigations.
SocialLinks, OSINT Industries, Skopenow
Commercial SOCMINT platforms oriented to people investigation. Usage rules vary by jurisdiction. Legitimate companies use them in due diligence; opaque companies use them in the grey zones of corporate stalking.
AI accelerators
ChatGPT, Claude, Gemini, Perplexity for summarising findings, generating queries and machine translation. Traceability is the challenge: if AI is part of the process, the output becomes less auditable. Pragmatic fix: log the prompt, the model and the result inside the graph or the case file.
Real use cases in European companies
The six most frequent scenarios in professional projects.
1. Reconnaissance in Red Team and pentesting
Phase 1 of any serious offensive exercise. The operator builds the client's attack surface map: forgotten subdomains, exposed certificates, key employees on LinkedIn, corporate GitHub repos with secrets, leaked credentials, exposed admin panels. More in what is a penetration test.
2. Cyber Threat Intelligence
The CTI team studies which groups attack the sector, which TTPs they use, what infrastructure they maintain and which IoCs would be relevant. Mapping against MITRE ATT&CK lets the team prioritise defence.
3. Pre-M&A or pre-contract due diligence
Before signing the acquisition of a company, a merger or a contract with a critical provider, the M&A team requests digital due diligence: corporate structure, digital exposure, reputation of the leadership team, pending disputes, reputational risks, credential checks for key managers.
4. Internal investigation and fraud
Compliance and HR departments use OSINT to investigate internal complaints, suspected fraud, undeclared conflicts of interest, public conduct of an employee with reputational impact on the company. Strict legal framework.
5. Monitoring of own digital footprint
Security teams use regular OSINT to detect their own leaks before an attacker does: GitHub repos with secrets, exposed S3 buckets, registered homograph domains, data on underground leaks. The sibling discipline to attack-surface auditing.
6. Investigative journalism and litigation
Journalists use OSINT for complex investigations: opaque corporate networks, tax havens, source identity verification, image and video verification. Law firms use it as litigation support. Bellingcat is the public reference for this use.
Legal framework in the EU
OSINT lives in a heavily regulated zone under GDPR and national data protection laws.
Public information yes, but with conditions
Accessing public information is legal by default. The complication appears when personal data is aggregated: each individual datum may be public, but its aggregation creates a profile that falls under GDPR even if each piece was free. European data protection authorities have sanctioned OSINT processing with aggregation lacking a documented legal basis.
Applicable legal bases
For formal corporate investigation: well-argued and registered legitimate interest of the controller, or contract execution (pre-signing due diligence), or compliance with a legal obligation (KYC, AML). Without a documented legal basis, the processing is unlawful.
Specially protected data
Health, sexual orientation, ideology, religion, trade union membership: processing is prohibited except in limited cases. OSINT that collects this kind of data without clear justification is a serious infringement.
Minimisation and proportionality
Only data strictly necessary for the objective is collected. "Just in case" mass investigations do not survive an audit.
Short retention
The OSINT product and the raw data are erased at project closure, unless a legal obligation requires otherwise (litigation, judicial request).
Breaches, leaks and cracked material
Services offering access to breaches or cracked data (Snusbase, Dehashed) have legitimate use defensible in authorised security research. Any use outside that frame is illegal in the EU (unlawful processing of personal data plus potential criminal liability).
Subjects in the EU
GDPR applies when the subjects are in the EU, even if the investigator is outside. Investigations against EU citizens from the US or other jurisdictions still have to comply with GDPR.
Internal corporate transparency
Internal OSINT investigations (on employees) require adequate prior information, a documented policy and proportionality. The López Ribalda v. Spain ruling (ECtHR 2019) sets the European standard.
Common mistakes in professional OSINT
What turns up in consulting and audits of existing OSINT projects.
OSINT without a business question. The investigation starts with "gather everything on X" instead of "answer Y to decide Z". The result is a sea of data with no actionable value.
Skipping the formal cycle. Processing and analysis are omitted and raw data goes straight to the requester. The product is unreadable and nobody makes decisions with it.
Relying on a single source. Specialising in SOCMINT or Shodan while ignoring other sources. Serious OSINT combines five families at minimum.
No traceable documentation. The analyst remembers what they did but does not log it. If the investigation is challenged in court, in audit or in dispute, there is no documentary defence.
Crossing legal lines through ignorance. Aggregating profiles of citizens without a legal basis, digging through breaches for unauthorised purposes, mass scraping against platform ToS that ban automation.
Not considering countermeasures. The target may have decoy profiles, fake social media accounts, honey infrastructure. Without contrast and triangulation, the investigator falls for them.
Using generative AI without traceability. AI accelerates but the auditability of the product drops. If the formal client asks for reproducibility and only model outputs are provided, the work is not defensible.
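One way to implement the traceable case file that the "no traceable documentation" and "AI without traceability" points call for, and the "log the prompt, the model and the result" fix from the AI accelerators section, as an added example (not Secra's tooling and not part of the original guide): every step of the cycle is appended to a hash-chained log that records phase, source, tool or model, prompt, a SHA-256 of the collected artifact and the previous entry's hash, so an auditor can re-derive the chain and detect any later edit. The case id, requirement text, URLs, model name and artifacts below are constructed.

```python
"""Tamper-evident case log for an OSINT investigation.
Added example; all case data below is constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


class CaseLog:
    """Append-only log where each entry commits to the previous one via SHA-256."""

    def __init__(self, case_id, requirement, timestamp=None):
        self.case_id = case_id
        self.entries = []
        # Phase 1 of the cycle is recorded first so the log proves which question was asked.
        self.add("requirements", source="requester", note=requirement, timestamp=timestamp)

    def add(self, phase, source, note="", artifact=b"", tool="", model="", prompt="", timestamp=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "phase": phase,            # requirements / collection / processing / analysis / dissemination / feedback
            "source": source,          # URL, feed name or "analyst"
            "tool": tool,
            "model": model,            # filled when an LLM produced the result
            "prompt": prompt,          # the exact prompt, so the step can be reproduced
            "note": note,
            "artifact_sha256": hashlib.sha256(artifact).hexdigest(),  # raw material stays in the case store
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True only if every entry is in sequence, unmodified and chained to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def export(self):
        return json.dumps({"case_id": self.case_id, "entries": self.entries}, indent=2, sort_keys=True)


def build_sample_case():
    """Constructed four-step case illustrating a collection, an LLM-assisted step and an analyst conclusion."""
    t0 = datetime(2026, 2, 3, 9, 0, tzinfo=timezone.utc)
    log = CaseLog("CASE-0001",
                  "Identify subdomains of example.com with an expired or unknown certificate (constructed requirement)",
                  timestamp=t0)
    log.add("collection", source="https://crt.sh/?q=%25.example.com&output=json", tool="crt.sh",
            artifact=b'[{"id": 101, "name_value": "vpn.example.com"}]',  # constructed response body
            note="CT query for example.com", timestamp=t0.replace(hour=9, minute=5))
    log.add("processing", source="analyst", model="example-llm-v1 (placeholder model name)",
            prompt="Summarise these hostnames and flag anything not in the inventory: vpn.example.com",
            artifact=b"vpn.example.com is not in the authorised inventory.",
            note="LLM summary; output checked by analyst", timestamp=t0.replace(hour=9, minute=20))
    log.add("analysis", source="analyst",
            note="vpn.example.com confirmed live and unowned by any team; escalated for removal",
            timestamp=t0.replace(hour=10, minute=0))
    return log


if __name__ == "__main__":
    case = build_sample_case()
    print(case.export())
    print("chain valid:", case.verify())
```

The log stores only hashes of collected artifacts; the raw material lives in the case store and is erased at project closure, which keeps the audit trail intact after the retention period without retaining the personal data itself.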
How to defend against adversarial OSINT
If OSINT is what your adversary does before attacking, defence comes down to reducing what they can find.
- Quarterly or twice-yearly OSINT audit of the organisation itself. Test exactly what a Red Team would find about the organisation.
- Sanitisation of forgotten subdomains and certificates. Updated inventory and removal of what is not used.
- Social media policy for sensitive roles (CISO, CFO, CTO, legal). Minimum viable public exposure.
- Cleanup of corporate GitHub repos. Rotated secrets, deleted old branches, continuous scanning with TruffleHog or Gitleaks.
- Monitoring of own leaks on pastebins, underground forums and public repos.
- Training for exposed-profile employees on personal exposure on social media (badge photos, screenshots with sensitive data, geolocation in posts).
- Removal policy for people who no longer work at the company but remain on LinkedIn as active contacts.
- Brand and homograph domain monitoring. Services that alert when registered variants appear.
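The last bullet in working code, as an added example (not Secra's service and not part of the original guide): given the organisation's brand domain and a feed of newly observed domains, decode punycode labels, fold known confusable characters into an ASCII skeleton and classify each candidate as a homograph, a typosquat, a brand-in-label registration or a TLD variant. The brand domain, the feed and the confusable table are constructed; the table is deliberately small and a production monitor would load the full Unicode confusables data.

```python
"""Brand and homograph domain monitoring over a constructed feed of new domains.
Added example; brand, feed and confusable table are constructed."""
import unicodedata

BRAND_DOMAIN = "secra.com"  # assumption: the monitored brand domain

# Single characters folded to the Latin letter they imitate (digits and a few Cyrillic homoglyphs).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x",
}
# Character pairs that render like one letter.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def to_unicode(domain):
    """Decode xn-- labels so a homograph is compared as the characters a user would see."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def skeleton(label):
    """Normalise a label into a comparable skeleton: NFKC, lowercase, no hyphens, confusables folded."""
    label = unicodedata.normalize("NFKC", label).lower().replace("-", "")
    for seq, base in MULTI_CONFUSABLES.items():
        label = label.replace(seq, base)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def registrable_label(domain):
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND_DOMAIN):
    """Verdict for one observed domain, or None when it is unrelated to the brand."""
    dom = to_unicode(domain.strip().rstrip(".")).lower()
    if dom == brand:
        return None  # the organisation's own domain
    brand_label, label = registrable_label(brand), registrable_label(dom)
    if label == brand_label:
        return "tld-variant"          # same name under another TLD
    sk, bsk = skeleton(label), skeleton(brand_label)
    if sk == bsk:
        return "homograph"            # looks identical after folding confusables
    if levenshtein(sk, bsk) <= 1:
        return "typosquat"            # one keystroke away
    if bsk in sk:
        return "brand-in-label"       # e.g. brand-login.net
    return None


def triage(feed, brand=BRAND_DOMAIN):
    """Map each alerting domain in the feed to its verdict."""
    hits = {}
    for domain in feed:
        verdict = classify(domain, brand)
        if verdict is not None:
            hits[domain] = verdict
    return hits


# Constructed feed of "newly registered" domains; one entry is the punycode form of a Cyrillic homograph.
HOMOGRAPH_PUNYCODE = "s\u0435cra.com".encode("idna").decode("ascii")
SAMPLE_FEED = ["secra.com", "secra.net", "s\u0435cra.com", HOMOGRAPH_PUNYCODE,
               "5ecra.org", "sekra.com", "secra-login.net", "example.org"]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FEED).items():
        print(f"{domain:25} {verdict}")
```

Verdicts are inputs to the takedown or watch-list decision, not the decision itself: a "tld-variant" may be the organisation's own defensive registration, so the output is reconciled against the list of domains the company already holds before anything is escalated.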
Compliance fit
Well-done OSINT delivers direct evidence in several frameworks:
- NIS2 (article 21). Formalised threat intelligence and risk management. The organisation's own OSINT capability is part of a reasonable defensive programme. More in NIS2 in Spain: a compliance guide for 2026.
- DORA (articles 13, 26). Threat-led penetration tests (TLPT) that require a formal OSINT phase. More in DORA compliance guide for financial entities 2026.
- ISO 27001:2022 (control 5.7 threat intelligence). Continuous monitoring of external threats.
- PCI DSS v4.0 (req. 12). Security programme that includes threat intelligence.
- GDPR. OSINT itself is the regulated activity, not just a requirement.
Frequently asked questions
Difference between OSINT and HUMINT?
OSINT works with public or legally accessible information without covert contact. HUMINT (Human Intelligence) involves interaction with people, human sources, in many cases covertly or under deception. HUMINT is the territory of state intelligence services and of some private investigations with a specific legal framework; OSINT is accessible to any qualified professional.
Is OSINT legal to investigate a competitor?
Investigating the public digital footprint of a competitor (website, communications, corporate profiles) is legal and normal in competitive intelligence. Investigating individual employees of the competitor by aggregating personal profiles without a legal basis enters the grey zone or becomes illegal depending on scope.
What technical level does doing OSINT require?
A basic initial level allows useful results for simple due diligence and light reconnaissance. A professional level with graphs in Maltego, automation in SpiderFoot, custom scripts and cross-analysis of five sources requires 6 to 12 months of intensive practice or specific training (SANS SEC487, Michael Bazzell's IntelTechniques, Bellingcat workshops).
Does OSINT replace technical pentesting?
No. OSINT feeds the reconnaissance phase, but technical pentesting attacks the assets identified during OSINT and tests whether they are exploitable. They are complementary. More on methodology in what is a penetration test.
What does Bellingcat actually use?
A public combination of sources: satellite imagery (Sentinel Hub, Google Earth, Planet), social media (X, Telegram, Reddit, TikTok), photo and video metadata analysis, web archiving, geolocation by image, collaborative OSINT. Almost everything they use is public and replicable; the difference is the discipline of the analysis.
When does OSINT become stalking?
When it focuses on a physical person without a documented legal basis, collects private personal data even if accessible, persists over time and is used to pursue, intimidate or unduly influence. The boundary is not technical, it is legal. European data protection authorities regularly sanction this kind of behaviour.
Related resources
- What is a penetration test: the technical phase that follows OSINT reconnaissance.
- What is threat hunting and how it works: the sibling discipline that consumes OSINT maps of the adversary.
- What is ransomware: how it works: one of the threat categories that OSINT-led CTI tracks continuously.
- What is a SOC (Security Operations Center): the operation that integrates OSINT signals into daily detection.
- What is a CVE: vulnerabilities explained: how OSINT-tracked CVE chatter informs prioritisation.
- NIS2 in Spain: compliance guide for 2026: the framework where OSINT-driven threat intelligence becomes evidence.
Professional OSINT at Secra
At Secra we integrate OSINT into the reconnaissance phase of every Red Team exercise and every attack-surface audit, with a focus on documentary traceability so the deliverable holds up under legal review and audit. The usual scope includes technical reconnaissance (subdomains, certificates, exposed services), SOCMINT with GDPR care, search for client-owned leaks, identification of exposed-profile employees, brand and homograph domain monitoring, and a final actionable product with concrete priorities. If your organisation wants to measure empirically how much a motivated attacker would find about your current digital footprint before investing in technical defences, get in touch through contact or check our red team service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.