🔒
DELIGHT Cybersecurity Workbook Series

OSINT & Cybersecurity

This workbook is restricted to enrolled students. Enter the access code provided by your instructor to continue.

Incorrect code. Please try again.
🔍 DELIGHT Cybersecurity Workbook Series

OSINT & Cybersecurity
Training Workbook

A hands-on learning path from beginner to advanced — self-paced, free tools only

5
Modules
25
Lab Exercises
45+
Free Tools
~25h
Total Time
Module 1
Foundations of OSINT
Beginner · ~3.5 hours
Module 2
Digital Footprinting
Beginner · ~4 hours
Module 3
Network & Domain Intel
Intermediate · ~4 hours
Module 4
People & Social Media
Intermediate · ~4 hours
Module 5
Advanced Recon & CTF
Advanced · ~9 hours
Appendix
Tools & Certifications
Reference guide
🔍
Foundations of OSINT
Understand what OSINT is, how it works, and its role in cybersecurity
● Beginner — ~3.5 hours

📋 Learning Objectives

ℹ️
What is OSINT? Open Source Intelligence (OSINT) is the collection and analysis of information from publicly available sources. It is legal, ethical, and widely used by security professionals, journalists, law enforcement, and researchers.

🧰 Core Concepts

Passive vs Active Reconnaissance

Passive recon (OSINT) — gathering info without touching the target system. No logs left. Examples: Googling a domain, checking WHOIS records.

Active recon — directly interacting with the target (port scanning, sending packets). Leaves traces and may be illegal without permission.

The OSINT Framework

Visit osintframework.com — it is a visual tree of free OSINT tools organized by category (usernames, email, IP, social media, etc.). Each leaf node links directly to a working tool. Bookmark this as your primary reference directory.

IntelTechniques by Michael Bazzell

Visit inteltechniques.com/tools — custom search forms that query multiple sources simultaneously. Also check his book Open Source Intelligence Techniques and his free podcast.

Bellingcat's Online Investigation Toolkit

A free, community-maintained Google Sheet used by investigative journalists worldwide. Organised by category — geolocation, satellite imagery, social media, archiving, and verification. Less of a click-through tree than OSINT Framework; more of a working reference list you keep open in a tab.

1.1
Exploring the OSINT Framework
⏱ 30 min
🎯
Objective: Familiarise yourself with the OSINT Framework structure and identify 5 tools you will use later in this workbook.
1
Open osintframework.com in your browser. Spend 5 minutes clicking through the mind map without any goal — just exploring the categories.
2
Navigate to: Username → expand the tree → click on Namechk and Sherlock. Note what each tool does in your notes below.
3
Navigate to: Email Address → open HaveIBeenPwned. This checks if an email was in a data breach.
4
Navigate to: IP Address & Domain Name → open Shodan and Whois Lookup. Do not perform any searches yet — just note the interface.
5
In the notes field below, list 5 tools you found and one sentence on what each does.
1.2
Setting Up a Safe Investigation Environment
⏱ 45 min
⚠️
Why this matters: Your IP address, browser fingerprint, and cookies can reveal your identity to targets. Always use a separate investigation environment.
1
Create a dedicated browser profile — In Chrome or Firefox, create a new profile named "OSINT Investigations". This keeps cookies, history, and logins separate.
2
Install a VPN (free options) — Proton VPN (free tier) or Windscribe (10GB/month free). This masks your real IP during investigations.
3
Create an investigation email — Use ProtonMail or Tutanota to create a dedicated email account used only for OSINT tool sign-ups. Never use your personal email.
4
Install browser extensions:
  • uBlock Origin — ad and tracker blocking
  • Privacy Badger — blocks invisible trackers
  • User-Agent Switcher — change your browser fingerprint
5
Bookmark key resources: osintframework.com, inteltechniques.com/tools, shodan.io, haveibeenpwned.com
1.3
Knowledge Check — Foundations
⏱ 15 min
1. Which of the following is an example of PASSIVE reconnaissance?
Running nmap against a target server
Looking up a domain's WHOIS record
Sending a phishing email to test a user
Logging into a company's web portal

2. What is the primary purpose of the OSINT Framework website?
To automatically hack target websites
To store your investigation results
To provide a curated directory of free OSINT tools organised by category
To train AI models on public data

3. Why should you use a VPN and separate browser profile for OSINT work?
To access blocked streaming services
To prevent revealing your identity and contaminating investigations with personal cookies
To make searches faster
VPNs are not needed for OSINT work
1.4
Exploring the Bellingcat Toolkit
⏱ 25 min
🎯
Objective: Learn to navigate Bellingcat's tool spreadsheet — the journalist's equivalent of the OSINT Framework — and find tools the Framework doesn't cover.
1
Open the Bellingcat Toolkit Google Sheet. Note it has multiple tabs along the bottom — these are categories, not just one long list.
2
Find the Geolocation tab and list 3 tools you have never heard of before.
3
Find the Satellite Imagery tab. Compare it with the OSINT Framework — does the Framework tree even have a satellite imagery category? Note the gap.
4
Find the Archiving tab — these are tools for preserving web pages and social posts before they get deleted, a critical step in real investigations.
5
Compare Bellingcat's Toolkit to OSINT Framework and IntelTechniques: which is best for journalism-style verification work? Which is best for quick tool discovery? Note your answer below.

👤
Digital Footprinting
Search usernames, emails, images, and breached credentials
● Beginner — ~4 hours
📌
Practice Target: All labs in this module use yourself as the target — search your own username, email, and images. This is the safest and most educational approach. Never investigate real people without consent.

🛠 Tools You Will Use

ToolPurposeURLCost
NamechkUsername availability across 100+ platformsnamechk.comFree
SherlockCLI username hunt across social networksGitHubFree
HaveIBeenPwnedCheck email in known data breacheshaveibeenpwned.comFree
Google ImagesReverse image searchimages.google.comFree
TinEyeReverse image search with historytineye.comFreemium
IntelTechniques EmailMulti-source email lookupinteltechniques.comFree
OSINT IndustriesReal-time email/phone/username → linked account lookuposint.industriesFreemium
Intelligence XSearches leaks, dark web archives & historical recordsintelx.ioFreemium
2.1
Username OSINT — Finding Your Digital Presence
⏱ 30 min
🎯
Objective: Discover which platforms your username appears on using two different tools and compare results.
1
Go to Namechk.com. Enter one of your common usernames (not your real name, just a handle you use online). Note all platforms where it shows as "taken".
2
Go to whatsmyname.app — an alternative with more detailed results. Enter the same username.
3
Visit each found profile URL and verify: does this account actually belong to you, or is someone else using the same username?
4
Optional — Sherlock (requires Python):
pip install sherlock-project sherlock yourusername
Sherlock is a command-line tool that searches 300+ sites. Compare results with Namechk.
5
Record your findings below. Note: which tool found more? Which had fewer false positives?
2.2
Email Breach Check & Exposure Analysis
⏱ 20 min
1
Go to HaveIBeenPwned.com. Enter your personal email address. Note which breaches it appears in.
2
For each breach listed, click the breach name to read: What data was exposed? (email, password, phone, address?) When did it happen?
3
Go to IntelTechniques Email Search. Enter your email and note which additional platforms it finds.
4
Defence reflection: For every breach you found, consider: Have you already changed the password for that service? Do you reuse that password anywhere else?
2.3
Reverse Image Search — Image Footprinting
⏱ 25 min
⚠️
Privacy tip: Attackers use reverse image search to identify people from profile photos. This lab shows you your own exposure.
1
Save your profile photo from any social media platform to your computer.
2
Go to Google Images → click the camera icon → upload your photo. Note all pages where this image appears.
3
Repeat using TinEye.com. Compare results — TinEye often finds older instances that Google misses.
4
Try PimEyes.com (free tier limited). This specialises in finding faces across the internet.
5
Metadata check: Right-click your photo → Properties → Details. Does it contain GPS coordinates, camera model, or date/time? If yes, this metadata is embedded in every copy of this photo you share.
2.4
OSINT Industries — Cross-Platform Identity Lookup
⏱ 20 min
ℹ️
About OSINT Industries: A real-time lookup tool — feed it an email, phone number, username, or crypto wallet address and it shows which online accounts (Instagram, Telegram, CashApp, and more) are tied to it. The free tier limits how many lookups you get, so use it deliberately.
1
Create a free account at osint.industries using your investigation-only email from Lab 1.2.
2
Run a lookup on your own email address. Note every platform it returns — does it match what you already found manually in Lab 2.1/2.2?
3
Check whether it surfaces anything Namechk, WhatsMyName, or HaveIBeenPwned missed (e.g. account creation dates, profile photos, last-active timestamps).
4
Reflect: this tool aggregates several lookups into one pass. What's the trade-off of using an aggregator like this versus checking each source manually?
2.5
Intelligence X — Deep & Dark Web Search
⏱ 30 min
⚠️
Scope reminder: Intelligence X indexes data from the dark web and leak sites. You are only ever searching your own identifiers in this lab — never search or attempt to access another person's data, and never attempt to browse the dark web directly through this tool.
1
Go to intelx.io and create a free account.
2
Search your own email address. Intelligence X will show you which leak databases, pastes, or historical web archives mention it.
3
Compare the result set to what HaveIBeenPwned showed you in Lab 2.2. Intelligence X often surfaces raw paste data and historical snapshots that breach-checkers don't.
4
Note the free-tier limits you hit (search count, result depth) — this is typical of "freemium" deep-search tools and important to know before relying on one professionally.

🌐
Network & Domain Intelligence
Investigate domains, IPs, subdomains, and internet-connected devices
● Intermediate — ~4 hours
⚠️
Important: Only investigate domains you own or have explicit permission to test. For practice, use dedicated training targets like scanme.nmap.org (maintained by Nmap for testing) or use your own domains.

🛠 Tools You Will Use

ToolPurposeURLCost
ShodanSearch engine for internet-connected devicesshodan.ioFreemium
WHOISDomain registration infodomaintools.comFree
DNSDumpsterDNS records and subdomain enumerationdnsdumpster.comFree
CensysInternet-wide scan data, certificatescensys.ioFreemium
VirusTotalScan URLs/IPs/files for malwarevirustotal.comFree
Wayback MachineView old versions of websitesweb.archive.orgFree
3.1
WHOIS & DNS Investigation
⏱ 40 min
🎯
Practice Target: Use example.com for WHOIS practice — it is a public domain maintained by IANA specifically for documentation purposes.
1
Go to whois.domaintools.com. Search for example.com. Note: registrar, creation date, expiry date, name servers, and whether WHOIS privacy is enabled.
2
Go to DNSDumpster.com. Search for example.com. This reveals: A records (IP addresses), MX records (mail servers), TXT records, and subdomains.
3
Using the Command Line (Windows PowerShell, Mac/Linux Terminal):
# On Windows: nslookup example.com nslookup -type=MX example.com nslookup -type=TXT example.com # On Mac/Linux: dig example.com dig MX example.com dig TXT example.com
4
Go to web.archive.org and search example.com. How far back does the history go? What has changed?
5
Record all discovered information in the notes below. This is the format a real OSINT report would use.
3.2
Shodan — Exploring Exposed Devices
⏱ 45 min
ℹ️
About Shodan: Shodan continuously scans the entire internet and indexes what it finds — open ports, services, software versions, and more. Create a free account at shodan.io for basic access.
1
Create a free account at shodan.io. The free tier gives you 2 search pages.
2
Try these example searches to understand what Shodan can find:
# Find webcams running on default HTTP webcamxp # Find devices running Apache in a country apache country:"NG" # Find default login pages "default password" port:80
3
Click on any result and study the device record: What port is open? What software version? Is it vulnerable? Shodan often links to known CVEs (vulnerabilities).
4
Do NOT attempt to connect to or interact with any device you find on Shodan. Viewing the record is passive and legal. Connecting is not.
5
Reflect: Why is it dangerous that these devices are publicly visible? Write your analysis below.
3.3
Google Dorking — Advanced Search Techniques
⏱ 40 min
🔍
Google Dorking uses advanced Google search operators to find information that isn't easily visible through normal searches — exposed files, login pages, email lists, and more.

Essential Google Operators

OperatorFunctionExample
site:Search only within a domainsite:example.com login
filetype:Find specific file typesfiletype:pdf "confidential"
intitle:Words in page titleintitle:"index of" passwords
inurl:Words in URLinurl:admin panel
cache:Google's cached versioncache:example.com
"exact phrase"Search exact string"error: password incorrect"
1
Open Google and practice each operator above using your own website or school domain as the target. For example: site:youruniversity.edu filetype:pdf
2
Try this safe search to see exposed directory listings:
intitle:"index of" "parent directory"
These are web server folders left open by accident — a common misconfiguration.
3
Visit Google Hacking Database (GHDB) on Exploit-DB. Browse categories — this is a public repository of Google dorks for educational research.
4
Create your own dork that finds PDFs containing your university/school name:
site:youruniversitydomain.edu filetype:pdf "student"

🕵️
People & Social Media Intelligence
Profile pivoting, social media OSINT, and geolocation
● Intermediate — ~4 hours
🚫
Ethics Warning: Never investigate real individuals without their consent unless you are in a documented law enforcement or authorized security role. All labs use public figures, fictional targets, or yourself.
4.1
LinkedIn & Professional OSINT
⏱ 30 min
🎯
Scenario: You are a penetration tester. Before an engagement, you research the client company on LinkedIn to understand the employee structure and identify potential social engineering targets.
1
Choose a large public company (e.g. a bank, tech company, or telecom in your country). Search for it on LinkedIn.
2
Use this Google dork to find employee profiles without logging into LinkedIn:
site:linkedin.com/in "Company Name" "IT" OR "Security" OR "Network"
3
From public profiles, what can you infer? Technologies used, software stacks, seniority levels, who the IT manager is?
4
From an attacker's perspective, how would this information help craft a spear phishing email? Write a reflection below (do NOT write an actual phishing email).
4.2
Geolocation from Images (GEOINT)
⏱ 45 min
📍
GEOINT (Geospatial Intelligence) is the art of determining where a photo was taken from visual clues — road signs, building styles, vegetation, language, sun angle, and more. It's widely used in journalism and investigations.
1
Visit GeoGuessr.com (free mode available). This game drops you in random Google Street View locations. Practice identifying country, then city, then street. This builds your visual location intuition.
2
Visit GeoSpy.ai — upload any outdoor photo and it attempts to identify the location using AI analysis of visual features.
3
Manual geolocation exercise: Find any public photo on social media that shows an outdoor location (from a public figure or news article). Using only visual clues, try to identify:
  • Country (look for license plates, signage language, electrical infrastructure, driving side)
  • Region (vegetation type, architecture style, terrain)
  • Verify using Google Maps Street View
4
Check image metadata using ExifMeta.com — upload the image and check for embedded GPS coordinates.
4.3
Twitter/X OSINT — Searching Without an Account
⏱ 30 min
1
Use IntelTechniques Twitter search form at inteltechniques.com/tools/Twitter.html
2
Search for any public figure's tweets using the Advanced Search section. Combine:
# Direct Google search for tweets: site:x.com "username" "keyword" since:2024-01-01 # Find tweets with location: site:x.com "username" "near:"
3
Use TweetBeaver or Sometimes Magic to find the join date, tweet count, and follower history of a public account.
4
Practise building a timeline for a public figure — when did they start tweeting? What topics do they post about? Do they reveal location information in posts?

🏆
Advanced Recon & CTF Challenges
Automated OSINT tools, Maltego, and hands-on CTF practice
● Advanced — ~9 hours

🛠 Tools You Will Use

ToolPurposeURLCost
theHarvesterCLI — automates email, subdomain, employee discoveryGitHubFree
Maltego CEVisual link analysis across people, domains, IPsmaltego.comFreemium
SpiderFootAutomated OSINT collection from 100+ sourcesGitHubFree
Recon-ngModular CLI recon frameworkGitHubFree
DataSploitAggregates OSINT on companies, people, phones, cryptoGitHubFree
OSRFrameworkCombines OSINT sources — web, API & CLI outputGitHubFree
GasMaskSearch-engine-based target info gatheringGitHubFree
5.1
theHarvester — Automated Email & Domain Recon
⏱ 45 min
ℹ️
theHarvester is a Python tool that automates gathering emails, subdomains, hosts, and employee names from public sources. It comes pre-installed on Kali Linux.
1
Install (if not on Kali):
pip install theHarvester # OR clone from GitHub: git clone https://github.com/laramies/theHarvester cd theHarvester pip install -r requirements/base.txt
2
Basic usage — search a domain:
# Search for emails/subdomains using multiple sources theHarvester -d example.com -l 500 -b all # Use specific source only theHarvester -d example.com -l 100 -b google # Save output to HTML report theHarvester -d example.com -l 500 -b all -f report
3
Run theHarvester against example.com or your own domain. Document all findings: email addresses found, subdomains discovered, IP ranges.
4
Compare theHarvester results with your manual DNSDumpster results from Module 3. Which found more? What did each miss?
5.2
Maltego CE — Visual Link Analysis
⏱ 50 min
🗺️
Why Maltego is different: Instead of a list of search results, Maltego builds a visual graph. You start with one "entity" (a domain, email, person) and run "transforms" that pull in related entities, drawing lines between everything that connects. This is how professional investigators map relationships at scale.
1
Download Maltego Community Edition (free). Registration is required — use your investigation email.
2
Start a new graph and drag a Domain entity onto the canvas. Type in a domain you've already researched (e.g. example.com or your own).
3
Right-click the entity and run the "To DNS Name" and "To IP Address" transforms. Watch new connected nodes appear automatically.
4
Add an Email Address entity for an address you control, and run available transforms on it too. Notice how Maltego starts drawing lines between previously separate nodes if they share infrastructure.
5
Compare this graph to your text-based notes from Lab 3.1 (WHOIS/DNS). Which format made the relationships easier to spot — the spreadsheet-style notes or the visual graph?
5.3
SpiderFoot — Automated OSINT Collection
⏱ 40 min
🕸️
About SpiderFoot: A self-hosted automation engine — point it at a domain, IP, or email and it queries 100+ data sources for you, then visualises how everything connects. Think of it as automating everything you did manually in Modules 2 and 3.
1
Install SpiderFoot:
git clone https://github.com/smicallef/spiderfoot.git cd spiderfoot pip install -r requirements.txt python3 sf.py -l 127.0.0.1:5001
Then open http://127.0.0.1:5001 in your browser.
2
Create a new scan against a domain you've already researched. Choose the "Footprint" scan template for a balanced, non-intrusive scan.
3
Let the scan run, then explore the results tabs: Browse (raw findings), Graph (visual map), and Correlations (SpiderFoot's automatic risk flags).
4
Compare total findings against your manual Module 3 work (WHOIS, DNSDumpster, theHarvester). How much time did automation save? What did it find that you missed manually?
5.4
Recon-ng — CLI Modular Reconnaissance
⏱ 35 min
⌨️
About Recon-ng: A modular CLI framework with a Metasploit-style workflow — you load "modules" into a "workspace" and chain them together. Good for building genuine command-line comfort before tackling pentesting tools later in your career.
1
Install and launch:
pip install recon-ng recon-ng
2
Create a workspace and load a domain module:
[recon-ng][default] > workspaces create mywork [recon-ng][mywork] > marketplace install recon/domains-hosts/hackertarget [recon-ng][mywork] > modules load recon/domains-hosts/hackertarget [recon-ng][mywork][hackertarget] > options set SOURCE example.com [recon-ng][mywork][hackertarget] > run
3
View what was collected: show hosts. Try loading one more module from the marketplace (e.g. a contacts or companies module) and chain it onto the same workspace.
4
Reflect: how does Recon-ng's "load module → set options → run" pattern compare to the menu-driven SpiderFoot interface from Lab 5.3? Which would you reach for in a script vs. an exploratory scan?
5.5
DataSploit — Multi-Target Aggregated Recon
⏱ 30 min
⚠️
Note: DataSploit is an older project with less active maintenance than SpiderFoot or Recon-ng. Expect to troubleshoot Python dependency issues — that's a normal part of working with community open-source tools, and good practice for your career.
1
Clone and set up in a virtual environment to avoid dependency conflicts:
git clone https://github.com/DataSploit/datasploit.git cd datasploit python3 -m venv venv source venv/bin/activate pip install -r requirements.txt
2
Run a domain-focused scan against a domain you've already profiled in earlier modules, and let it aggregate results from multiple sources in one pass.
3
Review the output format options (JSON / text). Note one advantage of getting JSON output if you wanted to feed results into another tool or script.
4
Document any setup problems you hit and how you solved them — this troubleshooting log is itself a useful skill record.
5.6
OSRFramework — Combined Username & Email Search
⏱ 25 min
🔗
About OSRFramework: Bundles several small OSINT utilities (username checking, DNS lookups, metadata extraction) behind one consistent CLI/API/web interface — useful once you've outgrown one-off tools like Namechk and want scriptable output.
1
Install via pip:
pip install osrframework
2
Run a username search across its supported platform list:
usufy -n yourusername -o csv -f results.csv
3
Open the generated CSV. Compare the platform list and hit-rate against Sherlock (Lab 2.1) — OSRFramework and Sherlock check overlapping but not identical platform lists.
4
Try the mailfy module on a domain to enumerate likely email address formats. Note: this only checks plausible addresses, it does not confirm they're active.
5.7
GasMask — Search-Engine-Powered Target Profiling
⏱ 25 min
🔎
About GasMask: Automates the kind of search-engine-based discovery you did manually in Lab 3.3 (Google Dorking) — but runs it across Bing, Google, and Yandex simultaneously, plus pulls from GitHub, YouTube, and Twitter/X.
1
Clone and install:
git clone https://github.com/twelvesec/gasmask.git cd gasmask pip install -r requirements.txt python3 gasmask.py
2
Inside the GasMask shell, target a domain you've researched before:
set DOMAIN example.com search
3
Review what came back from each search engine. Note which engine (Google, Bing, or Yandex) surfaced results the others didn't — Yandex in particular often indexes differently from Western search engines.
4
Try the GitHub search feature against your domain or organisation name — exposed API keys and internal config files in public repos are a real, common finding in professional engagements.
5.8
PhoneInfoga — Phone Number OSINT
⏱ 30 min
📱
About PhoneInfoga: An open-source CLI tool that footprints a phone number. It uses number-formatting libraries to identify carrier, line type (mobile/VoIP/landline), and country, then aggregates search-engine and OSINT-API results to surface where that number appears publicly online. It has no database of its own — everything is looked up live.
1
Install PhoneInfoga:
# Via pip pip install phoneinfoga # OR via Docker (no local Python setup needed) docker pull sundowndev/phoneinfoga:latest
2
Run a basic scan on your own number (E.164 format, e.g. +234...):
# CLI mode phoneinfoga scan -n "+15555555555" # OR launch the web UI for an interactive view docker run --rm -p 8080:8080 sundowndev/phoneinfoga:latest serve -p 8080 --bind 0.0.0.0
3
Review the output: carrier name, line type, country/region, and any OSINT footprint results (search engine hits, social media matches). Note which fields came from number-formatting logic vs. which came from live web lookups.
4
Compare this against a lookup on a service like Truecaller (no account needed to compare concepts). Reflect: Truecaller's data comes from crowdsourced contact books, while PhoneInfoga's comes from live public search — which is more current? Which is more invasive?
5.9
TryHackMe — OSINT CTF Rooms
⏱ 2 hours
🏆
TryHackMe offers guided, legal CTF challenges in a browser-based environment. The following rooms are free and perfect for OSINT practice.

Recommended Rooms (in order)

RoomFocusDifficultyLink
OhSINTClassic intro OSINT room — find info hidden in a photo🟢 EasyLink →
Searchlight — OSINTSocial media, username, image OSINT🟢 EasyLink →
Google DorkingPractical Google dork challenges🟢 EasyLink →
OSINT FundamentalsFramework, tools, methodology🟡 MediumLink →
WebOSINTDomain, hosting, historical data🟡 MediumLink →
Sakura RoomFull investigation — username, email, crypto, geolocation🟡 MediumLink →
5.10
Capstone — Write a Full OSINT Report
⏱ 90 min
🏁
Final Challenge: Choose a large public company (e.g. a public telecom, bank, or university). Using only passive techniques, write a professional OSINT report. This simulates what a red team would produce before a penetration test.

Report Template

OSINT REPORT ============ Target Organisation: Report Date: Investigator: 1. EXECUTIVE SUMMARY Brief overview of what was found and the overall risk level. 2. DOMAIN & INFRASTRUCTURE - Domain registrar and registration date - IP addresses and hosting provider - Subdomains discovered - Open ports (Shodan findings) - Technologies in use (Wappalyzer, BuiltWith) 3. EMPLOYEE INTELLIGENCE - Key personnel identified (IT/Security roles) - Email format discovered (e.g. firstname@company.com) - LinkedIn profiles found - Breach exposure (HaveIBeenPwned) 4. SOCIAL MEDIA FOOTPRINT - Official accounts and follower count - Third-party mentions - Employee social accounts 5. HISTORICAL DATA - Wayback Machine observations - Old technology stacks - Past incidents (Google: "company name" data breach) 6. RISK ASSESSMENT - Critical findings (HIGH) - Notable findings (MEDIUM) - Informational findings (LOW) 7. RECOMMENDATIONS - Specific defensive actions the organisation should take

📚
Tools, Resources & Certifications
Everything you need to continue learning after this workbook
Updated: This table now includes all newly discovered free and freemium platforms. Every tool here can be used with no payment required (freemium = free tier available). Paid-only platforms are listed separately below.

🔧 Complete Free Tool Reference

CategoryToolWhat It DoesURLCost
Directories & Frameworks
DirectoryOSINT FrameworkVisual tree of 500+ free OSINT tools by categoryosintframework.comFree
DirectoryIntelTechniquesAggregated search forms by Michael Bazzell (ex-FBI)inteltechniques.comFree
DirectoryBellingcat Toolkit ⭐ NEW500+ tools for journalism, geolocation & verification — Google SheetGoogle SheetFree
Username & Identity
UsernameSherlockCLI tool — hunts username across 300+ social networksGitHubFree
UsernameNamechkUsername availability across 100+ platformsnamechk.comFree
UsernameWhatsMyNameUsername search with verification links — more detailed than Namechkwhatsmyname.appFree
Email & Breach Data
EmailHaveIBeenPwnedCheck email address against known data breacheshaveibeenpwned.comFree
EmailHunter.ioFind email addresses tied to a domainhunter.ioFreemium
Email / IdentityOSINT Industries ⭐ NEWReal-time lookup — maps email/phone/username to connected accounts across Instagram, Telegram, CashApp & moreosint.industriesFreemium
Domain, DNS & Network
DomainWHOIS LookupDomain registration info — registrar, owner, datesdomaintools.comFree
DomainDNSDumpsterDNS records, subdomains, and visual domain mappingdnsdumpster.comFree
DomainSublist3rCLI subdomain enumeration tool using multiple sourcesGitHubFree
IP / DevicesShodanSearch engine for internet-connected devices — ports, services, CVEsshodan.ioFreemium
IP / DevicesCensysInternet-wide scan data, TLS certificates, attack surface mappingcensys.ioFreemium
Search Engines & Archives
Web HistoryWayback MachineHistorical snapshots of any website going back decadesweb.archive.orgFree
Deep SearchIntelligence X ⭐ NEWSearches leaked databases, dark web archives, and historical records using email/domain/IP/crypto identifiersintelx.ioFreemium
Vulnerability DBGoogle Hacking DBPublic repository of Google dorks for security researchexploit-db.comFree
Images, Metadata & Geolocation
ImagesTinEyeReverse image search — finds older instances than Googletineye.comFreemium
ImagesExifToolExtract GPS, camera, and timestamp metadata from any fileexiftool.orgFree
GeolocationGeoGuessrGame that builds visual geolocation skills (Street View)geoguessr.comFreemium
GeolocationGeoSpy AIAI-powered image geolocation — upload photo to get location estimategeospy.aiFreemium
OSINT Suites (Free / Open Source)
OSINT SuiteMaltego CEVisual link analysis — maps relationships between people, domains, IPsmaltego.comFreemium
OSINT SuiteSpiderFoot ⭐ NEWAutomated OSINT collection — scans IPs, domains, emails, usernames from 100+ sourcesGitHubFree
OSINT SuiteRecon-ng ⭐ NEWModular CLI recon framework — like Metasploit but for OSINTGitHubFree
OSINT SuiteDataSploit ⭐ NEWAggregates OSINT on companies, people, phone numbers, and crypto — outputs multiple formatsGitHubFree
OSINT SuiteOSRFramework ⭐ NEWCombines multiple OSINT sources — web interface, API, and CLI outputGitHubFree
OSINT SuiteGasMask ⭐ NEWGathers target info from Google, Bing, Yandex, GitHub, YouTube, and TwitterGitHubFree
URL, File & Threat Analysis
ThreatVirusTotalScan URLs, IPs, domains, and files against 70+ antivirus enginesvirustotal.comFree
AutomationtheHarvesterCLI — automates email, subdomain, and employee discoveryGitHubFree

💳 Paid Platforms — For Later Consultation

These platforms are enterprise-grade or require paid subscriptions. Not needed as a student, but worth knowing for career progression — especially if you move into threat intelligence, law enforcement, or corporate security roles.

ShadowDragon

Professional OSINT platform with 600+ data sources. Used by law enforcement and intelligence agencies. Offers social media tracking, link analysis, and threat actor monitoring at scale.

shadowdragon.io →

Recorded Future

Enterprise threat intelligence platform (acquired by Mastercard in 2024). Monitors dark web, technical forums, and threat actor activity. Uses AI/ML for predictive risk scoring. Integrates with SIEMs and SOAR.

recordedfuture.com →

Lampyre

All-in-one OSINT platform integrating social media, public records, and dark web sources. User-friendly GUI. Positions itself as a faster, more visual alternative to manual investigation workflows.

lampyre.io →

Maltego Pro / Enterprise

The paid tiers of Maltego unlock full transform limits, commercial data integrations, team collaboration, and API access. The free Community Edition is sufficient for learning, but Pro is the industry standard for professional investigators.

maltego.com →

DeHashed

Search engine for breach data — billions of records covering email, usernames, IPs, physical addresses, phone numbers. More comprehensive than HaveIBeenPwned but requires a paid subscription for full access.

dehashed.com →

1 TRACE

Launched 2024. Combines social media, geospatial, cyber, and financial (cryptocurrency) OSINT in one platform. ISO 27001:2022 certified — trusted by governments and law enforcement for cross-discipline investigations.

1trace.com →

Talkwalker / Hootsuite

AI-powered social media monitoring platform scanning 150M+ websites and 30+ social networks in 187 languages. Used by brands and government agencies for threat monitoring, sentiment analysis, and crisis prediction up to 90 days ahead.

talkwalker.com →

Shodan Pro / Enterprise

Shodan's paid tiers unlock full search results (free is limited to 2 pages), continuous monitoring alerts, full historical data, and API access for automation. Essential for serious network intelligence work.

shodan.io →

💡
Student tip on paid tools: Many paid platforms offer free academic licenses or steep student discounts — always check their website for an "education" or "academic" programme. Maltego, in particular, offers free licences for academic institutions. ShadowDragon and Recorded Future sometimes offer trial access through university cybersecurity programs.

🎓 Certifications to Pursue

Google Cybersecurity Certificate

Beginner-friendly. Covers OSINT basics, security operations, Python scripting. Available on Coursera (~6 months). Good first cert.

CompTIA Security+

Industry gold standard for entry level. Covers threats, OSINT concepts, network security. Recognized globally by employers.

eJPT (eLearnSecurity)

Practical penetration testing. Includes recon phase. More affordable than OSCP. Good stepping stone.

OSCP (Offensive Security)

The premium offensive security cert. 24-hour practical exam. Recognized by top security employers. Requires strong recon skills.

CEH (Certified Ethical Hacker)

Covers OSINT, footprinting, and full hacking methodology. More theoretical but widely recognized in enterprises.

Bellingcat OSINT Training

Free online guides from the world's top open-source investigators. Focuses on journalism and conflict investigation OSINT.

📖 Recommended Books & Resources