SEC487: 6 Days of OSINT

I am no longer associated with the SANS SEC487 course

In January 2022, I resigned from teaching with SANS and transitioned authorship to them. This post is here for historical purposes.

As a system administrator in the early 2000s, my job was to configure big computer servers. I installed and configured web sites and file shares and customized databases according to database administrator requirements. I was good at my job, but it didn’t thrill me.

Then I took my first SANS class. It was the SEC504 course and I was amazed! I loved the post-exploitation activities: escalating privileges, snooping around systems, and gathering data from those computers I’d compromised. With a little luck and some hard work, I shifted my career to cyber where I was being paid to compromise systems. I was happy, but the thrilling part wasn’t there as much as I wanted.

That was when I discovered that, what we in pentesting called “recon”, was a whole field called OSINT. In the Open Source Intelligence (OSINT) field, we get paid to answer our customers’ questions, to find information that they want, to help them understand what their risk is from the data that can be found about them online. This was thrilling. Really.

I loved the hunt for data and the analysis to determine what that data meant. This was the perfect combination of mental challenge; find data, analyze, find data, analyze…report.

So I Made a Class

In the Summer of 2016, I began writing what is now the SANS Institute’s SEC487: Open-Source Intelligence Gathering and Analysis course.


On that page is the following “Author Statement” that further describes why I made this course. It is also below.

“I have always been intrigued by the types and amount of data that are available on the Internet. From researching the best restaurants in a foreign town to watching people via video cameras, it all fascinates me. As the Internet evolved, more high-quality, real-time resources became available and every day was like a holiday, with new and wonderous tools and sites coming online and freely accessible.

“At a certain point, I was no longer in awe of the great resources on the web and, instead, transitioned to surprise that people would post images of themselves in illegal or compromising positions or that a user profile contained such explicit, detailed content. My wonder shifted to concern for these people. Didn’t they know that their [profiles, images, videos, comments, etc.] were publicly accessible? Didn’t they care about it? What I found was that, if you looked in the right places, you could find almost anything about a person, a network, or a company. Piecing together seemingly random pieces of data into meaningful stories became my passion and, ultimately, the reason for this course.

“I recognized that the barrier to performing excellent OSINT was not that there was no free data on the Internet. It was that there was too much data on the Internet. The challenge transitioned from ‘how do I find something’ to ‘how do I find only what I need?’ This course was born from this need to help others learn the tools and techniques to effectively gather and analyze OSINT data from the Internet.”

And that’s where we are now. We have soooooo much data out there and soooooo many people reporting it. But what does it mean to us and to our customers? That is the important question.

About the Course

I designed this 6 day class to be applicable to all the people that use OSINT; from parents to private investigators, insurance claims investigators to incident responders, threat intelligence analysts to penetration testers. Everyone will find useful tips, tricks, and techniques in this class.

This is not a “Just Google It” OSINT course. With over 20 labs across the first 5 days and a Capture the Flag (CTF) event on day 6, we explore by doing. We explore OSINT techniques using interesting, real-world scenarios that take students around the world from Australia to Italy, Brazil to Singapore.

Please take a look at the detailed course syllabus on SANS’s site ( to understand the range of topics we will cover.

I fully realize that learning and growth don’t end once you leave the classroom, so I’ve packed in some extras to help support your OSINT adventures post-class. You will get:

  • Video walkthroughs of all the labs
  • A digital wiki with helpful information about the tools and labs
  • Access to the SEC487 Alumni Slack group so that you can continue the OSINT conversation and questions with your instructors and peers well-after you leave the class.

The winners of the group CTF on day 6 get a beautiful challenge coin (below).


Short, Sweet and Fun!

I could carry on about how much fun it was to create this class or how much more fun it’ll be to begin teaching it in the coming months but, well, I think that goes without saying.

Those that know me, have seen my tweets, or have been in my classes know that I try to make every class fun and exciting. I’ve built that into each part of this class. We use characters from the 1980s iconic movie, The Princess Bride, in the scenarios and examples.

Come join me for 6 days of OSINT, information gathering and analysis!

Comments are closed.

Up ↑

%d bloggers like this: