OSINT Glossary

Methodology & Standards · April 26, 2026 · Updated Apr 26, 2026

Open-Source Intelligence is a field built on acronyms. Whether you are a journalist tracing a sanctioned vessel, a corporate due-diligence analyst chasing a beneficial owner, or a SOC analyst pivoting on indicators, you will encounter a shared vocabulary that spans military doctrine, civilian forensics, and internet protocols. This glossary collects the most common OSINT terms every investigator should know, organised by the intelligence discipline they belong to. Each entry includes a short, plain-English explanation so you can use it as a quick reference during real casework.

Core concept

OSINT — Open-Source Intelligence

OSINT is the collection, processing, and analysis of information drawn from publicly available sources to produce actionable intelligence. Sources range from social media posts and corporate registries to satellite imagery, court filings, and leaked datasets. The U.S. Office of the Director of National Intelligence formally recognises OSINT as one of the major intelligence disciplines, alongside HUMINT, SIGINT and GEOINT. Importantly, "open" does not mean "free of legal or ethical constraints" — investigators still need to consider data protection law, terms of service, and operational security.

Intelligence disciplines (INTs)

HUMINT — Human Intelligence

HUMINT is intelligence derived from human sources — interviews, informants, debriefings, and elicitation. It is traditionally distinct from OSINT because it usually requires direct interaction with a person, sometimes covertly. In modern investigations the line blurs: a journalist who DMs a source on Telegram is doing HUMINT-style collection on top of an open-source platform.

SIGINT — Signals Intelligence

SIGINT covers the interception and analysis of communications and electromagnetic emissions, typically the domain of national agencies such as the U.S. National Security Agency. It is generally not available to civilian OSINT analysts, but its sub-branches — particularly ELINT — sometimes overlap with open data such as ADS-B and AIS broadcasts.

GEOINT — Geospatial Intelligence

GEOINT is the exploitation and analysis of imagery and geospatial information to describe, assess, and visually depict physical features and geographically referenced activities on Earth. It blends satellite imagery, terrain data, and metadata such as timestamps and coordinates. Civilian platforms such as Google Earth, Sentinel Hub, and Planet Labs have made GEOINT one of the fastest-growing branches of public-domain intelligence.

IMINT — Imagery Intelligence

IMINT focuses specifically on the exploitation of still images and video — identifying objects, units, and activities visible in a frame. While GEOINT incorporates terrain and mapping context, IMINT is the closer-up forensic interpretation of what is in the picture. Modern IMINT routinely combines optical, infrared, and synthetic-aperture-radar imagery.

SOCMINT — Social Media Intelligence

SOCMINT is a subset of OSINT that focuses on data from social networks: posts, profiles, follower graphs, geotags, and engagement patterns. The term was popularised by analysts at Demos in 2012 and is now standard in counter-terrorism, brand protection, and disinformation research. SOCMINT is highly sensitive to platform terms of service and to evolving privacy regulation such as GDPR.

FININT — Financial Intelligence

FININT is intelligence derived from financial transactions, ownership records, and money flows. It underpins anti-money-laundering, sanctions compliance, and fraud investigations, and is the core mandate of national Financial Intelligence Units coordinated through the Egmont Group. In OSINT contexts FININT often relies on company registries, leaks such as the Panama and Pandora Papers, and blockchain-explorer data.

MARINT — Maritime Intelligence

MARINT deals with vessels, ports, cargo, and the broader maritime domain. It is fed largely by AIS broadcasts, satellite imagery, port-state inspection records, and corporate shipping registries. MARINT has become essential for sanctions enforcement, particularly around dark-fleet tankers and ship-to-ship transfers.

AVINT — Aviation Intelligence

AVINT is the aviation-domain counterpart to MARINT, covering aircraft movements, ownership, and operations. It draws heavily on ADS-B feeds aggregated by services like Flightradar24 and ADS-B Exchange, plus civil aviation registries. AVINT is a workhorse discipline for sanctions tracking, conflict reporting, and corporate-jet investigations.

ELINT — Electronic Intelligence

ELINT is the non-communications branch of SIGINT — the detection and analysis of electromagnetic signals such as radar emissions. It is typically a state-level capability, but civilian researchers increasingly use software-defined radio and crowdsourced sensor networks to map radar coverage in conflict zones.

CTI — Cyber Threat Intelligence

CTI is intelligence about adversaries operating in cyberspace — their infrastructure, malware, motivations, and behaviour. CTI is consumed by SOCs, incident-response teams, and policy makers, and it heavily borrows OSINT methodology. The discipline has its own ecosystem of standards, frameworks, and exchange formats described in the next section.

Cyber Threat Intelligence (CTI) terminology

ATT&CK

The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics, techniques, and procedures based on real-world observations. It provides a shared taxonomy that lets defenders describe attacker behaviour consistently — for example, "T1566.001 — Spearphishing Attachment". ATT&CK has become the de-facto common language of CTI and is used in detection engineering, red-team reporting, and threat-actor profiling.

IOC — Indicator of Compromise

An IOC is a piece of forensic data — file hash, IP address, domain, URL, registry key — that points to a possible intrusion. IOCs are the atomic unit of operational CTI: cheap to share, easy to deploy in detection rules, but also easily evaded by sophisticated adversaries. Modern threat hunting therefore treats IOCs as a starting point rather than an end-state.

TTP — Tactics, Techniques, Procedures

TTPs describe how an adversary operates, in increasing order of specificity — strategic goals (tactics), the methods used to achieve them (techniques), and the concrete steps observed in a particular campaign (procedures). They sit higher on the Pyramid of Pain than IOCs because they are harder for an attacker to change. Tracking TTPs is the foundation of behavioural detection and threat-actor attribution.

APT — Advanced Persistent Threat

An APT is a sophisticated, long-running cyber adversary, traditionally state-affiliated, that gains and maintains access to a target network for strategic purposes. The term was popularised by Mandiant's APT1 report in 2013 and now applies to dozens of named groups across multiple countries. APT designations such as APT28, APT29, or Lazarus carry weight in attribution and are often tied to specific TTPs.

Information operations

CIB — Coordinated Inauthentic Behaviour

CIB is a term coined by Meta (then Facebook) to describe networks of accounts working together to manipulate public debate while disguising their identity. CIB is the policy lens through which most major platforms now describe state-sponsored influence operations. For OSINT investigators, CIB cases produce some of the richest open datasets — Meta, X/Twitter, and TikTok publish takedown reports with infrastructure indicators.

Corporate intelligence (CORPINT)

PEP — Politically Exposed Person

A PEP is an individual entrusted with a prominent public function — heads of state, senior politicians, judges, military officers — plus their family and close associates. PEP status implies a higher money-laundering and corruption risk and triggers enhanced due diligence under FATF Recommendation 12. PEP screening is a core compliance task in banking, real estate, and crypto onboarding.

UBO — Ultimate Beneficial Owner

The UBO is the natural person who ultimately owns or controls a legal entity, even when the entity is wrapped in layers of nominees, trusts, or shell companies. Identifying UBOs is essential to AML, sanctions, and anti-corruption work, and is mandated in many jurisdictions through public or restricted beneficial-ownership registers. Open-data resources like OpenCorporates and the Open Ownership Register are key starting points.

KYC / AML / CDD

KYC (Know Your Customer), AML (Anti-Money Laundering), and CDD (Customer Due Diligence) are the regulatory pillars of financial-crime compliance. KYC is the act of identifying and verifying a customer; AML is the broader programme of preventing money laundering; CDD is the ongoing risk-based review of the relationship. These processes consume enormous volumes of OSINT — sanctions lists, adverse media, corporate records — and are heavily covered in FATF guidance.

Legal and access

FOIA — Freedom of Information Act

FOIA is the U.S. statute that gives the public the right to request access to records from federal agencies; many jurisdictions have equivalents (the UK's FOIA 2000, the EU's Regulation 1049/2001, Ukraine's Law on Access to Public Information, and so on). FOIA requests are a powerful but slow OSINT collection tool — especially in long-form investigative journalism. Tools like MuckRock help investigators draft, track, and publish requests.

Maritime intelligence

AIS — Automatic Identification System

AIS is a VHF-based vessel beacon that broadcasts identity, position, course, and speed. It is mandated by IMO SOLAS for most commercial vessels above 300 gross tonnes. AIS data is the backbone of MARINT and is aggregated by services such as MarineTraffic and VesselFinder; however, dark-fleet operators routinely spoof or disable AIS to evade sanctions tracking.

MMSI / IMO number

Every AIS-equipped vessel transmits an MMSI (Maritime Mobile Service Identity) — a nine-digit radio identifier that may change with ownership or flag — and most commercial ships also carry a globally unique seven-digit IMO number assigned by the International Maritime Organization. The IMO number stays with the hull for life, which makes it the more reliable identifier when tracking renamed or reflagged ships.

Aviation intelligence

ADS-B — Automatic Dependent Surveillance-Broadcast

ADS-B is the aviation analogue of AIS: aircraft broadcast their GPS position, altitude, callsign, and ICAO 24-bit address roughly once per second. The FAA and most other regulators have made ADS-B Out mandatory in controlled airspace, which is why platforms like Flightradar24 and ADS-B Exchange can offer near-real-time global flight tracking. ADS-B data is openly received by hobbyist networks, making it one of the richest civilian intelligence streams.

MLAT — Multilateration

MLAT is a positioning technique used as a fallback when an aircraft does not transmit GPS-based ADS-B: the differences in the time at which a signal reaches several ground stations are used to calculate the aircraft's position. MLAT lets ADS-B aggregators continue to track older aircraft and military flights that broadcast Mode S but not Mode S Extended Squitter. It is computationally heavier and slightly less accurate than direct ADS-B.

Geospatial intelligence

AOI — Area of Interest

An AOI is the bounded geographic region an analyst is monitoring or tasking imagery against — for example, a polygon around a specific airbase. AOIs drive imagery search, change-detection alerts, and tipping-and-cueing workflows. Most commercial GEOINT providers such as Planet, Maxar, and Sentinel Hub allow users to define AOIs as GeoJSON polygons.

Military intelligence

BDA — Battle Damage Assessment

BDA is the post-strike evaluation of how much damage was actually inflicted on a target. In the OSINT context, BDA increasingly relies on commercial satellite imagery, social-media uploads, and verified video — the work done by groups like Bellingcat during the war in Ukraine is a canonical example. BDA is inherently uncertain and benefits from triangulating multiple imagery sources and ground reports.

Image intelligence

EXIF — Exchangeable Image File Format

EXIF is the metadata standard embedded in JPEG and TIFF files by digital cameras and phones, including timestamps, camera model, and (sometimes) GPS coordinates. EXIF can be a goldmine in OSINT — but social media platforms typically strip it on upload, so its absence does not prove anything. Reading EXIF is most often done with ExifTool, the de-facto standard utility.

ELA — Error Level Analysis

ELA is a forensic technique that re-saves a JPEG at a known compression level and compares the result to the original — areas that differ significantly are candidates for tampering. ELA is illustrative but easy to misinterpret, especially on heavily re-compressed social-media images. Free web services like FotoForensics let analysts run ELA without installing software.

PRNU — Photo Response Non-Uniformity

PRNU is a sensor-noise fingerprint left on every image a given camera takes, caused by tiny manufacturing variations between pixels. With enough reference images, an investigator can statistically link a questioned photo back to a specific physical sensor — a powerful tool in CSAM cases and in unmasking sock-puppet photographers. The technique was formalised by Jessica Fridrich's group at Binghamton University.

Web and DNS intelligence

WHOIS / RDAP

WHOIS is the legacy protocol for querying domain-registration data — registrant, registrar, creation date, name servers. RDAP (Registration Data Access Protocol) is its modern successor, defined in RFC 7480 and following, returning structured JSON with proper authentication and internationalisation. Since GDPR took effect, most registrant fields are redacted in WHOIS — RDAP is the standards-track path to controlled access.

CT log — Certificate Transparency log

A CT log is a public, append-only ledger of every TLS certificate issued by participating Certificate Authorities, defined in RFC 6962. CT logs are searchable through services like crt.sh and let investigators discover subdomains, attacker phishing infrastructure, and unannounced services. They are one of the highest-leverage data sources in modern WEBINT.

Wayback Machine / archive.today

The Wayback Machine and archive.today are web-archiving services that preserve snapshots of pages over time. They are essential for OSINT because the live web is unstable — content gets deleted, edited, or geo-fenced. Archived versions also serve as evidence in legal and journalism contexts; archive.today is particularly useful because it can capture pages that block the Wayback Machine.

Network intelligence

PDNS — Passive DNS

Passive DNS is the historical record of which domain names resolved to which IPs over time, captured by sensors at recursive resolvers. PDNS lets analysts see relationships that current-state DNS lookups hide — what an attacker domain pointed to last week, or which other domains shared an IP with a known C2 server. Both commercial vendors and the PassiveDNS open-source toolset support this workflow.

ASN / BGP — Autonomous System Number / Border Gateway Protocol

An ASN is the unique identifier assigned to an autonomous system — a network with a single routing policy, usually an ISP, hoster, or large enterprise. BGP is the protocol that ASNs use to advertise routes to each other on the public internet. Tracking ASN ownership and BGP changes via tools like bgp.tools is fundamental to attribution, hijack detection, and infrastructure profiling.

JARM / JA3 / JA4 — TLS fingerprints

JA3, its update JA4, and the active-probe JARM are fingerprinting techniques that build a hash from the parameters of a TLS handshake. These fingerprints are powerful because they cluster servers and clients by their underlying stack — for example, identifying every Cobalt Strike teamserver on the internet that uses a particular profile. JARM was open-sourced by Salesforce in 2020; JA4 was released by FoxIO in 2023.
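How a JA3 fingerprint is assembled from handshake parameters, as an added example that is not part of the original glossary: it parses a ClientHello record, drops GREASE values, and MD5-hashes the JA3 field string (version, cipher suites, extensions, supported groups, point formats). The bytes from `sample_client_hello` are constructed rather than captured, and the parser assumes the whole ClientHello sits in a single TLS record.

```python
import hashlib
import struct

# GREASE code points (RFC 8701) are filler values; JA3 ignores them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

class Reader:  # cursor over bytes; raises instead of reading past the end
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ClientHello")
        self.pos += n
        return chunk
    def vec(self, len_bytes):   # length-prefixed byte vector
        return self.take(int.from_bytes(self.take(len_bytes), "big"))
    def u16s(self, len_bytes):  # length-prefixed vector of 16-bit values
        return [v for (v,) in struct.iter_unpack("!H", self.vec(len_bytes))]
    def done(self):
        return self.pos >= len(self.data)

def parse_client_hello(record):
    """Return (version, ciphers, extensions, groups, point_formats)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    r = Reader(record[9:])      # skip record (5) and handshake (4) headers
    version = int.from_bytes(r.take(34)[:2], "big")  # version + 32-byte random
    r.vec(1)                    # session id
    ciphers = r.u16s(2)
    r.vec(1)                    # compression methods
    exts, groups, formats = [], [], []
    er = Reader(b"" if r.done() else r.vec(2))
    while not er.done():
        etype, edata = int.from_bytes(er.take(2), "big"), Reader(er.vec(2))
        exts.append(etype)
        if etype == 10:         # supported_groups
            groups = edata.u16s(2)
        elif etype == 11:       # ec_point_formats
            formats = list(edata.vec(1))
    return version, ciphers, exts, groups, formats

def ja3(record):
    """Return (ja3_string, md5_hex) for one ClientHello record."""
    version, *lists = parse_client_hello(record)
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    text = ",".join([str(version)] + [keep(v) for v in lists])
    return text, hashlib.md5(text.encode()).hexdigest()

def sample_client_hello(grease=False):
    """Constructed ClientHello bytes (not a capture), optionally GREASEd."""
    g = [0x0A0A] if grease else []
    u16 = lambda vals: b"".join(struct.pack("!H", v) for v in vals)
    vec = lambda n, d: len(d).to_bytes(n, "big") + d
    ext = lambda t, d: u16([t]) + vec(2, d)
    exts = b"".join(ext(t, b"") for t in g)
    exts += ext(10, vec(2, u16(g + [29, 23]))) + ext(11, vec(1, b"\x00"))
    body = (u16([0x0303]) + bytes(32) + vec(1, b"") +
            vec(2, u16(g + [0x1301, 0x1302, 0xC02F])) + vec(1, b"\x00") + vec(2, exts))
    return b"\x16\x03\x01" + vec(2, b"\x01" + vec(3, body))
```

Because GREASE values are filtered out before hashing, the plain and GREASE-padded sample hellos produce the same fingerprint, which is what lets a JA3 hash cluster clients by their TLS stack.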

OSINT tradecraft

OPSEC — Operational Security

OPSEC for OSINT is everything an investigator does to keep their identity, intent, and infrastructure from leaking back to the target. That includes browser isolation, attribution-managed networking, alias separation, and disciplined handling of cookies and metadata. Bad OPSEC has burned more investigations than any technical failure.

Sock-puppet

A sock-puppet is a managed false persona used to access communities, contact targets, or observe content that requires registration. Building credible sock-puppets requires aged accounts, plausible posting history, and consistent metadata — and increasingly, AI-generated faces that survive reverse-image search. Sock-puppet use raises ethical and legal questions and should be governed by an explicit policy.

Hunchly

Hunchly is a browser extension that automatically captures every web page an investigator visits, hashes the content for evidentiary integrity, and organises the result into a searchable case file. It is widely used in investigative journalism, law-enforcement online investigations, and corporate due diligence. Hunchly's appeal is that it removes the discipline burden of manual screenshotting — captures happen by default.

Maltego / SpiderFoot

Maltego and SpiderFoot are entity-graph OSINT platforms — they take seed entities (a domain, an email, a person) and pivot through dozens of data sources to produce a connected graph of related infrastructure and identities. Maltego is the more mature commercial product with a transform marketplace; SpiderFoot is open-source with a paid HX cloud variant. Both are staples of the modern OSINT toolbox.

Dark-web intelligence

Tor / I2P / Freenet

Tor, I2P, and Freenet (now Hyphanet) are anonymity networks that host hidden services unreachable through the regular DNS hierarchy. Tor is by far the largest and most studied — it powers most of what people loosely call "the dark web", including the .onion services tracked by threat-intelligence and law-enforcement teams. I2P and Freenet are smaller but persistently used by specific subcommunities, particularly around file-sharing and resilient publishing.

Document and media intelligence

Stylometry

Stylometry is authorship attribution by quantitative analysis of writing style — word lengths, function-word frequencies, punctuation habits. The technique gained mainstream attention when stylometric analysis pointed at J.K. Rowling as the author of "The Cuckoo's Calling" in 2013. In OSINT, stylometry helps link sock-puppets, attribute leaks, and confirm or refute claims about who wrote a document.

OCR — Optical Character Recognition

OCR turns images of text — scanned PDFs, photos of documents, screenshots — into machine-readable text. Modern OCR engines such as Tesseract and commercial cloud APIs make large document corpora suddenly searchable. Quality drops sharply on low-resolution images, complex scripts, or handwritten material, so OCR output should always be validated against the original.

C2PA / CAI — Content provenance

C2PA (Coalition for Content Provenance and Authenticity) and the Content Authenticity Initiative (CAI) are joined-up standards efforts to attach cryptographically signed provenance metadata to media files — who captured it, what edits were made, what AI tools touched it. The standard is being adopted by camera manufacturers (Leica, Sony, Nikon), publishers (BBC, NYT), and AI companies (OpenAI, Microsoft). For OSINT analysts, C2PA manifests are a new verification surface — both an opportunity and an attack target.

Using this glossary

Treat this list as a starting vocabulary, not a closed canon. Every discipline above has its own deeper lexicon, and the terminology evolves quickly — JA4 only appeared in 2023, C2PA manifests are still rolling out across hardware. The most useful habit for any OSINT practitioner is to read primary sources: standards documents (IETF RFCs, ISO/IMO regulations), platform takedown reports, and the technical write-ups published by groups like Bellingcat, the DFRLab, and Citizen Lab. The acronyms only matter to the extent that they help you describe what you actually found.