collecting-open-source-intelligence

Featured

Collects and synthesizes open-source intelligence (OSINT) about threat actors, malicious infrastructure, and attack campaigns using publicly available data sources, passive reconnaissance tools, and dark web monitoring. Use when investigating external threat actor infrastructure, performing pre-engagement reconnaissance for authorized red team assessments, or enriching CTI reports with publicly available adversary context. Activates for requests involving Maltego, Shodan, OSINT framework, SpiderFoot, or infrastructure reconnaissance.

Category: AI & Automation | 12,642 stars | 1468 forks | Updated today | License: Apache-2.0

Quality Score: 99/100

Stars (weight 20%): 100
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Collecting Open-Source Intelligence

## When to Use

Use this skill when:

- Investigating external infrastructure associated with a phishing campaign targeting your organization
- Enriching threat actor profiles with publicly observable indicators (WHOIS, ASN data, SSL certificates)
- Conducting authorized attack surface discovery to understand your organization's external exposure

**Do not use** this skill for active scanning against targets without explicit written authorization — OSINT collection must remain passive (no packets sent to target systems) unless scope permits active recon.

## Prerequisites

- Maltego CE or commercial license for graph-based link analysis
- Shodan API key (https://shodan.io) for internet-wide device/service discovery
- OSINT Framework familiarity (https://osintframework.com) for tool selection
- SpiderFoot HX or open-source SpiderFoot for automated OSINT correlation

## Workflow

### Step 1: Define Collection Requirements

Establish the intelligence requirement (IR) before collecting. Document:

- Target: threat actor group, malicious domain, IP range, or organization
- Priority Intelligence Requirements (PIRs): What specific questions need answering?
- Legal authority: Passive OSINT is legal; active probing requires authorization
- Data handling: TLP classification for collected intelligence

### Step 2: Passive DNS and WHOIS Investigation

```bash
# Passive DNS via SecurityTrails API
curl "https://api.securitytrails.com/v1/domain/evil-doma...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-open-source-intelligence-gathering

Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators collect publicly available information about the target organization to identify attack s

12,642 Updated today
mukul975
AI & Automation Featured

conducting-external-reconnaissance-with-osint

Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization's external attack surface without directly interacting with target systems. The tester gathers information from public sources including DNS records, certificate transparency logs, search engines, social media, code repositories, and data breach databases to build a comprehensive target profile. Activates for requests involving OSINT reconnaissance, external footprinting, attack surface mapping, or passive information gathering.

12,642 Updated today
mukul975
AI & Automation Featured

building-threat-actor-profile-from-osint

Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary motivations, capabilities, infrastructure, and TTPs for proactive defense.

12,642 Updated today
mukul975
DevOps & Infrastructure Solid

osint-methodology

Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline (seed discovery, asset expansion, enrichment, exposure analysis, reporting), asset-graph discipline with 29 asset types, severity rubric (CRITICAL/HIGH/MEDIUM/LOW/INFO), confidence upgrade workflows, time budgeting, asset-level triage rules, scale-based tactics, identity-fabric mapping (Entra/Okta/ADFS/Google/SAML/M365 Teams+SharePoint+OAuth), API and auth-map methodology, JavaScript deep analysis, mobile attack surface, cloud attack surface, breach×identity correlation, detectability tagging, detection-aware probing (back-off, persona rotation), read-only validator discipline, WAF/CDN bypass + origin discovery, vulnerability prioritization (CVE/EPSS/KEV), phishing infrastructure planning + pretext development, bug bounty submission templates, client deliverable templates with risk translation, threat-actor investigation (incl. RU/CN pivots), cryptocurrency tracing, ima

1,380 Updated 4 days ago
elementalsouls
AI & Automation Featured

performing-ai-driven-osint-correlation

Use AI and LLM-based reasoning to correlate findings across multiple OSINT sources—username enumeration, email lookups, social media profiles, domain records, breach databases, and dark-web mentions—into unified intelligence profiles with confidence scoring and link analysis.

12,642 Updated today
mukul975