OSINT Glossary

A working glossary of terms used across open-source intelligence, analytical tradecraft, and adjacent disciplines (CTI, GEOINT, counterintelligence, corporate due diligence). Definitions are written for practitioners: precise, operational, and aligned with established doctrine where it exists. Where a deeper note exists in this vault, the term is cross-referenced inline.


A

  • Active Measures (Активные мероприятия) — Soviet/Russian intelligence doctrine encompassing the full spectrum of covert influence operations: disinformation, forgery, front organizations, agents of influence, and political subversion. Distinct from intelligence collection in that the objective is to shape the adversary’s environment, not merely to understand it. The doctrine persists in contemporary Russian services (SVR, GRU, FSB).
  • All-Source Intelligence — Analytical product derived from the fusion of multiple intelligence disciplines (HUMINT, SIGINT, GEOINT, OSINT, MASINT). The defining attribute is cross-discipline corroboration; an all-source analyst weighs each source against the others rather than relying on a single collection channel.
  • APT (Advanced Persistent Threat) — A threat actor — typically state-sponsored or state-aligned — characterized by sustained, targeted, and well-resourced intrusion campaigns against specific strategic objectives. The label denotes intent and capability, not a single intrusion event. (See Advanced Persistent Threats.)
  • Attribution — The analytical process of assigning responsibility for an action — cyber intrusion, influence campaign, kinetic operation — to a specific actor. Attribution operates across technical, behavioral, and geopolitical evidence layers, and is always expressed with a confidence level rather than certainty. (See Attribution.)

B

  • Beneficial Ownership — The natural person(s) who ultimately own or control a legal entity, regardless of the formal chain of nominees, trusts, or shell companies. Beneficial ownership disclosure regimes (EU 5AMLD, US Corporate Transparency Act, UK PSC register) are the legal substrate for corporate OSINT. (See Corporate OSINT and Due Diligence.)
  • BLUF (Bottom Line Up Front) — An analytical writing convention — originating in US military staff practice — in which the principal judgment or recommendation is stated in the opening sentence of a product. Designed for time-constrained consumers who may not read past the first paragraph. The rest of the product justifies, qualifies, and sources the BLUF.
  • Bootleg intelligence — Unverified, unvetted, or single-sourced material that is treated as established fact downstream — often after laundering through a credible-looking aggregator or analytical product. A persistent failure mode in fast-moving OSINT environments, particularly during crises.

C

  • C2 (Command and Control) — In cyber operations, the infrastructure (servers, domains, channels) through which an adversary directs implants on compromised systems. C2 analysis is a core pivot point in CTI investigations: shared C2 infrastructure across intrusions is one of the strongest clustering signals.
  • Chain of Custody — A documented, unbroken record tracking who handled an evidentiary artefact, when, and how, from collection through analysis to dissemination. In OSINT contexts, chain of custody centers on artefact hashing, immutable storage, and tooling provenance. Mandatory for any product intended for legal, accountability, or attribution use. (See OSINT for Human Rights.)
  • Chronolocation — The technique of inferring or constraining the date and/or time of an image or video from visual cues — sun position and shadow length, vegetation state, weather, visible signage, contrails, celestial bodies, or transient features (construction, posters, flags). Complementary to geolocation; together they fix an artefact in space-time.
  • Cognitive Bias — A systematic deviation from rational judgment arising from heuristics, motivated reasoning, or cognitive limits. In intelligence analysis, biases are not individual failings but structural risks to be mitigated through tradecraft (structured analytic techniques, red teaming, devil’s advocacy). (See Cognitive Bias.)
  • Collection — The phase of the intelligence cycle in which information is acquired against standing or ad hoc requirements. In OSINT, collection is bounded by source legality, OPSEC, and reproducibility — captures must be preservable and verifiable.
  • Confirmation Bias — The tendency to seek, weigh, and recall evidence that supports a pre-existing hypothesis while discounting evidence that contradicts it. Among the most operationally damaging biases in intelligence work; canonical mitigations include Analysis of Competing Hypotheses (ACH) and explicit pre-registration of judgments. (See Confirmation Bias.)
  • Confidence Level — A formal qualifier (low / moderate / high) appended to an analytical judgment, expressing the analyst’s assessment of source quality, evidentiary depth, and logical coherence — distinct from probability of the event. (See Intelligence Confidence Levels.)
  • Corroboration vs. Confirmation — A critical tradecraft distinction. Corroboration means independent sourcing: two or more genuinely separate origins (different collection chains, not shared lineage) point to the same fact. Confirmation — in the loose sense — often means the same source repeated downstream, which adds no evidentiary weight. Mistaking circular sourcing for corroboration is a common cause of OSINT failure.
  • CTF (Capture the Flag) — Competitive OSINT events — Trace Labs, Project OWL, Quiztime, GeoGuessr-derived contests — in which teams race to extract intelligence from a curated puzzle or missing-person case file. The dominant skill-building modality in the OSINT community. (See OSINT Community Ecosystem.)
  • CTI (Cyber Threat Intelligence) — The discipline of producing actionable intelligence on adversary cyber actors, capabilities, and campaigns. CTI operates at strategic, operational, and tactical levels, with deliverables ranging from board-level threat assessments to machine-readable IOC feeds. (See Cyber Threat Intelligence.)

D

  • Dark Web — The subset of the deep web accessible only through anonymizing overlay networks (Tor, I2P, Freenet). A distinct OSINT collection environment with its own source ecology — marketplaces, forums, leak sites, ransomware blogs — and its own OPSEC and ethical constraints. (See Dark Web Methodology.)
  • DARKINT — Intelligence derived from systematic collection on dark-web and anonymizing-network sources. Treated as a specialized OSINT subdiscipline rather than a separate INT, given its open-source legal posture. (See DARKINT.)
  • Deduplication — In entity-resolution workflows, the process of identifying and merging records that refer to the same real-world entity despite surface-level variation (transliteration, spelling, formatting, alias). Deduplication is the necessary precondition for accurate link analysis.
  • Diamond Model — An intrusion-analysis framework — adversary, capability, infrastructure, victim — used in CTI to characterize and cluster cyber operations. Each vertex of the diamond is a pivot point for further collection; shared edges across intrusions are the basis for campaign attribution.
  • Disinformation vs. Misinformation — A precise three-way definitional distinction. Disinformation is false or misleading content disseminated with deliberate intent to deceive. Misinformation is erroneous content shared without deceptive intent (the sharer believes it true). Malinformation is genuinely true content deployed out of context, selectively, or at a particular time to cause harm. The intent and veracity axes must be analyzed separately.

E

  • ELINT (Electronic Intelligence) — A SIGINT subdiscipline focused on non-communications electromagnetic emissions: radar, navigation beacons, weapons-system emitters, telemetry. ELINT supports order-of-battle, EW planning, and platform identification. (See ELINT.)
  • Entity Resolution — The methodology of unambiguously identifying a real-world entity (person, organization, vessel, aircraft, asset) across heterogeneous data sources and resolving variant references to a single canonical record. (See Entity Resolution Methodology.)
  • EXIF / Metadata — Embedded structured data accompanying a digital artefact. For images, EXIF can include camera make/model, timestamp, GPS coordinates, software, and editing history; for documents, author, organization, revision history, and software fingerprint. Routinely sanitized by social platforms on upload — a critical OPSEC fact for both collection and counter-OSINT.
  • Exploitation — The intelligence-cycle phase between collection and analysis in which raw material is processed into a usable form: translation, transcription, OCR, image enhancement, format conversion, indexing. In military doctrine, “processing and exploitation” (the PE in PED) is a distinct workflow with its own tooling and personnel.

F – G

  • Finished Intelligence — An analytical product that has passed through the full intelligence cycle and is ready for dissemination to a consumer (commander, policymaker, customer). Distinguished from raw or processed intelligence by the addition of analyst judgment, contextualization, and confidence assessment.
  • GEOINT (Geospatial Intelligence) — Intelligence derived from the exploitation of imagery and geospatial information about features and activities on Earth. Encompasses IMINT, mapping, terrain analysis, and spatial-temporal pattern analysis. (See GEOINT.)
  • Geolocation — The technique of determining the geographic location at which an image, video, or event occurred, using visible features, terrain, architecture, vegetation, signage, and reference imagery. A core OSINT tradecraft skill. (See Geolocation Methodology.)

H

  • Hash (SHA-256) — A cryptographic function producing a fixed-length, collision-resistant digest of an input file. In OSINT evidence handling, hashing an artefact at the moment of capture and recording the digest establishes that the file has not been altered downstream — a foundational element of chain of custody. SHA-256 is the contemporary minimum; MD5 and SHA-1 are deprecated for evidentiary purposes.
  • HUMINT (Human Intelligence) — Intelligence derived from human sources: clandestine agents, debriefings, liaison relationships, walk-ins. Largely outside the OSINT remit, but HUMINT tradecraft concepts (legend, cover, motivation models) inform parts of online investigative practice. (See HUMINT.)
  • Hunchly — A commercial browser extension for OSINT investigators that automatically captures, hashes, and indexes every page visited during an investigation, producing a defensible evidentiary record. The de facto standard tool for case-based OSINT chain of custody.

I

  • I&W (Indications and Warning) — The intelligence function focused on detecting precursors of hostile action — military mobilization, leadership signaling, diplomatic withdrawals — in time for decision-makers to respond. I&W operates on observable indicator sets tied to specific threat scenarios. (See Indications and Warning.)
  • IMINT (Imagery Intelligence) — Intelligence derived from visual representations of objects reproduced electronically or optically — satellite imagery, aerial photography, drone video, ground photography. A core component of GEOINT. (See IMINT.)
  • Indicator of Compromise (IOC) — In CTI, a forensic artefact — file hash, IP address, domain, registry key, mutex — observed on a network or system and associated with malicious activity. IOCs are the most tactical, perishable layer of cyber threat intelligence. (See Cyber Threat Intelligence.)
  • Intelligence Cycle — The doctrinal model of intelligence production: planning and direction → collection → processing/exploitation → analysis and production → dissemination → feedback. A simplification, but a useful schema for locating any given activity within the broader workflow. (See Intelligence Cycle.)
  • IOC half-life — The empirical observation that different categories of cyber-threat indicators decay at radically different rates. Network indicators (IPs, domains) rotate in days; file hashes in weeks; tools and infrastructure patterns in months; tactics, techniques, and procedures (TTPs) persist for years. Intelligence value scales inversely with rotation rate, but actionability often scales the other way.

L

  • LEI (Legal Entity Identifier) — A 20-character alphanumeric code uniquely identifying a legally distinct entity participating in financial transactions, administered under ISO 17442. The closest existing global standard for corporate entity resolution. (See Entity Resolution Methodology.)
  • Legend — In HUMINT tradecraft, the cover identity — biographical and documentary — constructed for an agent operating under a false name or affiliation. Legend integrity is one of the principal vulnerabilities exploited in counterintelligence; modern OSINT tooling (deep social-graph analysis, biometric matching, transaction trails) makes durable legends harder to maintain. (See Double Agents.)
  • Link Analysis — A structured analytic technique that represents entities (people, organizations, assets) as nodes and relationships (financial, communications, kinship, ownership) as edges, then exploits graph properties — centrality, clustering, shortest paths — to surface non-obvious connections. (See Link Analysis.)

M

  • MASINT (Measurement and Signature Intelligence) — Technically derived intelligence that quantitatively characterizes distinctive physical, chemical, or behavioral signatures of targets — acoustic, seismic, nuclear, chemical, biological, materials, electro-optical. Highly specialized; provides discriminative attribution where other INTs cannot. (See MASINT.)
  • Metadata — Broadly, structured data describing other data. In OSINT, encompasses EXIF (images), document metadata (authorship, revision history), email headers, file-system timestamps, and platform-level signals. Frequently the highest-yield element of an artefact for verification and attribution.
  • MICE / RASCLS — Models of human source motivation. MICE — Money, Ideology, Compromise/Coercion, Ego — is the classic CIA framework. RASCLS — Reciprocation, Authority, Scarcity, Commitment, Liking, Social Proof — borrows Cialdini’s influence principles and is associated with later HUMINT thinking. Both inform agent recruitment and counterintelligence vulnerability assessment. (See Counterintelligence.)
  • Mirror-imaging — An analytical bias in which the analyst unconsciously projects their own decision logic, values, and constraints onto an adversary, producing forecasts that describe what the analyst would do rather than what the target will do. Particularly dangerous in cross-cultural and asymmetric contexts. (See Cognitive Bias.)
  • MMSI / IMO — Vessel identification standards. The Maritime Mobile Service Identity (MMSI) is a 9-digit number assigned to a ship’s radio (and changeable with flag); the IMO number is a 7-digit hull identifier assigned for the vessel’s operational life and is the more reliable resolution key. (See Entity Resolution Methodology.)

O

  • OPSEC (Operations Security) — The discipline of protecting one’s own activities, methods, and identity from adversary detection or exploitation. In OSINT, OPSEC covers infrastructure (clean VMs, sanitized browsers, anonymizing networks), behavior (no logged-in pivots, no real-name interaction), and product (no leakage of collection methods, sources, or timing in disseminated material).
  • OSINT (Open-Source Intelligence) — Intelligence produced from publicly available information — published, broadcast, online, or otherwise lawfully accessible — that has been deliberately collected, exploited, and disseminated in a timely manner to address a specific intelligence requirement. The “intelligence” qualifier is doing real work: aggregated open data without analysis is not OSINT. (See OSINT.)
  • OSINT Framework — Justin Nordine’s widely cited taxonomic tree of OSINT tools and resources, organized by collection target (username, email, domain, image, etc.). A reference index, not an analytical methodology. (See OSINT Community Ecosystem.)

P

  • Passive DNS — Historical archives of observed DNS resolutions, captured by sensors at the resolver layer. Allows analysts to reconstruct what a domain resolved to over time, and to pivot from a known-bad IP to all domains that historically pointed at it — a foundational infrastructure-research technique in CTI and APT tracking.
  • PED (Processing, Exploitation, Dissemination) — The downstream workflow in military ISR doctrine following collection. Distinct from the broader intelligence cycle in that PED specifically describes the industrial-scale processing of sensor data (full-motion video, SAR, multispectral). (See Intelligence, Surveillance, and Reconnaissance.)
  • PEP (Politically Exposed Person) — In AML/KYC regimes, an individual holding (or recently holding) a prominent public function — and, by extension, their immediate family and close associates. PEP status triggers enhanced due-diligence requirements. (See Corporate OSINT and Due Diligence.)
  • Persona — A synthetic, anonymized, or pseudonymous identity used to conduct OSINT collection without exposing the analyst’s true identity or organization. Persona discipline — separated infrastructure, plausible biographical depth, behavioral consistency — is a core OPSEC requirement.
  • PIR (Priority Intelligence Requirement) — A formal, prioritized question for which the consumer requires intelligence to support a specific decision. PIRs drive collection tasking in the intelligence cycle; well-formed PIRs are the precondition for focused, evaluable collection.
  • PMESII-PT — Political, Military, Economic, Social, Information, Infrastructure — Physical environment, Time. A US doctrinal framework for systematically characterizing the operational environment across all relevant dimensions. (See PMESII-PT Framework.)
  • POI (Person of Interest) — An individual identified as a target of an investigation — not necessarily a suspect, but an entity around whom collection is directed. (See POI Profiling Methodology.)

R

  • Raw intelligence — Unprocessed, unanalyzed collection product as delivered by the collector. Raw intelligence has not been corroborated, contextualized, or evaluated for reliability; it is unsuitable for direct dissemination to decision-makers.
  • Record Linkage — Synonym for entity resolution in statistical and academic literature, emphasizing the matching of records across datasets without a common explicit key. (See Entity Resolution Methodology.)
  • Reverse image search — The technique of submitting an image to a search engine (Google Lens, Yandex, TinEye, Bing Visual Search) to find prior instances of the same or visually similar images on the web. Foundational for verifying claimed-original imagery, detecting recycled propaganda, and pivoting to source context.

S

  • SAR (Synthetic Aperture Radar) — Radar-based satellite imagery that synthesizes a large virtual antenna from the motion of a small physical one, producing high-resolution imagery independent of cloud cover or daylight. SAR has become a foundational GEOINT layer — particularly for monitoring activity under persistent cloud (Arctic, tropics) or at night. (See GEOINT.)
  • SIGINT (Signals Intelligence) — Intelligence derived from the interception of electromagnetic signals — COMINT (communications), ELINT (non-communications emissions), and FISINT (foreign instrumentation signals). Largely outside the OSINT remit, but unclassified SIGINT-derived products inform many open analyses. (See Signals Intelligence.)
  • SOCMINT (Social Media Intelligence) — A specialized OSINT subdiscipline focused on the systematic collection and analysis of social-media content, network structure, and behavioral signals. (See Social Media Intelligence.)
  • Source reliability vs. information credibility — The two-axis evaluation schema codified in NATO STANAG 2511 and the Admiralty Code. Source reliability is rated A–F (completely reliable → cannot be judged); information credibility is rated 1–6 (confirmed → cannot be judged). The two ratings are independent: a reliable source can carry uncorroborated information; an unreliable source can carry information confirmed by other means.
  • Stylometry — The application of statistical and linguistic analysis to authorship attribution, using lexical, syntactic, structural, and idiosyncratic features as a fingerprint. Used in counter-OSINT to defeat persona separation, and in attribution against anonymous leaks, manifestos, and ransomware notes. (See Counter-OSINT Methodology.)

T

  • TECHINT (Technical Intelligence) — Intelligence derived from the collection, processing, analysis, and exploitation of data and information pertaining to foreign equipment and materiel. Encompasses captured-weapons exploitation, foreign-systems analysis, and materiel reverse engineering. (See TECHINT.)
  • TLP (Traffic Light Protocol) — A four-tier (RED, AMBER, GREEN, CLEAR; with AMBER+STRICT as a refinement) information-sharing classification scheme used in the CTI and incident-response communities to indicate permissible redistribution scope. (See Traffic Light Protocol.)
  • TTP (Tactics, Techniques, and Procedures) — A layered characterization of adversary behavior. Tactics are high-level objectives (initial access, exfiltration); techniques are the methods used to achieve them; procedures are the specific implementations observed. The MITRE ATT&CK framework is the dominant TTP taxonomy. TTPs are the most durable layer of cyber-threat intelligence — harder to change than infrastructure or tooling. (See Advanced Persistent Threats.)

U – V

  • UBO (Ultimate Beneficial Owner) — The natural person who ultimately owns or controls a corporate entity, regardless of intermediate layers of ownership. Operationally synonymous with beneficial ownership in most regulatory regimes, with thresholds typically set at 25% direct or indirect control. (See Corporate OSINT and Due Diligence.)
  • UFLPA — The US Uyghur Forced Labor Prevention Act (2021), which establishes a rebuttable presumption that goods produced wholly or in part in Xinjiang are made with forced labor and are therefore inadmissible to the US. UFLPA enforcement has driven a substantial portion of contemporary supply-chain OSINT practice. (See Corporate OSINT and Due Diligence.)

W – Z

  • WHOIS / RDAP — Protocols for querying domain registration data. WHOIS is the legacy text-based protocol; RDAP (Registration Data Access Protocol) is its structured, JSON-based successor with standardized authentication and access controls. Both expose (with varying redaction) the registrant, registrar, registration and expiration dates, and nameservers of a domain — core inputs for infrastructure research.
  • Zero-day — A vulnerability for which no patch, mitigation, or public disclosure exists at the time of exploitation, leaving defenders with zero days of advance warning. Zero-days are high-value, perishable adversary capabilities, and their use is often a signal of resourced, strategic intent.

Key Connections

OSINT · Intelligence Cycle · OSINT Community Ecosystem · Entity Resolution Methodology · Attribution · Counterintelligence · Source Verification Framework · Intelligence Confidence Levels · OSINT Ethics · Advanced Persistent Threats · Cyber Threat Intelligence · POI Profiling Methodology