Emoji Smuggling: Hiding Malicious Code in Plain Sight

by Daniel Collyer

February 18, 2026

Emoji smuggling represents an emerging obfuscation technique where attackers exploit Unicode encoding and emoji characters to conceal malicious code, bypass security filters, and evade detection systems. Whilst it may sound whimsical, this attack vector leverages legitimate Unicode functionality to create serious security challenges for organisations. Understanding how attackers weaponise these seemingly innocent characters helps us build better defences and recognise when something suspicious might be happening.

This post explores what emoji smuggling is, how attackers use it, and what organisations can do to protect themselves.

The Foundation: How Text Actually Works

Before we dive into the attack itself, we need to understand something fundamental about how computers handle text. When you type a letter, number, or emoji, your computer doesn’t actually store that visual symbol. Instead, it stores a number that represents that character. This system is called Unicode, and it’s what allows your computer to display everything from English letters to Chinese characters to emoji.

For example, when you use the fire emoji 🔥, your computer stores it as the number U+1F525. Every character you can type has its own unique number in the Unicode system. This is brilliant for international communication, but it also creates opportunities for attackers.

The key insight is this: many security systems were built to look for suspicious patterns in regular letters and numbers, but they often don’t scrutinise emoji and special Unicode characters as carefully. Attackers exploit this gap.

What Is Emoji Smuggling?

Emoji smuggling is the practice of using emoji, special Unicode characters, or look-alike characters to hide malicious content from security systems while keeping it functional for their purposes. Think of it as writing a secret message in invisible ink that only becomes visible when you want it to.

Attackers use several techniques:

Look-Alike Characters: Some characters from different alphabets look identical to English letters but are technically different. For instance, the Cyrillic letter ‘а’ looks exactly like the English ‘a’, but computers see them as completely different characters. An attacker might register a domain like “pаypal.com” (using a Cyrillic ‘а’) that looks legitimate to humans but directs to a phishing site.

Emoji as Code: This technique involves creating a substitution cypher where each emoji represents a command, function, or piece of data. Attackers establish a mapping system, similar to how spies might use a codebook. For example, they might decide that:

🔥 represents “delete”
📁 represents “file”
🌐 represents “download”
💀 represents “execute”

So a string like “🔥📁🌐💀” would decode to “delete file, download, execute”. To anyone glancing at log files or monitoring network traffic, this looks like someone simply sent some emoji in a message. Security systems scanning for dangerous keywords like “delete”, “execute”, or suspicious command patterns won’t flag it because they’re looking for text, not pictures.

The attacker’s malware or script includes a decoder that translates these emoji back into actual commands when executed. What makes this particularly effective is that emojis feel innocuous. We’re used to seeing them in messages and social media, so their presence doesn’t immediately raise suspicion the way a long string of seemingly random characters might.

Consider a real scenario: an attacker gains limited access to a system and needs to communicate instructions to their malware without triggering security alerts. They might send what appears to be a harmless message containing emojis through a chat system or email. The malware on the compromised system receives this message, decodes the emoji, and executes the hidden commands. To security analysts reviewing logs, it simply looks like someone sent some emoji.

Invisible Characters: This is perhaps the most insidious technique because it exploits characters you literally cannot see. Unicode includes several characters that have zero width, meaning they take up no visual space on screen. These include the Zero-Width Space (U+200B), Zero-Width Non-Joiner (U+200C), and Zero-Width Joiner (U+200D).

Here’s how this works in practice. Imagine a security system is configured to block any script that contains the text string “malicious_function”. An attacker can break up this string by inserting zero-width characters between the letters:

What you see: malicious_function()
What’s actually there: malicious_function() (contains invisible zero-width spaces)

To the human eye, even if you’re carefully reading through code, these look identical. But to a security scanner looking for the exact string “malicious_function”, the second version doesn’t match because those invisible characters break up the pattern. The scanner sees “mal[invisible]ici[invisible]ous[invisible]_fun[invisible]cti[invisible]on” and doesn’t recognise it as a threat.

However, when this code actually runs, many programming languages and interpreters ignore these zero-width characters during execution. The invisible spaces are stripped out, and the function executes normally. So the attacker has successfully hidden their malicious code from security scans whilst maintaining its functionality.

Attackers also use invisible characters to hide data within seemingly innocent text. Imagine you’re trying to smuggle a password out of a secure system. You could write a normal-looking sentence like “Please review the quarterly report”, but encode the password in invisible characters interspersed throughout. To anyone reading it, it’s just a mundane sentence. But someone with the right decoder can extract the hidden information.

This technique is particularly dangerous because it’s virtually impossible to detect through visual inspection alone. You need specialised tools that reveal invisible characters, and even then, you need to know how to look for them.

Direction Trickery: Unicode includes special characters that change the direction text flows (needed for languages like Arabic). Attackers use these to make filenames appear safe when they’re actually dangerous. A file might display as “document.txt” but actually be “tnemucod.exe” with a direction-reversal character hiding the true extension.

Why This Works

You might wonder why this is effective if it seems so simple. The answer lies in how security systems are designed.

Most security tools were built to detect patterns in regular ASCII text (the basic English letters, numbers, and symbols). They look for suspicious keywords, known malicious code patterns, or dangerous file types. But when attackers encode their attacks using Unicode tricks, these patterns become unrecognisable to the security system.

It’s similar to how a metal detector at an airport won’t find a ceramic knife. The detector is designed to find metal, and the knife is dangerous, but because it’s made of the wrong material, it slips through. Similarly, security filters are often designed to catch ASCII-based threats, so Unicode-based threats slip through.

Additionally, completely blocking Unicode would break legitimate functionality. Businesses operate globally, users have names in different languages, and emojis are a standard part of modern communication. Security teams can’t simply ban all non-English characters without severely impacting usability.

Real-World Examples

Understanding the theory is one thing, but seeing how this plays out in practice makes the threat more tangible.

Phishing Attacks: Attackers register domain names using look-alike characters. A company email might tell you to log in at “microṡoft.com” (note the dot over the ‘s’). To most people, this looks perfectly normal, but it’s not the real Microsoft. Users enter their credentials, and the attacker now has access to their account.

Bypassing Content Filters: Many organisations block certain words in emails or messages to prevent data leaks or inappropriate content. An employee trying to circumvent these filters might write “pаssword” using a Cyrillic ‘а’ instead of the English ‘a’. The filter doesn’t catch it because it’s technically a different word, but humans reading it understand the meaning perfectly.

Hidden Data Exfiltration: An attacker who has compromised a system needs to send stolen data out without triggering data loss prevention systems. They might encode credit card numbers using emoji: “4️⃣5️⃣3️⃣2️⃣ 1️⃣2️⃣3️⃣4️⃣ 5️⃣6️⃣7️⃣8️⃣ 9️⃣0️⃣1️⃣0️⃣”. Security systems looking for the pattern of a 16-digit number won’t detect this, but it’s trivial to decode on the other end.

Malware Obfuscation: Malware authors need to hide suspicious commands from antivirus software. They might write “powershell” with invisible zero-width spaces between letters. When a security researcher looks at the code, they see gibberish, and antivirus scans don’t recognise the command. But when the malware runs, it successfully executes PowerShell commands.

Code Injection: Web applications that don’t properly handle Unicode input can be vulnerable to injection attacks. An attacker might submit what looks like normal text but includes hidden direction-control characters that manipulate how the input is processed, potentially executing unauthorised database queries or commands.

The Impact on Large Language Models

As artificial intelligence and large language models (LLMs) become increasingly integrated into business operations and security workflows, emoji smuggling presents a unique and evolving challenge. These AI systems, designed to understand and process human language, can be vulnerable to Unicode-based attacks in ways that differ from traditional security systems.

Prompt Injection via Unicode: LLMs process text input and generate responses based on their training. Attackers can use Unicode tricks to bypass safety filters or inject malicious instructions that the model follows. For instance, an attacker might use invisible characters to break up prohibited phrases that the model has been trained to refuse, or use look-alike characters to make harmful instructions appear benign to content filters whilst remaining interpretable by the model.

Consider a scenario where an LLM-powered chatbot has been instructed never to provide information about bypassing security systems. An attacker might craft a prompt using Cyrillic characters that visually spell out the forbidden request but technically use different Unicode characters. The safety filter checking for specific English phrases might not catch it, but the LLM, trained on diverse text including multiple alphabets, might still understand and respond to the request.

Training Data Poisoning: If emoji-encoded malicious content makes it into an LLM’s training data, the model might learn to recognise and even replicate these encoding schemes. This could result in the model inadvertently helping attackers by generating emoji-encoded malicious payloads or failing to recognise them as threats when analysing suspicious content.

Context Window Manipulation: LLMs have limited context windows (the amount of text they can process at once). Attackers can use invisible Unicode characters to pad inputs, pushing important safety instructions or system prompts out of the model’s effective context whilst keeping malicious instructions within it. The model might then follow attacker instructions without the safeguards that should be governing its behaviour.

Output Encoding Attacks: Even if an LLM correctly identifies malicious content, attackers can request that the output be encoded using emoji or Unicode tricks. The model might comply, creating encoded malicious payloads that bypass downstream security filters. For example, asking an LLM to “translate this command into emoji” could result in the creation of an emoji-based encoding scheme that evades detection.

Jailbreaking and Safety Bypass: The LLM security community has documented numerous “jailbreaking” techniques where carefully crafted prompts cause models to ignore their safety training. Unicode tricks add another dimension to this. Attackers can use direction override characters, invisible spaces, or homoglyphs to craft prompts that appear innocent to automated safety systems but contain hidden instructions that the LLM interprets and follows.

Challenges for AI Security Teams: Defending LLMs against emoji smuggling is particularly challenging because these models are designed to be flexible and understand context across languages and writing systems. Blocking all Unicode would severely limit their utility for international users. Instead, organisations deploying LLMs need to:

Implement robust input normalisation before text reaches the model
Use multiple layers of content filtering that account for Unicode variations
Monitor model outputs for unusual Unicode patterns that might indicate encoding attempts
Regularly test models with Unicode-based attack vectors
Maintain updated safety training that includes awareness of these techniques

The Detection Problem: Traditional security tools can be configured to flag invisible characters or suspicious Unicode patterns. However, LLMs are probabilistic systems that generate novel outputs. This makes it harder to predict when they might be manipulated into producing emoji-encoded content or responding to Unicode-obfuscated instructions. Security teams need to think about both preventing malicious inputs and detecting problematic outputs.

Real-World Implications: As organisations increasingly rely on LLMs for tasks like code generation, content moderation, customer service, and security analysis, the stakes grow higher. An LLM that can be tricked into generating malicious code through Unicode manipulation, or that fails to identify emoji-smuggled threats in content it’s supposed to be moderating, becomes a liability rather than an asset.

The intersection of emoji smuggling and LLM security represents an emerging area of concern. As these AI systems become more capable and more widely deployed, attackers will continue to probe for weaknesses in how they handle Unicode and interpret encoded content. Organisations must stay vigilant and ensure their AI security strategies account for these evolving threats.

The Challenge for Defenders

Defending against emoji smuggling is tricky because it requires balancing security with functionality. Organisations face several challenges:

International Requirements: Businesses serve global customers and employ international staff. Blocking non-English characters would prevent people from using their actual names or communicating in their native languages. This isn’t just inconvenient; in many jurisdictions, it could be discriminatory.

Performance Concerns: Thoroughly inspecting every character of every piece of text for Unicode tricks requires significant computing power. For high-traffic websites or applications, this can slow things down noticeably.

Evolving Techniques: The Unicode standard contains over 140,000 characters and is regularly updated. Attackers constantly find new, creative ways to exploit this complexity. What works to block attacks today might not catch the techniques used tomorrow.

False Positives: Aggressive filtering can block legitimate content. An email from a Greek customer with a name containing Greek letters might be flagged as suspicious. A message containing many emojis (completely normal in casual conversation) might trigger alerts.

Defensive Strategies

Despite these challenges, organisations can implement effective defences against emoji smuggling. The key is taking a layered approach rather than relying on any single solution.

Input Validation and Normalisation: Systems should normalise Unicode input, converting visually similar characters to a standard form. This helps ensure that “pаypal” (with a Cyrillic ‘а’) and “paypal” (with an English ‘a’) are recognised as attempts to use the same string. For structured data like usernames or email addresses, systems can enforce stricter rules about which characters are allowed.

Context-Aware Security: Different fields need different levels of restriction. A username field might only allow basic English letters and numbers, whilst a comment field can permit a wider range of characters, including emojis. Security controls should adapt to the context rather than applying blanket rules.

Visual Similarity Detection: Advanced systems can detect when Unicode characters are being used to mimic legitimate domains or brands. If someone tries to register a domain that looks almost identical to a major company’s website, the system can flag it for review.

Invisible Character Removal: For most applications, there’s no legitimate reason to include invisible Unicode characters in structured data. Systems can strip these out or flag their presence as suspicious, particularly in fields like usernames, file names, or code inputs.

Monitoring and Anomaly Detection: Rather than trying to block everything suspicious at the gate, organisations can monitor for unusual patterns. A sudden spike in emoji usage in log files, the presence of mixed alphabets in a single field, or zero-width characters appearing in database entries can all trigger alerts for security teams to investigate.

User Education: Technical controls only go so far. Training staff to recognise suspicious URLs (by checking the actual address in their browser, not just what’s displayed), to be cautious about unexpected login requests, and to report unusual behaviour helps catch attacks that slip through automated defences.

Security by Design: When building new systems, developers should consider Unicode handling from the start. This includes using libraries that properly handle normalisation, implementing appropriate validation for each input field, and testing with Unicode attack vectors during security assessments.

What This Means for Different Audiences

For Security Professionals: Emoji smuggling should be part of your threat model. Include Unicode-based attacks in penetration testing, ensure your security tools can detect these techniques, and review how your applications handle Unicode input. This isn’t a theoretical concern; it’s being actively exploited.

For Developers: Don’t assume that checking for suspicious ASCII strings is sufficient. Implement proper Unicode normalisation, validate input based on context, and be aware of how your programming language and frameworks handle Unicode. What you see on screen may not be what’s actually stored or processed.

For Business Leaders: Understand that security isn’t just about detecting known malware signatures or blocking obvious threats. Modern attacks exploit subtle aspects of how systems work. Investment in security tools, training, and secure development practices pays dividends by preventing breaches that could damage reputation and finances.

For Everyday Users: Be sceptical of links, even if they look legitimate. When entering sensitive information, double-check that you’re on the correct website by examining the URL carefully. Be particularly cautious with messages that create urgency or ask you to log in via a provided link.

The Bigger Picture

Emoji smuggling is part of a broader category of attacks that exploit the gap between human perception and machine processing. We see what we expect to see, whilst computers process what’s actually there. Attackers exploit this disconnect.

This isn’t unique to Unicode. Similar principles apply to audio deepfakes (where we hear what sounds like a trusted voice), visual manipulations (where images appear legitimate but are fabricated), and social engineering (where contexts appear trustworthy but are manufactured). The common thread is exploiting trust and perception.

As systems become more sophisticated, so do attacks. The growth of international internet usage and the ubiquity of emoji in modern communication create both opportunities and challenges. We need security solutions that protect without stifling legitimate use, that adapt to new threats whilst maintaining usability, and that account for the complexity of human language and communication.

Conclusion

Emoji smuggling demonstrates that security threats don’t always come from sophisticated zero-day exploits or advanced persistent threats. Sometimes they come from clever misuse of legitimate functionality. A simple emoji or an invisible character can bypass expensive security systems if those systems aren’t designed to handle them.

The good news is that awareness and proper design can mitigate these risks. Organisations that understand the threat, implement appropriate controls, and maintain vigilance can protect themselves effectively. It requires thinking beyond traditional security approaches and considering how attackers might abuse features we take for granted.

As you think about your own organisation’s security, consider asking: How do our systems handle Unicode? Could someone use look-alike characters to impersonate our brand? Are we monitoring for unusual patterns in text input? Could malicious code be hiding in emojis or invisible characters?

These questions might reveal gaps in your defences, but identifying those gaps is the first step towards closing them. In security, the threats we understand and prepare for are far less dangerous than the ones we overlook.

Smiling emoji image photo by chaitanya pillala on Unsplash.

Header image photo by Shubham Dhage on Unsplash.

SOS Intelligence Webinar

SOS Intelligence platform updates and roadmap for 2026 webinar

by Amir Hadzipasic

January 29, 2026

Can you believe a month has already past this year?! Join us on February 12th at 1.30pm to learn about the updates that we have made for the SOS Intelligence platform plus a peek into what is planned in the coming months.

What we will discuss:

AI Analyst
CVE Intelligence
Telegram Research

Hosted by Jon Moss with SOS Intelligence Founder and CEO, Amir Hadzipasic and Threat Intelligence Analyst Daniel Collyer.

Sign up to the webinar to receive a recording via email if you cannot attend on the day. By signing up you will also receive our newsletter for future events. You can always unsubscribe with one click.

Looking forward to seeing you!

Stay safe,

Amir

Investigation, Opinion

Key Cyber Threat Intelligence Trends to Watch in 2026

by Daniel Collyer

January 15, 2026

Why 2026 Matters for CTI

As organisations enter 2026, cyber threat intelligence finds itself at a critical inflexion point. The threat landscape continues to expand in volume and complexity, but the pressures shaping it are no longer purely technical. Geopolitical instability, regional conflict, and sustained economic uncertainty are increasingly influencing who is targeted, why, and to what end. For businesses, this means cyber risk is now inseparable from broader strategic and operational risk.

At the same time, the pace of technological change continues to accelerate. Artificial intelligence is now firmly embedded on both sides of the threat equation. Adversaries are using AI to scale social engineering, automate reconnaissance, and rapidly adapt tooling, while defenders are racing to apply the same technologies to detection, analysis, and response. This arms race is generating more data, more alerts, and more intelligence than ever before.

Yet quantity is no longer the problem. Many organisations are experiencing intelligence overload, where feeds, reports, and indicators accumulate faster than they can be meaningfully consumed. Decision makers are not asking for more information, but for clearer insight. They want to understand which threats matter, how they are likely to manifest, and what actions should be prioritised in response.

As a result, 2026 represents a decisive shift for cyber threat intelligence. The focus is moving away from collecting more data and towards understanding it better. Success is increasingly defined by context, relevance, and the ability to translate technical detail into actionable judgment. This is less a year of entirely new threats and more a year defined by how existing threats are used, scaled, and adapted to specific targets and circumstances.

In this article, we explore the key trends shaping cyber threat intelligence in 2026, and what they mean for organisations seeking to make informed, risk-based decisions in an increasingly uncertain environment.

AI-Native Threat Actors Become the Norm

By 2026, the use of artificial intelligence by threat actors can no longer be described as experimental or emerging. For many adversaries, AI-enabled tooling is now embedded into everyday operations, shaping how attacks are planned, executed, and refined. Rather than creating entirely new categories of threats, AI is amplifying existing ones by increasing their speed, scale, and apparent sophistication.

One of the most visible impacts is in phishing, pretexting, and broader social engineering activity. AI-generated content allows attackers to produce convincing messages tailored to specific organisations, roles, or even individuals with minimal effort. Language quality is no longer a reliable signal of legitimacy, and pretexts can be rapidly adapted based on open source information, previous engagement, or real-time feedback. This has significantly reduced the cost and skill barrier traditionally associated with effective social engineering.

Malware development has also been accelerated. AI-assisted coding and analysis tools enable faster iteration, allowing threat actors to modify payloads, obfuscation techniques, and delivery mechanisms in near real time. Polymorphism and frequent recompilation mean that identical samples may exist only briefly, limiting the usefulness of traditional signature-based detection and static file indicators. The result is a faster-moving malware ecosystem that is harder to catalogue and track using conventional methods.

Reconnaissance and target profiling are increasingly automated. Threat actors can now use AI to process large volumes of leaked data, scraped content, and technical metadata to identify high-value targets and likely points of weakness. This automation enables more precise targeting while reducing the need for manual research, allowing even smaller or less experienced groups to operate with a level of efficiency previously associated with more capable actors.

Taken together, these developments are blurring traditional distinctions between high-skill and low-skill adversaries. Tools that once required significant expertise to develop or operate are becoming accessible through automation and commoditised services. As a result, lower capability actors can conduct campaigns that appear more polished, more targeted, and more persistent than their underlying skill level would suggest.

For cyber threat intelligence teams, this shift has important implications. Static indicators such as file hashes, domains, and IP addresses are ageing even faster than before, often becoming obsolete within hours or days. While such indicators still have operational value, they can no longer be the primary lens through which AI-enabled activity is understood.

Instead, there is a growing need to focus on behavioural patterns and campaign-level analysis. Understanding how attacks are structured, how lures evolve over time, and how infrastructure is deployed and rotated provides more durable insight than individual technical artefacts. Equally important is tracking the evolution of tradecraft. The key intelligence question is no longer which tool was used, but how it was applied, adapted, and combined with other techniques to achieve an objective.

In 2026, effective threat intelligence depends less on cataloguing tools and more on recognising patterns of behaviour. As AI continues to level the playing field for adversaries, the ability to identify and contextualise these patterns will be central to maintaining meaningful visibility into the threat landscape.

AI-Enabled Tradecraft in Practice

During 2024 and 2025, security researchers documented the use of generative AI tools such as WormGPT and FraudGPT in live phishing and business email compromise campaigns, enabling fluent, highly targeted lures at scale. Microsoft and Google both reported attackers using AI-assisted reconnaissance to tailor phishing based on user roles, organisations, and cloud environments. In parallel, Mandiant and Microsoft observed identity-focused intrusions where domains, payloads, and malware variants rotated faster than traditional indicators could be operationalised. While static indicators decayed rapidly, behavioural patterns such as role-based targeting, cloud-hosted delivery, MFA abuse, and living-off-the-land activity remained consistent.

Content and Format Abuse Outpaces Traditional Detection

As technical controls continue to improve, threat actors are increasingly shifting their focus away from exploiting software vulnerabilities and towards abusing trust in common content formats. By 2026, malicious activity is frequently concealed within files and data types that organisations are structurally inclined to allow, inspect lightly, or prioritise for usability over security.

Content-type smuggling and polyglot files are becoming more prevalent as attackers exploit discrepancies between how systems interpret file formats. A single file may present itself as benign to one control while being parsed differently by another, allowing embedded scripts or payloads to execute downstream. These techniques are not new, but they are now being applied more systematically and at greater scale, particularly in environments that rely on automated content handling.

Common formats such as PDFs, images, emojis, markdown, and compressed archives are increasingly abused as delivery vehicles. PDFs can carry embedded scripts or external references, images can contain hidden data or exploit parsing behaviour, and text-based formats can be manipulated to trigger unexpected interpretation by browsers, email clients, or automated analysis tools. Even elements designed for expression and accessibility, such as emojis, can be repurposed to carry hidden instructions or evade simple content inspection.

Delivery mechanisms are also evolving. Rather than relying solely on direct email attachments or malicious links, attackers are increasingly using trusted SaaS platforms and collaboration tools to distribute payloads. File sharing services, document collaboration platforms, and messaging tools provide a level of implicit trust and are often deeply integrated into business workflows. This makes it harder for both users and security controls to distinguish malicious activity from legitimate use.

These techniques are particularly effective at evading gateway and sandbox-based detection. Many security controls are optimised to analyse standalone files or clearly defined executables, not content that only becomes malicious when rendered in a specific context or combined with user interaction. Sandboxes may fail to replicate the precise conditions required to trigger malicious behaviour, while gateways may prioritise performance over deep inspection of complex or nested formats.

For cyber threat intelligence teams, this trend reinforces the importance of tracking delivery mechanisms as a primary tactic, technique, and procedure. Understanding how malicious content is introduced into an environment often provides more durable insight than focusing solely on the final payload. The same malware family may be delivered through multiple formats and channels, each tailored to exploit specific organisational habits or control gaps.

This also highlights the intelligence value of analysing how malware arrives, not just what it is. Patterns in file types, hosting platforms, and user interaction requirements can reveal actor preferences and campaign objectives that are not visible through static analysis alone. Such insights are particularly valuable for informing detection engineering and user awareness efforts.

Finally, this trend underscores the need for stronger collaboration between cyber threat intelligence teams and email and web security functions. Intelligence on emerging delivery techniques must be translated into practical guidance for those configuring and tuning controls. In 2026, effective defence against content and format abuse depends not only on identifying malicious artefacts, but on understanding and disrupting the pathways through which they are delivered.

Abuse of Trusted Formats and Platforms

During 2023–2025, multiple security vendors reported widespread abuse of PDFs and archive files to deliver malware while bypassing email and web gateways, including campaigns where malicious content was only revealed after user interaction. Microsoft and Google both documented attackers hosting payloads on legitimate SaaS platforms such as OneDrive, Google Drive, and Dropbox, exploiting implicit trust and integration with enterprise environments. Researchers also observed the use of HTML smuggling and polyglot files to evade content inspection by disguising executable behaviour within allowed formats. In many cases, sandbox detonation failed to trigger malicious activity due to environmental checks or delayed execution. These campaigns demonstrated that the most reliable intelligence signal was not the final payload, but the consistent delivery techniques and abuse of trusted platforms, reinforcing the value of tracking delivery mechanisms as a primary tactic.

The Continued Rise of Identity-Centric Attacks

As organisations continue to adopt cloud services and remote working models, identity has become the primary control plane for access to systems and data. In 2026, attackers are increasingly targeting identity directly, recognising that compromising credentials or sessions often provides broader and more durable access than exploiting a single technical vulnerability.

One of the most common techniques remains multi-factor authentication fatigue, often referred to as push bombing. By repeatedly triggering authentication prompts, attackers aim to exploit user frustration or inattention, eventually inducing approval of a fraudulent request. While awareness of this technique has grown, it remains effective in environments where controls are permissive or user training is inconsistent.

Token theft and session hijacking are also becoming more prevalent. Rather than capturing usernames and passwords, attackers increasingly seek to obtain valid session tokens, cookies, or authentication artefacts that allow them to bypass interactive login processes altogether. These techniques are particularly effective against cloud services and single sign-on environments, where a compromised token can provide access to multiple applications without further challenge.

The abuse of OAuth applications and cloud identities represents another significant area of risk. Malicious or compromised OAuth apps can be granted persistent access to user data and resources, often with limited visibility once approved. Attackers may also create or manipulate cloud-native identities, such as service principals or managed identities, to establish long-term access that blends into normal administrative activity.

Once access is obtained, many adversaries favour living-off-the-land techniques within cloud environments. By using legitimate tools, built-in administrative functions, and native APIs, attackers can move laterally, escalate privileges, and exfiltrate data while minimising the use of overtly malicious tooling. This approach reduces the likelihood of triggering traditional malware-focused detection and allows activity to appear operationally routine.

For cyber threat intelligence teams, these developments necessitate a shift in focus. Traditional indicators such as IP addresses and domains remain relevant, but they provide limited insight into identity-centric attacks that leverage legitimate infrastructure and services. Greater value lies in understanding patterns of authentication abuse, anomalous access behaviour, and misuse of identity features.

Tracking actor playbooks against identity and access management controls is becoming increasingly important. Intelligence that maps how specific adversaries exploit MFA configurations, token lifetimes, OAuth consent processes, or role assignment models can directly inform defensive priorities. This enables organisations to move beyond generic hardening guidance and focus on the controls most likely to be targeted.

In 2026, effective threat intelligence plays a critical role in shaping identity defence. By translating observed attack patterns into concrete recommendations, CTI teams can help organisations prioritise identity hardening efforts and reduce exposure at what has become the most frequently attacked layer of the modern enterprise.

Identity as the Primary Attack Surface

Between 2023 and 2025, Microsoft, Mandiant, and Okta documented a sustained rise in identity-centric intrusions involving MFA fatigue attacks, token theft, and session hijacking, particularly against cloud-first organisations. Campaigns attributed to financially motivated groups showed repeated push bombing attempts followed by abuse of valid sessions rather than credential reuse. Researchers also reported widespread misuse of OAuth applications, where attackers gained persistent access by tricking users into granting permissions to malicious or compromised apps. Once inside, adversaries frequently relied on living-off-the-land techniques, using native cloud tooling and APIs to blend into normal administrative activity. These cases highlighted the limited value of traditional IP- or domain-based indicators and reinforced the importance of tracking identity behaviour and attacker playbooks against IAM controls.

Ransomware Becomes a Business Model, Not a Malware Type

By 2026, ransomware will be best understood not as a single category of malware, but as a service-driven business model. The technical payload used to encrypt systems is often interchangeable, while the real differentiation lies in how operations are organised, monetised, and sustained. This shift continues to reshape both the threat landscape and the way organisations should approach ransomware risk.

Ransomware-as-a-service ecosystems continue to evolve and mature. Core developers provide tooling, infrastructure, and branding, while affiliates conduct intrusions and deploy payloads in exchange for a share of the proceeds. This model allows rapid scaling, frequent rebranding, and the replacement of disrupted components with minimal impact to overall activity. It also creates a steady flow of new and short-lived variants that complicate traditional tracking.

At the same time, ransomware operations are increasingly decoupled from encryption itself. Data theft and extortion-only models remain prevalent, particularly where reliable backups or operational resilience reduce the impact of encryption. Many campaigns now combine multiple pressure points, including data leaks, regulatory exposure, and direct contact with customers or partners. These hybrid approaches are designed to maximise leverage while reducing technical complexity.

Rebranding and fragmentation further obscure attribution. Groups regularly change names, infrastructure, and public-facing personas in response to law enforcement action or reputational damage. In some cases, operators deliberately adopt the branding or tactics of other groups to mislead victims and researchers. False-flag activity adds further noise, making it difficult to draw conclusions based solely on malware samples or ransom notes.

Targeting is also shifting. While large enterprises remain attractive, mid-sized organisations are increasingly in focus due to perceived gaps in security maturity and incident response capability. Supply chains continue to present valuable opportunities, allowing attackers to leverage trusted relationships to increase reach and impact. These campaigns often prioritise speed and disruption over long-term persistence.

For cyber threat intelligence teams, these trends present both challenges and opportunities. Actor clustering becomes more difficult as tooling and branding fragment, but it also becomes more valuable. Understanding how campaigns relate to one another through shared behaviours, infrastructure management, and operational patterns provides insight that individual malware labels cannot.

This reinforces the need to focus on who is behind an operation rather than which strain is used. Tracking negotiation behaviour, communication style, leak site activity, and pressure tactics can reveal consistent operator fingerprints even as technical components change. Such intelligence is particularly valuable for incident response planning, negotiation strategy, and executive decision-making.

In 2026, effective ransomware intelligence depends on moving beyond file-based analysis and towards a deeper understanding of adversary operations as businesses in their own right. Those who can identify and anticipate how these businesses operate are better positioned to disrupt them and reduce their impact.

Ransomware as an Operational Business

From 2023 to 2025, ransomware groups such as LockBit, ALPHV, and Cl0p were repeatedly observed operating as service-based ecosystems, with affiliates conducting intrusions while core teams managed tooling, infrastructure, and leak sites. High-profile campaigns, including the MOVEit and GoAnywhere mass exploitation events, demonstrated how data theft and extortion could be conducted at scale without relying solely on encryption. Researchers also documented frequent rebranding and fragmentation following law enforcement pressure, complicating attribution based on malware families alone. Across these campaigns, consistent behaviours such as negotiation style, leak site structure, and pressure tactics persisted even as payloads and infrastructure changed. These patterns underscore the value of actor-centric intelligence focused on who is operating, rather than which ransomware strain is deployed.

Geopolitics Drives Threat Actor Priorities

In 2026, the influence of geopolitics on the cyber threat landscape is more pronounced than ever. Nation-state and state-aligned actors are not only increasing in activity but are also shaping the broader ecosystem in which financially motivated and ideologically driven groups operate. Cyber operations are now a routine extension of geopolitical competition, conflict, and signalling.

One key trend is the spillover of geopolitical tensions into cyberspace. Regional conflicts, diplomatic disputes, and economic sanctions frequently coincide with surges in cyber activity, ranging from espionage and influence operations to disruptive attacks. These campaigns may not always be directly attributable to a single state, but they often align closely with national interests or strategic objectives.

Critical infrastructure and logistics networks are increasingly attractive targets. Energy, transport, telecommunications, and supply chain management systems offer opportunities for intelligence collection, disruption, and strategic pressure. Even limited or short-lived interference can have outsized economic and political effects, making these sectors a persistent focus for capable adversaries.

Hacktivism continues to play a prominent role, often blurring the boundary between grassroots activism and state-aligned activity. In some cases, hacktivist groups act as proxies or amplifiers, conducting operations that provide plausible deniability while supporting broader strategic aims. In others, state actors deliberately mimic hacktivist tactics to obscure attribution and complicate response decisions.

These dynamics contribute to increasingly blurred lines between cybercrime, espionage, and disruption. Financially motivated groups may be tolerated or tacitly supported when their activity aligns with national interests, while espionage operations may incorporate criminal techniques or infrastructure. This convergence makes simple categorisation of threats less meaningful and increases the risk of misinterpretation.

For cyber threat intelligence teams, this environment elevates the importance of strategic intelligence alongside tactical reporting. Understanding the geopolitical context in which activity occurs is often essential to interpreting intent, likely targets, and potential escalation. Mapping geopolitical events to observed cyber activity can help organisations anticipate periods of heightened risk and adjust their posture accordingly.

Equally important is the ability to communicate uncertainty and intent to leadership. Strategic intelligence rarely offers definitive answers, but it can provide informed assessments and plausible scenarios. In 2026, effective CTI is measured not only by technical accuracy but by its ability to support informed decision-making in a world where cyber activity is increasingly intertwined with global politics.

Geopolitics Shaping Cyber Operations

Between 2022 and 2025, geopolitical events including the war in Ukraine and heightened tensions in the Middle East coincided with spikes in cyber activity targeting government, energy, logistics, and telecommunications sectors. Security firms and government agencies reported coordinated campaigns involving espionage, disruption, and influence operations aligned with national interests. Hacktivist groups emerged rapidly around these conflicts, often amplifying or obscuring state-aligned activity through defacements, data leaks, and denial-of-service attacks. In several cases, financially motivated and politically aligned operations used overlapping infrastructure and techniques, blurring traditional threat categories. These trends highlighted the growing importance of strategic intelligence that links geopolitical developments to cyber activity and communicates intent and uncertainty to decision-makers.

Intelligence Consumers Demand Clarity, Not Just Alerts

As cyber threat intelligence becomes more widely consumed across organisations, expectations around how intelligence is delivered are evolving. In 2026, the challenge is no longer access to threat data, but ensuring that alerts and intelligence are timely, relevant, and actionable for their intended audience.

Security teams and decision makers are exposed to a growing volume of alerts, notifications, and intelligence updates. While this flow of information is essential for maintaining situational awareness, it can become difficult to distinguish between background noise and issues that require immediate attention. This has led to increasing demand for clarity alongside coverage.

Rather than simply asking what has been observed, intelligence consumers are asking more targeted questions. They want to understand why an alert matters, how it relates to their environment, and what actions should be considered next. Alerts that are enriched with context, confidence, and clear analytical judgment are far more likely to drive effective response than raw signals alone.

This has reinforced the importance of tying intelligence to risk and impact. When alerts are mapped to threat actors, campaigns, targeting patterns, or likely objectives, they become easier to prioritise and act upon. Intelligence that highlights relevance, such as sector targeting, geographic focus, or alignment with known tradecraft, enables organisations to make faster and more informed decisions.

Narrative also plays an increasingly important role. Even within alert-driven systems, structured explanations and concise assessments help consumers interpret activity and avoid misreading its significance. The ability to combine timely alerting with clear analytical framing is becoming a key differentiator in intelligence delivery.

For CTI providers, this reflects a broader maturity shift from delivering data alone to delivering understanding at scale. Alerts remain a critical mechanism for awareness and response, but their value is maximised when they are supported by consistent analysis and clear articulation of what the intelligence means. In 2026, the most effective intelligence services are those that help customers move confidently from notification to decision.

CTI Tooling Consolidation, Integration, and Automation

The CTI tooling landscape continues to evolve as organisations seek to simplify workflows and extract greater value from the intelligence they consume. By 2026, many teams are consolidating platforms and prioritising solutions that integrate cleanly into existing security operations rather than operating in isolation.

Overlapping tools and fragmented intelligence sources can make it difficult to maintain a coherent view of the threat landscape. As a result, there is growing emphasis on platforms and services that centralise intelligence, reduce duplication, and present information in a consistent and usable format. Integration with SIEM, SOAR, EDR, and email security tooling is increasingly expected rather than optional.

Automation plays a central role in enabling this consolidation. Automated enrichment, correlation, and triage allow large volumes of intelligence to be processed and surfaced rapidly. This is particularly important for alert-driven intelligence delivery, where speed and scale are critical. Automation ensures that alerts arrive with the context needed to support immediate action.

At the same time, expectations around automation are becoming more realistic. While machines excel at processing data and identifying patterns, analytical judgement remains essential for interpreting intent, assessing confidence, and identifying meaningful shifts in adversary behaviour. The most effective intelligence platforms combine automated processing with human-led analysis.

This balance also shapes discussions around return on investment. Customers increasingly expect intelligence tooling to demonstrate clear operational benefit, such as improved detection, faster response, or better prioritisation. Intelligence that is delivered in a form that integrates naturally into security workflows is more likely to achieve this impact.

For CTI teams and providers alike, a key consideration is deciding what should be automated and what should remain analyst-driven. Repeatable processes and large-scale data handling benefit from automation, while assessments of intent, relevance, and strategic significance continue to rely on human expertise.

In 2026, the enduring value of experienced analysts is not diminished by automation but amplified by it. By pairing scalable delivery mechanisms with consistent analytical oversight, CTI providers can deliver intelligence that is both timely and trusted. This combination is central to meeting rising customer expectations in an increasingly complex threat environment.

What This Means for CTI Teams in 2026

Taken together, these trends point to a clear evolution in how cyber threat intelligence teams must operate in 2026. The challenge is not a lack of data or tooling, but ensuring that intelligence capability is aligned with real organisational needs and outcomes. Teams that adapt their focus and ways of working will be best placed to deliver sustained value.

First, there is a renewed need to invest in analytical skills alongside technology. Tooling and automated alerting provide essential scale and coverage, but they do not replace the ability to assess relevance, weigh confidence, and draw meaningful conclusions. Developing analysts who can interpret complex activity, recognise patterns over time, and communicate insight clearly remains one of the most effective ways to improve intelligence outcomes.

Second, collection should be increasingly guided by clearly defined priority intelligence requirements. Rather than attempting to monitor everything equally, effective CTI teams focus on the threats, actors, and techniques most relevant to their organisation or customers. Well-defined PIRs help shape what data is collected, how it is analysed, and how it is delivered, ensuring that intelligence production remains purposeful rather than reactive.

Strong relationships across the security and business landscape are also essential. CTI does not operate in isolation, and its value is maximised when it is closely connected to security operations, incident response, identity and access management, and senior leadership. Regular engagement with these stakeholders helps ensure that intelligence outputs align with detection needs, response priorities, and strategic concerns.

Finally, success in 2026 is increasingly measured by influence rather than output. The most effective CTI teams are those that can demonstrate how intelligence has informed decisions, shaped defensive priorities, or enabled faster and more confident responses. Reports and alerts remain important delivery mechanisms, but their true value lies in the decisions they support.

For CTI teams navigating an increasingly complex threat environment, these principles provide a practical foundation. By combining strong analytical capability, focused collection, collaborative working, and outcome-driven measurement, intelligence teams can remain relevant and impactful in the year ahead.

Conclusion: The Evolution of CTI

Cyber threat intelligence in 2026 is evolving rapidly. What was once largely a support function is increasingly a strategic enabler, providing insight that shapes decisions across security operations and organisational leadership. Threats are faster, more complex, and noisier than ever, driven by automation, AI, and shifting geopolitical pressures.

In this environment, the differentiators for effective intelligence are context, clarity, and credibility. Understanding not just what is happening, but why it matters and how it affects the organisation, is what turns data into actionable insight. Teams that can provide this perspective, supported by robust analytical capability and integrated tooling, will be best placed to help organisations anticipate, prioritise, and respond to evolving threats.

2026 will not be defined by new types of threats alone, but by the ability of intelligence teams to interpret them, communicate their significance, and drive meaningful action. In this way, cyber threat intelligence will continue to move from reactive observation to proactive influence, ensuring its central role in organisational resilience and security strategy.

Investigation, Opinion

Behind the Mask: Creating and Maintaining Sock Puppet Accounts for Online Research

by Daniel Collyer

August 8, 2025

When conducting online research or gathering open-source intelligence (OSINT), it is often necessary to observe or interact with digital spaces without revealing your true identity. This is where sock puppet accounts come into play. A sock puppet is a fictitious online identity created to access information, join closed groups, monitor activity, or engage with targets while protecting the researcher’s real identity and intent.

Used properly, sock puppets are an essential part of an investigator’s toolkit. However, their creation and use come with both ethical and legal responsibilities. Misuse can lead to legal consequences, reputational damage, or compromised investigations. Practitioners must always follow legal guidance and act within clearly defined ethical boundaries.

In this blog, we will explore how to plan, create, and maintain effective sock puppet accounts for OSINT purposes. We will discuss key operational security (OPSEC) measures, common pitfalls to avoid, and strategies for maintaining a convincing online persona over time. Whether you are new to this practice or looking to refine your approach, this guide will help you lay a solid foundation for safe and responsible online research.

What Is a Sock Puppet Account?

A sock puppet account is a false or alternate online identity used to conceal the true identity of the user behind it. In the context of online investigations and intelligence gathering, sock puppets allow researchers to access and monitor digital spaces without drawing attention to their real-world affiliations or investigative purpose.

These accounts are beneficial in OSINT investigations where anonymity is critical. They may be used to:

Access private or semi-restricted forums and groups
Observe conversations on social media without alerting subjects
Collect threat intelligence from Dark Web marketplaces or closed communities
Engage with individuals or groups in a way that does not compromise operational security

While sock puppets can be powerful tools, their use must always be underpinned by legal and ethical awareness. Investigators should never use false identities to entrap, manipulate, or harass individuals. The goal is passive information gathering, not interference or provocation. Moreover, laws governing online impersonation, data protection, and computer misuse vary between jurisdictions, and it is the investigator’s responsibility to ensure compliance.

Wherever possible, work within organisational policies, maintain internal approval processes for sensitive research, and document all actions for accountability. Ethical OSINT hinges not only on what can be done, but on what should be done.

Planning Your Sock Puppet Strategy

Before creating a sock puppet account, it is essential to define a clear objective. What do you need the account to do? Your goal might be to passively observe a forum, monitor a social media group, or engage with a specific individual or community. The purpose of the account will shape every decision that follows, from the choice of platform to the construction of your online persona.

Understanding your target environment is a crucial part of this planning stage. Different platforms have different norms, verification processes, and levels of scrutiny. A persona that appears credible on Reddit might not be believable on LinkedIn. Consider regional factors as well: language, time zone, and cultural references all contribute to the authenticity of an account. An inconsistency in these details can quickly arouse suspicion.

With your objective and environment defined, you can begin to craft a suitable cover story. This should include a basic biography, a plausible location, interests relevant to the communities you plan to interact with, and a consistent tone of voice. Keep the persona simple, but detailed enough to withstand casual scrutiny. Avoid unnecessary complexity, which can increase the risk of contradictions or mistakes.

A well-planned sock puppet starts long before the account is created. By aligning your objectives with your operational context and building a realistic backstory, you lay the groundwork for a credible and sustainable online identity.

Creating the Sock Puppet Account

Once your planning is complete, the next step is to create the sock puppet account itself. This process involves selecting the right platform, crafting a believable identity, and ensuring that your setup maintains strong operational security from the outset.

Choosing the Right Platform

Select your platform based on the objective of the investigation. If you need to observe professional activity or gather company intelligence, LinkedIn might be appropriate. For community discussions, Reddit or Discord may be more useful. For threat intelligence gathering, forums or encrypted messaging apps could be more suitable. Each platform has its own registration process, verification requirements, and user expectations, all of which must be considered.

Crafting a Believable Identity

A convincing sock puppet needs to pass casual inspection. Start with a realistic username and a dedicated email address that fits your persona. Avoid using anything that resembles your real name or any identifiers linked to your organisation.

Profile photo: Use AI-generated images or copyright-free alternatives. Tools like ThisPersonDoesNotExist or Generated Photos can be helpful, but check for anomalies that might raise suspicion.
Biography and interests: Write a brief, plausible bio that fits the persona and platform. Add relevant interests or affiliations to make the account appear active and authentic.
Posting behaviour: Mirror the tone, grammar, and posting frequency typical for the platform and user type. If your persona is a 30-year-old from Manchester, for example, ensure the language and topics reflect that identity.
Language consistency: Stick to one language and dialect throughout. Switching between different styles or regions can be a clear indicator of inauthenticity.

Acquiring a Clean IP

To prevent your real identity or location from being linked to the sock puppet, use a clean and separate IP address. A reputable VPN or proxy service is essential, and in some cases, a dedicated virtual machine or separate device should be used. Avoid logging in to real accounts or using your usual browser within the same environment, as cross-contamination can compromise the entire operation.

Account creation is not just about filling in a form. Every detail, from your profile picture to your browser setup, contributes to the believability and security of the puppet. Take your time, document each step, and treat the identity as if it were real.

OPSEC Considerations

Operational Security (OPSEC) is critical to the effective use of sock puppet accounts. Without proper precautions, it is easy to leave digital traces that link back to your real identity or organisation. To maintain credibility and protect yourself, you must build strong habits around device use, network hygiene, and identity compartmentalisation.

Device and Network Isolation

Always use a dedicated environment for sock puppet activity. This might be a virtual machine (VM), a separate user profile, or an entirely distinct physical device. The key is to ensure that no personal data, saved credentials, or browsing habits from your real identity carry over into the puppet’s digital footprint. Similarly, connect via a trusted VPN or proxy with a location appropriate to the persona. Never use your home or work IP address when managing sock puppets.

Avoiding Contamination

Cross-contamination with real accounts is one of the most common OPSEC failures. Use a clean browser instance with no saved cookies, autofill data, or extensions that may reveal identifying information. Consider using privacy-focused browsers or containerised browsing sessions to isolate activity. Disable features like browser synchronisation or automatic logins, which could leak personal credentials.

Using Burner Phones and Anonymous Email

When platforms require phone numbers for verification, use a burner device or a secure, anonymised SMS service, provided it complies with legal and policy requirements. Similarly, choose privacy-conscious email providers such as ProtonMail or Tutanota. The email address should align with the puppet’s identity and not reference any real-world details.

Password and Account Recovery Separation

Treat sock puppets as standalone entities. Use unique, complex passwords for each account and manage them using a secure password manager. Keep recovery options consistent with the identity—never link your real email or phone number. If using recovery questions, invent answers that match the puppet’s backstory and document them securely.

Logging and Documentation

Maintain secure records of your sock puppets, including account details, access credentials, personas, activity logs, and creation dates. This helps track usage over time, identify potential compromises, and safely retire or rotate identities when needed. Store this information in an encrypted format or within a secure password management tool.

Sock puppet OPSEC is not about one-time precautions—it requires ongoing discipline. A single mistake can expose your identity or compromise the entire investigation. Take a cautious, methodical approach and revisit your OPSEC practices regularly.

Maintaining Sock Puppets Over Time

Creating a sock puppet is only the beginning. To remain credible and useful over time, the account must appear active, consistent, and authentic. Dormant or obviously artificial profiles are more likely to be flagged by platforms or ignored by the communities you are trying to observe. Maintaining a sock puppet means simulating the behaviour of a genuine user, without attracting unnecessary attention.

Simulating Real Behaviour

Regular interaction is key to building a believable presence. Depending on the platform, this might include:

Liking or sharing posts
Following relevant accounts or joining groups
Commenting or replying in a manner consistent with the persona

These interactions should be contextually appropriate and contribute to the puppet’s credibility. For example, a user who claims to be interested in cybersecurity might follow industry influencers, comment on relevant articles, or share news stories.

Scheduling Realistic Activity Patterns

Sock puppets should reflect normal online behaviour. Consider the timezone and daily schedule of the persona. If your puppet claims to be based in Berlin, it would be unusual for them to post at 3 a.m. local time. Avoid excessive or erratic posting, which can appear automated or suspicious. A light but consistent activity pattern over time is more convincing than bursts of high engagement.

Avoiding Automation Red Flags

Some platforms are aggressive in detecting and removing accounts that behave like bots. Avoid scripted or repeated actions, especially immediately after account creation. Do not mass-follow users or copy-paste identical comments across threads. Behave like a real person—slow, deliberate, and occasionally imperfect.

Regularly Updating Profile Content

Real users update their profiles from time to time. Refresh your puppet’s bio, add a new interest, or change a profile picture occasionally to reflect life events or shifting interests. These subtle changes reinforce the illusion of an active, evolving online identity.

Ultimately, a successful sock puppet account blends in. It should quietly accumulate a digital footprint that supports its cover story and gives you access to the information you need, without ever drawing attention to itself.

Risks, Red Flags, and Account Burnout

Even well-crafted sock puppets carry risk. Platforms continue to improve their ability to detect suspicious behaviour, and users themselves may flag accounts that appear inauthentic. Understanding common warning signs and knowing when to retire or rotate an identity is key to maintaining long-term operational capability.

Common Ways Sock Puppets Get Flagged or Banned

Sock puppets may be suspended or deleted for a range of reasons, including:

Logging in from multiple geographic locations in a short space of time
Sudden spikes in activity (e.g. mass liking, following, or posting)
Use of stock or AI-generated profile images that resemble known fake accounts
Repeated use of the same contact details, browser fingerprint, or device setup
Lack of meaningful interaction or organic growth over time

Even a single policy violation can draw scrutiny, particularly on mainstream social media platforms where automated systems are quick to act.

Avoiding Repetitive Patterns Across Accounts

If you operate multiple sock puppets, ensure that each has a unique and independent identity. Reusing the same backstory, writing style, or image sources across accounts can make them easier to detect and link together. Separate devices, email addresses, and behavioural traits help to isolate each puppet and reduce the risk of a cascading compromise.

When to Retire a Puppet and How to Replace It Safely

No sock puppet should be considered permanent. If an account is inactive, becomes untrustworthy, or begins attracting unwanted attention, it is often safer to retire it than to try and recover its credibility. Before deletion, remove any content that could be linked to other operations. Keep a log of why it was retired, and plan how a replacement will fill the same role with improved safeguards.

Having Backup Identities Ready

To ensure continuity, it is good practice to maintain a small number of standby identities. This is sometimes referred to as a “puppet farm”. These can be developed gradually in the background, gaining basic credibility over time, so they are ready to use when needed. In some cases, it may also be appropriate to establish layered personas, where one puppet supports or interacts with another to enhance realism.

Maintaining sock puppets is an operational task that requires regular attention. The digital landscape shifts constantly, and even the most convincing puppet may eventually outlive its usefulness. Being prepared to adapt is vital.

7. Tools and Resources

Successful sock puppet operations depend not only on planning and technique, but also on using the right tools to support anonymity, security, and realism. The following categories highlight essential resources for anyone managing online personas, with emphasis on privacy-focused solutions.

VPNs and Secure Browsers

To prevent IP address leaks or location-based flags, always connect through a reliable virtual private network (VPN). Services such as Mullvad or Proton VPN offer privacy-focused features without logging user activity. In addition, using secure or privacy-hardened browsers, such as Firefox with privacy containers, Brave, or Tor Browser, can help prevent tracking and cross-contamination between real and sock puppet identities.

For advanced operations, consider launching sock puppets within secure environments such as Tails OS or a hardened virtual machine to reduce the digital footprint even further.

Image Generation Tools

Choosing a believable profile image is vital. AI-generated photo tools like ThisPersonDoesNotExist or Generated.Photos create unique images that are not traceable to real people, reducing the risk of impersonation claims. However, these images should be reviewed carefully for visual anomalies that might suggest they are artificial. Alternatively, use licence-free photo repositories where permitted.

Secure Email Services

Every puppet should have its own email address from a secure, privacy-conscious provider. Services such as ProtonMail, Tutanota, or Mailfence are widely used for this purpose. Avoid mainstream providers that require phone verification or link accounts to existing profiles. Where possible, create the email account using the same VPN and device you plan to use for the puppet itself.

Password and Identity Managers

Managing multiple identities requires strict separation and secure record-keeping. Tools like Bitwarden, KeePassXC, or 1Password can be used to store login details, backstory notes, recovery options, and activity logs in an encrypted format. Avoid reusing passwords or security questions across accounts, and clearly label each identity to avoid mistakes.

Burner Phone and SMS Services

Some platforms require phone number verification. Where legally permitted, use burner phones or temporary SMS services to meet this requirement. Options include physical SIMs with disposable devices or online services such as MySudo or Silent Link, though reliability and legality vary by region. Never use your personal or work number under any circumstances.

A well-prepared toolkit makes managing sock puppets more secure, efficient, and scalable. Review your tools regularly, keep backups where needed, and ensure you remain up to date with changes in platform behaviour or verification processes.

Final Thoughts and Best Practices

Sock puppet accounts are powerful tools for legitimate online research. When used responsibly, they enable investigators, analysts, and researchers to access vital information, monitor digital threats, and engage with online communities without exposing their true identity. However, with this capability comes a significant ethical and operational responsibility.

These accounts should never be used to deceive, manipulate, or harm individuals. Their purpose is to observe, gather intelligence, and support investigations that serve the public interest or protect organisations from threats. Operating within legal boundaries and upholding professional standards is essential.

The digital landscape is constantly changing. Platforms evolve, detection methods improve, and user behaviour shifts. This means sock puppet strategies must also be regularly reviewed and refined. What works today may not be effective tomorrow, so ongoing learning and adaptation are key to maintaining both access and security.

Finally, any organisation or individual engaging in this kind of work should develop their own standard operating procedures (SOPs). These should include clear guidelines for planning, creation, use, and retirement of sock puppet accounts. Testing identities in controlled environments before deploying them for real investigations can also help identify weaknesses before they become liabilities.

Used with care, discipline, and a strong ethical framework, sock puppets can provide valuable insight while keeping investigators safe and discreet.

Red flag photo by Paolo Bendandi and sock puppet photo by Natalie Kinnear.

Investigation, Opinion

Beyond the Dark Web: Where Threat Actors Operate

by Daniel Collyer

July 18, 2025

The “dark web” has become something of a buzzword in recent years, often portrayed as the hidden underworld of the internet where cybercriminals operate in complete anonymity. For many, it conjures images of secret marketplaces, illicit data dumps, and hard-to-trace communications — all out of reach from the average internet user.

Because of this perception, it is a common misconception that all threat actor activity takes place exclusively on the dark web. While it certainly plays a role in enabling criminal operations, the truth is far more complex. Today’s threat actors are increasingly making use of platforms that are readily available, user-friendly, and in many cases, completely legal.

Much of their coordination, recruitment, and even data leakage now takes place in plain sight — across encrypted messaging apps, public forums, and mainstream social media platforms. Understanding where these actors truly operate is critical for any organisation looking to stay ahead of the threat landscape.

The Evolving Landscape of Threat Actor Platforms

The way threat actors communicate and coordinate has shifted significantly in recent years. Once heavily reliant on hidden services accessed through the Tor network, many cybercriminals are now embracing more accessible, mainstream platforms to conduct their activities.

This change has been driven by several key factors. One of the most prominent is the increased pressure from law enforcement. High-profile takedowns of dark web marketplaces such as AlphaBay and Hydra have disrupted long-standing criminal ecosystems, forcing actors to reconsider where and how they operate.

At the same time, modern platforms offer features that make them attractive to malicious users. Encrypted messaging apps provide a level of privacy that rivals, and in some cases exceeds, what is available on the dark web. Public forums and chat platforms are easy to access, require minimal technical knowledge, and can reach large audiences quickly.

For cybercriminals, scale and convenience matter. Hosting content on widely used services allows them to cast a broader net, whether they’re distributing stolen data, selling malware, or recruiting new affiliates. The lines between the open internet and covert criminal spaces are increasingly blurred, making it more difficult for defenders to track activity using traditional dark web monitoring alone.

Alternative Threat Actor Channels

While the dark web still plays a role in cybercriminal operations, many threat actors now prefer more accessible and user-friendly platforms. These alternatives offer speed, scalability, and often a surprising degree of anonymity — all without the need for specialised browsers or infrastructure. Below are some of the most commonly used non-dark web channels.

Telegram

Telegram has become a go-to platform for cybercriminals. With its end-to-end encryption, support for large group chats, and the ability to create private or public channels, it offers the ideal environment for discreet coordination at scale.

Threat actors use Telegram to:

Leak stolen data and documents
Advertise and sell credentials or access to compromised systems
Host scam pages or phishing kits
Organise affiliate networks or ransomware-as-a-service (RaaS) operations

Its minimal moderation and vast global user base make it a particularly attractive choice for cybercrime groups.

Discord and Other Chat Platforms

Originally designed for online gaming communities, Discord has evolved into a full-featured communication tool with support for text, voice, and private servers. Unfortunately, these same features have also made it a popular haven for fraudsters and cybercriminals.

Threat actors use Discord to:

Create closed communities centred around fraud, hacking tools, or data leaks
Share resources in “plug” communities — often focused on carding, identity theft, or botnet services
Coordinate attacks or distribute malware through seemingly innocuous links

Other platforms such as Tox, Matrix, and IRC-based services are also used, albeit with smaller user bases.

Surface Web Forums

Despite the risks of being in plain sight, many cybercrime forums continue to operate openly on the surface web. These forums are often language-specific or focused on particular sectors, such as financial fraud, social engineering, or credential stuffing.

They are typically used to:

Trade tools, tactics, and stolen data
Post tutorials or share exploit code
Vet and recruit participants for more private activities

Some forums operate with limited moderation or are hosted in jurisdictions with lax enforcement, allowing them to persist despite ongoing attention from security professionals.

Social Media (Twitter/X, Facebook, etc.)

Social media platforms remain surprisingly popular for certain types of threat actor activity. On services like Twitter/X, Facebook, and even LinkedIn, cybercriminals can quickly build audiences, push propaganda, or leak stolen information to make a statement.

Common uses include:

Publicly claiming responsibility for attacks or breaches
Promoting data leaks to gain notoriety or apply pressure to victims
Running influence campaigns or disinformation efforts
Recruiting low-level actors or collaborators

While these platforms generally respond quickly to takedown requests, the speed at which content can be published and spread makes them a persistent threat vector.

Paste Sites and Temporary File Hosts

Pastebin-style sites and ephemeral file hosting services continue to be used by cybercriminals to share content without needing to manage infrastructure. These services are often exploited to distribute:

Malware payloads
Indicators of compromise (IOCs)
Stolen credentials or internal documentation

Examples include Pastebin, Ghostbin, file.io, and anonfiles (when active). Their simplicity and temporary nature make them appealing for one-off drops or fast-moving campaigns.

Why the Shift Away from the Dark Web?

While the dark web once provided the primary infrastructure for cybercriminal marketplaces and forums, it has become a less attractive option for many threat actors. A combination of practical challenges and strategic advantages has led to a growing preference for mainstream and surface-level platforms.

One of the key drivers behind this shift is the increasing success of global law enforcement operations. High-profile takedowns such as AlphaBay, Hansa, and Hydra have not only dismantled major criminal marketplaces but also sown distrust within dark web communities. With undercover operations and seizures now a recurring threat, many actors perceive mainstream platforms as less risky in terms of operational security, particularly when combined with disposable accounts and encrypted messaging.

Technical reliability is another issue. Dark web services can suffer from poor uptime, slow performance, and hosting instability. These problems make it harder for threat actors to run consistent operations or maintain communication, especially when compared to the seamless experience offered by platforms like Telegram or Discord.

Accessibility also plays a major role. Mainstream platforms are far easier to use and require no special configuration or tools. Anyone with a smartphone can join a Telegram group or browse a fraud forum hosted on the surface web. This lowers the barrier to entry for newer or less technically skilled actors, fuelling growth in cybercriminal communities.

Finally, these platforms offer scale. Social media, public channels, and open forums provide instant access to large audiences, whether for pushing stolen data, coordinating campaigns, or recruiting collaborators. The potential for amplification far exceeds what is typically possible within the confines of the dark web.

For all these reasons, the dark web is no longer the sole or even primary location for cybercriminal activity. Threat actors are adapting to a broader, more dynamic digital environment, and defenders must do the same.

Implications for Threat Intelligence Teams

As threat actors diversify their platforms, the scope of effective cyber threat intelligence (CTI) must evolve accordingly. Relying solely on dark web monitoring is no longer sufficient. Instead, teams must broaden their visibility to include the various surface and semi-private spaces where cybercriminal activity increasingly takes place.

Monitoring closed channels such as Telegram groups, Discord servers, and niche forums has become essential. However, these spaces are often harder to access and require greater care in terms of operational security (OPSEC). Joining or observing these groups can carry significant risk if not done properly. Analysts must use hardened environments, anonymous accounts, and clear protocols to avoid detection or legal exposure.

Language skills and cultural awareness are also becoming increasingly important. Many cybercrime communities operate in non-English languages and use regional slang or coded terminology. Without this context, valuable intelligence can be missed or misinterpreted. Investing in native language analysts or translation tools can dramatically improve coverage and insight.

The scale and speed at which content is published across platforms make manual monitoring impractical. As such, automation is vital. Tools that scrape and index Telegram posts, track mentions on social media, or flag emerging IOCs can help intelligence teams respond quickly and reduce the chance of missing key developments.

Ultimately, the shift in threat actor behaviour demands a shift in defender strategy. The more fragmented and accessible the threat landscape becomes, the more agile and well-equipped CTI teams need to be in order to stay ahead.

Case Examples

LockBit’s Use of Telegram for PR and Leak Amplification (2024)

In early 2024, after suffering internal leaks and DDoS attacks against their dark web leak site, the LockBit ransomware group turned to Telegram to regain control of their narrative. The group created public Telegram channels to share statements, leak victim data, and coordinate with affiliates. This move not only ensured continuity during technical outages but also expanded their audience beyond the dark web’s limited reach.

Telegram’s encryption, ease of access, and built-in forwarding features allowed LockBit to amplify their message rapidly, including to journalists, researchers, and rival threat actors. It showcased a tactical shift: using mainstream tools as a parallel infrastructure for both influence and extortion pressure.

“Infinity Stealer” Malware Sold via Discord and GitHub (Mid–2023 Onwards)

Infinity Stealer, a malware strain targeting browser credentials and crypto wallets, began circulating heavily in 2023 via non-dark web platforms, notably Discord and GitHub. The malware was marketed in private Discord servers where prospective buyers were vetted and provided updates. GitHub repositories were used to host payloads, configuration templates, and instructions, often disguised as open-source tools.

This campaign highlights how cybercriminals are bypassing traditional marketplaces entirely, instead using legitimate platforms for both sales and delivery infrastructure. Discord’s private server structure and GitHub’s reputational cover enabled the operators to fly under the radar while still reaching a large pool of technically capable users.

Conclusion

The dark web remains a valuable source of cyber threat intelligence — but it is no longer the whole story. As cybercriminals adapt to a shifting digital landscape, they are increasingly leveraging open and semi-closed platforms like Telegram, Discord, and even mainstream social media to conduct and promote their activities.

For CTI teams, this evolution demands a broader approach. Effective monitoring now extends beyond Tor and onion domains to include a mix of channels, each with its own risks, nuances, and intelligence value. It also requires enhanced OPSEC, linguistic awareness, and the integration of automation tools to track activity at scale.

By recognising these trends and adapting monitoring strategies accordingly, defenders can stay better aligned with the current threat environment — one that is faster, more fragmented, and no longer confined to the shadows.

Investigation, Opinion

Mastering the Analysis of Competing Hypotheses (ACH): A Practical Framework for Clear Thinking

by Daniel Collyer

June 20, 2025

In an age of information overload, uncertainty, and complex decision-making, clear analytical thinking is more crucial than ever. The Analysis of Competing Hypotheses (ACH) is a structured method designed to cut through ambiguity and support objective, evidence-based conclusions. Originally developed by Richards J. Heuer, Jr., a veteran of the U.S. intelligence community, ACH was created to help analysts systematically evaluate multiple hypotheses without falling prey to cognitive biases and premature conclusions.

At its core, ACH shifts the analytical focus from proving a favoured hypothesis to disproving less likely alternatives, ensuring that conclusions are reached through a process of elimination rather than assumption. This approach is especially valuable in fields where decisions must be made in the face of incomplete or conflicting data, such as intelligence, cybersecurity, business strategy, and investigative research.

In this article, we’ll explore the foundational principles of ACH, guide you through its step-by-step methodology, and illustrate how to apply it in real-world scenarios. Whether you’re an analyst, decision-maker, or simply someone seeking to sharpen your critical thinking skills, this practical framework offers a powerful tool for navigating complexity with clarity and rigour.

What is the Analysis of Competing Hypotheses?

The Analysis of Competing Hypotheses (ACH) is a structured analytical technique that helps individuals and teams evaluate multiple possible explanations for an event, trend, or problem—all at the same time. Rather than focusing on finding evidence that supports a single favoured hypothesis, ACH encourages analysts to test all plausible alternatives and to prioritise disconfirming evidence over confirming data.

This method stands in contrast to traditional analysis, where there is often a tendency to latch onto the most obvious explanation early on and seek only evidence that backs it up. That approach, while intuitive, is prone to cognitive pitfalls such as confirmation bias, groupthink, and premature closure.

By explicitly laying out competing hypotheses and methodically evaluating each against the available evidence, ACH helps to minimise bias, highlight critical assumptions, and improve judgement, particularly in situations that are ambiguous, fast-moving, or laden with incomplete information.

Ultimately, ACH is less about finding the answer and more about narrowing down the field of possibilities through a process that is transparent, reproducible, and intellectually disciplined.

The ACH Process Step-by-Step

The Analysis of Competing Hypotheses is more than just a checklist—it’s a disciplined approach to structuring your thinking, challenging assumptions, and arriving at well-supported conclusions. Below is an expanded walkthrough of the seven core steps, each designed to promote clarity and rigour in decision-making.

1. Define the Question or Problem

A clear, unbiased problem statement is the foundation of effective analysis. This step is about narrowing the scope of inquiry and making sure the question does not contain built-in assumptions.

Tips for framing your question:

Avoid language that implies causality or blame
Be as specific as the data allows
Keep it neutral and open-ended

Example:
Why did a system failure occur in a secure network?
This framing encourages investigation without assuming intent, method, or actor.

A poorly worded question—e.g., “Who caused the attack on our network?”—limits thinking prematurely by assuming the event was malicious and externally driven.

2. List All Plausible Hypotheses

The goal here is to generate a comprehensive list of explanations for the issue. It’s critical to suspend judgment and avoid discarding possibilities too early, especially those that feel uncomfortable or less likely at first glance.

Use techniques like brainstorming, consultation with diverse stakeholders, and red teaming to uncover blind spots.

Example Hypotheses:

H1: Insider sabotage
H2: External cyberattack
H3: Configuration error
H4: Third-party service failure
H5: Power or environmental disruption

Even if some hypotheses seem implausible, including them ensures a more robust analysis, and sometimes the least obvious explanation turns out to be the correct one.

3. Identify Evidence and Arguments

At this stage, you gather all the information that could potentially support or contradict your hypotheses. This includes:

Observational data (logs, reports, witness accounts)
Technical indicators (malware signatures, access logs)
Expert assessments
Circumstantial clues

For each piece of evidence, evaluate two things:

Source reliability: How trustworthy is the origin (e.g., system logs vs. anonymous tips)?
Information credibility: How plausible or accurate is the content?

Also consider whether the evidence is:

Direct or indirect
Confirmed or unverified
Timely or outdated

Pro tip: Avoid cherry-picking. Include evidence that contradicts your initial instincts—this is where real insight often lies.

4. Analyse Consistency

This is the heart of the ACH method: building a matrix that compares each hypothesis against each piece of evidence.

You’ll mark whether each piece of evidence is:

Consistent with the hypothesis
Inconsistent (i.e., contradicts it)
Neutral (i.e., not relevant to that hypothesis)

Example Matrix:

Evidence	H1: Insider sabotage	H2: External cyberattack	H3: Configuration error
Admin account accessed remotely at 2am	✔️ Consistent	✔️ Consistent	❌ Inconsistent
No malware signatures detected	✔️ Consistent	❌ Inconsistent	➖ Neutral
Recent patch deployed without testing	❌ Inconsistent	➖ Neutral	✔️ Consistent
No third-party access in logs	✔️ Consistent	❌ Inconsistent	✔️ Consistent

This matrix helps you visualise the weight and distribution of evidence, especially in identifying which hypotheses have significant inconsistencies.

5. Refine the Matrix

Now that the matrix is populated, focus on evaluating the diagnostic value of each piece of evidence. Ask yourself:

Which pieces most clearly discriminate between hypotheses?
Are there patterns that suggest certain hypotheses are clearly weaker?

ACH places particular emphasis on inconsistencies rather than confirmations. A single strong inconsistency can eliminate a hypothesis, while consistent evidence might apply to multiple hypotheses and be less useful in narrowing options.

Refining may also involve revisiting earlier assumptions, adjusting hypotheses, or seeking new evidence to fill gaps.

6. Draw Tentative Conclusions

This is the interpretive phase—based on the refined matrix, identify which hypothesis is least burdened by inconsistent evidence. Remember, this doesn’t mean it has the most supporting evidence, but rather that it stands up better under scrutiny.

Be cautious not to overstate certainty. If multiple hypotheses remain viable, say so. ACH supports probabilistic thinking, not premature conclusions.

Key reminders:

Avoid selecting the “most comfortable” hypothesis
Document your reasoning and uncertainties
Stay open to revision as new evidence emerges

7. Identify Milestones or Indicators

ACH is not static. Situations evolve, and so should your analysis. Define a set of indicators—specific events, behaviours, or pieces of data—that, if observed, would confirm, challenge, or refine your conclusion.

Examples:

Discovery of malware indicating a known threat actor (would support H2)
Forensic evidence of misconfiguration traced to recent update (would support H3)
Repetition of similar failures in unrelated systems (might suggest a broader issue)

Establish a plan for ongoing monitoring. This step ensures your conclusions remain grounded in reality as the situation unfolds and prevents analytical drift over time.

Practical Example: ACH in Action

To demonstrate the practical value of the Analysis of Competing Hypotheses, let’s walk through a realistic scenario involving a suspected cybersecurity incident at a mid-sized financial services firm. This example illustrates each step of the ACH process in context, showing how structured analysis can lead to clearer conclusions—even in the face of ambiguity.

Scenario: Unexpected System Downtime in a Secure Network

Background:
At 03:15 on a Tuesday morning, the firm’s primary transaction server went offline, causing a six-hour disruption to client services. The network is normally robust and protected by multiple layers of defence. Internal monitoring systems flagged the event, but initial diagnostics were inconclusive.

The CTO initiates an ACH analysis to determine what caused the failure.

Step 1: Define the Question or Problem

The team agrees to frame the central question as:

What is the most plausible explanation for the unexpected system outage on the secure transaction server?

This wording avoids assumptions about cause or intent and invites multiple lines of inquiry.

Step 2: List All Plausible Hypotheses

The team brainstorms and agrees on the following hypotheses:

H1: External cyberattack (e.g., malware, DDoS)
H2: Insider sabotage (malicious insider or misuse)
H3: Configuration or patching error
H4: Hardware failure or infrastructure fault
H5: Scheduled maintenance error or oversight

The list is deliberately inclusive to prevent tunnel vision.

Step 3: Identify Evidence and Arguments

The team compiles evidence from logs, interviews, monitoring tools, and server diagnostics. Notable pieces of evidence include:

E1: Server logs show a reboot command issued remotely at 03:14
E2: No malware signatures or IOCs (Indicators of Compromise) detected
E3: A new patch was installed the day prior without full regression testing
E4: No external traffic spikes or anomalies around the time of the incident
E5: Access logs show a junior administrator logged in remotely at 03:12
E6: Server hardware passed all post-incident diagnostics
E7: Change management calendar incorrectly listed maintenance for the wrong server

Each item is tagged with a confidence rating and source reliability to support judgment later.

Step 4: Analyse Consistency

The team creates a matrix to compare each hypothesis against the evidence.

Evidence	H1: Cyberattack	H2: Insider Sabotage	H3: Config Error	H4: Hardware Fault	H5: Maintenance Error
E1: Remote reboot at 03:14	✔️ Consistent	✔️ Consistent	✔️ Consistent	➖ Neutral	✔️ Consistent
E2: No malware or IOCs found	❌ Inconsistent	✔️ Consistent	➖ Neutral	➖ Neutral	➖ Neutral
E3: Patch installed the day before	➖ Neutral	➖ Neutral	✔️ Consistent	➖ Neutral	➖ Neutral
E4: No external anomalies	❌ Inconsistent	➖ Neutral	➖ Neutral	➖ Neutral	➖ Neutral
E5: Junior admin logged in remotely	➖ Neutral	✔️ Consistent	✔️ Consistent	➖ Neutral	❌ Inconsistent
E6: Hardware passed diagnostics	➖ Neutral	➖ Neutral	➖ Neutral	❌ Inconsistent	➖ Neutral
E7: Calendar showed the wrong server	➖ Neutral	➖ Neutral	➖ Neutral	➖ Neutral	✔️ Consistent

Step 5: Refine the Matrix

Focusing on disproving hypotheses, the team notes:

H1 (Cyberattack) has two clear inconsistencies (E2 and E4)
H4 (Hardware fault) is contradicted by E6
H5 (Maintenance error) is weakened by E5, as the admin wasn’t scheduled to access that system

H2 (Insider sabotage) and H3 (Configuration error) remain more viable. The presence of an unscheduled login and recent patching suggests a blend of human and technical causes.

The most diagnostic evidence appears to be E2 (no malware) and E3 (untested patch), which significantly affect H1 and H3, respectively.

Step 6: Draw Tentative Conclusions

H1 (Cyberattack) and H4 (Hardware fault) are largely ruled out.
H5 (Maintenance error) is possible but lacks strong support and includes an inconsistency.
That leaves:

H2 (Insider sabotage): Plausible, especially with unexpected admin access
H3 (Configuration error): Strongly supported by evidence, with few inconsistencies

Given that the administrator may have unknowingly pushed a faulty patch, H3 is deemed the most probable hypothesis, with H2 remaining a secondary consideration requiring HR review.

Step 7: Identify Milestones or Indicators

To confirm or disprove the working conclusion, the team outlines the following future indicators:

Confirmation of the patch’s fault during follow-up testing (would support H3)
HR interview with the admin reveals intent or confusion (could support or refute H2)
Any signs of privilege misuse or unusual access patterns (would raise concern for H2)
Vendor advisory on the patch’s known issues (further supporting H3)

The analysis will be updated once these indicators are assessed. In the meantime, patching procedures are temporarily suspended, and access controls are reviewed.

Final Conclusion

The structured application of ACH helped the team reach a reasoned, defensible conclusion while keeping alternate hypotheses in play. Rather than jumping to the common assumption of a cyberattack, the analysis revealed a more mundane but equally critical root cause: likely misconfiguration following a poorly tested software update.

Real-World Reference: The Lucy Letby Case

The power of ACH is underscored by its implicit use in high-stakes investigations such as the Lucy Letby trial. Prosecutors highlighted that Letby was the only staff member present during every critical incident involving infant patients—a fact established through careful analysis of shift patterns and timelines. By systematically evaluating competing hypotheses about who could have caused harm, investigators effectively used the same logic underpinning ACH: disproving alternative explanations and focusing on the hypothesis best supported by consistent evidence. This approach helped build a compelling, structured case based on opportunity and timing, demonstrating ACH’s practical application beyond intelligence into criminal justice.

Benefits and Limitations of ACH

The Analysis of Competing Hypotheses (ACH) offers a powerful framework for navigating complex, ambiguous, or high-stakes problems. But like any method, it comes with both strengths and limitations. Understanding these helps practitioners apply it effectively and appropriately.

Benefits of ACH

1. Reduces Cognitive Bias
ACH is specifically designed to counteract common mental pitfalls, such as confirmation bias and premature conclusions. By forcing the analyst to evaluate all plausible hypotheses and focus on disconfirming evidence, it encourages objectivity and balance.

2. Encourages Structured Thinking
Rather than relying on intuition or fragmented information, ACH imposes a disciplined approach. Analysts must document each step, weigh evidence methodically, and justify conclusions. This structure makes reasoning transparent and defensible, especially important in intelligence, law enforcement, or regulatory settings.

3. Handles Ambiguity and Complexity Well
ACH is particularly effective when information is incomplete, uncertain, or contradictory. By assessing how each piece of evidence aligns (or doesn’t) with multiple hypotheses, it accommodates complexity without oversimplifying.

4. Improves Group Collaboration and Debate
In team settings, ACH helps avoid groupthink by providing a common analytical language and framework. It gives structure to collaborative analysis, enabling different perspectives to be tested against the same evidence matrix.

5. Highlights Gaps and Guides Collection
The process often reveals where evidence is weak or missing, helping analysts identify what further data needs to be gathered. Diagnostic indicators can also be flagged for future monitoring.

Limitations of ACH

1. Time-Consuming
ACH is not always suited to fast-moving or reactive situations. Building and refining matrices, especially for complex cases with numerous hypotheses, can be labour-intensive.

2. Dependent on Quality of Input
The effectiveness of ACH depends entirely on the quality and reliability of the evidence fed into it. Incomplete, misleading, or low-confidence data can skew conclusions, even if the process itself is rigorous.

3. May Oversimplify Nuance
Although ACH structures thinking, it can sometimes encourage a binary view of evidence (e.g. consistent/inconsistent/neutral). This may not capture subtleties, degrees of relevance, or contextual complexity unless analysts make an effort to interpret carefully.

4. Requires Analytical Discipline
The method assumes a willingness to challenge assumptions, avoid premature closure, and remain open to changing conclusions as new evidence arises. In practice, this intellectual discipline can be hard to maintain, especially under pressure.

5. Not a Substitute for Domain Expertise
ACH supports analysis, but it does not replace subject matter knowledge. Without expert insight to interpret evidence correctly, even a well-constructed ACH matrix can produce flawed conclusions.

ACH is a powerful complement to critical thinking, not a magic solution. Used thoughtfully, it strengthens the quality of judgment and provides a clear audit trail for how conclusions were reached.

Tools and Resources

While the Analysis of Competing Hypotheses (ACH) can be applied using simple pen-and-paper methods, various tools can help structure the process, especially when working with complex datasets or collaborating with others. Below are some practical tools that support ACH-style analysis.

Manual Tools

Spreadsheets (e.g., Excel, Google Sheets)
Spreadsheets remain a reliable and widely used method for building ACH matrices. Users can list hypotheses across the top, evidence down the side, and use consistent symbols or colour codes to mark whether each item of evidence is consistent, inconsistent, or neutral. This method offers full transparency and is easily adaptable for individual or team use.

Printable ACH Templates
Basic ACH grids are available as printable templates and can be useful in workshops, briefings, or offline environments. These encourage clarity of thought without requiring technical platforms.

Digital Tools

PARC ACH Tool
Developed by the Palo Alto Research Center, this free, downloadable tool guides users through the ACH process, including hypothesis generation, evidence scoring, matrix creation, and conclusion development. It’s well-suited for training and operational use.

IBM i2 Analyst’s Notebook
Though not purpose-built for ACH, Analyst’s Notebook allows for sophisticated mapping of relationships between people, events, and data, which can support structured hypothesis testing in investigative contexts.

Recommended Reading

Psychology of Intelligence Analysis – Richards J. Heuer Jr.
The original source text on ACH offers both theory and practical examples. Essential reading for analysts across sectors.
Tradecraft Primer: Structured Analytic Techniques for Intelligence Analysis – CIA (declassified)
A practical manual outlining ACH alongside other structured methods such as key assumptions checks and red teaming. Freely available online.

Conclusion

In a world increasingly defined by uncertainty, complexity, and competing narratives, the Analysis of Competing Hypotheses (ACH) offers a methodical way to cut through ambiguity. Originally developed for intelligence professionals, its value extends far beyond, offering anyone engaged in investigative work, cybersecurity, risk assessment, or strategic decision-making a practical framework for clearer thinking.

By focusing on disproving rather than confirming, ACH helps analysts avoid cognitive traps and build conclusions on firmer ground. It doesn’t guarantee certainty, but it does promote discipline, transparency, and intellectual honesty — qualities that are increasingly vital in high-stakes environments.

While the process may require time and rigour, the payoff is well-structured, defensible conclusions. Whether you’re a security analyst examining network breaches, a business leader weighing strategic options, or a researcher interpreting complex data, ACH provides a repeatable model for navigating complexity with confidence.

Incorporating ACH into your analytical toolkit is more than a method — it’s a mindset shift towards structured scepticism, clarity of thought, and resilient decision-making. The more widely it’s adopted, the stronger our collective reasoning becomes.

Header photo by Milad Fakurian on Unsplash.

Photo by fabio on Unsplash.

SOS Intelligence Webinar

Business Update Webinar – you’re invited!

by Amir Hadzipasic

May 21, 2025

A date for your diaries, or rather, your calendar 🙂 Please join us on Wednesday, June 4th at 4pm UK time for our third webinar of the year where I will be taking you through our platform updates, and there are many!

Look forward to seeing you and taking your questions.

Best wishes,

Amir

Who is this for?

Anyone in a business or organisation who has responsibility for online security
CTOs or senior managers who want to understand why there is a critical need for a service like SOS Intelligence
IT / Cyber Security teams
Business owners who are worried about the recent cyber attacks in the UK

What we will cover:

NEW Key Features

SSO
Better UX
Threat Tracker
Domain Monitor
DARKMAP rebuild and improvements
On demand RFIs
Vulnerability Intelligence

Our AI Analyst

Fully Integrated, private LLM agent
Alert Analysis
Content Analysis
Natural Language querying

Hosted by Jon Moss and SOS Intelligence Founder and CEO, Amir Hadzipasic

Photo by Headway on Unsplash

Opinion, OSINT, Tips

Evaluating OSINT: Why It Matters and How to Do It Right

by Daniel Collyer

April 22, 2025

Open Source Intelligence (OSINT) has become a cornerstone of modern intelligence work — from cyber threat analysis to corporate due diligence and investigative journalism. With a wealth of publicly available information just a few clicks away, the real challenge no longer lies in accessing data, but in determining its value.

Not all sources are equal, and not all information should be trusted at face value. In an age of misinformation, spoofed identities, and manipulated content, the ability to critically evaluate OSINT is essential. Whether you’re conducting research for a security operation or building a threat profile, understanding how to assess the credibility, accuracy, and relevance of your findings is what turns raw data into actionable intelligence.

In this blog, we’ll explore why evaluation is such a crucial stage in the OSINT process, introduce key criteria and techniques for assessing intelligence, and provide practical advice to help you strengthen your evaluation skills.

Why Evaluation Matters in OSINT

The open nature of OSINT is both its greatest strength and its biggest vulnerability. While the accessibility of public data allows for rich and diverse intelligence gathering, it also means the information collected can be incomplete, misleading, outdated, or deliberately false. Without rigorous evaluation, even the most promising-looking data can lead analysts down the wrong path.

In security contexts, acting on flawed intelligence can have serious consequences — from reputational damage and wasted resources to operational failure or legal risk. A single unverified claim from an untrustworthy source can compromise an entire investigation or response effort.

It’s also important to distinguish between data, information, and intelligence. OSINT collection yields data — raw, unprocessed facts. When those facts are organised and given context, they become information. But it’s only through evaluation — the process of assessing accuracy, reliability, and relevance — that information is transformed into intelligence that decision-makers can act on with confidence.

In short, evaluation is what separates noise from insight. It’s not just a good practice — it’s a critical step that determines the overall value and credibility of your intelligence output.

Core Evaluation Criteria

Evaluating OSINT effectively requires a structured approach. Rather than relying on gut instinct or assumptions, analysts should assess each piece of information against a set of established criteria. This ensures consistency, reduces bias, and increases the likelihood that your final intelligence product will be trusted and actionable.

Here are five key criteria that can guide your evaluation process:

1. Relevance

Does the information directly relate to your intelligence requirement or objective? OSINT can be full of interesting but tangential details. Focusing only on what is relevant ensures your analysis remains targeted and efficient.

2. Reliability

Is the source trustworthy? Consider the origin of the data — is it a reputable website, a verified account, or a known organisation? Or is it an anonymous post on a forum with no verifiable backing? The credibility of the source often dictates the reliability of the information it provides.

3. Accuracy

Is the information factually correct? Has it been corroborated by other sources? Are there inconsistencies, errors, or signs of manipulation? Verifying accuracy is especially important when dealing with fast-moving events or user-generated content.

4. Timeliness

Is the data current? Outdated information can skew your analysis, particularly in areas like cybersecurity or geopolitical monitoring where things change rapidly. Always check publication dates and consider whether the information still reflects the present reality.

5. Objectivity

Is the content neutral, or does it show bias? Be wary of emotionally charged language, persuasive tone, or content designed to provoke. Identifying whether the source has an agenda can help you judge how much weight to give the information.

Using the Admiralty Code

One widely recognised method for evaluating sources and information is the Admiralty Code, also known as the NATO Source Reliability and Information Credibility grading system. It uses a two-part alphanumeric rating to assess:

Source Reliability (A–F) – how dependable the source is based on past performance, access to information, and known biases.
Information Credibility (1–6) – how believable the information is, based on corroboration, plausibility, and consistency with known facts.

For example, a rating of A1 indicates a highly reliable source providing confirmed information, while E5 might flag a questionable source offering unconfirmed or implausible content. While originally designed for military intelligence, the Admiralty Code can be adapted to OSINT workflows to provide a quick yet effective way of scoring confidence in your findings.

By combining the Admiralty Code with the core evaluation criteria above, analysts can create a more transparent, defensible assessment process that supports better decision-making.

Source Evaluation Techniques

Once you’ve identified what you’re looking for and established your evaluation criteria, the next step is to put those principles into practice. Evaluating sources effectively requires both critical thinking and a methodical approach. Below are some techniques that can help analysts assess the credibility, authenticity, and relevance of open source material.

1. Corroboration Across Multiple Sources

One of the most effective ways to validate information is through corroboration. Can the same information be found across multiple independent, reputable sources? If different, unrelated sources are reporting the same facts, confidence in the information naturally increases. Be mindful, however, of information echo chambers — where multiple outlets are simply republishing or citing the same original (and possibly flawed) source.

2. Trace the Original Source

Always seek the original source of information rather than relying on summaries, screenshots, or secondary reporting. When analysing a news story, forum post, or leaked document, trace it back to its origin to assess context, authenticity, and potential manipulation. Metadata, timestamps, and file properties can offer valuable clues in verifying source integrity.

3. Use of Source Grading Systems

Incorporating a formal source grading system, such as the Admiralty Code, adds structure to your evaluation. Assigning a reliability and credibility rating to each source not only helps prioritise information but also makes your intelligence product more transparent and defensible.

4. Evaluate Digital Footprints

For online content, take time to assess the digital presence of the source. Does a social media profile show a consistent identity over time, or does it exhibit signs of automation or inauthentic behaviour? Techniques such as reverse image searches, domain registration checks (WHOIS), and historical snapshots (via the Wayback Machine) can help verify source history and legitimacy.

5. Consider the Source’s Motivation and Bias

Understanding why a source is publishing certain information can help contextualise its reliability. Is the content investigative, promotional, political, or satirical? Is it user-generated or professionally produced? Analysing tone, language, and publication history can reveal bias or intent that may affect credibility.

6. Balance Automation with Human Judgement

While automated tools like browser plugins, scraping utilities, and AI classifiers can assist in sorting and filtering OSINT, human evaluation remains essential. Algorithms can flag suspicious patterns, but they may miss nuance, satire, or contextual subtleties. The most effective OSINT analysts use tools to support — not replace — critical thinking.

By applying these techniques consistently, analysts can reduce the risk of misinformation, increase the quality of their assessments, and build intelligence that decision-makers can trust. Evaluation isn’t just a stage in the process — it’s an ongoing discipline throughout the lifecycle of any OSINT investigation.

Practical Tips for Evaluators

Even with a solid framework and a set of reliable techniques, OSINT evaluation often comes down to the fine details — the subtle clues, the consistency checks, and the instinct honed by experience. This section offers practical, hands-on advice to help you refine your evaluation skills and avoid common pitfalls.

1. Keep an Evaluation Log

Maintain a record of how you’ve assessed each source — including decisions around credibility, context, and any verification steps taken. This is especially important in collaborative environments or when intelligence may need to be defended later. Tools like analyst notebooks, spreadsheets, or structured databases can help you track this clearly.

2. Use Source Checklists

Create a simple checklist to run through each time you assess a source. This could include prompts like:

Does the source have a known history or digital presence?
Is the information supported by others?
Can I identify any potential bias?
What’s the Admiralty Code rating?
Having a repeatable checklist reduces oversight and builds consistency in your process.

3. Beware of Confirmation Bias

It’s easy to give more weight to information that aligns with your assumptions or desired outcomes. Make a conscious effort to challenge your own conclusions by seeking contradictory or alternative views. A good analyst considers what’s missing, not just what’s present.

4. Apply Lateral Reading

When evaluating websites or media content, use lateral reading — that is, open other tabs to research the author, domain, or claims from outside sources rather than staying within the original source’s ecosystem. This is especially useful when verifying unfamiliar outlets or detecting disinformation.

5. Factor in Context and Culture

Context matters. A piece of content that appears misleading may be satire, a mistranslation, or culturally specific. Understanding the context in which content was created — including language, location, and intended audience — can significantly impact how it should be interpreted and evaluated.

6. Treat OSINT Like Evidence

Approach OSINT evaluation with the same care and scrutiny as if you were handling physical evidence. Every claim should be backed by verification or flagged as unconfirmed. If there are gaps or assumptions, make them explicit. This rigour supports better intelligence products and protects your credibility as an analyst.

While critical thinking is at the heart of any good OSINT evaluation, the right tools can streamline your workflow, support verification, and uncover valuable context. These tools don’t replace human judgement — but they do enhance your ability to assess the reliability, credibility, and relevance of open source material.

Below is a selection of tools, grouped by function, that can support your evaluation efforts:

Source Verification and Reputation

WHOIS Lookup (e.g. Whois.domaintools.com, ViewDNS.info)
Check domain registration details to assess how long a site has been active and who owns it.
Wayback Machine (archive.org)
View historical versions of web pages to track changes or confirm the existence of content at a given time.
DomainTools Iris or RiskIQ PassiveTotal
More advanced tools for investigating infrastructure, subdomains, and digital footprints of websites.

Media and Content Verification

Google Reverse Image Search / TinEye / Yandex
Check whether images are original or reused across different contexts, possibly indicating misinformation.
InVID / WeVerify Toolkit
Useful for verifying videos and images from social media, checking for manipulation or date/location mismatches.
Metadata Extractors (e.g. ExifTool)
Analyse image and file metadata to identify origin, device, and timestamps — where available.

Social Media Evaluation

Account Analysis Tools (e.g. WhoisThisProfile, Social Searcher)
Evaluate the activity and legitimacy of social media accounts by checking post history, bio details, and follower patterns.
Hoaxy
Visualises how information spreads across Twitter — useful for identifying echo chambers, bots, or coordinated disinformation.

Information Cross-Referencing

Google Advanced Search / Operators
Use search modifiers (like site:, intitle:, or filetype:) to hone in on credible or official sources.
OSINT Framework (osintframework.com)
Not a tool itself, but a curated directory of tools and resources for various OSINT tasks — including evaluation and verification.

Structured Evaluation and Analysis

Maltego
Helps visualise and map relationships between entities (people, domains, IPs, etc.), useful for contextualising source networks.
Hunchly
A browser plugin that automatically captures and logs every page you visit, supporting transparency and traceability in your investigations.
IntelTechniques Workbook / Casefile
Structured templates and tools from the OSINT community that support methodical evaluation and reporting.

Case Study: Misidentification in the Boston Marathon Bombing

The 2013 Boston Marathon bombing provides a powerful example of how poor OSINT evaluation can lead to serious consequences. In the immediate aftermath of the attack, online communities — particularly Reddit — attempted to crowdsource intelligence to help identify the perpetrators.

The OSINT Effort

Amateur investigators analysed photos, videos, and social media posts to spot “suspicious” individuals in the crowd. One person in particular, Sunil Tripathi, a missing university student, was misidentified as a suspect based on vague visual similarities and unverified assumptions.

Reddit threads, Twitter posts, and even some journalists picked up on the speculation, causing his name and photo to circulate rapidly online. This led to distress for his family, public confusion, and the further spread of misinformation.

What Went Wrong?

No Source Validation: The photos used were low-resolution and out of context. No effort was made to verify the original source or timestamp.
Lack of Corroboration: Claims were amplified without independent verification or official confirmation.
Confirmation Bias: Users were looking for someone who looked like they could be a suspect, rather than critically evaluating the data.
Absence of a Structured Framework: There was no use of a system like the Admiralty Code to assess source reliability or information credibility.

The Impact

Authorities later confirmed that Tripathi had no involvement in the bombing — he had sadly died by suicide prior to the attack. The incident highlighted how untrained use of OSINT and failure to properly evaluate information can lead to serious reputational harm, emotional trauma, and the derailment of actual investigations.

This case shows that while open source intelligence can be powerful, it must be used responsibly. Without evaluation, it’s just noise — and in high-stakes situations, that noise can do real damage.

Conclusion: Evaluation Is the Heart of Effective OSINT

Open source intelligence has become a cornerstone of modern investigations, from cybersecurity and law enforcement to journalism and corporate risk. But the sheer volume of available information means that gathering data is no longer the hard part — evaluating it is.

As we’ve seen, the effectiveness of OSINT hinges not on what you collect, but on how you assess it. Poorly evaluated intelligence can mislead, cause harm, or result in missed opportunities. In contrast, well-evaluated OSINT builds clarity, confidence, and strategic value.

Whether you’re using the Admiralty Code, applying structured frameworks, or leveraging specialised tools, the goal remains the same: to produce intelligence that is accurate, reliable, and actionable. Evaluation isn’t a final step in the OSINT process — it’s woven throughout.

In an age where misinformation spreads faster than truth, the ability to critically evaluate open source material isn’t just a skill — it’s a responsibility.

Header Photo by Mike Kononov on Unsplash, balance Photo by Jeremy Thomas on Unsplash and tools Photo by Immo Wegmann on Unsplash.

OSINT, Tips

Operationalising OSINT: Turning Intelligence into Action

by Daniel Collyer

March 14, 2025

Open-Source Intelligence (OSINT) is a powerful asset in cybersecurity, providing insights into emerging threats, leaked credentials, and malicious activity across the Surface, Deep, and Dark Web. However, many organisations struggle to operationalise OSINT effectively—collecting vast amounts of data but failing to translate it into meaningful action.

Without a clear strategy, OSINT risks becoming an overwhelming information stream rather than a practical tool for threat intelligence and response. To maximise its value, security teams must structure their OSINT collection, verify sources, and integrate findings into their wider cybersecurity framework.

In this blog, we’ll explore how to transform raw OSINT into actionable intelligence, covering key steps such as defining intelligence requirements, identifying reliable sources, validating data, and responding to threats. By adopting a structured approach and leveraging automation tools like SOS Intelligence, businesses can enhance their cyber defences and stay ahead of potential attacks.

The Intelligence Cycle: Transforming OSINT into Actionable Intelligence

To effectively operationalise OSINT, organisations must follow a structured approach to intelligence gathering, analysis, and dissemination. This structured methodology is known as the intelligence cycle, which consists of five key stages:

Direction – Defining intelligence requirements based on security needs.
Collection – Gathering relevant OSINT from multiple sources.
Processing – Organising, filtering, and structuring raw data.
Analysis – Interpreting data to produce actionable intelligence.
Dissemination – Delivering intelligence to stakeholders in a usable format.

Understanding these stages helps security teams ensure that OSINT is not just collected, but effectively utilised in cybersecurity decision-making.

What is Information vs. Intelligence?

One of the biggest misconceptions about OSINT is that all collected data is immediately valuable. However, there is a crucial difference between information and intelligence:

Information: Raw data collected from public sources (e.g., leaked credentials, malware hashes, threat actor forum posts). By itself, this data lacks context and reliability.
Intelligence: Processed and analysed information that provides actionable insights (e.g., identifying a ransomware gang’s tactics, techniques, and procedures (TTPs) based on patterns in stolen data).

To bridge the gap between information and intelligence, organisations must follow a rigorous intelligence process.

Breaking Down the Intelligence Cycle

1. Direction: Defining Intelligence Requirements

Before OSINT collection begins, organisations must determine what intelligence they need. This step involves:

Identifying key risks: Credential leaks, fraud attempts, insider threats, ransomware activity.
Aligning intelligence efforts with business needs: Which threats pose the greatest risk to our organisation? What are our critical assets?
Establishing intelligence priorities: Focusing on threats that directly impact security operations.

Example: A financial institution may prioritise OSINT collection on dark web forums where banking trojans and phishing kits are shared.

2. Collection: Gathering OSINT from Multiple Sources

Collection involves retrieving data from publicly available, deep web, and dark web sources. This can include:

Surface Web: Public databases, news sites, social media, and forums.
Deep Web: Subscription-based services, closed forums, restricted-access platforms.
Dark Web: Criminal marketplaces, hacking forums, ransomware leak sites, stealer logs.
Technical OSINT: Malware indicators, leaked credentials, threat intelligence feeds.

Automated tools like SOS Intelligence can streamline OSINT collection, enabling real-time threat monitoring.

3. Processing: Structuring and Filtering Data

Once data is collected, it must be cleaned, categorised, and structured to remove irrelevant information and identify meaningful patterns. Processing methods include:

Parsing large datasets to extract key indicators (e.g., IP addresses, domain names, email addresses).
Cross-referencing leaks with known threat intelligence feeds.
Using machine learning to classify phishing campaigns, ransomware tactics, and fraud patterns.

Example: Instead of manually reviewing thousands of leaked credentials, an automated system can compare them to internal employee accounts and flag potential exposures.

4. Analysis: Producing Actionable Intelligence

This is where raw OSINT is transformed into intelligence. Analysts examine the data to:

Identify emerging threats (e.g., a new ransomware gang targeting specific industries).
Assess credibility (e.g., verifying if a dark web database leak is legitimate).
Determine impact (e.g., assessing the risk of a phishing kit targeting a company’s domain).

Example: A security team monitoring a dark web forum might detect threat actors discussing exploits for a recently disclosed vulnerability, allowing them to preemptively patch affected systems.

5. Dissemination: Delivering Intelligence to Key Stakeholders

Intelligence is only useful if it reaches the right people in the right format. Different stakeholders require different intelligence products, including:

Strategic Intelligence (for executives & CISOs): High-level reports on cybercrime trends, attack motivations, and geopolitical risks.
Operational Intelligence (for SOCs & threat analysts): Indicators of compromise (IoCs), malware signatures, and active threats.
Tactical Intelligence (for security engineers): TTPs of adversaries, detailed technical analysis, and defensive measures.

Example: After detecting an impending ransomware campaign, intelligence teams may send a threat bulletin to CISOs, detailed IoCs to SOC teams, and patching recommendations to IT administrators.

Dissemination doesn’t always require a complex report or a polished intelligence briefing—an intelligence product can be as simple as an email confirming or disproving a security concern, backed by reliable sources. In many cases, speed is more important than presentation; a short, well-referenced message to a security team can provide critical insights faster than a detailed report. Similarly, a single-slide deck summarising key OSINT findings or a quick Slack message with verified indicators of compromise (IoCs) can be just as valuable as a full intelligence dossier. The key is to ensure that the right information reaches the right people in a format that supports quick decision-making and response.

Defining OSINT in CTI

Open-Source Intelligence (OSINT) refers to the collection, analysis, and interpretation of publicly available information to identify risks, emerging threats, and potential cyberattacks. Within Cyber Threat Intelligence (CTI), OSINT serves as a critical tool, helping security teams detect indicators of compromise (IOCs), monitor threat actor activity, and mitigate cyber risks before they escalate.

Unlike classified intelligence or internal telemetry from security tools, OSINT draws from external sources that are freely accessible or require minimal authentication. This allows organisations to gain a broader view of their threat landscape, including potential data leaks, phishing campaigns, and adversarial planning occurring in criminal forums.

By leveraging OSINT, organisations can move from a reactive security approach—responding only after an incident occurs—to a proactive one, where threats are identified and mitigated before they cause harm. However, the real challenge lies in filtering out irrelevant data and transforming raw OSINT into meaningful intelligence that informs decision-making.

Key Sources of OSINT

OSINT can be gathered from a vast array of sources, but in cybersecurity, these are typically categorised into three main areas:

1. Surface Web

The Surface Web consists of publicly accessible online content that does not require special permissions or anonymity tools to access. Key sources include:

Social Media – Threat actors often discuss hacking methods, share leaked credentials, or advertise illicit services on platforms like Twitter, Telegram, and Discord.
Company Websites & Job Listings – Publicly available employee details, technology stacks, and even misconfigured web servers can expose an organisation to risk.
News & Security Blogs – Reports on data breaches, ransomware attacks, and emerging vulnerabilities provide valuable intelligence on ongoing cyber threats.
Paste Sites & Code Repositories – Platforms like Pastebin and GitHub can be used to share stolen data, leaked API keys, or exposed credentials.

2. Deep Web

The Deep Web refers to content that is not indexed by standard search engines but is still accessible with proper credentials. Important OSINT sources here include:

Subscription-Based Threat Intelligence Feeds – Industry reports and commercial CTI feeds provide detailed insights into threat actors and attack trends.
Restricted-Access Forums – Cybercriminals and hacking communities operate in invite-only forums where malware is traded, vulnerabilities are discussed, and attack methods are refined.
Breach Notification Services – Platforms like Have I Been Pwned or commercial alternatives notify organisations of exposed credentials or sensitive data leaks.

3. Dark Web

The Dark Web consists of anonymised networks, primarily accessed via Tor, I2P, or other privacy-preserving technologies, where cybercriminals operate under pseudonyms. Key OSINT sources here include:

Criminal Marketplaces – Sites where stolen credentials, malware, ransomware-as-a-service (RaaS), and hacking tools are bought and sold.
Hacking Forums & Telegram Channels – Underground communities where cybercriminals share tactics, discuss vulnerabilities, and coordinate attacks.
Stealer Logs & Leaked Databases – Credentials harvested from infostealers (such as RedLine or Raccoon) often appear in logs before being used for account takeovers.

The Importance of OSINT in Cybersecurity

OSINT is particularly valuable for:

Early Threat Detection – Identifying phishing domains, leaked credentials, or chatter about an organisation on cybercriminal forums before an attack takes place.

Attack Surface Management – Understanding what an attacker can see about your organisation, from exposed assets to employee data, allowing for proactive risk reduction.

Incident Response & Attribution – OSINT can help trace an attack’s origins, uncover associated threat actors, and provide indicators of compromise (IOCs) for defence strategies.

However, the sheer volume of OSINT data—combined with the difficulty of verifying its accuracy—poses a challenge for security teams.

How to Structure an OSINT Collection Plan

A well-structured OSINT collection plan is essential for transforming scattered pieces of information into actionable intelligence. Without a clear strategy, organisations risk gathering vast amounts of raw data without meaningful insights or direction. A systematic approach ensures that OSINT efforts align with an organisation’s security priorities and can be effectively used to mitigate threats.

An effective OSINT collection plan involves five key steps:

Step 1: Define Intelligence Requirements

Before collecting any OSINT, it’s crucial to determine what intelligence your organisation actually needs. This involves asking:

What threats matter most to our business? – Are you concerned about credential leaks, phishing campaigns, ransomware threats, insider threats, or data exfiltration?
What assets need protecting? – This could include sensitive customer data, employee credentials, proprietary technology, or intellectual property.
Who are the likely threat actors? – Understanding whether you are at risk from nation-state actors, cybercriminal gangs, or hacktivist groups helps prioritise intelligence collection.

Once intelligence requirements are defined, they should be documented as part of an Intelligence Collection Plan (ICP), ensuring all OSINT activities are targeted and relevant.

Step 2: Identify Reliable OSINT Sources

Not all OSINT sources are equally valuable, and using unverified or low-quality sources can lead to false positives and wasted resources. Identifying trusted and relevant OSINT sources is crucial.

Key OSINT sources for cybersecurity include:

Dark Web & Criminal Marketplaces – Where stolen credentials, payment data, and hacking tools are traded.
Threat Actor Forums & Telegram Channels – Used for planning attacks, recruiting insiders, and sharing breach information.
Phishing Intelligence Feeds – Monitoring domains impersonating your organisation can help detect phishing attacks before they spread.
Leaked Databases & Stealer Logs – If employee or customer credentials are compromised, they may appear in breach dumps or logs from infostealer malware.
Surface Web & Social Media – Cybercriminals often use social media to promote attacks or expose sensitive data inadvertently.

The Importance of Verification

Intelligence is only useful if it is accurate. Before acting on OSINT, it’s important to:

Cross-check information across multiple sources to ensure reliability.
Verify the credibility of the source—for example, distinguishing between a legitimate data breach and a false claim made by a threat actor.
Use automation tools (such as SOS Intelligence) to filter out noise and prioritise high-risk intelligence.

Step 3: Collect and Process the Data

Once the right sources are identified, the next step is collecting and structuring the data for analysis. Effective OSINT collection should focus on:

Automating Data Collection – Given the vast amount of OSINT available, manual collection is inefficient. Using tools like SOS Intelligence allows for continuous monitoring of the Dark Web, phishing domains, and threat intelligence feeds.
Prioritising Data – Not all OSINT is immediately actionable. Prioritisation is essential based on factors like credibility, relevance, and urgency. For example, leaked employee credentials from a stealer log require immediate action, whereas general discussions about vulnerabilities may require further investigation.
Structuring Findings – OSINT should be documented in a format that facilitates analysis, such as:
- Indicators of Compromise (IOCs) – IP addresses, domains, hashes, and file signatures linked to attacks.
- Threat Actor Profiles – Identifying who is behind the attack, their motives, and their previous activities.
- Risk Level & Impact Assessment – Determining the likelihood and potential damage of a threat.

Step 4: Validate and Cross-Reference Intelligence

Not all OSINT findings will be immediately actionable, and some may even be misleading. Before taking action, intelligence should be verified by:

Comparing with known threat intelligence feeds – Are other security researchers reporting similar findings?
Checking for corroborating evidence – A leaked credential may be fake or outdated; checking other sources can confirm if it’s a real compromise.
Assessing the credibility of the source – Some threat actors exaggerate their claims to gain notoriety.

Step 5: Convert OSINT into Actionable Intelligence

The final step is ensuring that OSINT findings lead to tangible security improvements. This involves:

Reporting Intelligence to the Right Stakeholders

Security Operations Centre (SOC): To monitor and respond to active threats.
Chief Information Security Officer (CISO): For strategic threat awareness and risk assessment.
Incident Response Teams: To take immediate action against identified threats.

Developing an Action Plan Based on OSINT Findings

If a phishing domain is detected, block it and alert employees to prevent credential theft.
If leaked credentials are found, reset affected passwords and enforce multi-factor authentication (MFA).
If cybercriminals are discussing an upcoming attack, enhance monitoring and prepare defences before it happens.

Real-World Example: OSINT in Action – The Sony Pictures Hack (2014)

The 2014 cyberattack on Sony Pictures Entertainment remains one of the most high-profile examples of how Open-Source Intelligence (OSINT) can be leveraged in both cyber offence and defence. The breach, attributed to the North Korean-backed hacking group “Guardians of Peace” (GOP), led to the leak of highly sensitive data, including employee records, internal emails, and unreleased films.

How OSINT Played a Role in the Attack

The Sony Pictures hack was not an opportunistic attack; it was meticulously planned. The attackers used OSINT techniques to gather intelligence on Sony’s infrastructure, personnel, and security posture before launching their destructive campaign.

1. Employee Profiling & Social Engineering

Hackers scanned social media sites such as LinkedIn, Twitter, and Facebook to gather information on Sony’s employees, particularly those in IT and security roles.
Publicly available resumes, job postings, and tech conference presentations gave insights into the software, systems, and security solutions Sony was using.
This information helped the attackers craft highly convincing phishing emails and pretext phone calls, tricking employees into revealing credentials or installing malware.

2. Mapping Sony’s Digital Infrastructure

OSINT sources such as Shodan (a search engine for internet-connected devices) allowed the attackers to identify exposed servers, outdated software, and misconfigured systems.
DNS records and WHOIS lookups provided information on Sony’s network architecture.
Discussions on public technical forums and GitHub repositories revealed additional details about Sony’s internal systems.

3. Third-Party Exploitation

Sony’s vendors and contractors also became intelligence targets.
By identifying Sony’s external partners through press releases and LinkedIn, the attackers could exploit weak security measures in third-party networks to gain indirect access.

The Attack Execution

Armed with this OSINT, the attackers deployed a sophisticated wiper malware that:

Destroyed over 3,000 computers and servers, wiping hard drives and making recovery difficult.
Exfiltrated terabytes of data, including unreleased films, salary details, and executives’ private emails.
Leaked damaging internal emails, causing reputational harm and leadership changes.
Displayed a threatening message on employees’ screens, warning them not to work for Sony.

Impact & Aftermath

Sony suffered an estimated $35 million in IT damage and over $100 million in indirect costs, including legal fees and security overhauls.
The attack was politically motivated, reportedly in response to Sony’s release of the film The Interview, which depicted North Korea’s leader in a negative light.
The FBI officially attributed the attack to North Korea, marking one of the first major cyber incidents linked to a nation-state actor.
Sony had to completely rebuild its IT infrastructure and implement more robust security measures, including OSINT-driven threat intelligence monitoring.

Lessons for Cyber Threat Intelligence (CTI)

The Sony hack underscores the critical importance of OSINT in cybersecurity—both as a weapon for attackers and a defensive tool for organisations. Key takeaways include:

Proactive OSINT Monitoring: Organisations must regularly monitor their exposed attack surface—social media, public records, and open databases—for sensitive information that could aid attackers.
Employee Cyber Hygiene: Training staff to recognise phishing attempts, social engineering tactics, and OSINT-driven reconnaissance is essential.
Third-Party Risk Management: Companies should enforce strict security standards on vendors and partners, ensuring that weak links in the supply chain do not become entry points.
Network Hardening: Regular audits of publicly exposed assets, DNS records, and internet-facing infrastructure can help detect and patch vulnerabilities before they are exploited.

Conclusion & Key Takeaways

The Sony Pictures hack serves as a stark reminder that OSINT is a double-edged sword—while cybercriminals and nation-state actors use it to plan sophisticated attacks, organisations can harness the same intelligence to defend themselves proactively.

To operationalise OSINT effectively, businesses must move beyond passive collection and integrate OSINT into their threat detection, risk management, and incident response strategies. The key to success lies in structuring intelligence workflows to ensure that OSINT is verified, actionable, and timely.

Key Takeaways

OSINT is only valuable when it leads to action. Raw data without context or validation is just noise. Organisations must refine and interpret OSINT to extract meaningful insights.
A structured OSINT collection plan is essential. By defining intelligence requirements, identifying reliable sources, and validating findings, organisations can ensure that their OSINT efforts are aligned with real security needs.
Automation enhances OSINT effectiveness. Given the sheer volume of open-source data, automated tools—such as SOS Intelligence—can help streamline collection, filtering, and analysis, ensuring that security teams focus on the most relevant threats.
Threat actors are already using OSINT against businesses. The Sony hack, among many other incidents, demonstrates how attackers leverage public information to conduct reconnaissance. Organisations must proactively monitor their attack surface to reduce exposure.
OSINT should be integrated into cybersecurity operations. Security teams, CISOs, and SOCs must incorporate OSINT insights into threat intelligence feeds, SIEM systems, and response workflows to improve incident detection and mitigation.

Final Thoughts

In today’s evolving threat landscape, cyber resilience requires intelligence-led security strategies. Open-Source Intelligence is no longer optional—it is a critical component of modern cybersecurity and threat intelligence. By leveraging automated solutions like SOS Intelligence, organisations can transform OSINT from an underutilised resource into a powerful tool for threat detection and risk mitigation.

The key question isn’t whether OSINT can help your organisation—it’s whether you are using it effectively.

Automating OSINT Collection with SOS Intelligence

Manually tracking and analysing OSINT sources is time-consuming, especially when dealing with fast-moving threats on the Dark Web. Automation is essential for transforming OSINT from passive intelligence into an actionable security asset.

SOS Intelligence provides the tools to help automate your OSINT collection. Our platform continuously monitors Dark Web marketplaces, leaked credential databases, and phishing intelligence sources and makes that data readily available for analysis. By using real-time threat intelligence feeds, organisations can:

Detect leaked credentials before they are weaponised.
Identify phishing sites impersonating their brand.
Identify intelligence regarding threats targeting their industry.
Streamline OSINT analysis by filtering noise and focusing on relevant intelligence.

With the right approach, OSINT can become an integral part of an organisation’s cyber defence strategy—helping security teams stay ahead of attackers rather than merely reacting to threats.

Photo by Christopher Burns on Unsplash

SOS Intelligence Webinar

From Data to Decisions – Using OSINT and CTI for Threat Detection

by Amir Hadzipasic

March 13, 2025

How to turn open-source intelligence into actionable cybersecurity insights

For our second webinar of 2025 we are going to be discussing the using OSINT and CTI for Threat Detection.

What are these we hear you say!? Read on and sign up!

——

Join us on Wednesday March 26th – 4pm UK time

Who is this for?

Anyone in a business or organisation who has responsibility for online security.
CTOs or senior managers who want to understand these key threats
IT / Cyber Security teams

What we will cover:

OSINT in Cyber Threat Intelligence (CTI)
Why Structured OSINT Collection Matters
Operationalising OSINT – The Intelligence Workflow
Define Intelligence Requirements
Identifying & Verifying OSINT Sources
Collecting & Processing OSINT Data
Validating & Acting on Intelligence
Reporting OSINT to Security Teams
Dark Web OSINT – The Hidden Cybercrime Marketplace
What’s Sold on the Dark Web?
Safe & Ethical Dark Web Monitoring
Case Studies
Automating OSINT & Dark Web Monitoring
Best Practices for Integrating OSINT into Security

Photo by Gregoire Jeanneau on Unsplash

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

cyber threat intelligence

Planning Your Sock Puppet Strategy

Crafting a Believable Identity

Risks, Red Flags, and Account Burnout

The Evolving Landscape of Threat Actor Platforms

Alternative Threat Actor Channels

Why the Shift Away from the Dark Web?

Implications for Threat Intelligence Teams

Case Examples

Conclusion

What is the Analysis of Competing Hypotheses?

The ACH Process Step-by-Step

Practical Example: ACH in Action

Benefits and Limitations of ACH

Tools and Resources

Conclusion

Who is this for?

What we will cover:

Why Evaluation Matters in OSINT

Core Evaluation Criteria

Source Evaluation Techniques

Practical Tips for Evaluators

Case Study: Misidentification in the Boston Marathon Bombing

Conclusion: Evaluation Is the Heart of Effective OSINT

The Intelligence Cycle: Transforming OSINT into Actionable Intelligence

Breaking Down the Intelligence Cycle

Defining OSINT in CTI

Developing an Action Plan Based on OSINT Findings

How OSINT Played a Role in the Attack

Conclusion & Key Takeaways

Final Thoughts

How to turn open-source intelligence into actionable cybersecurity insights

What we will cover:

Recent Posts

Recent Comments