OSINT & Reconnaissance

MC-07

Passive reconnaissance, Shodan, Maltego, WHOIS, Google Dorks, people and company intelligence gathering.

12 lessons3 modulesBeginnerShodan + Maltego

Start Learning ← All Courses

kali@cyby-lab: ~

$ theHarvester -d target.com -b google,linkedin

[*] Searching Google...

[+] [email protected]

[+] dev.target.com (subdomain)

[+] api.target.com (subdomain)

$ █

+120 XP

Why this matters right now

OSINT — the first step of any cyberattack and investigation

93%of breaches start with OSINT reconnaissance

2.5Bdevices indexed in Shodan

73%of passwords can be found in leaked databases

OSINTis used in 100% of Red Team operations

After the course you will be able to

Not abstract knowledge — concrete skills you can demonstrate in an interview

🔍Google Dorks: advanced search with site, filetype, inurl operators

📡Shodan: find vulnerable devices, cameras and servers worldwide

✉️theHarvester: collect email addresses and subdomains of a target

🕸️Maltego: build a relationship graph map between entities

🌐WHOIS and DNS recon: domain history and infrastructure

🔎SubFinder and Amass: target subdomain discovery

📋Certificate Transparency: find subdomains via SSL certificates

📝Write a professional OSINT report

Real investigations in the course

Every lesson is built on real investigations and Bug Bounty cases

Real case2020

Twitter Bitcoin Scam 2020

OSINT investigators uncovered the identities of hackers who compromised accounts of Obama, Musk and Biden by tracing digital footprints in Discord, GitHub and public records.

Module 02 · OSINT Tools

Real case2018

Bellingcat: identifying GRU agents

Bellingcat identified GRU agents through flight tickets, hotels, phones and leaked databases. Only public data — no hacking involved.

Module 01 · Passive Reconnaissance

Success story2023

Bug Bounty: $15k for SubDomain Takeover

A researcher found a forgotten company subdomain pointing to a non-existent S3 bucket via OSINT, claimed it and received a $15,000 reward.

Module 03 · Active Reconnaissance

Course Program

3 modules · 12 lessons · from Google Dorks to Maltego and the final OSINT report

Where this course leads

MC-07 — a foundational skill for three in-demand cybersecurity specializations

$1,500 — $4,000/mo

OSINT Analyst

Gather intelligence on targets from open sources for pentests and investigations.

MaltegoShodantheHarvesterOSINT Framework

Track:FC-01 → MC-07 → Threat Intel

$2,500 — $6,000/mo

Threat Intelligence

Analyze threats, track APT groups and provide analytics for SOC and management.

MISPCTIOSINTDark Web monitoring

Track:MC-07 → FC-06 → Threat Intel

$2,000 — $5,000/mo

Pentester

Use OSINT as the first phase of a pentest to gather target information and find entry points.

ReconnaissanceSubDomain enumGoogle DorksShodan

Track:MC-07 → FC-03 → MC-01

Who this course is for

🔍

OSINT Analysts

Want to systematize your knowledge and master professional reconnaissance tools

🌐

Pentesters

Want to strengthen the recon phase and find more attack surface before active engagement

🏆

Bug Bounty

Looking for subdomains, leaks and forgotten company assets to find vulnerabilities

Master OSINT
and target recon
today

12 lessons, Shodan, Maltego and hands-on practice on real targets.

Start Learning ← All Courses

MC-07● Available

Level: beginner

12 lessons

video + practice

3 modules

by topic

Beginner

difficulty level

Shodan + Maltego

core tools

Google Dorks and Shodan

Maltego: relationship graph

SubFinder and Amass

Professional OSINT report