MC-07

Passive reconnaissance, Shodan, Maltego, WHOIS, Google Dorks, people and company intelligence gathering.

12 lessons3 topicsBeginnerShodan + Maltego

Start Learning ← All Courses

kali@cyby-lab: ~

$ theHarvester -d target.com -b google,linkedin

[*] Ищу через Google...

[+] [email protected]

[+] dev.target.com (поддомен)

[+] api.target.com (поддомен)

$ █

Why this matters right now

OSINT — the first step of any cyberattack and investigation

93%of breaches start with OSINT reconnaissance

2.5Bdevices indexed in Shodan

73%of passwords can be found in leaked databases

OSINTis used in 100% of Red Team operations

After the course you will be able to

Not abstract knowledge — concrete skills you can demonstrate in an interview

Google Dorks: advanced search with site, filetype, inurl operators

Shodan: find vulnerable devices, cameras and servers worldwide

theHarvester: collect email addresses and subdomains of a target

Maltego: build a relationship graph map between entities

WHOIS and DNS recon: domain history and infrastructure

SubFinder and Amass: target subdomain discovery

Certificate Transparency: find subdomains via SSL certificates

Write a professional OSINT report

Real investigations in the course

Every lesson is built on real investigations and Bug Bounty cases

Real case2020

Twitter Bitcoin Scam 2020

OSINT investigators uncovered the identities of hackers who compromised accounts of Obama, Musk and Biden by tracing digital footprints in Discord, GitHub and public records.

Topic 02 · OSINT Tools

Real case2018

Bellingcat: identifying GRU agents

Bellingcat identified GRU agents through flight tickets, hotels, phones and leaked databases. Only public data — no hacking involved.

Topic 01 · Passive Reconnaissance

Success story2023

Bug Bounty: $15k for SubDomain Takeover

A researcher found a forgotten company subdomain pointing to a non-existent S3 bucket via OSINT, claimed it and received a $15,000 reward.

Topic 03 · Active Reconnaissance

Course Program

3 topics · 12 lessons · from Google Dorks to Maltego and the final OSINT report

Google Dorking: advanced search operators

DNS records and WHOIS analysis

Finding data leaks and email addresses

Social media and metadata reconnaissance

Where this course leads

MC-07 — a foundational skill for three in-demand cybersecurity specializations

$1,500 — $4,000/mo

OSINT Analyst

Gather intelligence on targets from open sources for pentests and investigations.

MaltegoShodantheHarvesterOSINT Framework

Track:FC-01 → MC-07 → Threat Intel

$2,500 — $6,000/mo

Threat Intelligence

Analyze threats, track APT groups and provide analytics for SOC and management.

MISPCTIOSINTDark Web monitoring

Track:MC-07 → FC-06 → Threat Intel

$2,000 — $5,000/mo

Pentester

Use OSINT as the first phase of a pentest to gather target information and find entry points.

ReconnaissanceSubDomain enumGoogle DorksShodan

Track:MC-07 → FC-03 → MC-01

Who this course is for

OSINT Analysts

Want to systematize your knowledge and master professional reconnaissance tools

Pentesters

Want to strengthen the recon phase and find more attack surface before active engagement

Bug Bounty

Looking for subdomains, leaks and forgotten company assets to find vulnerabilities

Master OSINT
and target recon
today

12 lessons, Shodan, Maltego and hands-on practice on real targets.

Start Learning ← All Courses

MC-07● Available

OSINT & Reconnaissance

Level: beginner

12 lessons

video + practice

3 topics

by topic

Beginner

difficulty level

Shodan + Maltego

core tools

Google Dorks and Shodan

Maltego: relationship graph

SubFinder and Amass

Professional OSINT report