Billy O'Sint
@billy-o-sint.bsky.social
Thinking out loud about OSINT, threat assessment, and investigative research. Cleared security background. Open to new opportunities
8/ Final takeaway
OSINT isn’t about loyalty to a search engine.
It’s about perspective.
Different engines show different versions of the same internet.
Good analysts compare them.
OSINT isn’t about loyalty to a search engine.
It’s about perspective.
Different engines show different versions of the same internet.
Good analysts compare them.
February 5, 2026 at 3:01 PM
8/ Final takeaway
OSINT isn’t about loyalty to a search engine.
It’s about perspective.
Different engines show different versions of the same internet.
Good analysts compare them.
OSINT isn’t about loyalty to a search engine.
It’s about perspective.
Different engines show different versions of the same internet.
Good analysts compare them.
7/ Regional engines matter
Looking into non-U.S. activity?
Try engines popular where the subject lives.
Local indexing often reveals:
• forums
• marketplaces
• news coverage Google barely surfaces
Looking into non-U.S. activity?
Try engines popular where the subject lives.
Local indexing often reveals:
• forums
• marketplaces
• news coverage Google barely surfaces
February 5, 2026 at 3:01 PM
7/ Regional engines matter
Looking into non-U.S. activity?
Try engines popular where the subject lives.
Local indexing often reveals:
• forums
• marketplaces
• news coverage Google barely surfaces
Looking into non-U.S. activity?
Try engines popular where the subject lives.
Local indexing often reveals:
• forums
• marketplaces
• news coverage Google barely surfaces
6/ DuckDuckGo: perspective check
DuckDuckGo pulls from multiple sources with lighter filtering.
It’s useful for:
• reducing personalization bias
• sanity-checking narratives
• seeing how topics appear without heavy ranking influence
DuckDuckGo pulls from multiple sources with lighter filtering.
It’s useful for:
• reducing personalization bias
• sanity-checking narratives
• seeing how topics appear without heavy ranking influence
February 5, 2026 at 3:01 PM
6/ DuckDuckGo: perspective check
DuckDuckGo pulls from multiple sources with lighter filtering.
It’s useful for:
• reducing personalization bias
• sanity-checking narratives
• seeing how topics appear without heavy ranking influence
DuckDuckGo pulls from multiple sources with lighter filtering.
It’s useful for:
• reducing personalization bias
• sanity-checking narratives
• seeing how topics appear without heavy ranking influence
5/ Yandex: image & pattern recognition
Yandex shines with:
• reverse image search
• alternate image crops
• non-Western sources
If you’re doing image-based attribution, Google isn’t always the best first stop.
Yandex shines with:
• reverse image search
• alternate image crops
• non-Western sources
If you’re doing image-based attribution, Google isn’t always the best first stop.
February 5, 2026 at 3:01 PM
5/ Yandex: image & pattern recognition
Yandex shines with:
• reverse image search
• alternate image crops
• non-Western sources
If you’re doing image-based attribution, Google isn’t always the best first stop.
Yandex shines with:
• reverse image search
• alternate image crops
• non-Western sources
If you’re doing image-based attribution, Google isn’t always the best first stop.
4/ Bing: surprisingly useful
Bing often indexes:
• older pages
• edge-case domains
• content Google quietly drops
If something “used to exist,” Bing is often worth a check.
Bing often indexes:
• older pages
• edge-case domains
• content Google quietly drops
If something “used to exist,” Bing is often worth a check.
February 5, 2026 at 3:01 PM
4/ Bing: surprisingly useful
Bing often indexes:
• older pages
• edge-case domains
• content Google quietly drops
If something “used to exist,” Bing is often worth a check.
Bing often indexes:
• older pages
• edge-case domains
• content Google quietly drops
If something “used to exist,” Bing is often worth a check.
3/ Google’s strengths (and limits)
Google excels at:
• polished content
• mainstream sites
• SEO-optimized material
It struggles with:
• archived content
• regional platforms
• anything deliberately de-ranked or removed
Google excels at:
• polished content
• mainstream sites
• SEO-optimized material
It struggles with:
• archived content
• regional platforms
• anything deliberately de-ranked or removed
February 5, 2026 at 3:01 PM
3/ Google’s strengths (and limits)
Google excels at:
• polished content
• mainstream sites
• SEO-optimized material
It struggles with:
• archived content
• regional platforms
• anything deliberately de-ranked or removed
Google excels at:
• polished content
• mainstream sites
• SEO-optimized material
It struggles with:
• archived content
• regional platforms
• anything deliberately de-ranked or removed
2/ Why this matters
Search engines filter differently.
They index differently.
They remove content differently.
That means what you don’t see can be just as important as what you do.
Search engines filter differently.
They index differently.
They remove content differently.
That means what you don’t see can be just as important as what you do.
February 5, 2026 at 3:01 PM
2/ Why this matters
Search engines filter differently.
They index differently.
They remove content differently.
That means what you don’t see can be just as important as what you do.
Search engines filter differently.
They index differently.
They remove content differently.
That means what you don’t see can be just as important as what you do.
11/
One warning:
If you interact with what you find, you may change the environment.
Search operators are about observation, not engagement.
OSINT isn’t about fancy tools.
It’s about asking better questions of data that already exists.
Google just happens to answer very honestly.
One warning:
If you interact with what you find, you may change the environment.
Search operators are about observation, not engagement.
OSINT isn’t about fancy tools.
It’s about asking better questions of data that already exists.
Google just happens to answer very honestly.
February 4, 2026 at 9:21 PM
11/
One warning:
If you interact with what you find, you may change the environment.
Search operators are about observation, not engagement.
OSINT isn’t about fancy tools.
It’s about asking better questions of data that already exists.
Google just happens to answer very honestly.
One warning:
If you interact with what you find, you may change the environment.
Search operators are about observation, not engagement.
OSINT isn’t about fancy tools.
It’s about asking better questions of data that already exists.
Google just happens to answer very honestly.
10/
This is especially useful for:
– Threat assessments
– Due diligence
– Pre-incident context
– Executive protection research
– Corporate investigations
This is especially useful for:
– Threat assessments
– Due diligence
– Pre-incident context
– Executive protection research
– Corporate investigations
February 4, 2026 at 9:21 PM
10/
This is especially useful for:
– Threat assessments
– Due diligence
– Pre-incident context
– Executive protection research
– Corporate investigations
This is especially useful for:
– Threat assessments
– Due diligence
– Pre-incident context
– Executive protection research
– Corporate investigations
9/
You can chain operators together:
site:gov filetype:pdf intext:"risk assessment"
Now you’re not browsing — you’re collecting.
You can chain operators together:
site:gov filetype:pdf intext:"risk assessment"
Now you’re not browsing — you’re collecting.
February 4, 2026 at 9:21 PM
9/
You can chain operators together:
site:gov filetype:pdf intext:"risk assessment"
Now you’re not browsing — you’re collecting.
You can chain operators together:
site:gov filetype:pdf intext:"risk assessment"
Now you’re not browsing — you’re collecting.
8/
Quotation marks matter more than people think.
"incident response plan"
vs
incident response plan
One finds a phrase. The other finds vibes.
Quotation marks matter more than people think.
"incident response plan"
vs
incident response plan
One finds a phrase. The other finds vibes.
February 4, 2026 at 9:21 PM
8/
Quotation marks matter more than people think.
"incident response plan"
vs
incident response plan
One finds a phrase. The other finds vibes.
Quotation marks matter more than people think.
"incident response plan"
vs
incident response plan
One finds a phrase. The other finds vibes.
7/
intext: looks inside page content.
Example:
intext:"confidential"
intext:"do not distribute"
This is how you find things people assumed no one would search for.
intext: looks inside page content.
Example:
intext:"confidential"
intext:"do not distribute"
This is how you find things people assumed no one would search for.
February 4, 2026 at 9:21 PM
7/
intext: looks inside page content.
Example:
intext:"confidential"
intext:"do not distribute"
This is how you find things people assumed no one would search for.
intext: looks inside page content.
Example:
intext:"confidential"
intext:"do not distribute"
This is how you find things people assumed no one would search for.
6/
inurl: searches for keywords inside the URL itself.
Example:
inurl:admin
inurl:login
inurl:backup
Not exploitation — just visibility into exposed surfaces.
inurl: searches for keywords inside the URL itself.
Example:
inurl:admin
inurl:login
inurl:backup
Not exploitation — just visibility into exposed surfaces.
February 4, 2026 at 9:21 PM
6/
inurl: searches for keywords inside the URL itself.
Example:
inurl:admin
inurl:login
inurl:backup
Not exploitation — just visibility into exposed surfaces.
inurl: searches for keywords inside the URL itself.
Example:
inurl:admin
inurl:login
inurl:backup
Not exploitation — just visibility into exposed surfaces.
5/
Common high-value filetypes to try:
– pdf
– xlsx / csv
– docx
– pptx
– txt
Each tells a different story about how an org handles information.
Common high-value filetypes to try:
– xlsx / csv
– docx
– pptx
– txt
Each tells a different story about how an org handles information.
February 4, 2026 at 9:21 PM
5/
Common high-value filetypes to try:
– pdf
– xlsx / csv
– docx
– pptx
– txt
Each tells a different story about how an org handles information.
Common high-value filetypes to try:
– xlsx / csv
– docx
– pptx
– txt
Each tells a different story about how an org handles information.
4/
Next: filetype:
This one’s gold in investigations.
Example:
site:company.com filetype:xlsx
You’d be surprised how many spreadsheets were never meant to be public.
Next: filetype:
This one’s gold in investigations.
Example:
site:company.com filetype:xlsx
You’d be surprised how many spreadsheets were never meant to be public.
February 4, 2026 at 9:21 PM
4/
Next: filetype:
This one’s gold in investigations.
Example:
site:company.com filetype:xlsx
You’d be surprised how many spreadsheets were never meant to be public.
Next: filetype:
This one’s gold in investigations.
Example:
site:company.com filetype:xlsx
You’d be surprised how many spreadsheets were never meant to be public.
3/
Let’s start simple: site:
This limits results to a specific domain.
Example:
site:company.com security
Great for finding forgotten pages, old policies, or exposed portals.
Let’s start simple: site:
This limits results to a specific domain.
Example:
site:company.com security
Great for finding forgotten pages, old policies, or exposed portals.
February 4, 2026 at 9:21 PM
3/
Let’s start simple: site:
This limits results to a specific domain.
Example:
site:company.com security
Great for finding forgotten pages, old policies, or exposed portals.
Let’s start simple: site:
This limits results to a specific domain.
Example:
site:company.com security
Great for finding forgotten pages, old policies, or exposed portals.
2/
Most people Google like this:
company name breach
Investigators Google like this:
site:example.com filetype:pdf "internal use only"
Very different outcomes.
Most people Google like this:
company name breach
Investigators Google like this:
site:example.com filetype:pdf "internal use only"
Very different outcomes.
February 4, 2026 at 9:21 PM
2/
Most people Google like this:
company name breach
Investigators Google like this:
site:example.com filetype:pdf "internal use only"
Very different outcomes.
Most people Google like this:
company name breach
Investigators Google like this:
site:example.com filetype:pdf "internal use only"
Very different outcomes.
8/
Lesson learned:
Sockpuppets aren’t just about hiding you.
They’re about not becoming part of the story.
Sometimes the best OSINT move is the least exciting one:
No comments.
No reactions.
No footprint.
Just patience.
Tools don’t ruin investigations.
Unclear purpose does.
Lesson learned:
Sockpuppets aren’t just about hiding you.
They’re about not becoming part of the story.
Sometimes the best OSINT move is the least exciting one:
No comments.
No reactions.
No footprint.
Just patience.
Tools don’t ruin investigations.
Unclear purpose does.
February 4, 2026 at 2:50 PM
8/
Lesson learned:
Sockpuppets aren’t just about hiding you.
They’re about not becoming part of the story.
Sometimes the best OSINT move is the least exciting one:
No comments.
No reactions.
No footprint.
Just patience.
Tools don’t ruin investigations.
Unclear purpose does.
Lesson learned:
Sockpuppets aren’t just about hiding you.
They’re about not becoming part of the story.
Sometimes the best OSINT move is the least exciting one:
No comments.
No reactions.
No footprint.
Just patience.
Tools don’t ruin investigations.
Unclear purpose does.
7/
End result?
– Lost visibility
– Contaminated timeline
– No clean baseline of intent
Not because the sockpuppet failed — but because it worked too well.
End result?
– Lost visibility
– Contaminated timeline
– No clean baseline of intent
Not because the sockpuppet failed — but because it worked too well.
February 4, 2026 at 2:50 PM
7/
End result?
– Lost visibility
– Contaminated timeline
– No clean baseline of intent
Not because the sockpuppet failed — but because it worked too well.
End result?
– Lost visibility
– Contaminated timeline
– No clean baseline of intent
Not because the sockpuppet failed — but because it worked too well.
6/
Worse: a few members got suspicious. They didn’t know who the sockpuppet was — but they knew it didn’t belong. The group fragmented, moved platforms, and went quieter.
Worse: a few members got suspicious. They didn’t know who the sockpuppet was — but they knew it didn’t belong. The group fragmented, moved platforms, and went quieter.
February 4, 2026 at 2:50 PM
6/
Worse: a few members got suspicious. They didn’t know who the sockpuppet was — but they knew it didn’t belong. The group fragmented, moved platforms, and went quieter.
Worse: a few members got suspicious. They didn’t know who the sockpuppet was — but they knew it didn’t belong. The group fragmented, moved platforms, and went quieter.
5/
Except… they weren’t.
They were seeing reaction — not reality.
Later review showed several users were responding to the sockpuppet itself. Trying to impress. Trying to provoke. The presence of the account changed the behavior being measured.
Except… they weren’t.
They were seeing reaction — not reality.
Later review showed several users were responding to the sockpuppet itself. Trying to impress. Trying to provoke. The presence of the account changed the behavior being measured.
February 4, 2026 at 2:50 PM
5/
Except… they weren’t.
They were seeing reaction — not reality.
Later review showed several users were responding to the sockpuppet itself. Trying to impress. Trying to provoke. The presence of the account changed the behavior being measured.
Except… they weren’t.
They were seeing reaction — not reality.
Later review showed several users were responding to the sockpuppet itself. Trying to impress. Trying to provoke. The presence of the account changed the behavior being measured.
4/
The sockpuppet engaged.
A like here. A supportive comment there. Nothing aggressive — just enough to seem real.
Within days, the tone of the group shifted. Members started posting more extreme takes. More bravado. More performative threats. The analyst thought: “Great, we’re seeing escalation.”
The sockpuppet engaged.
A like here. A supportive comment there. Nothing aggressive — just enough to seem real.
Within days, the tone of the group shifted. Members started posting more extreme takes. More bravado. More performative threats. The analyst thought: “Great, we’re seeing escalation.”
February 4, 2026 at 2:50 PM
4/
The sockpuppet engaged.
A like here. A supportive comment there. Nothing aggressive — just enough to seem real.
Within days, the tone of the group shifted. Members started posting more extreme takes. More bravado. More performative threats. The analyst thought: “Great, we’re seeing escalation.”
The sockpuppet engaged.
A like here. A supportive comment there. Nothing aggressive — just enough to seem real.
Within days, the tone of the group shifted. Members started posting more extreme takes. More bravado. More performative threats. The analyst thought: “Great, we’re seeing escalation.”
3/
The account looked fine on paper:
– Realistic name
– Old profile photo
– Some filler posts
But the mistake wasn’t the setup. It was what came next.
The account looked fine on paper:
– Realistic name
– Old profile photo
– Some filler posts
But the mistake wasn’t the setup. It was what came next.
February 4, 2026 at 2:50 PM
3/
The account looked fine on paper:
– Realistic name
– Old profile photo
– Some filler posts
But the mistake wasn’t the setup. It was what came next.
The account looked fine on paper:
– Realistic name
– Old profile photo
– Some filler posts
But the mistake wasn’t the setup. It was what came next.