Core Doctrine & Frameworks
This section establishes the foundational principles for all operations, ensuring every action is legally compliant, operationally secure, and strategically sound.
Critical OPSEC Best Practices
A non-negotiable checklist for maintaining operational integrity and security.
- Isolated Environments: All OSINT activities must be conducted from dedicated, hardened virtual machines (VMs).
- Prioritize Self-Hosting: Use self-hosted tools for sensitive investigations to prevent data leakage.
- Network Obfuscation: All traffic must be routed through approved, non-attributable infrastructure (e.g., VPNs).
- Secure API Key Management: Use a centralized, secure system for API keys.
- Secure Evidence Handling: Maintain a clear chain of custody and handle exploit code on sandboxed systems.
UK Legal Framework
Direct links to the governing legislation that provides the legal basis for and boundaries of your work.
- Computer Misuse Act 1990
- Investigatory Powers Act 2016
- College of Policing - Cybercrime APP
Software License Implications
A quick-reference guide to understanding the legal obligations of the open-source tools being used.
- Permissive (MIT, Apache 2.0): Ideal for government use; allows modification and internal use without restriction.
- Copyleft (GPL): Internal use is fine. Distribution of modified versions requires source code release.
- Strong Copyleft (AGPL): If a modified version is provided as a network service, source code must be released.
- Custom (NPSL): Prohibits redistribution within proprietary software without an OEM license.
Phase 1: Passive Reconnaissance & Footprinting
Gather a broad baseline of intelligence without directly interacting with the target's infrastructure, ensuring maximum stealth.
theHarvester
A classic command-line tool for passive reconnaissance, gathering emails, subdomains, and employee names from over 40 public sources like search engines and breach datasets. It aggregates a wide spectrum of digital footprint data into a single report.
- Type: Passive OSINT
- OPSEC: Queries to public sources originate from the operator's IP; must be run from a non-attributable network for covert engagements.
SpiderFoot
An automated OSINT reconnaissance tool that queries over 200 data sources to build a comprehensive profile of a target (IP, domain, email, etc.).
- Type: Automated OSINT
- OPSEC: Use the self-hosted version for maximum data control and to eliminate third-party exposure risk.
Social-Analyzer
A powerful tool to find user profiles across more than 1,000 social networks and websites, using multi-layer detection like OCR and string analysis.
- Type: Username Search (SOCMINT)
- OPSEC: Self-host to ensure sensitive search queries are not logged by a third party.
Wayback Machine
An invaluable internet archive for viewing historical versions of websites. It can reveal old pages, files, or staff directories that have since been removed from a target's site.
ExifTool
A tool to scrape documents and images for hidden metadata, which can expose valuable intelligence like author usernames, software versions, and GPS coordinates.
Phase 2: Network & Signals Intelligence (SIGINT)
Listen to and analyze signals and network traffic to gather deeper intelligence. This phase is passive but may require a degree of proximity or privileged access.
WiGLE
A global, crowdsourced database of Wi-Fi access points and their GPS locations, essential for identifying a target organization's wireless networks without physical surveying.
Kismet
A renowned open-source wireless sniffer and intrusion detection tool that passively monitors and logs Wi-Fi and Bluetooth signals, detecting all networks (including hidden SSIDs).
Wireshark
The world's most widely used network protocol analyzer for capturing and interactively browsing network traffic. It can decode thousands of protocols and is invaluable for inspecting captured communications in detail.
- Type: Passive
- OPSEC: A purely passive capture tool that does not generate network packets of its own (keep network name resolution disabled, as it would otherwise emit DNS lookups), making it highly stealthy for covert intelligence gathering on a network segment.
Phase 3: Active Analysis & Vulnerability Discovery
Nmap
The global standard for active network discovery and security auditing. It sends packets to discover open ports, running services, and OS versions on target hosts. Its power is extended by the Nmap Scripting Engine (NSE), which can check for specific vulnerabilities.
- Type: Active
- OPSEC: Inherently overt; generates significant, detectable network traffic to the target.
- License: NPSL, which prohibits redistribution in proprietary products without an OEM license.
Shodan
An internet-wide search engine for discovering connected devices such as IoT, webcams, databases, and ICS/SCADA systems. It continuously indexes open ports and service banners from its own scanning, helping to identify unsecured services or unpatched systems without the operator sending traffic to the target.
OWASP ZAP
An essential tool for finding vulnerabilities in web applications. It acts as a man-in-the-middle proxy to inspect and modify traffic, and includes powerful active and passive scanners to find flaws like SQL injection.
- Type: Active Scanner / Proxy
- OPSEC: Active scanning is an overt attack and must be authorized. Passive scanning mode is much lower risk.
Phase 4: Prioritization, Exploitation & Analysis
Make sense of discovered vulnerabilities, validate their impact using threat intelligence, and analyze potentially hostile code.
CISA KEV Catalog
The definitive, government-backed list of vulnerabilities that are not just theoretical risks but are proven to be actively exploited by malicious actors in the wild.
- Type: Intelligence Database
- Use Case: This is the primary tool for prioritizing efforts. A vulnerability on the KEV list is a far more urgent threat than one with a high CVSS score but no known exploits.
Exploit-DB
One of the largest and most respected public archives of exploit code, shellcode, and proofs-of-concept (PoCs). It is the primary resource for finding functional code to demonstrate a vulnerability's impact.
- Type: Intelligence Database
- OPSEC: All exploit code must be treated as malicious and handled only in a dedicated, sandboxed environment.
Ghidra
A powerful, NSA-developed suite of software reverse engineering tools for deep analysis of malicious code and discovering vulnerabilities.
Specialized Investigation Theaters
Tools and workflows for specific, complex operational environments like the dark web and for synthesizing large amounts of data.
Dark Web Workflow
A tiered approach for dark web investigations, moving from broad discovery to deep analysis.
- Discovery: Use Ahmia.fi as a search engine to find .onion sites. Must be accessed via its .onion address.
- Targeted Analysis: Use OnionScan to probe a specific hidden service for OPSEC weaknesses.
- Mass Collection: Use OWASP TorBot to crawl and scrape data from thousands of sites.
Maltego
The industry standard for graphical link analysis, creating interactive maps to visualize and discover complex relationships between hosts, people, and other data points gathered throughout an investigation.
- OPSEC: High Risk. Queries are processed through Maltego's commercial servers, exposing investigation metadata. Best suited for the final analysis phase when data points are less sensitive.