Matthias Wilson, Intelligence Trainer and Consultant in the OSINT industry, joins us on the latest episode of From the Source—The Blackdot Podcast. He discusses practising OSINT outside of work, running artificial intelligence (AI) locally, and digital hygiene for personal security.
With experience that spans the military, Allianz, BMW Group and founding his own OSINT consulting company, Matthias shares his wealth of knowledge and insight. You can read the highlights below or listen to the full episode here: From Military Intelligence to OSINT Expert.
Matthias first became interested in Open-Source Intelligence (OSINT) as a teenager, although at the time, he only used it to find message boards to help him with school essays. Eventually, he began working in military intelligence, where he stayed for 17 years before moving into the private sector. He spent three years at BMW, working on digital personal security and technical surveillance countermeasures (TSCM). Now, he has his own consulting business, PLOSINT, which provides OSINT training, primarily to law enforcement.
When asked about AI in OSINT, Matthias explained that he is trying to run an AI model locally (directly within his computer) instead of using commercial chatbots. Using common local AI clients, like AnythingLLM and GPT4All, he aims to run a local Agentic Retrieval-Augmented Generation (ARAG) system to query his data. However, he has found that it isn’t easy to do this if you’re using older hardware or standard business laptops without dedicated GPU power or VRAM.
“The other day, I uploaded a couple of documents that were 200 megabytes, and that took like an hour to ingest before I could even do anything,” explains Matthias. “And then every time I would query the local AI on that data, it would take between two and five minutes for it to make up its mind and come back with an answer.”
He adds that everything you put online can be intercepted, so you should be careful with online AI tools. If you’re working with sensitive data, such as in an intelligence agency or law enforcement, it is important to refrain from using AI designed for consumers. However, he also explains that Google provides biased results and remembers what we previously searched for, so questions whether there’s a huge difference in security.
Before AI, something as simple as geolocating an image would take time and analysis, and wouldn’t generate an immediate result. Matthias worries that in addition to security concerns, AI can also make us lazy.
“With a lot of these tools and platforms, they might immediately come back with a good result,” explains Matthias. “And that's great. If it works, it's fine. Please use it! But if they don't come back with a good result, then, again, you have to do this yourself and invest the time.”
He believes that manual OSINT work is vital to improving one's skills, comparing it to driving a car.
“You're going to work, coming back, and there's nothing special about it,” he explains. “So, what is the difference between the daily commuter and a race car driver? They're testing themselves on different tracks with different techniques in various scenarios.”
When applying this to OSINT, he believes that investigators and analysts must try a lot of different scenarios and investigations where they stumble upon roadblocks and don't have an answer. This way, he considers that they can challenge themselves and get better.
“So it's not just practice or a lot of practice. It's also what you practice on,” he adds.
Matthias explains that you must always distinguish between the information and the source in any intelligence work.
“Is it AI-generated? Is it maybe propaganda, fake news, whatever you want to call it,” he begins. “But this immediately leads back to the point... Who spread this information, and how credible are they? Are they a reliable source or not?”
It’s not just about verifying the information but also about investigating the entity that shared it. This translates to the Admiralty Code that Matthias used in military intelligence. He explains that OSINT professionals often miss the step of assessing a source's credibility.
When Matthias worked at BMW, his job was to ensure the safety and security of the board members. This included ensuring what he called ‘digital hygiene’: being careful about what you share online, and what other people share about you. While this sounds simple, it’s easy to underestimate the capabilities of OSINT investigators, especially with geolocation skills. For example, a child uploading content to TikTok or Instagram that they don’t realise can be geolocated may lead back to a private address.
“The bottom line is, just be sure of what you are sharing online or people close to you are sharing online,” he says. “Try to get a feeling for how this can impact my life, my personal security, my digital security.”
Matthias explains that those interested in OSINT must understand the fundamentals of intelligence analysis, which many courses can provide. Then, it’s about getting better at what you do. He suggests sitting down and building your own case from time to time. For example, understanding who is behind a website.
“Is this a legit shop or is it a fake shop? Where is the company registered?” He begins. “And, all of a sudden, you're in an OSINT investigation where you can get into like a more technical domain-based OSINT research, but at the same time, also company research. So that's just one example. Constantly practise this.”
Listen to From Military Intelligence to OSINT Expert with Matthias Wilson in full and stay tuned for even more OSINT insight on Blackdot’s next podcast episode.