In this episode, Matthew Stibbe interviews Alex Lozano, CEO of Cibergy and OCINT professor at UAB in Barcelona. They discuss the integration of OSINT (Open Source Intelligence) into corporate security. They explore the evolving role of AI in OSINT, the challenges posed by over-reliance on technology, and the importance of a structured approach to teaching OSINT methodologies. The conversation also highlights the necessity for companies to adapt to new social media platforms and the critical need for OSINT specialists in corporate security teams.
Matthew Stibbe (00:02.094) All right, Well, hello there. Welcome to From the Source, the Blackdot podcast. I'm your host, Matthew Stibbe and today I'm talking to Alex Lozano, who is CEO at Cibergy and OSINT professor at UAB in Barcelona, right?
Yes, thanks so much for having me, Matthew. I really like the work you do, and I'm very excited to talk about OSINT today.
And we're delighted to have you on the show. And I'd like to start by asking, what in the world of OSINT are you geeking out about at the moment?
There are a lot of things going on in the world of OSINT nowadays. I see artificial intelligence on the one hand that it's catching a lot of our attention, new capabilities, new ways of doing things. I also like the way, and that's where my expertise relies on, on how we can adapt these both OSINT and artificial intelligence into corporate security.
So I'm working different projects related to both of these things that I'm sure we will be able to talk more about them through the session.
Matthew Stibbe (01:15.072) I think we're going to talk a bit about AI. So before we get there, though, tell me a little bit about Cybergy and the work that you do there.
Cibergy was born, three years ago. I used to work as a private investigator and an OSINT analyst, in another company. We're based in Barcelona. I'm from Barcelona. I used to work there and I worked there for around eight years until at some point I decided I, I got into OSINT a lot. started studying. I did some courses. I even did a master's in cyber intelligence and then
I was ready or I thought I was ready to create Cibergy. So Cibergy starts as an investigation firm. We were helping our clients in gathering information, analysing that information and just solving or trying to give as much intelligence as possible for different reasons, different problems they have.
Slowly we have been evolving. We created recently, last year, we created what's called OSINT Excellence, which is an online academy. And then we are working more and more into the corporate security space, adapting how OSINT, how can we use OSINT methodologies, tools and techniques into the security environment. So that's what Cybergy is.
And that's where I'm working 100%. Then I also teach at the Universidad Autónoma Barcelona. I'm an OSINT professor and that's my work right now.
Matthew Stibbe (03:06.978) And when you talk about corporate security, what sort of things does that mean and how does OSINT play a part in that?
Alex Lozano (04:00.942) OSINT can be used in a lot of ways. Basically, what we're trying to do with integration of OSINT into corporate security is to update the field. For example, we have a lot of the things that happen nowadays happen on the online space. We have to be ready to protect both the companies and the employee through, for example, digital risk assessments, and to be able to monitor and to detect all those threats and risks that happen in the digital world and that can affect in a bad way our company and the security of our company. What other types of services or solutions can OSINT provide to the corporate security? Well, background checks, understanding what we have in front of us, who are we hiring? Who is attacking us? Who is the vendor that we have in front of us? And that combined with other due diligence methods is super important right now. We also have to manage our reputation and how the public opinion has an impact into our company or maybe our executives. We do that through social listening.
Also corporate investigations. All the companies have problems. Thus we have to develop and we must be ready to conduct the proper investigations, know where to find the information, who's behind that information, and we can only do that through OSINT. And also monitoring. In some cases we just need to monitor what's going on, what is the public talking about us, and if we can find any threats, any actors, malicious actors that can harm us in the future and all of those things that at some point can affect our company.
Matthew Stibbe (06:09.964) And how is AI affecting that kind of work? How are companies using AI for their corporate security in OSINT?
AI is something that is kind of new. Like five years ago, we weren't thinking about artificial intelligence, but right now everyone is thinking about it. So how is artificial intelligence and OSINT working together? I can see at least three big benefits, which are, first, it's giving us a huge capacity of analysing
and organising all the information we gather. Remember that the OSINT is a discipline, an intelligence discipline, thus it follows the intelligence cycle. A big step in this cycle is information gathering. Once... and that's another problem we have, sometimes this information is huge. Let's go back to the example of social media monitoring for corporate security.
We can find thousands of accounts, mentions, keywords, topics that may or may not be important for our company with the help of artificial intelligence. And even though this hasn't been developed fully, I can see in the next years a lot of advances in which artificial intelligence is going to help us organise this information, pick up
what information is the most relevant. We can see this a little bit with sentiment analysis, for example, we have tools that detect sentiment analysis, positive, negative, neutral, and then we can just focus on the negative stuff so that we can optimise our resources, our time, and our effort. So that's the first thing that I can see, big improvement in analysing and organising the information we gather.
Alex Lozano (08:21.022) A second thing which is related is the velocity or the speed in which we can do things. We don't need... and more if we mix it with advanced platforms such as Blackdot Solutions... we don't need 10 analysts. Maybe we need the half.
AI, I have to say, is replacing those analysts in some ways, but it's enabling us to gather so much information and organise it in a way that those analysts, more than replacing, they are starting to do other functions. And as a result, intelligence improves. So we're combining technology with humans
with intelligence analysts in a way that we're improving the whole system exponentially. We can do things faster. And the third thing I see are new features. New features that, again, five years ago, we couldn't think about. Let's say, for example, someone screenshots our faces right now. They can use that screenshot.
of our face to identify all of the content or a lot of content related to us on the surface web. How? Through facial recognition. We can use the same face to identify social media profiles through facial recognition, which is supported by artificial intelligence technology.
We can do that also with objects, we can do that with words, we can do that with pretty much any element that some time ago we had to do all of these manually. These new features or for example geolocation, geolocation I know some very good tools that with an image and that can help us, can help law enforcement a lot, can help human trafficking a lot.
Alex Lozano (10:31.298) can help private investigators a lot with just an image of a specific place. We can in seconds identify where was that picture taken. So those new futures are also exciting and very interesting to follow up and see what's going to come because I believe a lot of new things are going to come.
It is a period of rapid and extraordinary change. But what do you think the dangers or the challenges are with AI?
What I can see is that we are over-relying on AI and that's going to be very harmful both for our minds and for the projects we develop. Why? Because it seems like the answer AI is giving us is the correct answer or is the ideal answer and it's not. At least right now, I think that
we are smarter than AI in many things. I mentioned before the way analysing and organising things is getting better and better, but it's not perfect. In some cases, what I will say... in all the cases, we should be behind AI, use it as something that can help us and not something that can replace it or can do
all the work for us. That's one problem I can see, but I can see another problem that I'm sure you will agree with me, is that we're doing things even like everyone is doing the same. For example, if you go to social media to LinkedIn where I spend, well, I just have one LinkedIn profile... one social media profile and it's on LinkedIn. I deleted it all.
Alex Lozano (12:32.502) All the other social media just because I just want to focus on this one and I just use them for investigative purposes. But for example, you go to LinkedIn and you see the same post, the same formats or just with emails. Everyone is doing the same. I can tell you, I'm a professor at school and I can see the projects being done, assignments being done in the same exact way
with the same arguments, same format, and that's a big problem.
Well, I wanted to ask you how is it affecting the world of education? it's a... that seems to be a very worrying thing. Or are we worrying too much? mean, I remember when I was at school, we were told not to use calculators, right?
It's affecting in both ways, both positive and negative. I will start with the negative. Again, everyone's trying to do the same. They are over-relying and as a professor, if you see 20 assignments that look the same, and we're talking about, for example, executive protection, how do you associate for executive protection? And you see simple,
non-analytical answers that come from a chatGPT prompt, you start to worry and you have to fail them. Students are over-relying on artificial intelligence or in this case, chatGPT. On the other side, the access to information is huge, like...
Alex Lozano (14:14.702) the ones that really want to take advantage of artificial intelligence have improved with regards to students I had two years ago a lot. Like you can see, but I would say that's like 20%. Let's go with the 20, 80%. 20 % are using artificial intelligence in a very positive way.
and I can see those improvements.
This is a very interesting observation. It also affects my world in marketing. And I think the 20 % of people who use AI really effectively and really well to enhance their work are going to be better. And the 80 % or perhaps 60%, and then there's 20 % who are just using it to be lazy. How... I'm interested in your work at UAB, not so much now with the AI.
Exactly.
Alex Lozano (15:08.686) Take a sec.
Matthew Stibbe (15:16.482) But how do you teach people OSINT? I mean, what are the... how do you go about building a curriculum and training people?
It's not that easy. will say the challenges I have are staying updated because many of the tools we... in OSINT we have, you we have two, three, I will say two different tools. We talk in big terms. First, we have three tools developed by colleagues that are
that love to develop tools or just wanted to share with the community their work. And some of them are really awesome and have been super helpful. And on the other hand, we have advanced tools, which teams and companies spend their resources and effort to develop them. So we have these two types of tools. However, at school, again, 80 % of the tools we teach are the free ones.
Thus, you have to keep updated because one day they are going to work, the next day they are not. That's a problem I see in the OSINT world again. We talk a lot about tools, but we have to teach the concepts. What do we want to do for this? Example, executive protection. What are the steps we must follow
to protect an executive or a company? Once we know those steps and we have a checklist with everything we must do, we can associate each one of these steps to a tool. That's what I try to teach to my students. First the steps, then the tools. Why? Because we don't know if you're gonna work by yourself or you're gonna end up working in a big international company with
Alex Lozano (17:18.626) thousands of dollars of capital to invest in the best tools. It doesn't really matter if you know what are the steps you want to take. And then you can adapt to the tool and learn the tools. Of course, we do teach tools, but I say always first methodology and next tools.
It's very common in the world of OSINT, I think, for people to teach themselves or to go into the OSINT community. And I'm wondering, is there a common, I don't know, curriculum, a common set of core knowledge that everybody can learn that maybe, or is it always going to be largely self-taught and self-developed?
I can tell you about the way I started, but I believe this is developing so that you can understand. What usually we do, or people that want to start in OSINT, is just like at some point of their lives, they find out what OSINT is. Probably they have been doing OSINT for a while.
they start investigating, trying, reading about these tools, about how to do that, about how to, I don't know, extract followers from Instagram, how to geolocate images. And we have a very big and helpful community which shares a lot of this knowledge. We can find a lot of articles. We can find
videos on YouTube. So it's self-taught at the beginning. There are people that just like don't want to professionalise their... they just keep like that, just learning and learning. That's essential to keep learning. And there are others that try to just like to get a degree, related degree or to
Alex Lozano (19:41.774) study a course from, for example, SANS Institute or OSINT Academy or different institutions that we have out there. And then they are able to improve or to see at least different points of view. The problem with self teaching is that you will always, you will depend on your thoughts on the way you learn. If someone else is teaching you, you can at least improve.
Or, find a different way of doing things. In my case, I was self-taught. Then I did a course, just like a 10-hours course I found on the internet. And I ended up doing a master's in cyber intelligence, which structured... And that's why I believe also teach, unless you have been a lot of years in the field, structuring this knowledge through, for example, books or formal education.
is important for the same reasons I was mentioning before, because you need a methodology and you need a way of doing things that other individuals have proved and done before.
I'd like to move on to a different topic. I know you spent some time working with social media platforms and you told me you only now use LinkedIn, so you've deleted the other ones. How do OSINT practitioners keep up with all the new platforms that are coming out? What are the latest things that are proving useful? Where do they go to find the new insights, the new social media platforms?
Yes, so I do believe that you, unless you're working by yourself, it's impossible, but someone in your team must be a social media geek, the typical friend that has all these social media profiles and that knows everything that's going on in each one. I like to have this junior profile in my team. And then,
Alex Lozano (21:49.582) It gets to a point, for example, when I started in OSINT I had Facebook, we had Twitter, we had Instagram, we even had MySpace, or we had LinkedIn, Reddit. And now we have Discord, we have Blue Sky, we have Twitch, we have
so many things, new things coming up. I of course advise to, I said I didn't have, my only personal account was on LinkedIn, but I like to play a little bit with these platforms in some cases. What I do mostly is for example, if there's some topic that is interesting to me, I try to find that topic using these different social media platforms.
And see what type of results each one of them and in what format they give me. And that's, even though you're not an active user, it's a way to keep it updated. And always, again, we have a big community that is very helpful. So staying updated with articles, with videos, with maybe short courses.
is also very helpful to stay updated and to learn things that maybe you have skipped by yourself.
I'm kind of interested in Bluesky. Is that something that is becoming important or useful for OSINT?
Alex Lozano (23:23.072) It is because a lot of users that use Twitter are now using Bluesky and the conversations are very similar. Also, the ideology on Bluesky is kind of different from the one in Twitter, which in an OSINT standpoint, it's important and interesting to have those
points of view and I will say lastly that it's it's important because Twitter before Elon Musk and and even before him and just like I will say five years ago had the API, the access to Twitter, was huge. Like, we we could we could extract followers. We could extract conversations. We could do
a lot of things we had tools like Tweetbeaver that enabled us to to gather information to compare users. All of these things that we do in OSINT. With Elon Musk it changed... they changed. They restricted the way the way we can access to their information. However, on Bluesky this hasn't happened and and a lot of things a lot of features that enable us to gather information from Twitter that we cannot do now or at least
easily, we can do them through BlueSky. So it's an alternative.
Yes, the same thing happened in marketing. We could use the API to do quite a lot of automated things on Twitter and that's been locked down quite a lot. Good. Well, we're almost out of time, but there's one last area I would like to talk to you about. I'm interested in how organisations, businesses can integrate OSINT into their security operations, particularly if they haven't thought about it very much before.
Matthew Stibbe (25:24.524) So what is the path to integrating OSINT into corporate security?
I will say any medium to large companies should have an OSINT specialist into their security team. Because security is one thing and OSINT is another thing. You must have someone that understands OSINT, that understands the way we can gather this information and turn it into intelligence. That's essential. Depending on the budget you have, I would create a team.
And that team must be equipped and also depending on the sector you're working at. There are, for example, critical sectors such as medicine, oil, water, energy. These are big companies behind these industries.
And they must have a team, an OSINT team that protects their interests 24-7. How can we do that? With a little bit more of budget and by implementing advanced tools to our systems. Why? Because we must be able to monitor, we must be able to detect, we must be able to investigate. And in the same way, you have the best tools for
constructing a building, you need the best tool for collecting your investigations and protecting your assets, your company and your employees.
Matthew Stibbe (27:08.142) What's your sense in the corporate world about how widely used OSINT is? What percentage of companies have the right tools and the right people to integrate OSINT?
I will say right now the implementation of OSINT into the corporate world, I will say 80% of large companies, meaning large, large companies are integrating OSINT. Some of them are doing it better or worse, or at least they externalise these services to consulting companies such as mine.
It's good because cybersecurity is demanding the OSINT role and they are seeing the way they need this OSINT specialist within the cybersecurity....
Cybersecurity ...is the sort of gateway drug for OSINT more widely. yeah, I understand. Yes, I could imagine that. good. Well, that's a fascinating insight. And I think that's a good place for us to bring this episode to a finish. Alex, thank you so much for being such a great guest. It's been really interesting talking to you.
Thank you, Matthew. I had a great time. Bye bye.
Matthew Stibbe (28:25.294) And well, so that is the end of this episode. And if you listening, watching would like more practical data insights and want to learn more about OSINT or about Videris or about Blackdot, please visit blackdotsolutions.com. Thank you for listening and goodbye.