Listen to this episode:
In this episode, Matthew Stibbe interviews Nico Dekens from ShadowDragon, also known as Dutch_OsintGuy, discussing the current trends and challenges in Open Source Intelligence (OSINT). Nico shares his journey from law enforcement to teaching OSINT, emphasising the importance of a mindset focused on clear goals and ethical practices. The conversation delves into the role of AI in OSINT, highlighting both its potential benefits and pitfalls. Nico also discusses the evolving landscape of OSINT, the need for professional standards, and offers advice for those looking to enter the field.
AI-generated transcript
Matthew Stibbe (00:01) Hello and welcome to From the Source, the Blackdot podcast. I'm your host Matthew Stibbe and today I'm talking to Nico Dekens from ShadowDragon.io, otherwise known as Dutch_OsintGuy. Great to have you on the show Nico.
Nico Dekens | Dutch_OSINTguy (00:16) Thank you. Thanks for having me.
Matthew Stibbe (00:18) Well, so, before we get into your career and your current work, I'd like to start with a very practical question. What's the most exciting thing in OSINT right now for you? What are you geeking out about?
Nico Dekens | Dutch_OSINTguy (00:31) That's a really good question that I never had before. So what I'm currently geeking out on, I think it's mostly on new technology. So of course, we will probably talk about that a little bit later. Everything that has to do with artificial intelligence. So I'm trying to understand that, trying to get the most out of it, but also trying to raise awareness for users to understand the risks that are coming out of forms of AI. So that's mostly my current jam. And of course, within my company,
I get real excited when we find new publicly available sources that we can easily make available to clients for them to leverage to search on.
Matthew Stibbe (01:11) Can you give me an example of something that you found recently that would be interesting?
Nico Dekens | Dutch_OSINTguy (01:16) I think a lot of our customers are very interested in ⁓ being able to search someone by a phone number. So they just have a phone number and I'm just trying to find sources from all over the world ⁓ where you can input a phone number into our tool and it will tell you, this user account exists because it has been set up with this phone number on this platform. So I'm spending a lot of time trying to look at these apps and trying to see how we can, without hacking, without breaking violations, without so purely legal and ethical, obtain as much information as we can from publicly available information.
Matthew Stibbe (01:54) We're going to definitely come back to AI, I think, for almost every conversation I have these days. But let's tell me a little bit about your background and career in OSINT for the few people out there who don't know you.
Nico Dekens | Dutch_OSINTguy (02:08) Yeah, so, I started around 25 to 30 years ago at Dutch government, Dutch law enforcement. ⁓ Back then the internet was like this small, so there was not that much, so I could do everything manually and I became an analyst very quick. So I first was a street cop, but I very soon figured out that ⁓ solving big puzzles is my jam. So you have to become an analyst if you want to do that. So I became an analyst and I started looking at criminal youth gangs.
And this really opened up my eyes how open source intelligence or publicly available information can and should be leveraged to find a deeper understanding on certain criminal targets most of the time. So I spent more than two decades doing that, ⁓ looking into criminal groups, looking into hacking groups, looking into all kinds of fraud, ⁓ mostly from a law enforcement intelligence perspective. Then I ⁓ slowly started educating people about Open Source Intelligence because again, 20 years ago, was little to no one practicing OSINT. ⁓ It wasn't even an official term within most governments yet, ⁓ but they asked me to teach people. So I started teaching people internally how I use tools, how I use techniques, how I use certain approaches and methodologies. And that ended up me with me ending up at the SANS Institute where I teach two OSINT courses and I offer one.
Now I'm traveling basically all the world teaching people or building tools for people purely when it comes to open torsion shells. So there's a very short condensed version of what I did in the past 25 to 30 years.
Matthew Stibbe (03:49) I know I was researching, was open source researching you yesterday to prepare for this and it's an amazing and storied career and anyone who's listening to this should definitely go look Nico up. Let's drill into this teaching thing. You clearly spend a lot of time teaching and evangelising for open source intelligence. And I'd love to know what are some of the biggest challenges you find with both the people you're teaching, but also the people who ought to be sending people to your courses but are not.
Nico Dekens | Dutch_OSINTguy (04:23) Yeah, So teaching can be very challenging because sometimes, just like you said, sometimes you have people in your class that don't want to be there because they were sent to be there. Those are the biggest challenge, but those are very often for me the most fun challenge because I'm the person that needs to get them excited into this profession, Open Source Intelligence. So I always take an approach where I try to teach every technique and tool based upon practical real world stories.
So I'm trying to basically tell them, hey, this is how I approach this. So maybe looking at this information, I will show them a real world case example that I worked on or that we can replicate from somewhere else and just tell them, no, this is where you click on a tool, but more importantly, this is how your brain should work to take these steps. And more importantly also trying to identify false positives or information gaps because that's what I think is the biggest challenge when you're trying to teach people about ocean it's not just fancy googling there's so much more when it comes to that of course we need Google we need being unique search engines but if you don't know how to ask the right question you won't always get too much noise and that's what I think the big is the biggest challenge for most people when you're trying to teach other people you want to teach them how to gethighly accurate, highly targeted results based upon well formulated searches.
And that could be coming from anywhere nowadays because we have social media, we have forums, have deep web, dark web, and basically every layer of the internet needs its own approach. And there's not always one standard approach. And I also try to teach people that OSINT will always equal change tool that works now is not guaranteed to work tomorrow because if the platform, for example a platform like Facebook or a forum, changes something in their backend, now the entire tool might be broken. So you now need to be able to figure out how can I get it working again? And if you cannot do that, because that's also something that happens every now and then, can I find another route, another way to the same information? Because it's still valuable information that I need to obtain.
That's what I mostly do. Another thing that I always try to do when, well, you just mentioned that I'm kind of an O-Sint evangelist. When I give talks or lectures, I always hope to convince, let's say, leadership and decision makers for companies why open source intelligence is so important for them, because every form of investigation or research doesn't have to be, let's say, a government-oriented research. Let's say you're in an insurance company or
You just have your own shop and you need to do some due diligence on a potential client or a customer or something else. Or you just are going to do online shopping and you end up on a webpage and you have some doubts. Is this a legit webpage? All those things you can use and leverage open source intelligence techniques to understand more about your investigative needs. So if you're only using internal data from your company, your vision is basically limited. And when you look at the internet in its whole, there is so much information. And this is why I think I'm always advocating for everybody, every company around the world could and should leverage open source and challenge techniques just to get the most out of your business.
Matthew Stibbe (07:57) That's a fascinating thing. I saw on one of your talks that you describe OSINT as a mindset or a state of mind almost more than a set of tools and techniques. Can you unpack that a little bit for me? What is the OSINT state of mind? How do you apply that?
Nico Dekens | Dutch_OSINTguy (08:18) Yeah, that's a good question. So it was actually the first blog I ever wrote. is a state of mind. People can look it up. Just look up those words and you will find it. ⁓ And it's more about that. I work for a tool company, a tool vendor. We build OSINT tools. Yeah, ShadowDragon, yeah. And tools can do a lot. But if you don't know again how to ask the right question, ⁓ you will not get the most out of a tool, which means that you will need to come up with a plan and that plan comes back to the traditional intelligence cycle. And the intelligence cycle always starts with, you need to have a goal. What do you need versus what is nice to have? So need to have versus nice to have, which means that you need to be capable in formulating, let's say in that main research question, which I like to translate into a answerable research question. So if I were to ask you now, look up everything about Nico Dekens.
You could go online and start looking for Nico Dekens, but I think a better approach should be is first of all, who is Nico Dekens? Because there might be two, three or five people that have the same name. So what specific Nico Dekens are we talking about? What do you know about him? Oh, I already know his phone number. I know his email address. So we have a starting point. And then the next question, what do you really need to know?
So my question would always be to when I do what I like to call an intake with a client, what would be the most desired outcome from this research? What are you looking for? And sometimes they will simply say, hey, I want to know if Matthew spent time in London in March 2022 because we have some allegations that he did something nefarious around that time. That's an answerable question because now I've basically containerized, I've restrained myself to look in a certain direction in a certain time frame. And then based upon that, you do your collection part. So you have a starting point with clear goals, with clear limitations, you set rules and boundaries, also legal boundaries, how far can I go and may I go from a legal perspective. And then you start collecting and collection for me is the easy part. That's just collecting data.
Think of it as a haystack of information, but you want to create your own little haystack, a tailored haystack, because then it makes it easier to find that needle in that haystack. And to find that needle in the haystack, you need to process and export and analyze the data that you've collected based upon your research question. And again, you will...
Matthew Stibbe (10:54) It's really easy to search a haystack for a needle if you only look in the bit where the needle is, right?
Nico Dekens | Dutch_OSINTguy (11:01) Exactly, or at least where it should be. Or it could be very easy to understand, hey, I've created my own haystack, I cannot find it. Maybe I need to broaden my scope or I didn't look, let's say, in the right direction. Maybe I now need to pivot into a different direction to get a little bit more information that could help me find that answer. And sometimes not finding an answer may also be the answer. Because some people hide. Some people take great pride in with their operational security for not being found, but that by itself could also be an answer. I've had numerous occasions where I needed to look into, let's say, very hardcore, high-placed figures in criminal cocaine cartels. They don't want to be found, but the fact that I cannot find anything, knowing that typically about any individual around the world, I can always find something, but if I can't find nothing, that by itself can be very meaningful information for an investigation. Exactly.
Matthew Stibbe (11:55) The dog that didn't bark.
Nico Dekens | Dutch_OSINTguy (11:58) Exactly. That's basically, and this comes back to what we discussed earlier, I could leverage a tool that works now, but if the tool breaks, again, I can always fall back to my rigid process. And that process is knowing where to look and how to look at a certain amount of ⁓ time, on your information need. You always need a need first with a clear goal and constraints. Then you go out, collect the information, analyze the information, and hopefully, you will be able to produce a report that creates what we like to call within my world actionable intelligence. So I can present you something that you can take away and take new decisions upon or follow up upon. Otherwise, it's just information. We need to make sense of that information. What does this mean to you? And that's basically the OSINT state of mind. The OSINT state of mind is not necessarily about, hey, you can go visit this webpage and look up something and look at this source. No.
It's more about, hey, you have a goal. How can we get the most out of this goal? And if we stick to a process that I wrote up in the blog, you should almost always be golden in your end results.
Matthew Stibbe (13:12) And where does ShadowDragon fit into the tools thing? What does ShadowDragon do?
Nico Dekens | Dutch_OSINTguy (13:18) So ShadowDragon, we by the way integrate into Blackdot, but ShadowDragon is a platform, a suite of tools where everything that you can do manually in a browser, we basically simplify for you. We give you non-attribution capability so no one knows that you are you. And that's also very important for investigators. You don't want an alarm at target that you're looking at it. So we will allow you to search in over...
I think almost I need to check. Think it's around 500 plus sources. So think of all the social media platforms where you can either input as username or phone number or an email address. And we will show you, hey, this is what connects to that username. Doesn't always mean that username is your target. It's just showing you that this username is in use on that platform. And then you take a next step. What can I learn from that account? Can I validate information that ties back to my target individual or groups or whatever? So we basically give you scalability and speed. So I always make the analogy that I remember vividly when I was in Dutch law enforcement and I was doing a counterterrorism case and I was working for almost two weeks straight, 10 hours a day, trying to paint a picture of a certain terrorist cell. Just imagine Nico behind the computer with four screens, 25 tabs open, trying to find the information that we're looking for. And that for two weeks straight. That creates a picture. Pieces of the puzzle that you need to put together. Now I can achieve the same thing within ShadowDragon in, let's say, under half a day. So it's speed, which gives you more time for the in-depth analysis. So we make the collection part easily, but also easy, but then afterwards you have more time for the analysis part, which we also give you tools and capabilities for.
Matthew Stibbe (14:57) Yes. Thank you. That sort of brings us, I think, to the question of AI, because that is perhaps a thing that helps with speed and collection. Tell me, is AI a blessing or a curse for OSINT?
Nico Dekens | Dutch_OSINTguy (15:30) I think it's a blessing and a curse. So let's start with the negative first and then the positive. I think the curse is that, and this is also something that I wrote about recently, is I'm noticing that it makes people lazy.
When people use tools like Google's Gemini or Entropix Cloud or OpenAI's ChatGPT, they just take these answers for granted. So they put in a question, they get an answer, and they just assume that the information coming out of that, what I still like to call black box, is accurate. So they don't take, I see a lot of investigators don't even take the time to validate the outcomes out of that. And that's what I think is now, the negative impact of artificial intelligence. First of all, you're using a black box. So when I need to show up in court and pinky promise to a judge, this is how I obtained this information. There's no way for me in a lot of these large language models to fully explain where the information came from. So you will need to do that manually. Also, the way how these chatting boxes formulate their output, their words, is so convincing. So the way how they choose their words, how they set up their phrases and sentences looks like it's the real deal. But if you read between the lines or if you're capable of validating, very often you will see that it made up stuff or that it made connections that are in the real world and are not accurate connections.
So I think from that perspective, I think AI is negative for open source intelligence. A positive thing is is you don't know how to program or code in a specific programming language, and you need, let's say, a quick tool that can do something for you, ⁓ it's perfect for that. I was working this morning on something where I obtained a very large data set that was publicly available. But just imagine, I've got 10 million lines now with records and information, but I was only interested in certain pieces of that information. I used to have to program a little Python script.
That could see through that data and extract the information that I wanted to see because that could help me take a next step, for example, in another tool. But I know how to program in Python, but I'm not, let's say, a professional. But chat GPT, on the other hand, I can tell it exactly what I want it to do and what makes it so powerful for us in this. Now we get a little Python script, but at least now I can review that Python script and make absolutely sure that it's not doing something that I don't want it to do, that is not communicating to something that I don't want to communicate. So I still have control. It just, I look at it as having a junior developer sitting next to me, building code for me based upon IDs. And these IDs are prompts, just little IDs that you type in. So that's what I leverage AI for the most for quick and dirty one-liner Python scripts or coding scripts. I rarely use it to do research because... until this moment today, we're talking about early May 2025.
It's not trustworthy enough. There's too many false positives, but there's also a lot of limitations. A lot of these large language models are being blocked by certain web pages, which means that they're not capable of looking and obtaining information from these sources, which means information gaps for me. So how trustworthy is the information? How complete is the information? So for doing real research, I don't use it that often because there's too many false positives. There's too much bias in there. There's too much... untransparent information coming out of it. For coding purposes or data processing, I use it very often because then at least I can quickly validate it.
Matthew Stibbe (19:27) That's interesting. What would it take for you to have confidence in an AI system to do research if that's even possible?
Nico Dekens | Dutch_OSINTguy (19:36) Yeah, I'm heavily experimenting with that. So the first thing that I would always encourage people to do if you have a computer or let's say a graphics card that is powerful enough, try to run things locally. So you're no longer reliant on, let's say, a third party. So everything runs locally. So if things go sideways, it still stays on your local machine, which also gives you now the capability, if you are technically technical enough, to look in these large language models that you can download to see what data is in there, how is it trained? So read up on how is it trained because you need to understand what its capabilities are, but more importantly, you need to understand what its limitations are. And if you understand both, then I think you could potentially use it a little bit more. Maybe to, let's say you did a week's worth of research. You've got a bunch of write-ups yourself that are quick and dirty raw write-ups of reports.
Then, maybe compile a report using AI by feeding it your raw data and saying, hey, this is all running locally. This is validated information. You can only use this validated information and then output a report in a format that I will tell you how it should look. That's something that I anticipate will become better in the very near future. At this point, it's not yet where I want it to be, but I have seen examples from other companies that have experimented with this a little bit longer, that it is getting there. But again, most of the people that I do business with or talk to are government or large organisations that can and never will use commercially available AI, because simply they're not allowed to upload and share their own intellectual property to a third party. So you want to be in control.
Matthew Stibbe (21:20)
Yeah, that's clearly, there's some really compelling thoughts and issues that I have, some of which I hadn't considered. ⁓ I'm interested in, I've been doing a little bit of experimentation in my world of marketing with Manus and some other sort of agentic type things so that they spin up a little bit of compute and they can go and look at websites and things. We do it for compiling reports of top 50 websites in a sector we're interested in.
Do you think if AI starts developing or they start releasing more ability for it to go and do things and act on the internet that that has an impact in OSINT or in what you do?
Nico Dekens | Dutch_OSINTguy (22:09) Yeah, for sure. You see now it's more more people talking about MCP. So basically, let AI control your computer. That's, think, the most easy way to explain that. So you can then tell it in the form of a prompt. And for people who don't know what a prompt is, basically asking a question. ⁓ Hey, ⁓ look up these two companies and compare them against each other when it comes to pros and cons. It will go out, then open up a tab on your computer and it will basically perform a Google search, a Bing search on your behalf, scrape the results, analyze the results and present an outcome to you. That's something that I anticipate that will become better. But again, I also see that a lot of platforms nowadays are starting to block connections from MCPs, from artificial intelligence providers. They're simply blocking that IP range or that domain. So again, it's...
It's always a rat race.
Matthew Stibbe (23:09) Yeah, it is. I'm speaking as a content creator, a lifelong writer. I'm in two minds about, I don't know if I want a lot of AI tools taking what I've written and using it for their own purposes without paying me. And on the other hand, a lot of our clients are very keen to be found by search, AI search, right? They think it's the new Google. there's fast moving environment. And I'm curious how you think...
Nico Dekens | Dutch_OSINTguy (23:25) Yep.
Matthew Stibbe (23:38) OSINT generally, not just with the AI, but OSINT generally will evolve over the next year. What are the ⁓ new trends and developments?
Nico Dekens | Dutch_OSINTguy (23:47) Yeah, of course, AI is the big buzzword, ⁓ which always makes me giggle a little bit because everybody asks for AI. But when you ask a follow up question, what do want the AI to do? Then they say, I want them to find the suspect. Would you feel comfortable letting a tool do the collection part, the analysis part, and then point out? Basically, everybody asked for that one button that finds the criminal.
Matthew Stibbe (24:03)
Yeah.
Nico Dekens | Dutch_OSINTguy (24:14) First of all, will tell you that will never happen, but also I would feel highly uncomfortable if an algorithm, because that's basically what we're talking about when it comes to forms of AI, starts pointing out suspects. Because what didn't they take into account? Can they read between the lines? Can they ⁓ understand sarcasm, ⁓ figure of speech, idioms, that kind of stuff? And at this point, they're just not good enough at it. So ⁓ it will evolve.
I think overall the ocean landscape, what I am really happy with, is finally starting to professionalise a little bit more, which means that more and more governments, but also more and more, let's say Fortune 500 companies, are starting to really leverage the ocean. But also it means now we finally get rules and regulations and policies around it. And that is happening worldwide. And that's very needed because there are too many people out there that are self-proclaimed OSINTers, but they don't stick to rules of engagement. They basically violate terms of services and or laws and they basically are busy with illegal activities because open source intelligence is powerful, but it does mean that you still need to basically obey to all the rules and regulations that are all around the world.
Matthew Stibbe (25:37) Are there emerging or existing credentials or professional standards or certifications that people can do to say, no, I'm going to follow the rules or going to, I've got skills, relevant skills?
Nico Dekens | Dutch_OSINTguy (25:57) Yeah, not really. Well, of course, there are courses that will hand out certifications that at least you have certified yourself within this course and that you know about other rules and regulations. When you look at, for example, the course that I teach, they come with certifications, which again are not a guarantee that people will stick to the rules. That's mostly their own responsibility or the company's responsibility. But the good thing is that I see the more more people are implementing these blueprints that are being set up, for example, in the US, they have set up a basically a blueprint on rules of engagement for OSINT. You also have the Berkeley Protocol that has kind of similar rules of engagement. But the hard part for OSINT is since it's such an international landscape, to standardize that from an international perspective is very difficult when you compare, for example, United States versus Europe with GDPR, they don't have.
Matthew Stibbe (26:56) Yes.
Nico Dekens | Dutch_OSINTguy (26:56) So that immediately implies discrepancies in rules and regulations. So how do you deal with that?Yeah, well, and that's very hard and very challenging. I'm just very happy to see that it's expanding, but also from a legal perspective. Finally, the lawyers and judges and legal departments are no longer thinking against this profession because they used to really approach it like you're collecting all the information from the world, which, pardon my French, is BS.
Because when you look at something like Google or Bing, they're also collecting all the information from the world. But they're doing it untargeted. We are at least doing it targeted with a clear goal and restrictions. So I'm finally seeing that from a legal perspective, we're getting more backup, which means that we now get more official policies and rules and regulations. And that's good thing.
Matthew Stibbe (27:43) Yes. Yes.
Nico Dekens | Dutch_OSINTguy (27:58) We also see that larger companies are stepping up their game like Blackdot is doing, like ShadowDragon is doing. We are professionalising, we are giving more training, we're talking more about ethics, we're talking more about what you can do, but more importantly what you should not do when it comes to this profession.
Matthew Stibbe (28:15) This is an interesting thing I'm thinking about. It's not only what you do, we collect this information, but why you're doing it or what the intention is that sets the legitimacy of what you're doing. Sorry, if you're listening to this and you're hearing whining, my dog is down here very eager to be let out. So it's not me or my stomach, it's my Labrador. Maybe you can't hear it because of the noise cancellation. Let me ask you a question.
If for someone like me who is interested in OSINT but new to the field, where would I start to learn more? What are reputable sources of online training or information or learning?
Nico Dekens | Dutch_OSINTguy (29:01) Yeah, well, first of all, I would start by reading Blackdot’s blogs. I would start by reading ShadowDragon’s blogs. ⁓ You could follow my account. I very occasionally give in-depth tips and blogs and write-ups and webinars and trainings on OSINT. ⁓ There's also a lot of communities out there. ⁓ For example, my old crew, Ocean Curious, there's still a webpage, oceancurio.us, where we do in-depth write-ups on
tools, techniques and approaches, but also from a legal perspective, but also how to keep yourself sane because lot of oceanters are looking at very horrific things that they cannot see when you look at, for example, things going on in Gaza or Ukraine. So there's a lot where you can get started. I think my biggest tip would be start looking for these industry leader figures, follow them. Because they will point you to sources that I think you should know about to learn. And if possible, go to these local conferences, attend these meetings, because networking within OSINT is very important. If you know people, they will start sharing information and knowledge with you. And OSINT is, again, as long as you have an internet connection and motivation and time, everybody can learn it, but it takes time. It really takes time to get this under your skin, this profession.
Matthew Stibbe (30:25) Well, so as we're approaching the end of our conversation, can I ask one last question? If people want to find out more about Dutch Ossint guy, where should they go?
Nico Dekens | Dutch_OSINTguy (30:36) Well, biggest tip is just Google Bing Yandex DuckDuckGo search engine Dutch underscore OsintGuy or my first and last name Nico Dekens D-E-K-E-N-S. ⁓ You should find enough. I'm active on almost every social media platform. have my own webpage, so I'm write blogs. So I'm more than happy to hear some feedback from folks.
Matthew Stibbe (31:02) Certainly I found you very easy to find it that I didn't need to deploy a lot of OSINT skills to track you down. But there's a lot of very interesting material. So I urge people to go and go look Nico up and engage with his amazing content. And that brings us to the end of this episode. If you'd like more practical insights about OSINT, if you want to learn about Blackdot or their Vidaris product.
Please visit black.solutions. Nico, thank you very much for being with us today. Really enjoyed the conversation.
Nico Dekens | Dutch_OSINTguy (31:33) Thank you and thanks for having me on.
Matthew Stibbe (31:35) and everyone at home thank you ⁓ and goodbye.
