Layer 8 Podcast

Kirby Plessas is an OSINT pioneer, US military veteran, business owner, board member, is OSC certified and podcast host. Kirby was an Arabic linguist in the military who started sharing what she knew with team members in a newsletter and it grew from there.

She is the founder of the Plessas Experts Network which offers training, classes and webinars in OSINT investigations. She also co-hosts the OSINT Cocktail podcast where they talk about investigations and techniques seen in movies and television shows.

Craig Taylor is the founder and CEO of CyberHoot a security awareness company that focuses on positive reinforcement and gamification. Craig studied psychology and used that knowledge when creating CyberHoot, which he offers for free.

Craig also set up a challenge specifically for listeners of the Layer 8 Podcast, if you'd like to test your ability to identify a phish and the parts of a phish quickly. It's even free! You can try that out here: https://cps.cyberhoot.com/hootphish-challenge/?hash=65199056c6edbc93f2755078a5b15743

There will be a leaderboard, and you can check your status on the leaderboard here: https://cps.cyberhoot.com/hootphish-challenge/shared-results/?hash=8b7f346b97c7dd027215d741f0ae36fb

This free challenge will end on May 31, 2025.

Tim Farmer is the OSINT Training Lead for Dark Blue at CACI. He performs investigations along with teaching OSINT classes with a focus on the deep and dark web. (Don't know the difference? We discuss that in this episode.) Tim has his own podcast with Chris, titled The OSINT Output. Tim has achieved the OSC certification from Osmosis Academy and will be presenting at the Layer 8 Conference this year with a talk titled "Deanonymizing Dark Web Hidden Services: Capitalizing on User Mistakes and Querying Internet of Things Databases"

Dorota Kozlowska is a social engineer and penetration tester for Black Hills Information Security. She has her own podcast which can be found on Twitch and YouTube and recently presented at the Disobey conference in Finland.

On this episode, she talks about how to get into social engineering as a job, some techniques for elicitation, what skills one needs to be a social engineer and the all-important sympathy vs. empathy.

Sho Luv, aka Leon Johnson is a ninja, a hacker, a penetration tester and a computer security expert. Leon has performed all types of testing engagements and has mentored many other aspiring pentesters. On this episode, Leon talks about what it takes to be a tester along with some of his own stories of social engineering engagements and his thoughts on being a Black man while doing covert entry engagements.

If you want to try your hand at the hacker box Leon created, titled Mr. Robot, have at it: https://sholuv.net/

How does a man living in England trace the history of Compton, California and the evolution of gangs across the country? And then evolve to tracking financial crimes? By using his OSINT skills! In this episode, Brett Redman the Head of Intelligence at Blackdot Solutions takes us through where he started with tracking this information and also some discussion of OSINT differences between the US and UK, with an emphasis on investigational ethics.

Olie Brown is a self-described hacker and the creator of the penetration testing company CC Labs. In this episode, Olie tells us of some social engineering exploits he has pulled off with some very simple techniques. He also stresses the social in social engineering with his tips on how people can get started and how to get better at social engineering. He also talks about why he is constantly learning and hasn't slowed down.

Dmitry Danilov, aka Soxoj is an OSINT investigator and CPO for Social Links. In this episode, we talk about his Substack where he shares his methodology and his incredibly helpful "4P Method" of doing investigations. We also talked about some of the tools he works with and created, which you can find in his github: https://github.com/soxoj

• https://soxoj.com/
  

• 
  https://t.me/soxoj_insides
  

• 
  https://github.com/soxoj/maigret
  
• Presentation at LeHack: https://www.youtube.com/watch?v=0yQRf0Mx-hc
  

• 
  https://sociallinks.io/products/sl-crimewall

Jeff Tomkiewicz, aka The Gh0stface Killer is a social engineer who is employed but a health services company. He will also be teaching a pretexting workshop at the Layer 8 Conference! You can find out more about that here: https://layer8conference.com/training-at-layer-8-conference-2025/

In this episode, we learn how Jeff moved from the military to becoming a social engineer where he does red team engagements for his company. He also penned a great article about social engineering and pretexting here: https://heyzine.com/flip-book/8467826462.html

Let's talk covert entry, vishing, phishing and how to get into the field with Jeff!

My OSINT Training is a company created by Griffin (@hatless1der) Glynn and Micah (@webbreacher) Hoffman. Their goal was to create affordable high quality OSINT training, and they'll be offering that at the Layer 8 Conference in June! You can sign up today for their class!

In this episode, we also spoke about the National Child Protection Task Force (NCPTF) and how Micah and Griffin conduct investigations along with how others can help and how ethics play a huge part in their investigations. Griffin also runs a hugely popular page of OSINT tools at The Ultimate OSINT Collection

In this episode, we're joined by Nico Dekens, aka Dutch_OSINTGuy where he talks about lessons in OSINT including the value of operational security, ethics and classes he teaches. He also tells us about his 5W1H method of performing an investigation. We also discussed some blog posts he wrote for ShadowDragon, including one about OSINT on people in heightened emotional states.

Aidan Raney is the founder of Farnsworth Intelligence, an OSINT company that focuses on due diligence investigations, among others. Aidan freely shares content and tools, has been a volunteer with Trace Labs, teaches OSINT and OpSec.

He presented at both BSidesSF and ShmooCon about "Catching Some Phisherman" where he exposed a large phishing organization.

Aidan has experience with using Artificial Intelligence (AI) in OSINT and has also helped to catch vishing scammers.

Brian Harris from the Covert Access Team is a social engineer, a physical pentester and a member of the black team. If you've heard of blue team, purple team and red team but not black team, you can hear what that is about in this episode!

Brian explains why all businesses should have their physical access tested, regardless of whether they believe the tester would be successful. Also, is it fair to test the third party cleaning crew during a test? We talk about this and a lot more!

Nathaniel Fried is the CEO of OSINT Industries. He's also one of the founding members and current chair of UK OSINT, a non-profit public meetup group.

In this episode, we talk about ways to perform OSINT with only a single selector, such as an email address, a phone number or a username.

We also discussed how he discovered that Donetsk was using western-based IT tools, in spite of sanctions. Nathaniel walked through this investigation with his OSINT methods.

He explained his thoughts on how to get started in the OSINT world, recommendations on areas to focus on and also told us a brief story of how he did not get extradited to the Philippines.

Matt Linton (@0xMatt)is a Googler and former NASA employee and red teamer. He has some opinions on the way we do phishing testing today with comparisons to how fire safety evolved. Even better, he offers solid solutions on how we can do better phishing testing so that people better understand the expectations of them and to still keep the enterprise protected.

In this episode, we discuss a blog post that he wrote for Google. You can read the blog post here: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html

Phil Eil is an investigative journalist who has written for publications such as Vice, Huffington Post, the Boston Globe and the Providence Phoenix. But there was always one story he wanted to write.

In his new book, Prescription for Pain, Phil documents the story of Dr. Paul Volkman, a midwestern physician who was convicted of distribution of a controlled substance resulting in death, plus additional charges.

Phil tells us about the story but also describes the various less-common investigative (OSINT) tools that he used to tell the story.

This is the second part of a two-part podcast episode with Alethe Denis. If you missed the first part, you'll want to go back and listen to that first as this episode picks up, mid-story where Alethe has just caught the eye of a security guard during a social engineering engagement. Can she evade the guard or will the job come to an end?

Alethe is a senior security consultant with Bishop Fox, has given presentations to multiple conferences, including a keynote on redteaming. Alethe was also the featured guest on one of the most popular episodes of Darknet Diaries.

For this episode, we're joined by Cynthia Navarro and Bret Anderson from OsmosisCon. They are the two people that head up the annual OSINT conference in Las Vegas. The conference will be October 20-22 and can be attended in person or remotely.

Cynthia and Bret tell us about the origins of Osmosis, the certification they offer and we also talk about some methods, ethics and share some fun investigation stories.

Andreas Heideck, the CEO of the Germany-based Impossible Security, joined the show to tell some incredible social engineering stories. The part that is different about his stories is the simplicity of his pretexts and thought process. As we tend to overthink these engagements, Andreas shows us how to stay in the moment, choose pretexts that make sense, are very simple and very successful.

This episode is a great discussion with Justin Seitz (@jms_dot_py) and Kennedy Chappell (@kcath23) of Permanent Record Research. They also write the free Substack newsletter https://www.bullshithunting.com/ along with its fun weekend edition, For the Weekend Warriors, Weirdos & Whackjobs, where you can get even more fun insight into the work they do and the lives they lead.

In this episode, Justin and Kennedy talk about how they "unf**k" things like junk science and pseudo-experts in courtrooms. Kennedy also talked about how she has helped friends by doing some OSINT on their online dating lives. Justin also talks about the importance of getting an investigation right, especially when you feel in your gut that you have it wrong.

Bluma Janowitz, aka @x25Princess is a social engineering instructor and one of the original phone phreaking hackers. She has also worked as a phone sex operator and as a dominatrix. Her work in these areas, as well as her own personal survival, has taught her the social engineering skills she uses today. She also wrote some interesting blog posts about various aspects of social engineering and rapport building, which can be found at https://blumajanowitz.com/?blog=y

Alex Lozano is the founder and CEO of the Barcelona-based Cibergy and is a professor of OSINT at the University of Autonoma de Barcelona. In this episode, Alex talks about the role of OSINT in corporations and businesses. How it can enhance the business and also show trends and potential threats. We also discussed the future of OSINT and how Artificial Intelligence (AI) may be able to help and where it might come up short.

At the Layer 8 Podcast, we aim to get a global perspective on social engineering and OSINT topics. For this episode, we spoke with Ajaka Shamsudeen, also known as @Mydeen4u on Twitter. Ajaka is a part of the SE awareness and education community in Nigeria and here he shares his perspective of the state of social engineering in Nigeria.

Ajaka is also an alumnus of Cyblack, an organization that is building the next generation of Black and African cybersecurity talent.

Hervé is the creator of the non-profit and non-governmental organization OpenFacto in France. This organization teaches investigational skills to journalists to help them find the truth in facts.

We also talk about using OSINT for good and in this episode, Hervé tells a story about how he did exactly that and very likely saved lives with one specific investigation and how he performed it.

OpenFacto offers their training to all French-speaking individuals and more information can be found on their site at https://openfacto.fr/

Bex Markwick joins us today to tell us what she feels is wrong about the way we do phishing testing today. We'll talk about some of the areas where those might not go in the right direction and why, but also how we can do them better and what we should be focusing on.

Bex has presented twice at PancakesCon and gave a keynote presentation at BSides Basingstoke. You can find all of Bex's presentations at https://infobex.co.uk/speaking/

Tom Hocker is the Director at Trace Labs. Trace Labs is a non-profit organization who crowdsources OSINT skills from the public to find information and clues on people in missing persons cases.

As mentioned in this episode, you can get more information about Trace Labs, get in contact with Tom and jump into a Search Party all by joining their Discord channel here: https://discord.gg/tracelabs

Chris Pritchard is a UK-based social engineer with Lares Consulting. He has accessed some of the most secure facilities, sometimes seemingly too easily. In this episode, Chris (aka @Ghostie_) talks about what was his process to access seemingly secure facilities like airports and casinos. He also gives his thoughts on dealing with the adrenaline rush of getting in and also has advice on how to get started in the industry.

Rae, aka @Wondersmith_Rae is back! After chatting about maritime OSINT in episode 75, Rae came back to discuss her book "Deep Dive - Exploring the Real World Value of Open Source Intelligence" and to talk about what skills or mindset is important in the OSINT world. We also talked about how to practice your OSINT skills in a realistic way by using Kase Scenarios, a learning site she built along with Espen Ringstad.

This episode is brought to you by Compass Cyber Guard. To find out more about Cyber Guard's social engineering or pentesting services, contact ⁠info@layer8podcast.org

Ritu Gill is back! A return guest who first appeared on episode 20, Ritu (also known as OSINT Techniques) is back to talk about Operational Security, about how to create and curate sock puppets, how to keep the integrity of an investigation and to tell us about Forensic OSINT, a Chrome extension that can easily help with investigations!

This episode is brought to you by Compass Cyber Guard. To find out more about Cyber Guard's social engineering or pentesting services, contact ⁠info@layer8podcast.org

This episode is brought to you by Compass Cyber Guard. To find out more about Cyber Guard's social engineering or pentesting services, contact info@layer8podcast.org

Charles Shirer, aka @BSDBandit is the part of the internet that exudes positivity and happiness. He frequently posts happy and affirming messages for people to enjoy. He's also a self-taught OSINT expert. In this episode, he'll explain how he learned OSINT, projects he took on and give suggestions and advice for others who might look to follow in his path. 

Dr. Abbie Maroño is the Director of Education at Social Engineer, LLC. She earned her PhD in Behaviour Analysis from Lancaster University in the UK. In this episode, we talk about human lie detection and that everything we learned on Lie to Me might be a lie! How can we discern good scientific information from bad, so we can learn the skills of social engineering and Dr. Maroño also talks about her own new podcast where she goes into the detail of the science and research behind many social engineering topics! 

Venessa Ninovic is @Intel_Inquirer on Twitter and frequently posts her findings and research at https://intel-inquirer.medium.com/ She has been on the OSINT Curious podcast and presented at the 2022 SANS OSINT Summit. In this episode, she tells us how much OSINT one can find just in dating apps. She explains how some military members failed so badly at OpSec that they were forced to delete their social media applications and she digs into the exercise app Strava. Strava can reveal quite a bit about the person exercising, even as much as where they live! 

Alan Neilan is a security analyst who searches for phishing kits in his spare time, using x0rz's Phishing Catcher. Alan often tweets out his work at @aneilan and he also posts his findings under the title "Crap I Found on the Internet" on his blog at aneilan.github.io. In this episode, Alan talks about how he uses certificate transparency certstreams to feed the analysis tool and tells some of his experiences with reporting the kits he's found.

John TerBush, known as TheGumshoo on Twitter joins us to talk about his previous life as a private investigator and how he merged into the information security world. He, like so many others, was doing OSINT before we called it OSINT and he describes some of the locations and techniques. John is also a founding member of OSINT Curious and a course developer/instructor for the SANS SEC 487 and SEC 587 OSINT courses. He is also a threat researcher for Recorded Future. John has some great advice for getting started in the OSINT world and some fun stories of life on the job.

On this episode, we speak with Dalin McClellan, a penetration tester and social engineer for NetSPI. The idea for this episode came from a blog post that Dalin wrote here: Not Your Average Bug Bounty: How an Email, a Shirt and a Sticker Compromised a High Security Datacenter. Dalin explains the preparation necessary for an on site physical penetration test when the location is highly secured with barbed wire fencing, human guards 24x7, retinal scanners and mantraps. Sometimes very simple solutions can be used to bypass highly technical controls. Just ask. 

Sylvain Hajri, aka Navlys_ on Twitter created Epieos.com a freemium site that lets you perform passive OSINT with just an email address. Sylvain wears an incredible number of hats as the creator of not just Epieos but also MyOSINTJob, OSINTFr, the SpyingChallenge and is also an organizer of LeHack in France and also the OSINTVillage. 

In this episode, Sylvain has great advice on how to use passive OSINT, on how he created his company and whether people should focus on tools and learn python to get better at OSINT, plus even more!

When we think of phishing attacks, we immediately think of email. In this episode, Chris Cleveland, the Founder and CEO of Pixm Security walks us through a massive phishing attack that his company discovered. In this attack, millions of Facebook credentials were stolen using multiple layers of trusted environments. Have you ever gotten contacted by a friend in Facebook messenger with a link to check out a funny video? After this episode, you might be a little more careful with those. 

If you want to read the blog post that we discuss: https://pixmsecurity.com/blog/blog/phishing-tactics-how-a-threat-actor-stole-1m-credentials-in-4-months/

You can find the Fake PhD Investigator on twitter at FakePhD_reveal. 

Jason Downey is a penetration testing security consultant with Red Siege and is known as HackAndBackpack on Twitter. In this episode, we talked with Jason about phishing, vishing and on-site physical social engineering engagements. He talked about some of the tools he uses, some of his successes and some campaigns that might not have gone exactly to plan. Plus, find out how the Legend of Zelda's Triforce can help people understand a path into this industry. 

More information about Jason can be found on his web site, https://hackandbackpack.com 

We talk with Steven Harris, aka @nixintel who is an Executive Board Member with @OSINTCurious and is currently employed by Qomplx to perform investigations. He also teaches SEC 487 for SANS. In this episode, we walk through some of the Quiztime investigations that he did on his web site (https://nixintel.info) and another where he was able to figure out exactly who was plagiarizing his content. Steven gives great advice for people starting out, what they should focus on and the value of learning Python.

Griffin is also known online as @hatless1der. You can find his tips and blog articles at hatless1der.com and at the Ultimate OSINT Collection. Griffin is also a part of the National Child Protection Task Force (NCPTF) where he is a speaker at their conference. He also speaks at the ConINT conference. In this episode, Griffin discusses how to do OSINT investigations that require pivoting off data, how to find people who really don't want to be found, and some great ways to get started in the field of OSINT, plus a whole lot more! 

Josten Peña is a Human Risk Analyst at Social Engineer, LLC. Josten performs risk testing with contracted company employees via phone calls and email. In this episode, Josten focuses on various shortcuts our brains use, commonly known as biases, that can help in some situation, but can also be detrimental in others. Josten describes these biases and how a social engineer might use them to achieve the desired goals.

In this episode, we talk with Erich Kron from KnowBe4. We go into a number of topics, but mainly focus on phishing. Erich talks about phishing as a service, ransomware as a service and gives recommendations on how to best perform your own phishing engagements within your company. 

Oliver Lebhardt is the creator and CEO of Complytron, a tool used for OSINT investigations to determine if seemingly unrelated websites are actually related. In addition, Complytron has data about politically-exposed people (PEP), people who have been sanctioned and who are on government watchlists. The data can be heavily used in anti-money laundering situations, but is also valuable for human intelligence.
Oliver's background is in investigative journalism and has paired his investigatory skills with code developers who have built this powerful database that offers free trials. He originally created the Source Code Leak Project which received funding from Google's Digital News Innovation Fund in 2019. 

Chris Russell, the CISO of tZero, is @cr00ster on twitter and https://github.com/cr00ster, joins us today to talk about his experience in the military and how he obtained intelligence during the Iraq War. Chris talks about some of the techniques used to help determine when people were telling the truth and when some might have just been looking for a payday. He also talks about his biggest social engineering concern from a CISO's perspective, and why we should focus on treating developers well. 

Known online as @LockDownUrLife, we talk about how she helps people who have been a victim of online scams and harassment. She also talks about ways we can protect our own privacy, and what you can do when you are threatened or harassed. Her web site with a lot more information can be found at https://LockDownYourLife.com