OPSEC Basics for Security Researchers
Table of Contents
What OPSEC Actually Means
OPSEC (Operational Security) is a process for identifying, controlling, and protecting information that could be used against you. The term comes from military intelligence, specifically from a Vietnam War-era program called Purple Dragon, where U.S. forces realized the enemy was anticipating their operations not by breaking encryption but by analyzing patterns in unprotected operational details.
The core principle has not changed since the 1960s: your adversary does not need to break your strongest defense if they can extract what they need from your weakest one. In security research, this means that using Tor and encrypted messaging means nothing if your research pseudonym shares a username with your personal Reddit account.
OPSEC is not a tool or a product. It is a discipline. It requires you to think about what information you are generating, who might want that information, how it could be collected, and what steps you can take to deny it to adversaries. For security researchers, this discipline is not optional - it is the difference between doing controversial research safely and waking up to a legal notice or worse.
Threat Modeling for Researchers
Before you can practice OPSEC, you need to know what you are protecting against. A threat model answers four questions: What are you protecting? Who are you protecting it from? How likely is it that you will need to protect it? What are the consequences if protection fails?
graph TD
subgraph Threat_Model["Threat Model Components"]
A[Assets] --> B{What could go wrong?}
C[Adversaries] --> B
B --> D[Likelihood Assessment]
D --> E[Consequence Analysis]
E --> F[Countermeasures]
end
subgraph Assets_Detail["Researcher Assets"]
G[Real identity]
H[Physical location]
I[Research methodology]
J[Unpublished findings]
K[Source relationships]
end
subgraph Adversary_Tiers["Adversary Capability Tiers"]
L[Tier 1: Curious individuals]
M[Tier 2: Targeted companies]
N[Tier 3: Law enforcement]
O[Tier 4: Nation-state actors]
end
G --> A
H --> A
I --> A
J --> A
K --> A
L --> C
M --> C
N --> C
O --> C
A threat model maps your assets against adversaries and their capabilities to determine appropriate countermeasures
A bug bounty hunter reporting XSS vulnerabilities through HackerOne has a very different threat model than a researcher analyzing nation-state malware. The bug bounty hunter probably needs to protect their identity from irritated sysadmins and potential legal gray areas. The malware researcher might need to protect themselves from the actual operators of the malware infrastructure they are investigating.
Your OPSEC measures should be proportional to your threat model. Over-engineering your OPSEC wastes time and adds friction that makes you less productive. Under-engineering it leaves gaps that matter. The key is to be honest about who your adversaries are and what resources they can bring to bear.
Identity Separation
The single most important OPSEC practice for security researchers is maintaining strict separation between your research identity and your personal identity. This sounds straightforward, but it breaks down in subtle ways that most people do not anticipate.
A research identity requires its own email address (created over Tor, not linked to a phone number), its own social media accounts, its own handles on forums and IRC/Matrix channels, and its own payment methods if you need to register domains or purchase services. None of these should share any identifier with your personal identity - no shared usernames, no shared email providers, no shared phone numbers, no shared IP addresses during creation.
Writing style is a frequently overlooked vector. Stylometry (the statistical analysis of writing patterns) can link anonymous texts to known authors with high accuracy. If you write research blog posts under a pseudonym but also have a public Twitter account, an adversary with sufficient motivation can compare the writing patterns. Mitigation includes varying your sentence structure deliberately, having someone else proofread and edit public posts, and being aware that distinctive phrases and punctuation habits are fingerprints.
Timezone leaks are another common failure. If your research pseudonym posts consistently between 9 AM and 5 PM Eastern time, you have narrowed your likely location to the Eastern timezone. Commit timestamps in Git repositories are a particularly common leak. Configure your Git client to use a consistent timezone offset that does not match your real location, or normalize all timestamps to UTC.
Secure Communication Channels
Communication is where most OPSEC failures occur, because maintaining operational security requires constant vigilance during conversations that are inherently casual and trust-building.
Signal is the baseline for secure messaging. End-to-end encrypted, minimal metadata retention, disappearing messages. But Signal requires a phone number, which creates a registration identity link. A dedicated prepaid SIM purchased with cash and registered through a secondary device is the minimum for high-threat-model situations.
For asynchronous communication, PGP-encrypted email remains useful despite its many UX problems. The important thing is understanding what PGP encrypts (the message body) and what it does not (the subject line, the sender, the recipient, and the sending/receiving times). These metadata fields are visible to the email provider and to any network observer.
Matrix with cross-signed device verification provides end-to-end encryption for group communication. Unlike Slack or Discord, Matrix can be self-hosted, giving you control over the server-side metadata. The Tor-accessible Matrix homeserver at the Tor Project demonstrates this use case.
In-person communication remains the gold standard for sensitive discussions. Radio frequency communication using devices like the BLEShark Nano in mesh networking mode (Shiver protocol, ESP-NOW, 20-50 meter range) can provide local, off-internet communication channels that leave no server-side trace. This is relevant for conference environments where secure local communication between team members is needed without relying on conference WiFi or cellular networks.
Metadata: The Silent Leak
Content encryption solves one problem. Metadata solves a completely different problem, and most encryption tools do not address it. Metadata is information about the communication rather than the communication itself: who talked to whom, when, for how long, how frequently, and from where.
Former NSA Director Michael Hayden said plainly: "We kill people based on metadata." This is not hyperbole. Metadata reveals patterns of life, social networks, timing of activities, and location - often enough to draw actionable conclusions without ever reading a single message.
Documents are rich metadata sources. Word documents contain author names, revision history, and sometimes tracked changes with earlier drafts. PDFs contain author fields, creation software identifiers, and timestamps. Images contain EXIF data with camera model, GPS coordinates, timestamps, and sometimes unique camera sensor patterns.
Before publishing any document or image as part of your research, strip metadata. On Linux, exiftool -all= filename removes EXIF data from images. For PDFs, qpdf --linearize input.pdf output.pdf strips some metadata, though a more thorough approach uses mat2 (Metadata Anonymisation Toolkit). For maximum safety, convert documents to plaintext or recreate them from scratch rather than trying to sanitize originals.
Air-Gapped Research Environments
An air-gapped computer has no network connection - no WiFi, no Ethernet, no Bluetooth. It is physically separated from the internet and from any network that connects to the internet. For analyzing malware or handling sensitive data, an air gap provides assurance that compromised software cannot phone home.
graph TD
subgraph Connected_Environment["Connected Research Environment"]
A[Research Laptop] -->|Internet| B[ISP]
B --> C[Malware C2 Server]
A -->|WiFi| D[Local Network]
A -->|Bluetooth| E[Other Devices]
C -->|Alert!| F[Threat Actor Knows]
end
subgraph Air_Gapped["Air-Gapped Environment"]
G[Isolated Workstation] -->|No network| H[Nothing]
I[Data Transfer] -->|Write-once USB| G
G -->|Reviewed files only| J[Separate Transfer Station]
J -->|After sanitization| K[Connected Network]
end
subgraph Best_Practice["Data Transfer Protocol"]
L[Write files to USB]
M[Review on transfer station]
N[Sanitize metadata]
O[Copy to connected system]
L --> M --> N --> O
end
An air-gapped research environment prevents compromised malware from communicating with command and control infrastructure
Building an effective air gap requires more than unplugging Ethernet. Remove the WiFi card physically. Disable Bluetooth in BIOS/UEFI, or better yet, use hardware that has no wireless interfaces. Intel Management Engine (IME) and AMD Platform Security Processor (PSP) present theoretical out-of-band communication channels - systems with these components disabled (like certain Purism or System76 machines) provide stronger assurance.
Data transfer to and from an air-gapped system requires a protocol. Use write-once media (like CD-Rs) or dedicated USB drives that never touch internet-connected systems. Boot the transfer media on a dedicated intermediate machine that reviews files before they cross the gap. Never plug a USB drive from the air-gapped machine directly into an internet-connected system without reviewing its contents on an intermediate machine first.
Virtual machines can approximate some benefits of air-gapping through network isolation. Whonix and Qubes OS provide compartmentalized environments where virtual machines have strictly controlled network access. This is less secure than a true air gap (because the hypervisor is a shared trust boundary) but far more practical for day-to-day research.
Hardware and Physical OPSEC
Your hardware can identify you even when your software OPSEC is perfect. Every network interface has a MAC address that is broadcast on local networks. WiFi probe requests can reveal the SSIDs of networks your device has previously connected to. Bluetooth devices broadcast discoverable names and MAC addresses.
Use a dedicated research device that has never been associated with your real identity. Purchase it with cash. If you need to analyze wireless traffic, use tools like the BLEShark Nano that are designed for security research and provide capabilities for BLE sniffing, WiFi analysis, and IR operations without tying your analysis to a personal device.
Physical security matters too. If your research laptop is at risk of physical seizure, enable full-disk encryption with a strong passphrase. LUKS on Linux, FileVault on macOS, and BitLocker on Windows all provide disk encryption, but they only protect you when the device is powered off. A running or sleeping device with a decrypted disk provides no protection against physical access.
For high-threat situations, consider devices with hardware kill switches for the microphone, camera, and wireless interfaces. These provide physical assurance that the components are disconnected, rather than relying on software controls that malware could override.
Financial OPSEC
Payment methods create identity links that are surprisingly difficult to sever. Credit cards and bank transfers are tied to your real name and address. PayPal, Venmo, and similar services maintain detailed transaction histories.
For registering domains, purchasing hosting, or buying services under a research identity, use Monero (XMR) rather than Bitcoin. Bitcoin is pseudonymous but not anonymous - blockchain analysis can trace transactions, and exchanges require identity verification. Monero's ring signatures, stealth addresses, and confidential transactions provide meaningfully stronger privacy, though even Monero has known weaknesses against certain analysis techniques.
Cash-purchased prepaid debit cards and gift cards provide another option, but availability varies by jurisdiction and many online services reject prepaid cards. Privacy-focused virtual card services exist but require careful evaluation of their own logging practices.
Common OPSEC Mistakes
The most common OPSEC failures among security researchers are not technical. They are human.
Talking about ongoing research too early. Excitement about a finding leads to casual mentions on Twitter, in Discord servers, or at meetups. Even vague references can tip off an adversary that their systems are being examined, leading to rapid patching, infrastructure takedown, or worse.
Using the same device for research and personal activities. Browser history, cookies, DNS cache, and file system artifacts create cross-contamination between identities. Use separate devices, or at minimum, separate bootable operating systems on the same hardware.
Trusting screenshots without considering metadata. Screenshots from some tools include timestamps, window titles, or desktop environment details that reveal the operating system, installed software, and timezone.
Forgetting about DNS. Your DNS queries reveal every domain you visit. If you are researching malware infrastructure while using your ISP's DNS resolver, your ISP has a record of every malware domain you queried. Use encrypted DNS (DoH or DoT) through a privacy-respecting resolver, or route DNS through Tor.
Version control leaks. Git commits include author name, email, and timestamp by default. Public GitHub repositories expose the full commit history, including any credentials, API keys, or identifying information that was committed and later removed (it remains in the git history). Use git filter-repo to clean history before publishing, and configure research repositories with pseudonymous author information from the start.
When OPSEC Actually Matters
Not every research activity requires paranoid-level OPSEC. Writing a blog post about publicly known CVEs does not demand an air-gapped machine and Tor routing. Responsible disclosure through established bug bounty programs, where the program operator knows your real identity and has legal safe harbor provisions, requires minimal OPSEC.
OPSEC becomes critical when your research could provoke a response from capable adversaries, when you are investigating active threat actors, when your research involves legal gray areas specific to your jurisdiction, or when the safety of sources or collaborators depends on anonymity.
The time to implement OPSEC is before you need it. Retroactively trying to separate a research identity from a personal identity after they have been linked is extremely difficult. Creating OPSEC habits early, even for low-stakes research, builds the muscle memory you need when the stakes increase.
Good security research tools help with physical-layer OPSEC. The BLEShark Nano provides wireless analysis capabilities (BLE 5.0 sniffing, WiFi monitoring, IR transceiving) in a pocket-sized device that can be part of a dedicated research kit, separate from your personal electronics.
Get the BLEShark Nano - $36.99+