Investigator Use
IRWatch (irwatch.org) is an OSINT platform focused on monitoring and reporting on Iran-linked activities, infrastructure, and entities across cybersecurity and geopolitical domains. It aggregates intelligence about Iranian state-sponsored threat actors, sanctioned entities, infrastructure used in Iranian cyber operations, and related geopolitical developments.
For OSINT investigators working on Iran-related threat intelligence, sanctions compliance, or national security investigations, IRWatch provides a focused intelligence feed that covers a domain often underrepresented in general-purpose threat intelligence platforms.
Iranian cyber threat actors — including groups tracked as APT33, APT34, APT39, Charming Kitten, and others — represent persistent threats to government, defense, energy, and financial sector targets globally. IRWatch's threat actor tracking helps analysts understand the current activity, tooling, and infrastructure associated with these groups.
For sanctions compliance investigations, IRWatch provides intelligence about sanctioned Iranian entities and their digital infrastructure — domains, IP ranges, email patterns, and operational behavior — that helps compliance teams identify potential sanctions exposure in financial or business relationships.
The platform's infrastructure monitoring provides indicators of compromise (IOCs) associated with Iranian operations: malicious domains, C2 infrastructure, phishing campaigns, and malware families. These indicators can be directly incorporated into network defense rules or used to contextualize incidents involving Iranian-origin infrastructure.
Geopolitical reporting on IRWatch covers developments in Iranian cyber and information operations, supplying the strategic context that technical indicators alone cannot provide. Understanding campaign motivations, targeting patterns, and geopolitical triggers helps analysts anticipate and interpret technical findings.
For attribution investigations, IRWatch's aggregated intelligence about Iranian threat actor infrastructure, tooling, and operational patterns provides a reference baseline for comparing technical indicators found in an incident against known Iranian capabilities.
Always verify IRWatch intelligence against additional authoritative sources, including CISA advisories, DOJ indictments, and vendor threat intelligence reports. Document the specific indicators sourced from IRWatch with retrieval dates.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
CellMapper 2/4G
Geolocation OSINT
CellMapper is a crowd-sourced cellular tower and coverage mapping service.
Dual Maps
Geolocation OSINT
Dual Maps combines synchronized Google Maps, Aerial Imagery and Google Street View into one embeddable control.
Earth Explorer
Geolocation OSINT
USGS Earth Explorer provides access to satellite imagery, aerial photographs, and cartographic products for geospatial OSINT research.
Flash Earth
Geolocation OSINT
Flash Earth provides interactive satellite imagery with weather and radar overlays for geolocation verification and location intelligence.
GeoPlaner
Geolocation OSINT
GeoPlaner is a free GIS web tool for coordinate conversion, UTM-Lat/Lon transformation, geocoding, and waypoint editing for OSINT.
Geodetic Calculators
Geolocation OSINT
Geoscience Australia's geodetic calculators convert between coordinate systems and geographic datums for precision geolocation analysis.