
Maltego, SpiderFoot, Recon-ng: A Practical Comparison of OSINT Frameworks

By Jesse William McGraw, April 26, 2026

"OSINT framework" is a vague category. The tools that fall in it range from simple aggregators to full investigation platforms. Three frameworks dominate the space for serious investigative work: Maltego, SpiderFoot, and Recon-ng. They have meaningfully different philosophies, strengths, and operating models. Understanding which is suited to which task is one of the more useful pieces of practical OSINT knowledge.

A direct comparison.

Maltego

Maltego, by Paterva (now Maltego Technology), is the visual link-analysis platform. Its primary mode is graph-based: nodes are entities (people, domains, IP addresses, social-media accounts, organisations), edges are relationships, and "transforms" are operations that take an existing entity and produce related entities. Right-click a domain, run the "To DNS Name [Subdomain]" transform, and a graph of subdomains appears connected to the parent.

Strengths:

Visual investigation at scale. Complex investigations with many entities benefit from a graph layout that makes relationships visible.

Mature transform marketplace. Hundreds of transforms covering DNS, WHOIS, social media, threat intelligence, breach data, and a long list of commercial data sources.

Workflow for analysts. The graph format is good for collaborative investigation, presentation to non-technical stakeholders, and iterative deepening of investigations.

Active commercial backing and continued development.

Weaknesses:

Cost. The Community Edition is free with restrictions; the Pro and CE+ tiers and many transforms have substantial costs. Serious commercial use lands at thousands of dollars per analyst per year.

Not optimal for automation. Maltego is fundamentally interactive; running large-scale automated reconnaissance is not its primary use case.

Closed source. Trust in the platform is trust in Paterva.

When to use Maltego: investigations with many connected entities, work that benefits from visual representation, contexts where presenting findings to others is part of the work, situations where you want to use commercial data sources via their hub.

Documentation at maltego.com.

SpiderFoot

SpiderFoot, originally by Steve Micallef and now maintained at spiderfoot.net with an HX commercial version, is the automated reconnaissance engine. Give it a target (domain, IP, person’s name, email address, phone number) and it runs a comprehensive set of modules to gather everything publicly available. The output is a structured database of findings rather than a visual graph.

Strengths:

Comprehensive automation. SpiderFoot has 200+ modules covering DNS, certificates, social media, breach data, threat intelligence, search engines, and many more. A single scan produces extensive coverage.

Open-source core. The community edition is fully open-source. The HX commercial offering has additional features (cloud hosting, more frequent updates, advanced visualisations) but the core is auditable.

API integration. It can be scripted into automated workflows or CI/CD-style continuous monitoring of an attack surface.

Lightweight. Runs on modest hardware; can be deployed on a VPS for ongoing scanning.

Weaknesses:

Output is structured but not naturally visual. Some teams build their own visualisation on top of SpiderFoot’s output.

Quality varies by module. Some are excellent; some return little useful data; some require API keys to be most effective.

Less interactive than Maltego. A SpiderFoot scan is "submit and review"; iterative deepening is less natural.

When to use SpiderFoot: continuous attack-surface monitoring, comprehensive initial recon of a new target, automated workflows where scans need to run on a schedule, situations where output will be consumed by another tool.

The CLI version, the web UI, and the SpiderFoot HX cloud service all provide different experiences.

Recon-ng

Recon-ng, originally by Tim Tomes (lanmaster53) and hosted at github.com/lanmaster53/recon-ng, is the modular CLI framework. Designed in the style of Metasploit (modules, workspaces, structured commands), it provides a programmatic environment for OSINT investigations.

Strengths:

Programmable and scriptable. The CLI interface is composable; complex multi-step investigations can be encoded as resource files.

Open-source and extensible. Writing new modules is straightforward; the community has produced hundreds.

Workspace model. Investigations are stored in workspaces; you can switch between them and resume later.

Strong for technical investigators. Familiar paradigm for anyone who has used Metasploit-style frameworks.

Weaknesses:

CLI-only by default. No native graph visualisation; output is tables and CSV.

Module quality is uneven. The flexibility comes with maintenance burden; some modules atrophy.

Steeper learning curve than Maltego or SpiderFoot. Effective use requires comfort with the framework.

When to use Recon-ng: technical investigators comfortable in CLI, situations where automation and reproducibility matter, custom modules that integrate proprietary data sources, environments where the GUI of Maltego or the cloud-only HX of SpiderFoot are unwelcome.

Beyond these three

Several other tools deserve mention as alternatives or complements:

OSINT Framework (osintframework.com). Not a framework in the software sense; a curated tree of OSINT resources organised by category. Useful as a starting point for "what tool do I use for X."

theHarvester (github.com/laramies/theHarvester). Email and subdomain harvester from search engines and other sources. Narrower scope than the three frameworks above; lighter weight.

Buscador / Trace Labs OSINT VM. Pre-configured Linux VMs with OSINT tooling installed. Useful for getting a complete environment quickly.

OSINT Industries (osint.industries). Commercial; specialised in social-media account discovery from email addresses and phone numbers.

IntelTechniques tools and the broader ecosystem maintained by Michael Bazzell. Many are web-based query interfaces to underlying APIs.

Custom Python with libraries like dnspython, python-whois, requests, beautifulsoup. Many advanced practitioners build their own tooling on top of these primitives.

A practical workflow combining frameworks

A real investigation often uses multiple tools at different stages:

Initial comprehensive scan. SpiderFoot to broadly gather everything publicly available about a target.

Manual review and pivot. Examine SpiderFoot output, identify interesting findings, decide what to investigate further.

Visual link analysis. Import key findings into Maltego, run additional transforms specific to the line of investigation, and build a visual representation of the relationships.

Targeted technical recon. Use Recon-ng or specific tools (Amass for subdomains, Censys for infrastructure, etc.) to deepen specific elements.

Verification and documentation. Cross-check findings, document sources, build a final report with methodology, findings, and confidence levels.

The frameworks complement each other. Choosing only one limits the investigation; using all three (or multiple equivalents) gives the broadest coverage.

Operational considerations

A few things worth noting:

API keys and rate limits. Many OSINT frameworks integrate with third-party APIs (Shodan, Censys, VirusTotal, HaveIBeenPwned, SecurityTrails, etc.). Effective use requires API keys and respect for rate limits.

Cost accumulation. Commercial data sources (Maltego transforms, SpiderFoot HX, premium APIs) add up. A serious investigative practice often spends thousands per month on data feeds.

Data hygiene. OSINT investigations accumulate data quickly. Organising it (Maltego graphs, SpiderFoot scans, Recon-ng workspaces) is part of the discipline.

Tracking attribution. The data you gather has provenance; documenting where each finding came from is essential for any output that will be reviewed or published.

OPSEC for the investigator. Some queries reveal interest in the target. Sensitive investigations may require operating from non-attributable infrastructure (covered in the OSINT fundamentals post).
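The "Tracking attribution" point above and the "Verification and documentation" step of the workflow can be made concrete with a small provenance ledger. This is an added example, not code from the article or from any of the three frameworks; the record fields, the origin labels and the sample observations are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    kind: str    # entity type, e.g. "hostname" or "email"
    value: str   # raw value as the tool reported it
    tool: str    # framework that returned it
    origin: str  # upstream data source the tool queried (hypothetical labels)
    seen: str    # ISO 8601 collection date

def normalise(kind, value):
    """Canonical key so one entity reported by several tools merges."""
    v = value.strip().lower()
    return (kind, v.rstrip(".") if kind == "hostname" else v)

def confidence(records):
    """Corroboration needs distinct upstream origins, not distinct tools:
    two frameworks querying the same feed count as one source."""
    return "corroborated" if len({r.origin for r in records}) >= 2 else "single-source"

def build_report(observations):
    """Return one entry per entity with its full provenance trail."""
    ledger = defaultdict(list)
    for ob in observations:
        ledger[normalise(ob.kind, ob.value)].append(ob)
    report = []
    for entity, records in sorted(ledger.items()):
        report.append({
            "entity": entity,
            "confidence": confidence(records),
            "first_seen": min(r.seen for r in records),
            "provenance": sorted((r.tool, r.origin, r.seen) for r in records),
        })
    return report

# Constructed sample data; example.com is a reserved documentation domain.
SAMPLE = [
    Observation("hostname", "VPN.Example.com.", "spiderfoot", "certificate-transparency", "2026-04-20"),
    Observation("hostname", "vpn.example.com", "recon-ng", "certificate-transparency", "2026-04-21"),
    Observation("hostname", "vpn.example.com", "maltego", "passive-dns", "2026-04-22"),
    Observation("hostname", "mail.example.com", "spiderfoot", "certificate-transparency", "2026-04-20"),
    Observation("hostname", "mail.example.com", "recon-ng", "certificate-transparency", "2026-04-21"),
    Observation("email", "admin@example.com", "spiderfoot", "search-engine", "2026-04-20"),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE):
        print(row["confidence"], row["entity"], row["provenance"])
```

In the sample, mail.example.com is reported by two frameworks but stays single-source because both drew on the same upstream feed.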

The 2026 picture

The OSINT framework category continues to evolve:

Maltego has expanded into integrated investigation case management, threat-intelligence integration, and AI-assisted analysis features. Pricing and complexity have grown.

SpiderFoot’s open-source core remains the workhorse for many practitioners; the HX cloud version is increasingly capable.

Recon-ng is steady, actively maintained, popular among technical investigators, holding its niche.

New entrants are emerging. The OSINT-as-a-service market has grown substantially; several startups offer SaaS investigation platforms with various focuses.

AI integration is starting to appear. LLM-assisted summarisation of findings, automated correlation suggestions, and natural-language query interfaces are being added across the category.

For a practitioner choosing where to invest learning effort:

If you are doing investigative work with stakeholders and need visual presentation, learn Maltego. The CE+ tier is reasonable for initial investment.

If you are doing technical recon at scale or attack-surface management, learn SpiderFoot.

If you are a security technician comfortable in CLI and want maximum scriptability, learn Recon-ng.

The category has matured to the point where there are credible options for any reasonable workflow. The choice is matching tool to use case rather than picking the "best." OSINT, like most investigative disciplines, rewards practitioners who know multiple tools and can choose appropriately.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
