
OSINT 101: a starter toolkit for 2026

By Jesse William McGraw, April 30, 2026
An investigator's workstation at night with multiple monitors showing maps and data, lit by neon green and cyan accents

There’s a particular kind of email I get every few weeks. It comes from someone who just discovered that "OSINT" is a real job, watched two Bellingcat videos on YouTube, and now wants to know which tool they should download first. The honest answer is "none of them, yet." But that’s a terrible newsletter, so here’s the longer version.

OSINT, open-source intelligence, is the practice of finding answers to questions using only information that’s publicly available. Journalists do it. So do cybersecurity teams, due-diligence analysts, recruiters, fraud investigators, lawyers, academics, and an increasing number of bored people on Twitter. The tools below are the ones I actually open in a working week. I’ve tried to flag the rough cost, the use case, and the trap that catches first-time users.

The free starter pack

OSINT Framework. Not a tool, more like a Yahoo directory from 1998 that aged unexpectedly well. It’s a tree of links to specialized search services, organized by what you’re looking for: usernames, IP addresses, public records, image search, and so on. When you don’t know what tool exists for a particular question, this is where you start.

Bellingcat’s Online Investigation Toolkit. The actual spreadsheet that the Bellingcat training program uses. It’s better-curated than OSINT Framework and gets updated more often. If you’re going to bookmark one resource on this list, make it this one.

Hunchly. Capture-as-you-browse. Every page you visit while a Hunchly case is open gets archived locally with a hash, so you have a record of exactly what you saw at the moment you saw it. This is the boring tool that separates serious investigators from people doing screenshots in Discord. Free trial; about $130/year if you keep it.

SpiderFoot CE. The community edition of SpiderFoot is a self-hosted automation platform. Point it at a domain, an email, or a person and it runs a few hundred passive collectors against the target and graphs the results. Steep learning curve and noisy output, but powerful once you’ve tuned it. Get it from the project’s GitHub.

Recon-ng. Console-style framework for people who like the command line. Modular, scriptable, and free. Lower production-readiness than SpiderFoot, but if you’re already living in a terminal you’ll prefer it.

The paid tools that earn their license fee

Maltego. The graph-based investigation tool everyone has heard of. Community Edition is free with limits; the commercial tiers buy you data integrations from Have I Been Pwned, OpenCorporates, Pipl, and a dozen other providers. The visual graph format genuinely changes how you think about a case. Worth it for analysts running multi-entity investigations; overkill for "find this one username."

OSINT.industries. A people-search aggregator that takes an email or username and returns the platforms it’s registered on, plus available metadata (display name, profile picture, registration date, etc.). Useful for due diligence and journalism. Around $30 per month last time I checked. The legitimate-use framing matters here: an OSINT.industries query against a person you have no professional reason to investigate is a privacy violation regardless of whether the data is technically public. I have a separate piece on the workflow.

Babel X or its competitors for multilingual social-media monitoring. Niche, expensive, brilliant if your investigation crosses language lines. You probably don’t need this on day one.

The category-specific tools

For images: TinEye, Yandex, Google Lens, and PimEyes (the last one with extreme caution; see the reverse-image-search piece for why). For domains: WHOIS history at SecurityTrails, DomainTools, or ViewDNS. For corporate filings: OpenCorporates is free for most jurisdictions. For maritime: MarineTraffic and AIS Hub. For aviation: ADS-B Exchange. For archived web: the Wayback Machine first, then archive.today as a fallback for anything Wayback won’t fetch.

What I’d skip on day one

Anything that markets itself as "AI-powered OSINT" with no specifics. Anything that asks for your full name, employer, and a credit card before showing you a sample report. Anything that returns "1,000 free leads" of contact data; that’s an ad-tech database with an OSINT label.

The trap

The trap is buying tools before you have a process. Tools amplify whatever workflow you already have, including the bad parts. Spend the first month of doing OSINT seriously building a habit of: writing down the question before you start, capturing every page you visit, noting your confidence level for each finding, and reviewing your work the next morning. Once that’s automatic, the tools will pick themselves; you’ll know exactly what gap you’re trying to fill.

The Bellingcat workshop I sat through in 2023 made the same point three different ways. I have not had reason to disagree with it since.
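
The habits described above (question written down first, every visited page captured with a hash, a confidence level per finding, a next-morning review) can be shown as a small case log. This is an added example in Python, not code from this article and not how Hunchly works internally; the function names, the log layout and the chaining of entries by hash are assumptions, and the sample page is constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

CONFIDENCE = ("low", "medium", "high")
# Constructed sample page (example.org is a reserved documentation domain).
SAMPLE_URL = "https://example.org/profile"
SAMPLE_BODY = b"<html><body>Constructed sample page</body></html>"

def new_case(question):
    """Start a case by writing down the question first."""
    return {"question": question, "entries": []}

def _digest(entry):
    """Hash every field except entry_hash, in a stable key order."""
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def capture(case, url, body, finding, confidence, when=None):
    """Record one visited page: content hash, finding, confidence, timestamp."""
    if confidence not in CONFIDENCE:
        raise ValueError(f"confidence must be one of {CONFIDENCE}")
    prev = case["entries"][-1]["entry_hash"] if case["entries"] else "0" * 64
    entry = {
        "url": url,
        "captured_at": (when or datetime.now(timezone.utc)).isoformat(),
        "sha256": hashlib.sha256(body).hexdigest(),  # what you saw, when you saw it
        "finding": finding,
        "confidence": confidence,
        "prev": prev,  # links each entry to the one before it
    }
    entry["entry_hash"] = _digest(entry)
    case["entries"].append(entry)
    return entry

def verify(case, archive):
    """Next-morning review: return a list of problems (empty means intact).

    archive maps url -> the bytes saved locally at capture time.
    """
    problems, prev = [], "0" * 64
    for i, e in enumerate(case["entries"]):
        if e["prev"] != prev or e["entry_hash"] != _digest(e):
            problems.append(f"entry {i}: log record altered")
        if hashlib.sha256(archive.get(e["url"], b"")).hexdigest() != e["sha256"]:
            problems.append(f"entry {i}: archived copy does not match hash")
        prev = e["entry_hash"]
    return problems
```

An empty list from `verify` means the saved copies still match what was hashed at capture time and no finding or confidence level was edited afterwards.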

Further reading

  • The OSINT Curious Project, community blog, frequent how-to posts
  • SANS SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis, the canonical paid training
  • IntelTechniques, Michael Bazzell’s tools and books
  • Bellingcat, investigations and method posts

If you read three pieces from those four links you’ll be more useful than half the people who claim "OSINT analyst" on LinkedIn. That is, sadly, not a high bar.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.

© 2026 Ransomnews.com
