The 2026 OSINT analyst’s stack has converged. For breach search and paste-site enumeration, IntelX dominates. For automated multi-source correlation, SpiderFoot. For graph-based analysis and reporting, Maltego. Used together they turn what used to be a week of investigation into a day. This tutorial walks through the workflow.
Step 1: IntelX for breach data and paste sites
IntelX indexes paste sites (Pastebin and dozens of clones), Tor pages, breach datasets, leak-site dumps, and a number of harder-to-reach sources. Their search UI takes an email, domain, IP, hash, or freetext and returns matches with date, source, and snippet preview.
Free tier gives limited daily searches. Professional tier (~$2,000/year) lifts the cap and unlocks bulk export. For active practice the professional tier is justified; for occasional research the free tier covers most needs.
Typical query: drop in a target domain (e.g., example.com). IntelX returns every paste, leak, and indexed Tor page that contains the domain. Sort by date. Read the most recent ones first: those are the active threats.
Step 2: SpiderFoot for breadth
SpiderFoot is the automation layer. Give it a target (domain, email, person’s name, IP) and it runs ~200 modules across dozens of OSINT data sources, correlating findings into a single report. The open-source version is free; SpiderFoot HX is a hosted SaaS at $50-$300/month for higher query volumes and team features.
Install:
    git clone https://github.com/smicallef/spiderfoot.git
    cd spiderfoot
    pip3 install -r requirements.txt
    python3 sf.py -l 127.0.0.1:5001
Open http://127.0.0.1:5001. Configure API keys for the modules that need them: Shodan, VirusTotal, Have I Been Pwned, AbuseIPDB, IntelX. Most have free tiers sufficient for occasional use.
Start a scan with the target domain. Choose “All” modules for the first run. Plan on 30-60 minutes for a thorough scan. The output is a tagged graph: domains, subdomains, employees, exposed services, breach hits, social profiles.
Step 3: Maltego for the narrative
SpiderFoot generates raw data; Maltego is where you turn it into something a human (a client, a court, a publication) can follow. Maltego’s strengths are graph visualisation, controlled transform application, and the ability to manually annotate the chain of reasoning.
Community Edition is free with limits. Professional is ~$1,000/year. For a single investigation Community is fine; for an investigations team, Professional pays for itself in the third case.
Workflow: import SpiderFoot’s findings (export as CSV, then import as Maltego entities). Centre the graph on the primary subject. Add transforms manually for any thread that needs deeper digging. Annotate every edge with the source and date. The final graph is your investigation memo.
Step 4: A worked example
Investigation: confirm whether a specific email is operating a fraud-related domain.
1. Plug the email into IntelX. Note any breach hits: those give you historical passwords and other accounts that share the password (account-correlation goldmine if you have legal authority to use it). Note paste-site appearances.
2. Run SpiderFoot with that email as the target. The “Email Address” entity type triggers modules across breach search, social-platform existence checks, and reverse-WHOIS lookups. The Have I Been Pwned and EmailRep modules are most useful for first-pass triage.
3. If SpiderFoot reveals a domain registered to that email (via reverse WHOIS), pivot: re-run SpiderFoot on the domain. Now you get every other domain registered by the same email.
4. Build the Maltego graph. Email at the centre, domains as one branch, social accounts as another, breach hits as historical evidence. Print or export as PDF for the writeup.
Step 5: Free fallback tooling
Budget zero? theHarvester for email/subdomain enumeration. SpiderFoot Community on local. Bellingcat’s Online Investigation Toolkit for the link-by-link approach. crt.sh for certificate-transparency searches. The skill is the same; the time taken is longer.
The discipline that makes the tools work
Tools surface candidate evidence; the human applies judgment. Two-of-three corroboration before publishing. Persona discipline so you don’t burn your real identity into the investigation. Every claim links back to a source in your graph. The Maltego file is the audit trail.
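The corroboration and source-linking rules above, and the CSV hand-off from Step 3, can be enforced before anything reaches the graph. The script below is an added example, not SpiderFoot or Maltego code: it groups exported findings, records which modules reported each one and when, and flags single-source claims. The export column layout, the sample rows, the output columns, and the reading of "two-of-three" as "at least two distinct modules" are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout assumed for a SpiderFoot CSV export
# (Updated, Type, Module, Source, F/P, Data); adjust names to match your export.
SAMPLE_EXPORT = """Updated,Type,Module,Source,F/P,Data
2026-01-10 09:12:01,AFFILIATE_INTERNET_NAME,sfp_whoxy,subject@example.com,0,shop-example.test
2026-01-10 09:14:40,AFFILIATE_INTERNET_NAME,sfp_viewdns,subject@example.com,0,shop-example.test
2026-01-10 09:15:02,AFFILIATE_INTERNET_NAME,sfp_whoxy,subject@example.com,0,pay-example.test
2026-01-10 09:20:11,EMAILADDR_COMPROMISED,sfp_haveibeenpwned,subject@example.com,0,subject@example.com [ConstructedBreach]
2026-01-10 09:21:30,AFFILIATE_INTERNET_NAME,sfp_viewdns,subject@example.com,1,old-example.test
"""

def corroborate(export_text, min_sources=2):
    """Group findings by (type, value) and record the modules behind each."""
    claims = defaultdict(lambda: {"modules": set(), "first_seen": None})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["F/P"].strip() == "1":  # already marked as a false positive
            continue
        key = (row["Type"].strip(), row["Data"].strip().lower())
        claim = claims[key]
        claim["modules"].add(row["Module"].strip())
        seen = row["Updated"].strip()  # YYYY-MM-DD HH:MM:SS sorts as text
        if claim["first_seen"] is None or seen < claim["first_seen"]:
            claim["first_seen"] = seen
    rows = []
    for (etype, value), c in sorted(claims.items()):
        rows.append({
            "type": etype, "value": value,
            "sources": ";".join(sorted(c["modules"])),
            "first_seen": c["first_seen"],
            "status": "corroborated" if len(c["modules"]) >= min_sources else "single-source",
        })
    return rows

def to_import_csv(rows):
    """Serialise claims so source, date and status travel with each entity."""
    fields = ["type", "value", "sources", "first_seen", "status"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_import_csv(corroborate(SAMPLE_EXPORT)))
```

Two modules can draw on the same upstream dataset, so a "corroborated" flag here means two reporting modules, not two independent sources; check that by hand before relying on it.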
Done well, this stack delivers investigations that hold up to legal review. Done badly (single-source claims, confirmation bias, missing notes), it produces work that gets retracted. The difference is process, not budget.
