Modern OSINT (Open Source Intelligence) Tools 2026 Deep Dive - Maltego, Spiderfoot HX, Recon-ng, theHarvester, OSINT Industries, Trace Labs, Bellingcat, Lampyre, Aleph Project, TheHive Field Guide
Intro — In May 2026, OSINT Has Become a Cross-Discipline Skill
Five years ago, OSINT (Open Source Intelligence) was largely the domain of intelligence agencies, a handful of investigative outlets, and some security teams. In May 2026, that boundary has all but dissolved. **Investigative journalism** (Bellingcat, OCCRP, ProPublica, Newstapa in Korea, OCCRP Japan), **threat intelligence** (Recorded Future, Mandiant, Group-IB), **due diligence** (Sayari, Kharon, Castellum.AI), **missing-person response** (the Trace Labs CTF format), **AML and sanctions**, **fraud investigations**, and **social media monitoring** all share roughly the same tool stack now.
This post is not a marketing matrix. It is an honest accounting of what fits where as of this date — Maltego 4.6 shifts, the Spiderfoot HX SaaS tier, Recon-ng 6.x, the limits of theHarvester, premium aggregators like OSINT Industries, Epieos, and Pimeyes, AI geolocation models such as GeoSpy AI, OCCRP's Aleph Project, the Trace Labs CTF format, and post-EU-AI-Act facial recognition restrictions.
OSINT in 2026 — Who Uses It and for What Cases
In May 2026, OSINT users fall into six broad groups.
1. **Investigative journalism**: Bellingcat, OCCRP, ICIJ, ProPublica, Newstapa. MH17, Syrian chemical weapons, the Ukraine war, the Panama/Pandora/Pluto Papers.
2. **Cyber threat intelligence (CTI)**: Mandiant, Recorded Future, the Microsoft Threat Intelligence Center (MSTIC), Group-IB. Domain, IOC, and infrastructure tracking.
3. **Financial and sanctions compliance**: Sayari, Kharon, Castellum.AI, Refinitiv World-Check, Dow Jones Risk. UBO (ultimate beneficial owner) research, sanctions-evasion investigations.
4. **Missing persons and trafficking response**: the Trace Labs CTF, NCMEC, Polaris Project. Volunteer-driven citizen OSINT.
5. **Law enforcement and government**: Europol, Interpol, Korea's NIS, JPCERT/CC, NICT NICTER, Japan's PSIA. Within the lawful collection envelope.
6. **Private investigations and brand monitoring**: Mintel, Kroll, K2 Integrity, Hill & Knowlton. M&A diligence, reputation monitoring.
The workflows differ but the tool stack overlaps by roughly 90 percent. **Link analysis (Maltego / Aleph)**, **automated recon (Spiderfoot / Recon-ng)**, **people tracking (Sherlock / Epieos)**, **infrastructure lookups (Shodan / Censys)**, **breach databases (HIBP / DeHashed)**, **geolocation (GeoSpy / Mapillary)**, and **the dark web (Tor / Ahmia)** form the seven standard layers.
Link Analysis — Maltego, Lampyre, i2 Analyst's Notebook, Cytoscape, Aleph
Link analysis is OSINT's signature visualisation. You graph data as "entities (nodes) and relationships (edges)" and look for patterns.
- **Maltego 4.6**: The de facto standard. Built by Paterva and now run by Maltego Technologies (Germany). The Community Edition is free but limited to 12 entities per graph, with **Maltego Professional** around 999 EUR per year, and **Classic** and **XL** as the enterprise tiers. The plug-in ecosystem of "Transforms" is the real moat — as of 2026 the Transform Hub lists more than 400 transforms.
- **Lampyre**: A Windows desktop tool from the Russian OSINT Academy. Strong on geospatial, infrastructure, and people analytics with bundled data sources, so it works as a standalone product. The visuals are rougher than Maltego's, but the pricing is far lower.
- **IBM i2 Analyst's Notebook**: The government and law-enforcement standard. Older than Maltego, with a heavy LE market share. Expensive and closed, so citizen-OSINT circles barely touch it.
- **Cytoscape**: Open source. Originally for bioinformatics, but more than capable for OSINT graph work. The strong JSON import makes it easy to ingest Spiderfoot output.
- **Aleph Project (OCCRP)**: The investigative-journalism standard. A platform for searching and graph-exploring leak datasets (the Panama Papers, Pandora Papers, Russian-asset data). ICIJ member outlets pair it with ICIJ Datashare as their default workflow.
A typical Maltego flow looks like this:
1. Create New Graph
2. Drag a Domain entity onto the canvas, enter the domain (e.g. example.com)
3. Right-click > Run Transform > "To DNS Name [Robtex]"
4. Chain additional transforms across the new nodes
5. Tidy with Layout > Block Layout or Hierarchical
6. Record hypotheses with Notes / Bookmarks
7. Save as Maltego Graph (.mtgx)
Maltego is powerful but the learning curve is steep, and the Community license is in practice a training license. The 2026 majority view is that **practical OSINT entry is faster via Spiderfoot than via Maltego**.
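The "entities and relationships" idea above is easiest to see on real recon output. This added example (not code from Spiderfoot, Cytoscape or the post) turns a Spiderfoot CSV export into the Cytoscape.js graph format that Cytoscape imports, dropping rows the analyst flagged as false positives, and then lists pivot nodes reached from more than one source. It assumes the web-UI export layout (columns Updated, Type, Module, Source, F/P, Data); the sample rows are constructed.

```python
"""Spiderfoot CSV export -> Cytoscape.js graph, plus pivot-point detection."""
import csv
import io
import json

# Assumed layout of the Spiderfoot web-UI CSV export; adjust if yours differs.
COLS = ("Updated", "Type", "Module", "Source", "F/P", "Data")

# Constructed sample export (TEST-NET address, invented hostnames), not real scan output.
# Row 5 is flagged as a false positive (F/P=1); row 6 duplicates row 1.
SAMPLE_CSV = """\
Updated,Type,Module,Source,F/P,Data
2026-05-01 10:00:00,INTERNET_NAME,sfp_dnsresolve,example.com,0,www.example.com
2026-05-01 10:00:01,IP_ADDRESS,sfp_dnsresolve,www.example.com,0,198.51.100.10
2026-05-01 10:00:02,INTERNET_NAME,sfp_crt,example.com,0,mail.example.com
2026-05-01 10:00:03,IP_ADDRESS,sfp_dnsresolve,mail.example.com,0,198.51.100.10
2026-05-01 10:00:04,EMAILADDR,sfp_hunter,example.com,1,bogus@example.com
2026-05-01 10:00:05,INTERNET_NAME,sfp_dnsresolve,example.com,0,www.example.com
"""


def spiderfoot_csv_to_cytoscape(csv_text: str, drop_false_positives: bool = True) -> dict:
    """Build {"elements": {"nodes": [...], "edges": [...]}} (Cytoscape.js format).
    Each distinct Data value becomes a node typed by Spiderfoot's Type column;
    each Source -> Data row becomes a directed edge labelled with the module."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    missing = [c for c in COLS if rows and c not in rows[0]]
    if missing:
        raise ValueError(f"unexpected export layout, missing columns: {missing}")
    if drop_false_positives:
        rows = [r for r in rows if r["F/P"].strip() != "1"]  # analyst-flagged rows
    node_type: dict[str, str] = {}
    for r in rows:
        node_type.setdefault(r["Data"], r["Type"])  # first type seen for a value wins
    for r in rows:
        node_type.setdefault(r["Source"], "SEED")   # never produced by a module: the seed
    nodes = [{"data": {"id": v, "label": v, "type": t}} for v, t in node_type.items()]
    edges, seen = [], set()
    for r in rows:
        key = (r["Source"], r["Data"], r["Module"])
        if key in seen:
            continue                                # same finding reported twice
        seen.add(key)
        edges.append({"data": {"id": f"e{len(edges)}", "source": r["Source"],
                               "target": r["Data"], "module": r["Module"],
                               "updated": r["Updated"]}})
    return {"elements": {"nodes": nodes, "edges": edges}}


def pivots(graph: dict, min_sources: int = 2) -> list[tuple[str, list[str]]]:
    """Entities reached from several distinct sources (shared hosting, a reused
    mail server, a common registrant): the first nodes to look at in link analysis."""
    sources: dict[str, set[str]] = {}
    for e in graph["elements"]["edges"]:
        sources.setdefault(e["data"]["target"], set()).add(e["data"]["source"])
    return sorted((t, sorted(s)) for t, s in sources.items() if len(s) >= min_sources)


def to_cyjs(graph: dict) -> str:
    """Serialise for Cytoscape (import as a .cyjs network file) or Cytoscape.js."""
    return json.dumps(graph, indent=2)


if __name__ == "__main__":
    g = spiderfoot_csv_to_cytoscape(SAMPLE_CSV)
    print(f"{len(g['elements']['nodes'])} nodes, {len(g['elements']['edges'])} edges")
    for target, srcs in pivots(g):
        print(f"pivot: {target} <- {', '.join(srcs)}")
    open("spiderfoot.cyjs", "w").write(to_cyjs(g))
```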
Automated Recon — Spiderfoot HX, Recon-ng, theHarvester, OSRFramework
Automated reconnaissance tools take a single target (a domain, an email, a person's name) and fan out across every available OSINT source.
- **Spiderfoot HX**: Built by Steve Micallef. The open-source Spiderfoot CE is free on GitHub, while **Spiderfoot HX** (SaaS) starts around 79 USD per month. It ships over 200 modules across passive, investigate, and footprint scan modes, and from a single seed (domain, IP, email, name, or hash) it expands the target graph automatically.
- **Recon-ng 6.x**: Tim Tomes's Python-based modular reconnaissance framework. The CLI UX echoes Metasploit. There are about 80 modules in the base ship and more from the marketplace.
- **theHarvester**: One of the oldest OSINT tools, specialised for email, domain, and subdomain harvesting. It cross-queries search engines like Google, Bing, LinkedIn, GitHub, Shodan, and Censys. The limits are obvious, so it lives in the "first 5 minutes of recon" slot.
- **OSRFramework**: A username and profile enumeration suite — usufy, mailfy, searchfy, phonefy, and entify. In 2026 it has largely been displaced by Sherlock and Maigret.
- **OSINT-SAN**: Part of the Adrian Lamo Tribute Project lineage. An integrated OSINT framework.
- **DataSurgeon**: A Rust-based regex IOC extractor. It rips emails, URLs, phone numbers, hashes, and Bitcoin addresses out of PDFs, HTML, and logs at speed.
A typical theHarvester invocation looks like this:
theHarvester -d example.com -l 500 -b bing,duckduckgo,crtsh
Spiderfoot CE is self-hosted: stand it up as an HTTP server and drive it from the web UI.
git clone https://github.com/smicallef/spiderfoot
cd spiderfoot
pip3 install -r requirements.txt
python3 sf.py -l 127.0.0.1:5001
Recon-ng is an interactive CLI.
[recon-ng][default] > marketplace install all
[recon-ng][default] > workspaces create demo
[recon-ng][demo] > modules load recon/domains-hosts/hackertarget
[recon-ng][demo][hackertarget] > options set SOURCE example.com
[recon-ng][demo][hackertarget] > run
The shared weakness of automated recon tooling is "API keys and cost". The Shodan, Censys, and SecurityTrails free tiers are so tight that serious work requires paid keys.
People and Accounts — Sherlock, Maigret, WhatsMyName, OSINT Industries, Epieos
The first move when tracking a person is usually checking which sites a given username has been registered on.
- **Sherlock**: The best-known username-enumeration tool. Written in Python, it checks 400+ sites in parallel. Free and open source.
- **Maigret**: The de facto Sherlock successor. More sites (2500+), Tor support, and richer metadata extraction.
- **WhatsMyName**: Web-based and run by WebBreacher. Punch in a username from your browser and see which sites have an account.
- **OSINT Industries**: A premium SaaS aggregator. Submit an email, phone, or username and it returns a single view of every commercial-and-internal-dataset hit — linked social accounts, registered services, exposed metadata. Roughly 0.5 to 2 USD per query. Many of its licenses go to law enforcement and investigative firms.
- **Hunter.io and Snov.io**: Email recon. Give them a domain and you get back the staff email pattern. Primarily B2B sales tooling, but heavily used in OSINT.
- **Epieos**: Email and phone reverse-search. From a Gmail account it surfaces the linked Google ID's public traces (reviews, Maps activity, calendar metadata).
- **Spy Dialer and TruePeopleSearch**: US-centric people-search services. Almost no use cases inside Korea, but standard fare for US-subject investigations.
Sherlock is trivially simple to run.
pip install sherlock-project
sherlock johndoe
OSINT Industries ships both a web console and a CLI / API. Results come back as JSON and feed naturally into Maltego and Aleph.
The biggest concern in this category is **privacy and stalking risk**. The same tools can power stalkerware, so vendors have moved toward requiring an attestation of purpose and revoking access when usage logs, consent, or a legitimate purpose are not on file.
Image and Reverse Search — Yandex, Bing, Google Lens, TinEye, Pimeyes, FaceCheck.ID
Image OSINT is the fastest-moving category in 2026.
- **Google Lens**: Strong on generic object and text recognition. Face search is policy-restricted.
- **Yandex Images**: The OSINT community's favourite reverse-image engine. It is uniquely strong on face-based matching and is the de facto first tool in Russia-Ukraine war OSINT.
- **Bing Visual Search**: Microsoft's option. Good on generic objects, restricted on faces.
- **TinEye**: The oldest reverse-image service. Specialised for exact-image matching and does not do face recognition.
- **Pimeyes**: A Polish service specialised in **face search**. Upload one face and it surfaces other web-exposed photos of the same person. Subscription pricing. In 2026, GDPR enforcement and the EU AI Act forced policy changes that block unrestricted searches against EU citizens.
- **FaceCheck.ID**: A more aggressive face-search latecomer than Pimeyes. The ethical controversy around it is significant.
- **InVID and WeVerify**: A joint browser extension. Bundles video keyframe extraction, metadata analysis, and reverse search behind a single UI (covered in detail in the iter94 fact-checking post).
Standard OSINT practice is to throw any image at three or more engines (Google Lens, Yandex, Bing) at once. "Match in Yandex but no match in Google" is a common pattern.
Geolocation — SunCalc, GeoGuessr Technique, Mapillary, GeoSpy AI
Inferring where a photo or video was taken is the marquee OSINT discipline.
- **SunCalc / SunCalc.org**: Plug in latitude, longitude, date, and time to compute the sun's position and shadow direction. The standard tool for back-solving time of day or facing direction from shadows.
- **GeoGuessr plus community technique**: Nominally a game, but heavy-duty OSINT training. It teaches the per-country signals — road signs, license plates, bollard shapes, road-marking patterns — that ground geolocation.
- **Mapillary, KartaView, Google Street View**: Street-view comparison. Mapillary is a Meta subsidiary; KartaView is part of Grab. Both lean heavily on user-contributed imagery for non-urban areas.
- **GeoSpy AI**: The 2024 wave of AI geolocation models. Returns an estimated lat / lon plus a confidence interval from a single landscape photo. Bellingcat and OCCRP adopted it through 2025. Free tier and paid API both exist.
- **Telegram and GeoChat-style bots**: Chat-room bots that take a location prompt and return nearby mapping and social-media hits. Accuracy varies wildly.
For geolocation, **methodology drives 80 percent of the result, not the tool itself**. The Bellingcat standard flow is (1) terrain cues (mountains, rivers, coastline) -> (2) artefacts (buildings, signage, roads) -> (3) shadows and sun -> (4) vehicles and vegetation -> (5) final cross-check against Street View or Mapillary.
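The shadow step in that flow is pure arithmetic, which is what SunCalc does behind its map. This added example (not code from the post or from SunCalc.org) implements a NOAA-style solar position routine, derives the bearing a shadow points along, and back-solves the time of day from an observed shadow bearing for a known location and date. It ignores atmospheric refraction, which matters only with the sun on the horizon; longitudes are east-positive and times are UTC.

```python
"""Sun azimuth/elevation, shadow bearing, and time-of-day back-solve from a shadow."""
import math
from datetime import date, datetime, timedelta, timezone


def parse_utc(iso: str) -> datetime:
    """'2024-06-21T12:00' -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def julian_day(dt: datetime) -> float:
    """Fractional Julian Day of a timezone-aware datetime."""
    dt = dt.astimezone(timezone.utc)
    y, m = dt.year, dt.month
    d = dt.day + (dt.hour + dt.minute / 60 + dt.second / 3600) / 24
    if m <= 2:
        y, m = y - 1, m + 12
    a = y // 100
    b = 2 - a + a // 4
    return int(365.25 * (y + 4716)) + int(30.6001 * (m + 1)) + d + b - 1524.5


def solar_position(lat: float, lon: float, dt: datetime) -> tuple[float, float]:
    """(azimuth, elevation) in degrees; azimuth clockwise from true north."""
    r, dg, sin, cos = math.radians, math.degrees, math.sin, math.cos
    jc = (julian_day(dt) - 2451545.0) / 36525.0                    # centuries since J2000
    l0 = (280.46646 + jc * (36000.76983 + jc * 0.0003032)) % 360   # geometric mean longitude
    m = 357.52911 + jc * (35999.05029 - 0.0001537 * jc)            # mean anomaly
    e = 0.016708634 - jc * (0.000042037 + 0.0000001267 * jc)       # orbital eccentricity
    c = (sin(r(m)) * (1.914602 - jc * (0.004817 + 0.000014 * jc))
         + sin(r(2 * m)) * (0.019993 - 0.000101 * jc)
         + sin(r(3 * m)) * 0.000289)                               # equation of centre
    omega = 125.04 - 1934.136 * jc
    app_long = l0 + c - 0.00569 - 0.00478 * sin(r(omega))          # apparent longitude
    obliq = (23 + (26 + (21.448 - jc * (46.815 + jc * (0.00059 - jc * 0.001813))) / 60) / 60
             + 0.00256 * cos(r(omega)))                            # corrected obliquity
    decl = dg(math.asin(sin(r(obliq)) * sin(r(app_long))))         # declination
    y = math.tan(r(obliq / 2)) ** 2
    eqt = 4 * dg(y * sin(2 * r(l0)) - 2 * e * sin(r(m))
                 + 4 * e * y * sin(r(m)) * cos(2 * r(l0))
                 - 0.5 * y * y * sin(4 * r(l0))
                 - 1.25 * e * e * sin(2 * r(m)))                   # equation of time, minutes
    utc = dt.astimezone(timezone.utc)
    minutes = utc.hour * 60 + utc.minute + utc.second / 60
    ha = ((minutes + eqt + 4 * lon) % 1440) / 4 - 180              # hour angle, <0 before solar noon
    cos_z = sin(r(lat)) * sin(r(decl)) + cos(r(lat)) * cos(r(decl)) * cos(r(ha))
    zenith = dg(math.acos(max(-1.0, min(1.0, cos_z))))
    if zenith < 1e-9:
        return 0.0, 90.0                                           # sun overhead: no azimuth
    arg = (sin(r(lat)) * cos(r(zenith)) - sin(r(decl))) / (cos(r(lat)) * sin(r(zenith)))
    base = dg(math.acos(max(-1.0, min(1.0, arg))))
    az = (base + 180) % 360 if ha > 0 else (540 - base) % 360
    return az, 90 - zenith


def shadow_bearing(azimuth: float) -> float:
    """Compass bearing a vertical object's shadow points along (opposite the sun)."""
    return (azimuth + 180) % 360


def time_from_shadow(lat: float, lon: float, day: str, bearing: float) -> tuple[datetime, float]:
    """Scan the UTC day ('YYYY-MM-DD') minute by minute; return the daylight instant
    whose shadow bearing is closest to the observed one, plus the residual in degrees."""
    d = date.fromisoformat(day)
    start = datetime(d.year, d.month, d.day, tzinfo=timezone.utc)
    best, best_err = start, 360.0
    for i in range(1440):
        t = start + timedelta(minutes=i)
        az, el = solar_position(lat, lon, t)
        if el <= 0:
            continue                                               # no sun, no shadow
        err = abs((shadow_bearing(az) - bearing + 180) % 360 - 180)  # wrap-around difference
        if err < best_err:
            best, best_err = t, err
    return best, best_err


if __name__ == "__main__":
    lat, lon = 51.5074, -0.1278                                    # London
    az, el = solar_position(lat, lon, parse_utc("2024-06-21T12:00"))
    print(f"12:00 UTC: sun az {az:.1f}, el {el:.1f}, shadow points {shadow_bearing(az):.1f}")
    t, err = time_from_shadow(lat, lon, "2024-06-21", 60.0)
    print(f"shadow pointing 060 that day -> about {t:%H:%M} UTC (residual {err:.2f} deg)")
```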
Social Media OSINT — X, Telegram, Discord, Reddit, Mastodon, LinkedIn
OSINT friendliness varies sharply by platform.
- **X (Twitter)**: The 2023 API price increase wiped out a large slice of free OSINT capability. In 2026, the X Premium API starts at roughly 5000 USD per month. Unofficial tools (Nitter, snscrape) break constantly because of blocking and rendering changes.
- **Telegram**: The hottest OSINT target. Channel and group monitoring runs on services like TGStat, Telemetr.io, and Tgstat.ru, which provide message search, top-channel ranking, and timing analysis.
- **Discord**: Bot-based monitoring is the norm. Discord ToS forbids automated scraping, so lawful OSINT is limited to data accessible after the bot is invited to a server.
- **Reddit**: The 2023 sunset of the Pushshift API was a major OSINT loss. From 2024 to 2026 unofficial replacements emerged under names like r/PushshiftReplacement, but historical coverage is patchy.
- **Mastodon and the ActivityPub federation**: A major OSINT target since 2024. Discovery is harder because instances are decentralised, but ActivityPub-wide search tools have multiplied.
- **LinkedIn**: PhantomBuster, Apollo.io, and Lusha are the staples for person and company extraction. LinkedIn ToS and GDPR / CCPA exposure are the dominant risks.
The platform-OSINT trend line is consistent: **API prices climb, unofficial scraping erodes**. The money flows toward commercial aggregators like OSINT Industries.
Domain and Infrastructure — Shodan, Censys, SecurityTrails, DomainTools, VirusTotal
This is the threat-intel core.
- **Shodan**: The original "search engine for the internet". It indexes exposed services, ports, and banners. Roughly 99 USD per year for student and researcher tiers; business pricing climbs from there.
- **Censys**: Shodan's strongest competitor, with academic roots at the University of Michigan. Its TLS certificate search is uniquely strong. The free tier is 250 queries per month.
- **ZoomEye**: Run by China's Knownsec. Strong coverage of APAC IP space.
- **Fofa**: Another Chinese option, in the same niche as ZoomEye.
- **SecurityTrails**: Specialised for domain history, subdomain enumeration, and DNS-change tracking.
- **DomainTools**: The WHOIS-history standard. Expensive, but effectively mandatory in LE and CTI work.
- **PassiveTotal (RiskIQ -> Microsoft Defender Threat Intelligence)**: Folded into MDTI after Microsoft acquired RiskIQ. Domain, IP, SSL, WHOIS, and PDNS in a single console.
- **VirusTotal**: A Google subsidiary. Files, URLs, domains, and IPs run against 70+ AV and threat-intel sources at once. The CTI default.
- **URLscan.io**: Loads a URL in a headless browser and records screenshots, DOM, network activity, and linked domains. Free public scans plus a Pro tier.
- **Any.Run**: Interactive malware sandbox. Standard fare in CTI.
- **OTX AlienVault**: AT&T Cybersecurity's IOC sharing community. Free.
- **GreyNoise**: Specialised for triaging internet noise (scanners, bots). Quickly tells you whether an IP is a generic scanner or a targeted actor.
A typical Shodan CLI session looks like this:
pip install shodan
shodan init <YOUR_API_KEY>
shodan search 'product:nginx country:US port:443' --limit 20
shodan host 1.2.3.4
The biggest shift in this category has been **PassiveTotal's absorption into Microsoft**. Pricing and licensing tightened versus its independent-SaaS days, and many mid-sized investigative outfits substituted a Censys + URLscan + VirusTotal combo.
Breach and Leak Databases — HaveIBeenPwned, DeHashed, Intelligence X, LeakIX
Breach data is the most ethically and legally contested category.
- **HaveIBeenPwned (HIBP)**: Run by Troy Hunt. The most legally and ethically safe option. It only tells you whether an email or phone appeared in a known breach, never the plaintext or hash. Free.
- **DeHashed**: Searches leaked credentials (email plus password hash or plaintext). Lives in a legal grey zone, including a 2023 FBI seizure-and-restoration episode. In 2026 it leans heavily on its lawful-OSINT positioning.
- **Intelligence X**: A massive index that combines breaches, dark-web data, historical Telegram channels, and archived pastebins. Free tier plus commercial licenses, with strong government and investigative uptake.
- **LeakIX**: Indexes exposed databases, Elasticsearch instances, and S3 buckets. Often the route by which citizen OSINT first spots a fresh exposure.
- **WikiLeaks and DDoSecrets**: Activism-and-press oriented leak archives. DDoSecrets has been particularly active since 2020 with BlueLeaks and many government, corporate, and Russian datasets.
This category is **highly jurisdictional**. Downloading, holding, and using leaked data must be cleared against GDPR, Korea's Personal Information Protection Act, and Japan's privacy law before any operational use.
Documents and the Dark Web — Tor Browser, Ahmia, OnionScan, Dark.Fail
Dark-web (Tor onion services) OSINT is its own specialty.
- **Tor Browser**: The standard access tool. Current 11.x line.
- **Ahmia**: The most trustworthy onion search engine. Maintains a filtered index that excludes the worst material.
- **OnionScan**: Scans Tor hidden services for misconfigured metadata, image EXIF data, and SSH key fingerprints. Standard fare for OPSEC analysis.
- **Dark.Fail**: Tracks onion service uptime and mirrors verified PGP keys. Standard for identifying scam onion services such as dark-market phishing.
- **Recorded Future Dark Web Intelligence**: Commercial. Continuous monitoring of the dark web, Telegram, and criminal forums for IOCs, asset exposure, and brand mentions.
In practice, 90 percent of dark-web OSINT lives in **criminal forums and Telegram channels**, not on onion services proper. From the late 2020s onward, trade and crime traffic increasingly migrated to Telegram and Discord.
Visual Investigation — Bellingcat Method and Forensic Architecture
Methodology matters as much as tooling. In 2026, two organisations set the visual-investigation standard.
- **Bellingcat (Eliot Higgins)**: The face of citizen OSINT. Established credibility through MH17, Syrian chemical weapons, GRU identification, and Ukraine-war reporting. Runs free workbooks, training programmes, and a YouTube channel.
- **OCCRP and Aleph**: A global consortium focused on organised crime and corruption. Aleph is their data platform.
- **Forensic Architecture (Goldsmiths, University of London)**: Specialised in 3D reconstruction of human-rights abuses and war crimes — the Hrant Dink assassination, strikes on Gaza, attacks on the White Helmets.
The Bellingcat standard visual-investigation flow is (1) verify the source video's metadata -> (2) extract keyframes -> (3) estimate geolocation -> (4) estimate time (shadows, weather) -> (5) cross-check against Street View or Mapillary -> (6) cross-check against Twitter / Telegram posts at the same timestamp -> (7) document hypotheses and explicitly consider falsification.
Korean OSINT Ecosystem — KISIA, NIS, FIU
Korea's OSINT scene is small but growing fast.
- **KISIA (Korea Information Security Industry Association)**: Korea's information-security industry body. Runs OSINT training and certifications. Internationally, SIS and OSCP are common; domestically the Cybersecurity Engineer certificate is the local standard.
- **KISA (Korea Internet & Security Agency)**: Operates KrCERT/CC. The national incident-response baseline; OSINT is one component.
- **National Intelligence Service (NIS) Open Source Intelligence Section**: The official OSINT organisation chart is not public, but analytic functions sit under the National Cyber Security Center (NCSC).
- **Korea Financial Intelligence Unit (KoFIU)**: Anti-money-laundering OSINT. Pairs OSINT-based suspicious-activity monitoring with virtual-asset operator reporting obligations.
- **Private sector**: AhnLab, SK Shieldus, RaonSecure, and ESTsecurity all run in-house OSINT / CTI teams. On the press side, Newstapa, Sherlock (the Korean media outlet, not the tool), and reporters at Sisa-IN are active OSINT practitioners.
In Korea, OSINT operates under heavy gravity from the **Personal Information Protection Act**. Collecting, retaining, or using usernames, emails, or phone numbers all require either subject consent or a statutory basis. Legitimate journalistic or academic purposes are partial exemptions, but the boundary is fuzzy.
Japanese OSINT Ecosystem — NICT NICTER, JPCERT/CC, PSIA
Japan's OSINT ecosystem leans more on government and academia than Korea's.
- **NICT (National Institute of Information and Communications Technology) NICTER**: A cyber-attack observation and analysis project. Publishes regular attack-landscape reports based on darknet traffic monitoring.
- **JPCERT/CC**: Japan's CERT. Incident response plus OSINT analysis. The CSIRT baseline.
- **Public Security Intelligence Agency (PSIA)**: An intelligence service under the Ministry of Justice. The agency does not publicise its OSINT footprint, but its reports cite OSINT material regularly.
- **NHK Investigative and Tokyo Shimbun**: The journalistic anchors for OSINT in Japan. They lean on OSINT for Fukushima, political-funding, and Self-Defense Force coverage.
- **Private sector**: NTT Security, IIJ, LAC, and Trend Micro Japan run in-house OSINT and CTI capabilities.
In Japan, OSINT lives under the **Act on the Protection of Personal Information**. It is less strict than Korea or the EU, but the 2022 amendments tightened cross-border transfer rules and consent requirements.
CTF and Training — Trace Labs CTF, OSINT Dojo, HackTheBox
OSINT learning is hands-on more than book-driven. The 2026 standard path is roughly as follows.
- **Trace Labs Global OSINT Search Party CTF**: A quarterly event built around real missing-persons casework. The largest citizen-OSINT gathering, and winning teams routinely field recruitment offers from real-world intelligence shops.
- **OSINT Dojo**: A free CTF platform with strong beginner-to-intermediate content. Its "Twelve Days of OSINTmas" event is well known.
- **HackTheBox and TryHackMe**: Security-CTF platforms with dedicated OSINT tracks. Rooms like OhSINT and Sakura are the standard onboarding.
- **Cyber Detective CTF (Bristol)**: Hosted by the University of Bristol. Free OSINT challenges.
- **DEFCON Recon Village**: The OSINT village at the annual DEFCON conference in Las Vegas. CTF plus talks.
A common progression: (1) OSINT Dojo beginner -> (2) Cyber Detective CTF -> (3) Trace Labs CTF participation -> (4) HackTheBox / TryHackMe OSINT rooms -> (5) self-directed case studies following the Bellingcat workbook.
Law and Ethics — GDPR, EU AI Act, Korean and Japanese Privacy Law
The legal and ethical environment for OSINT shifted faster between 2024 and 2026 than in any prior stretch.
- **GDPR (EU General Data Protection Regulation)**: In force since 2018. Processing EU residents' data without a lawful basis (legitimate interest, public-interest journalism, etc.) is unlawful. Pimeyes and Clearview AI have absorbed multiple GDPR enforcement actions.
- **EU AI Act (2024)**: Generally prohibits real-time facial recognition in public spaces, with narrow exceptions such as serious-crime searches. Pimeyes, FaceCheck.ID, and Clearview AI all operate on restricted terms in the EU.
- **Korea's Personal Information Protection Act**: Consent plus purpose appropriateness plus proportionality. Legitimate journalism and research are partially exempt, but anything indexable on the open web becomes re-identifiable once combined, so OSINT carries persistent re-identification risk.
- **Japan's Act on the Protection of Personal Information**: The 2022 amendments restricted cross-border transfers and third-party-cookie-style identifiers.
- **US CCPA / CPRA**: California-resident opt-out rights. Many states have followed with their own laws.
- **Stalkerware concerns**: The same OSINT tools can power stalking, so commercial vendors like OSINT Industries and Epieos have tightened terms with clauses such as "no divorce or family use" and "law-enforcement-or-security only".
The standard practitioner checklist looks like (1) confirm a lawful basis -> (2) minimise data collection -> (3) assess anonymity and re-identification -> (4) declare retention periods -> (5) record source, time, and confidence -> (6) assess disclosure risk before sharing externally.
AI Augmentation — Claude / ChatGPT, LangChain plus Maltego Transforms, GeoSpy AI
The biggest 2025-2026 change has been LLM augmentation.
- **Claude / ChatGPT for triage**: First-line tools for summarising and entity-extracting unstructured text — Telegram channel captures, dark-web forum posts, PDF reports. In 2026, Claude 3.7 Opus, GPT-4 Turbo, and Claude Sonnet 4 cover this slot.
- **LangChain plus Maltego transforms**: Maltego transforms that invoke an LLM to convert unstructured data into graph nodes and edges. Community-maintained transforms multiplied through late 2025.
- **GeoSpy AI**: Returns latitude, longitude, and a confidence interval from a single landscape photo. Bellingcat ran a pilot and folded it into their standard toolkit.
- **The OSINT-GPT / FraudGPT dynamic**: Malicious LLMs (FraudGPT, WormGPT) drive fraud and phishing, and defenders have responded by adopting LLMs heavily for OSINT triage.
- **Clustering and translation**: Multilingual Telegram / X auto-translation and clustering pipelines, typically Hugging Face Inference Endpoints plus sentence-transformers, have standardised.
LLMs still **hallucinate**, so OSINT practice has settled on a firm rule: every LLM-extracted entity must be human-verified.
TheHive and MISP — Collaborative IR Platforms
OSINT work that needs team sharing requires a collaboration platform.
- **TheHive 5.x**: A Security Incident Response Platform (SIRP) from StrangeBee. Case management plus IOCs, observables, and tasks. OSS Community Edition plus Enterprise.
- **MISP (Malware Information Sharing Platform)**: An OSS project with CERT-EU roots. The standard for IOC sharing, classification, and federated indexing — by 2026, MISP instances in more than 70 national CERTs federate with each other.
- **Cortex**: TheHive's sister project. Modularises observable analysers, so VirusTotal, Shodan, and MISP plug in as analyser modules.
- **YETI**: A threat-intelligence platform. IOCs, TTPs, and actor graphs.
- **OpenCTI**: Run by Filigran (France). Built around MITRE ATT&CK and STIX 2.1. Heavily adopted by European government CERTs.
This layer is what moves OSINT output from "ad-hoc analysis" to "organisational asset". Solo investigators can skip it, but team OSINT almost always deploys MISP or OpenCTI.
Workflow Standardisation — A Seven-Step OSINT Cycle
As of 2026, citizen OSINT and CTI converge on a seven-step cycle.
1. **Planning**: What, why, and for whom — including the legal and ethical basis.
2. **Collection**: Passive (open-source lookup) first. Active (interactive) steps are minimised.
3. **Processing**: Cleaning unstructured data and extracting IOCs and entities from PDFs, images, and HTML.
4. **Analysis**: Graphing, visualisation, timeline construction — Maltego, Aleph, Cytoscape.
5. **Verification**: Multiple sources, cross-checking, and explicit falsification — Bellingcat standard.
6. **Reporting**: Document hypotheses, evidence, and confidence together, attaching source and timestamp.
7. **Retention**: Data minimisation, retention windows, deletion, and access control.
This is the intelligence-community OSINT cycle adapted to a citizen-OSINT context, and it has become the formal curriculum for most OSINT training programmes in the late 2020s.
Tool Selection Guide — Where to Start
A recommended sequence for newcomers.
1. **Start with free tools**: Sherlock, theHarvester, Spiderfoot CE, Maigret, Cytoscape. Spend a week trying each.
2. **Search and reverse-search**: Pin Yandex, Google Lens, and TinEye to your bookmarks. Every case starts with five minutes of reverse image search.
3. **Infrastructure**: Shodan (student tier), the Censys free tier, URLscan, VirusTotal. The first stop for any domain or IP enquiry.
4. **People and accounts**: OSINT Industries is expensive. Start with Epieos plus Sherlock and Maigret.
5. **Breach databases**: HIBP is free and lawful. DeHashed and Intelligence X only after a legal review.
6. **Link analysis**: The Maltego Community Edition is for learning. Move to Professional or Aleph only when the work demands it.
7. **Automated recon**: Self-host Spiderfoot CE. Add Recon-ng if you prefer a CLI.
8. **CTF practice**: OSINT Dojo -> Cyber Detective -> Trace Labs CTF.
9. **Collaboration**: Notes are fine solo. For a team, deploy TheHive plus MISP.
10. **AI augmentation**: Use Claude / ChatGPT for unstructured triage. Human verification is non-negotiable.
The biggest trap is "installing every tool from day one". Spending a week deep on a single category (people search, say) builds skill faster than juggling thirty tools.
Outro — OSINT in May 2026: Democratised, but with Heavier Responsibility
Two conclusions. First, OSINT has democratised in a way that would have been hard to imagine five years ago. Free tooling plus LLM augmentation puts serious investigative capability in the hands of citizens, journalists, and analysts. Second, the responsibility scales with that capability — the EU AI Act, GDPR, Korean and Japanese privacy law, and stalkerware concerns push back on the old "search anything" reflex.
Methodology beats tool selection. Working through one or two chapters of the Bellingcat workbook by hand is worth far more than installing thirty OSINT tools. Whatever tool you use, never log a result without the three metadata tags — source, timestamp, confidence. That single habit handles 90 percent of OSINT.
References
- Maltego docs: https://docs.maltego.com/
- Spiderfoot: https://www.spiderfoot.net/
- Recon-ng on GitHub: https://github.com/lanmaster53/recon-ng
- theHarvester on GitHub: https://github.com/laramies/theHarvester
- Sherlock on GitHub: https://github.com/sherlock-project/sherlock
- Maigret on GitHub: https://github.com/soxoj/maigret
- WhatsMyName web: https://whatsmyname.app/
- OSINT Industries: https://www.osint.industries/
- Epieos: https://epieos.com/
- Hunter.io: https://hunter.io/
- TinEye: https://tineye.com/
- Pimeyes: https://pimeyes.com/
- Yandex Images: https://yandex.com/images/
- SunCalc: https://www.suncalc.org/
- Mapillary: https://www.mapillary.com/
- GeoSpy AI: https://geospy.ai/
- Shodan: https://www.shodan.io/
- Censys: https://censys.io/
- SecurityTrails: https://securitytrails.com/
- VirusTotal: https://www.virustotal.com/
- URLscan.io: https://urlscan.io/
- HaveIBeenPwned: https://haveibeenpwned.com/
- DeHashed: https://www.dehashed.com/
- Intelligence X: https://intelx.io/
- LeakIX: https://leakix.net/
- Bellingcat: https://www.bellingcat.com/
- OCCRP Aleph: https://aleph.occrp.org/
- Forensic Architecture: https://forensic-architecture.org/
- Trace Labs: https://www.tracelabs.org/
- OSINT Dojo: https://www.osintdojo.com/
- TheHive Project: https://thehive-project.org/
- MISP Project: https://www.misp-project.org/
- OpenCTI: https://www.filigran.io/en/products/opencti/
- EU AI Act text: https://artificialintelligenceact.eu/
- Korean PIPC: https://www.pipc.go.kr/
- Japan PPC: https://www.ppc.go.jp/
- JPCERT/CC: https://www.jpcert.or.jp/
- NICT NICTER: https://www.nicter.jp/