If you’ve ever wanted to play online detective, OSINT, or open-source intelligence, is the way to go. But what exactly is it, and how can it help your business? Let’s find out. 

What Is Open Source Intelligence (OSINT)?

Open Source Intelligence, abbreviated as OSINT, is a process involving the collection of information that is publicly available or open-source. The goal of OSINT is mainly to learn more about someone or a business. 

While performing an online search with a search engine is a form of OSINT, investigators will often rely on third-party tools. They also do their best to access information that isn’t indexed by search engines – for instance, information only available on the dark web. 

According to former Google CEO Eric Schmidt, over 99% of the internet’s data cannot be accessed by major search engines. 

The key for OSINT researchers is to combine multiple tools and techniques in order to cross-reference information – and to gain a source of truth.

What Are Open Source Intelligence (OSINT) Techniques?

The key idea behind OSINT techniques is to use information that is:

• published or broadcast (news, media, online posts, etc.)
• available by public request (e.g. government census information)
• available by subscription or purchase (paywalled publications, whitepapers)
• publicly searchable (clear web)

While there is no shortage of places to search, the challenge is to find tools that accelerate your investigation. You can search multiple databases at once, or leverage specialist Google search techniques (see Google dorking below).

In fact, one of the key challenges of OSINT is to avoid information overload. Because there are so many places to search and so many potential databases to scan through, it’s important to have a clear strategy and framework in place.

That is to say, you must have an idea of what you’re looking for before you begin. The sheer volume of information can drown signals in the noise, and send you on the wrong path. 

Broadly speaking, there are then two kinds of tactics: active and passive open-source intelligence tools:

• Passive: The most common way of digging for information. An investigator will enter the data they already have into a search tool, and gain extra information. This is akin to fishing with a wide net.
• Active: A more focused way of acquiring data based on information that may be initially hidden. For instance, befriending a target’s acquaintance on Facebook to learn more about them in the long run. Going back to the fishing analogy, this is more like spearfishing.

Once your goals and techniques are established, you will have to select the right open-source intelligence tools to seek out the information you’re after. 

Why Do We Need OSINT Tools?

OSINT tools and techniques are common in cybersecurity, where they are used to identify external threads or for ethical hacking and penetration testing. 

Law enforcement agencies, private investigators, and journalists also rely on the same techniques to learn more about a crime, suspect, organization, or person of interest. 

Similarly, HR professionals can perform searches on potential candidates by conducting background checks on open source directories.

Marketing and sales teams can use OSINT tools when they need to target a specific user, or simply need to check if an email address is valid.

Sadly, it should also be acknowledged that fraudsters and criminals can use the same tools and techniques for exploits. For instance, when building a synthetic ID, a fraudster can stitch data they have acquired from a darknet marketplace, and combine it with data acquired through public records.

In the context of fraud detection, OSINT helps make decisions relating to: 

• accepting a transaction in a CNP (card not present) scenario
• onboarding a new user on a platform (neobank, financial institution, iGaming)
• accepting a withdrawal (iGaming, crypto exchange)
• performing a credit check for a loan (fintech, microfinancing)

The 10 Best OSINT Tools

Disclaimer: Everything written about the companies mentioned in this article was gleaned from online research, including user reviews. We did not have time to manually test all the tools. However, we ensured the information was correct as of Fall 2021. Feel free to contact us to request an update/correction.

SEON

Confirming IDs by checking for linked social media and online platform accounts is becoming increasingly popular for a number of good reasons:

• It’s a high barrier of entry for fraudsters, who don’t have the time or resources to create fake profiles.
• It’s a fantastic way to gather a user’s digital footprint.
• It can help establish an idea of someone’s socioeconomic background, even in markets where financial information is scarce.
• The type of social media linked to the user can also reveal more about who they are.

Of course, you can manually search directly into your target network, by typing a name into LinkedIn, Facebook, or Twitter. For scalability reasons, however, it’s easier to use a specialist solution. This is where SEON shines.

SEON is the only fraud prevention tool that checks more than 35 social and online signals. These checks are based on an email address or phone number. 

Because they’re part of our email and phone data enrichment modules, you’ll get a lot more information, including a risk score. The other good news is that you do get complete flexibility in how you query the service: manually, via API, or through a Google Chrome extension.

SEON pricing:

• Starts at $99 per month.

Google

Search engines such as Google, Bing, or DuckDuckGo are perfectly adequate free OSINT tools. That is, if you know how to use advanced filters. In short, it’s about refining your search to benefit from the indexing power of some of the best algorithms on the planet.

Over the years, talented investigators have learned how to reverse-engineer search engines. The method is called Google dorking, or Google hacking, and it uses search operators or functions to expand the capacity of the tools (it works with search engines beyond Google, too).

The method is controversial, because it may cross the line in terms of how “public” the information is. 

For instance, you may find a link to a PDF file containing a list of passwords, but downloading it may be a prosecutable offense.

Examples of search operators include: 

• specific file types
• searching for terms on a specific site
• finding RSS feeds related to a term
• finding files created between specific dates
• etc.

An example of Google dorking would be to search, e.g. company.website.domain for PDF files, which you would do by typing “site:company.website.domain filetype:pdf”. You’d be surprised at the number of documents that are openly available if you know how to get Google to fetch them for you. 

You can read more about known Google Dork operators here.

Google Pricing:

• It’s completely free (but comes with concerns about your personal data).

Lampyre

Lampyre is a paid application designed specifically for OSINT. It’s particularly useful for due diligence, cyber threat intelligence, crime analysis, and financial analytics. You can install it on your PC or run it online.

The key selling point of Lampyre is that it’s a one-click application. Start with single data points such as a company registration number, full name, or phone number, and Lampyre will sift through huge amounts of data to extract interesting information.

The company automatically processes 100+ regularly updated data sources, and you can access them via PC software or API calls if needed. The SaaS product is called Lighthouse, and you pay per API call.

An important point here: As with many OSINT tools, you have to perform your due diligence to check if the databases are really open source. Lampyre may automate searches, but you may still have to double-check where the information comes from, as well as who exactly it is that is sourcing it for you, as one researcher found out.

Lampyre pricing:

• Lampyre is affordable. You can try a one-year demo license, which then turns into a standard $32/month subscription. You can also purchase a $313 yearly version. SaaS pricing is via the Lighthouse subscription, priced $3.25-$130 per month, depending on the number of calls you make.

Maltego

Maltego is a Java application that claims to simplify and expedite your investigations. How exactly? Thanks to its fantastic access to databases and visualization tools. 

Whether you’re in trust and safety, law enforcement, or cybersecurity, the company lets you run one-click investigations that deliver easy-to-understand results.

At the time of writing, Maltego lets you view up to 1 million entities on a graph, with access to 58 data sources. You can even connect your own public databases and upload data sources manually.

Once all the information is loaded in the program, you can choose from different visualization layouts, such as blocks, hierarchical, or circular, using weights and notes to adjust the graphs.

Finally, Maltego isn’t just a great tool; the company also has a fantastic collection of hand-picked resources on OSINT tools and techniques to help you get even more from their product. In fact, there is even a Maltego foundations course you can purchase online. 

Maltego pricing:

• Maltego offers online courses which vary in price. There is a free personal plan for limited searches, but the pro version of the software costs around $1100 per year. 

Recon-ng

Recon-ng initially started as a free and open-source script for gathering technical information about website domains. Since its creation, it has evolved into a full framework, which you can access via a command-line interface on Kali Linux, or as a web application.

Its interface is similar to Metasploitable, another computer security project designed for penetration testing, and has similar goals: to assess and identify web vulnerabilities. Its features include GeoIP lookup, DNS lookup, and port scanning, among others.

While it’s certainly one of the more technical tools featured on this list, you’ll find plenty of resources online to learn how Recon-ng can locate sensitive files such as robots.txt, identify hidden subdomains, look for SQL errors, and get information about a company’s CMS or WHOIS. 

Recon-ng pricing:

• It’s free and open source – but obviously limited in the type of information it can return for you.

SpiderFoot

SpiderFoot is an OSINT tool designed specifically for investigation professionals. It’s loved by cybersecurity intelligence experts who need to perform regular asset discovery or attack surface monitoring. 

The tool can access hundreds of open data sources and monitor the results in real-time. The key difference with other OSINT tools, however, is how you can use SpiderFoot. 

You can choose to self-host it as a true open-source version. You can also purchase the hosted version, which is completely managed by SpiderFoot.

There are numerous advantages to the latter. For instance, you’ll get better performance, full team collaboration, and the ability to see correlations in your investigation. All the modules and third-party tools will come preinstalled and preconfigured.

Spiderfoot pricing:

• If you’re going down the hosted route, SpiderFoot offers a three-tiered membership. There’s the Freelancer plan ($79 per month), the Business plan ($249 per month), and a price-upon-request-only Enterprise plan. Yearly plans also come with a 20% discount. 

Spokeo

When it comes to checking US citizens’ records, there are plenty of services offering more or less the same features at the same price range. You might hear of BeenVerified, Pip, or Intelius. 

Spokeo offers an easy-to-use interface and the results seem to be more accurate upon testing. You can also use Spokeo as a reverse email lookup, phone lookup tool, and postal address lookup, to get info based on a single datapoint. 

The service is available online, and there’s even an Android app to perform searches directly from your smartphone.

You’ll be able to access billions of records such as property deeds, court records, and even historical records and social networks. 

The only downside is that it tends to be very US-centric, so if you’re looking for someone located elsewhere, you might have to use another tool.

Spokeo pricing:

• Spokeo lets you perform one search as a free trial, and you’re then invited to purchase a monthly subscription. They’ve hidden the pricing from their website so you’ll need to contact them directly for a quote, but expect to pay between $8-$15 per month depending on the features you choose.

Have I Been Pwnd?

We’ve previously written about how you can use a data breach for user verification, but it’s particularly useful when looking at whether an email address exists or not. In fact, you can even infer how mature the address is depending on which data breach it’s been found in. 

And Have I Been Pwned? is still the best site to quickly search for email addresses that appear in said data leaks (you can now also do the same with phone numbers). Best of all, it’s completely free. 

Have I Been Pwned? pricing:

• $0 for manual checks. Using its API comes with a $3.5 monthly fee.

PhoneInfoga

You may need to brush up on your Python to run PhoneInfoga, but you’ll be hard-pressed to find a better open-source tool for OSINT for phone numbers. 

The tool squeezes as much information as you can imagine from a phone number, and it works for every location worldwide. 

Note, however, that unlike with SEON’s tool, you don’t get reverse social media lookup to learn which networks the user has registered to with their phone number.

PhoneInfoga pricing:

• Free.

Email Hippo

Email Hippo, which you can also access through VerifyEmailAddress.io, has been operating since 2009. 

Sure, some might say it looks like the website hasn’t been updated since, but the fact is that it works. Simply type in an email address, and the service will check MX records to confirm whether it exists or not.

What Email Hippo lacks in features, it makes up for in speed and ease-of-use. Type in an address, press GO and that’s it.

EmailHippo pricing:

• It’s free to use.

Choosing the Best OSINT Tool

Open-source intelligence is a broad topic. Investigators rely on its techniques for a variety of reasons, and there it’s easy to go down a rabbit hole of advanced, very technical tools. 

This is why we hope this post offers a good primer on the best OSINT tools you can start using today. That’s true whether your aim is to find marketing leads, solve a crime, secure a website, or reduce fraud rates. 

Frequently Asked Questions about OSINT Tools

Sources

Google CEO Eric Schmidt – 99% of the Internet’s data cannot be accessed by major search engines