Offensive OSINT Methodology
Workflow
- Define target scope (domain, org, person, crypto address, or geo subject)
- Select applicable categories below based on scope
- Work top-down within each category; pivot on discovered artifacts
- Archive every key artifact: URL + timestamp + screenshot (PNG) + hash (SHA-256)
- Log findings in JSONL with a `run_id` and tool versions for reproducibility
- Suggest next steps based on what each tool returns
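
One way to implement the archive-and-log steps above, as an added example that is not part of the original page. The record field names, the function names and the file layout are assumptions chosen for illustration; the page only specifies URL, timestamp, PNG screenshot, SHA-256 hash, `run_id` and tool versions.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone
from pathlib import Path


def new_run_id():
    """One identifier per investigation run, shared by all of its records."""
    return uuid.uuid4().hex


def sha256_file(path, chunk_size=65536):
    """Hash the archived file in chunks so large captures are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_artifact(log_path, run_id, url, screenshot, tool, tool_version, note=""):
    """Append one finding to the JSONL log and return the record that was written."""
    record = {
        "run_id": run_id,
        "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "url": url,
        "screenshot": str(screenshot),          # path to the PNG capture
        "sha256": sha256_file(screenshot),      # hash taken at capture time
        "tool": tool,
        "tool_version": tool_version,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_log(log_path):
    """Re-hash every archived file; return the records whose file is missing or altered."""
    mismatches = []
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue
            rec = json.loads(line)
            path = Path(rec["screenshot"])
            if not path.is_file() or sha256_file(path) != rec["sha256"]:
                mismatches.append(rec)
    return mismatches
```

Running `verify_log` before a report is written confirms that each archived capture still matches the hash recorded when it was collected.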
General OSINT
- Bookmarks — Comprehensive OSINT bookmarks
- OSINT Framework — Tool/resource directory
- IntelTechniques Tools — Suite of investigative tools
- Bellingcat Toolkit — Investigative journalism tools
- CyberSudo OSINT Toolkit — OSINT websites list
- Google Dorks — Efficient Google searching
- Distributed Denial of Secrets — Leaked data
- Country-Specific Resources — Country-targeted OSINT
Search Engines
| Tool | Notes |
|---|---|
| Carrot2 | Clusters results by topic |
| etools | Metasearch engine |
| Kagi | Privacy-first, non-personalized results |
| Brave Search | Independent index; Goggles for custom ranking |
| PDF Search | Search PDF files and view table of contents |
| Google Fact Check Explorer | Cross-site fact-check search |
Username & Email Investigation
| Tool | Purpose |
|---|---|
| Sherlock | Username search across social networks |
| Maigret | Collect profiles by username from many sites |
| What's My Name | Username search across platforms |
| Holehe | Check if email is registered on platforms |
| Epieos | Email address pivots and metadata |
| OSINT Industries | Email/username/phone lookups |
| Hunter.io | Find email addresses for a domain |
| EmailRep | Email reputation and associated data |
| Emailable | Verify email existence |
| Mugetsu | X/Twitter username history |
| RocketReach / Apollo | Email enrichment and pattern guessing |
| PhoneInfoga | Phone number intelligence framework |
Browser extensions: GetProspect, SignalHire
People Search
- TruePeopleSearch — Free U.S. people search
- WhitePages — Contact information
- Spokeo — People search engine
- Webmii — People search
- Pipl — Deep web people search (paid)
- Clearbit — Company/individual data enrichment
- FaceCheck / FaceSeek — Reverse face search
Phone Number OSINT
- TrueCaller — Caller ID and spam blocking
- ThatsThem — Reverse phone search
- Infobel — Phone search outside USA
- FreeCarrierLookup — Carrier/type lookup (US)
- NumlookupAPI [Freemium] — Programmatic carrier/line-type checks
- CallerIDTest — Phone search
- Advanced Background Checks — All people linked to a number
Social Media
| Platform | Tool |
|---|---|
| | Picuki — view profiles without account |
| X/Twitter | snscrape — preferred CLI scraper; use Twint only as fallback |
| | Graph Search, sowsearch.info, lookup-id.com, whopostedwhat.com |
| Facebook (research) | Meta Content Library — CrowdTangle successor (researcher-gated) |
| YouTube/Twitch | Social Blade — analytics |
| TikTok | Tokboard — trend and profile analytics |
| | Reveddit — removed content; RedTrack.social — user history |
| Bluesky | Firesky — real-time firehose; SkyView — follower graphs |
| Mastodon | FediSearch — cross-instance search; Fedifinder — find Twitter users on Mastodon |
| Faces | Search4Faces |
Public Records & Company Information
- OpenCorporates — World's largest open company database
- SEC EDGAR — U.S. company filings
- OpenOwnership Register — Beneficial ownership datasets
- MuckRock — FOIA repository and request tracking
- EU Tenders (TED) — EU procurement notices
- World Bank Projects — Project and procurement records
RU/CN Registries
Russia: Rusprofile, Kontur.Focus (freemium), zakupki.gov.ru (procurement), EGRUL/EGRIP (official, captcha-gated)
China: GSXT (National Enterprise Credit), Qichacha/Tianyancha (freemium), MIIT ICP/Beian (ICP filings)
Sanctions & Compliance
- OFAC SDN List
- EU Sanctions Map
- OpenSanctions — Aggregated persons/entities datasets
- OCCRP Aleph — Investigative documents, leaks, company records
Breach & Leak Data
- Have I Been Pwned — Breach lookup; Pwned Passwords API (k-anonymity)
- Dehashed — Credential search
- IntelX — Data intelligence
- LeakCheck — Breach lookups
- Snusbase — Database breach lookups
- BreachDirectory — Recent breach credentials
- Scattered Secrets
- Cavalier (Hudson Rock) — Infostealer lookups
- Phonebook
- LeakPeek
Infrastructure & Attack-Surface OSINT
- Shodan — Internet-connected device/service search
- Censys — Host and certificate enumeration
- GreyNoise — Distinguish background noise from targeted scans
- SecurityTrails — Passive DNS and asset discovery
- SpiderFoot — Automated recon and correlation
- theHarvester — Subdomain, email, metadata harvesting
- Recon-ng