How to use this list
No single OSINT tool covers everything. Professional practitioners combine 5–10 tools per investigation, with each producing one piece of the picture. This list is organized by category: pick the right tool for the question you're trying to answer, then cross-verify findings across multiple sources.
All tools listed are accessible without illegal access or paid private feeds. Many have free tiers; serious work usually requires paid access to at least one or two.
Search & discovery
1. Google, Bing, DuckDuckGo, Yandex
The starting point for nearly every investigation. Use advanced operators (our Google Dorks guide) and check at least two engines, since different indexes surface different content. Yandex for Eastern European topics, Baidu for Chinese-language content.
2. Shodan, Censys, ZoomEye
Internet device search engines. Find what's exposed on any IP or network. Our Shodan deep dive covers the query syntax. Run at least two in parallel and reconcile differences.
Technical reconnaissance
3. WHOIS & passive DNS
Domain registration data and historical DNS records. whois.domaintools.com, securitytrails.com, and viewdns.info are common starting points. Passive DNS reveals what hostnames an IP has hosted over time and what IPs a domain has resolved to.
4. crt.sh and certificate transparency logs
Every TLS certificate issued by major certificate authorities is logged publicly. Searching crt.sh for a domain reveals every subdomain that ever got a certificate, a fantastic way to discover infrastructure the owner didn't intend to advertise.
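As an added example (not from the original article): a defender's use of certificate transparency is to reconcile what the logs show for your own domain against your asset inventory. The sketch parses records in the JSON shape crt.sh returns (`name_value`, `not_before`, `not_after`); the sample records, the `example.com` hostnames, and the function names are constructed for illustration.

```python
import json

# Constructed sample in the JSON shape crt.sh returns; all values are made up.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "example.com\nwww.example.com",
     "not_before": "2023-01-10T00:00:00", "not_after": "2023-04-10T00:00:00"},
    {"name_value": "vpn-test.example.com",
     "not_before": "2022-06-01T00:00:00", "not_after": "2022-08-30T00:00:00"},
    # Shared certificate: a wildcard of ours plus look-alike/unrelated names.
    {"name_value": "*.dev.example.com\nevilexample.com\ncdn.provider.test",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T00:00:00"},
    {"name_value": "WWW.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-06-01T00:00:00"},
])

def names_from_ct(raw_json, apex):
    """Map each hostname under `apex` to its wildcard flag and validity span."""
    apex = apex.lower().rstrip(".")
    found = {}
    for entry in json.loads(raw_json):
        # name_value holds one certificate's names, newline-separated.
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            wildcard = name.startswith("*.")
            host = name[2:] if wildcard else name
            # Match on a label boundary so evilexample.com is not accepted.
            if host != apex and not host.endswith("." + apex):
                continue
            rec = found.setdefault(host, {
                "wildcard": False,
                "first_seen": entry["not_before"],
                "last_expiry": entry["not_after"],
            })
            rec["wildcard"] = rec["wildcard"] or wildcard
            # Same-format ISO timestamps compare correctly as strings.
            rec["first_seen"] = min(rec["first_seen"], entry["not_before"])
            rec["last_expiry"] = max(rec["last_expiry"], entry["not_after"])
    return found

def unlisted_hosts(found, inventory):
    """Hostnames present in CT data but missing from the asset inventory."""
    known = {h.lower().rstrip(".") for h in inventory}
    return sorted(h for h in found if h not in known)

if __name__ == "__main__":
    seen = names_from_ct(SAMPLE_CT_JSON, "example.com")
    for host in unlisted_hosts(seen, ["example.com", "www.example.com"]):
        print(host, seen[host])
```

A wildcard entry is recorded under its parent name with `wildcard` set, since the log shows only that some host beneath it was covered, not which one.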
5. BuiltWith and Wappalyzer
Identify the technologies a website uses: CMS, frameworks, analytics, payment processors. Useful for vendor mapping and competitive research.
6. SecurityTrails
Historical DNS, WHOIS, and infrastructure data with a usable interface. Free tier limited; paid tier indispensable for serious work.
Identity & people search
7. Have I Been Pwned
The defensive starting point for any email-based investigation. Tells you which known breaches included a given email or phone number. Use it on your own accounts first; it's also the foundation for email OSINT.
8. Username-search aggregators
Tools that check a username against hundreds of platforms simultaneously; open-source options include sherlock and maigret. Surfaces accounts a target may have forgotten about. Detailed in our username & email OSINT post.
9. Public records aggregators
Property records, court filings, professional licenses, business registrations. The US has thousands of jurisdictional databases; some aggregators consolidate them. Use with care: accuracy varies wildly.
10. SEC EDGAR
The definitive source for US public company filings. Free, comprehensive, and surprisingly under-used. Forms 10-K, 10-Q, 8-K, proxy statements, insider trades: all there.
Geospatial & imagery
11. Google Earth, Bing Maps, Yandex Maps
Different satellite providers, different update cadences, sometimes very different imagery for the same location. Cross-checking is standard practice. Yandex is particularly strong outside the US/EU. Detailed in our geolocation OSINT post.
12. Wikimapia and OpenStreetMap
Crowdsourced map data, often with labels and metadata commercial maps don't have. Useful for identifying landmarks, military installations, and lesser-known infrastructure.
13. Reverse image search
Google Images, Yandex Images, TinEye. Used to verify whether a photograph has appeared elsewhere online (often it has). Yandex has historically been the strongest for face matching across platforms.
Archives & deleted content
14. Internet Archive Wayback Machine
Historical snapshots of websites. Critical when a target has scrubbed content. Coverage is not complete (pages may have been snapshotted only sporadically) but enough to recover substantial deleted material.
Archive.today (archive.ph)
An alternative to the Wayback Machine with different coverage. Manually-triggered snapshots, often used to preserve content that's actively being edited or removed.
Link analysis
15. Maltego
The dominant visual link-analysis tool for OSINT. Lets you build graphs of entities (people, domains, IPs, social media accounts) and the relationships between them. Free Community Edition is sufficient for most individual research; commercial editions add automation and broader data integrations.
Alternatives worth knowing: SpiderFoot (automated OSINT collection), Recon-ng (CLI framework for security recon), Mihari (open-source IOC tracking).
Aggregator frameworks
Two meta-resources keep current lists of OSINT tools by category:
- OSINT Framework (osintframework.com): a categorized, browsable tree of tools and resources. Updated regularly.
- Bellingcat's Online Investigation Toolkit: a curated, journalist-oriented list of techniques and tools with usage notes.
Don't try to learn all 15+ tools at once. Pick three from the categories most relevant to your work, get fluent in those, and extend the toolkit as specific investigations demand. The methodology (see our OSINT introduction) matters more than tool breadth.
For specific tool deep dives: Shodan · Google Dorks · username & email · geolocation. For the broader methodology, see our OSINT introduction.
- OSINT Framework: osintframework.com
- Bellingcat: Investigation toolkit and methodology
- Have I Been Pwned: Breach lookup
- SEC EDGAR: Public company filings
- crt.sh: Certificate transparency search