OSINT Tools
Open-source intelligence (OSINT) focuses on collecting and analyzing publicly available information from the internet, infrastructure, and open data sources. These tools help analysts, investigators, and defenders understand exposure, map attack surfaces, and uncover relationships between people, systems, and organizations.
OSINT Framework
OSINT Framework is a curated collection of links and resources for open-source intelligence gathering. It organizes tools and services by category, making it easy to discover options for people search, domain research, social media, and more.
Why it’s useful: Great starting point for learners to understand the breadth of OSINT capabilities and discover specialized tools.
Difficulty: Beginner
SpiderFoot
SpiderFoot is an automated OSINT collection and analysis tool that can gather data from dozens of sources. It supports scanning domains, IPs, emails, and more, correlating results into a unified view.
Why it’s useful: Helps learners see how automated recon works and how disparate data points can be linked together for investigations.
Difficulty: Intermediate
Shodan
Shodan is a search engine for internet-connected devices, indexing banners and metadata from exposed services worldwide. It allows searching by IP, port, protocol, organization, and more.
Why it’s useful: Teaches how exposed services and misconfigurations can be discovered at scale, reinforcing the importance of attack surface management.
Difficulty: Intermediate
Censys
Censys is an internet-wide scanning and search platform that maps hosts and services across the public internet. It provides rich filtering and aggregation for security research and asset discovery.
Why it’s useful: Useful for understanding how attackers and defenders both use large-scale scanning data to identify vulnerable assets.
Difficulty: Intermediate
Have I Been Pwned
Have I Been Pwned (HIBP) is a breach notification and credential exposure lookup service. Users can check if email addresses or passwords appear in known data breaches.
Why it’s useful: Illustrates the real-world impact of breaches and credential reuse, and is a powerful teaching tool for password hygiene.
Difficulty: Beginner
Hunter.io
Hunter.io is an email discovery and verification service focused on domains and organizations. It helps identify likely email formats and associated contacts.
Why it’s useful: Demonstrates how attackers perform pretexting and targeted phishing preparation using publicly available email patterns.
Difficulty: Intermediate
theHarvester
theHarvester is a command-line OSINT tool for gathering emails, subdomains, hosts, and employee names from public sources. It integrates with search engines and other services to collect recon data.
Why it’s useful: Shows how simple automation can quickly build a profile of an organization’s external footprint and personnel.
Difficulty: Intermediate
Maltego CE
Maltego Community Edition is a link analysis and graphing tool for OSINT investigations. It allows visual exploration of relationships between entities like domains, people, IPs, and infrastructure.
Why it’s useful: Helps learners think in graphs and relationships, which is critical for complex investigations and threat attribution.
Difficulty: Advanced