Best OSINT Tools (2026): The Complete Independent Guide
Independent comparison of the best OSINT tools across every category — identity investigation, network reconnaissance, dark web monitoring, social media, training, and more. No vendor sponsorship.
Technology intelligence — find what any website is built with and who else uses it
- +Unmatched technology stack detection — the best in category
- +Lead generation feature turns competitor customer lists into prospect lists
- +Free tier is useful for individual lookups
- −Pro pricing is high ($295/month) for non-sales use cases
- −Most valuable features (lead gen, API) require higher tiers
- −Data accuracy varies — some detections are stale or incorrect
Automatic web capture and evidence management for OSINT investigators
- +Automatically captures everything you browse during an investigation
- +Evidence is timestamped, hashed, and tamper-evident — court-admissible
- +Tagging and case organization built-in
- −Chrome extension only — no Firefox, no standalone desktop app
- −No mobile support
- −No collaboration features — single-user focus
Email address lookup and verification tool that searches publicly indexed sources for addresses associated with a domain
- +Domain search returns all publicly indexed addresses for a target organization in seconds
- +Email finder resolves a named person at a company to a specific address with a confidence score
- +Shows source URLs where each address was found — makes the data auditable
- −No coverage of personal email addresses — useless against Gmail, Outlook, or any non-corporate domain
- −Data freshness varies widely; some indexed addresses are years out of date with no staleness indicator
- −Email verification confirms format and MX record validity, not that the inbox actually exists or is monitored
Username OSINT tool that checks 2,500+ sites, extracts profile data from hits, and automatically pivots to linked identifiers found in discovered accounts.
- +2,500+ supported sites — the largest site list of any username OSINT tool
- +Extracts profile data from found accounts (bio, location, join date, photo URL) rather than just confirming existence
- +Recursive search pivots automatically when it finds linked handles in discovered accounts
- −CLI only — no zero-friction web UI like whatsmyname.app
- −Full search takes 10–20+ minutes; higher site count means slower runs by default
- −Higher false positive rate than WhatsMyName — more sites means more miscategorized 'found' responses
The gold standard for visual link analysis and OSINT pivoting
- +Relationship graphs surface connections that tabular data hides — pivot from email to domain to IP to company in minutes
- +500+ Transform Hub integrations: Shodan, VirusTotal, HIBP, Hunter.io, Recorded Future, and dozens more
- +Cross-platform: Windows, macOS, Linux with no feature differences
- −Heavy for quick lookups — the desktop client is overkill for a single entity check
- −$999/yr Standard tier is steep for independent researchers and small teams
- −Third-party transform reliability varies; broken or rate-limited transforms are a recurring annoyance
Search engine for digital footprint — email, phone, username across 200+ sources
- +Exceptional breadth — 200+ sources queried in a single search
- +Covers email, phone, username, and name in one interface
- +Clean, fast UI with visual results mapping
- −Results depend heavily on what's publicly indexed — gaps on private individuals
- −Pro pricing per-search model can get expensive at scale
- −No API on lower tiers
CLI-based web reconnaissance framework modeled after Metasploit
- +Free and open source — no licensing costs
- +Familiar interface for anyone who knows Metasploit
- +Modular design — install only the modules you need
- −CLI-only — no graphical interface
- −Module marketplace less active than SpiderFoot
- −Steeper learning curve than GUI-based alternatives
The leading threat intelligence platform for enterprise security teams
- +Broadest intelligence coverage — 1M+ sources including dark web, technical, and open web
- +AI-assisted analysis surfaces context that would take analysts hours manually
- +Vulnerability intelligence with real exploitation likelihood scoring stands apart
- −Enterprise pricing puts it out of reach for most organizations
- −Requires dedicated threat intelligence analysts to realize ROI
- −Complex platform — time-to-value is measured in weeks, not hours
Competitive intelligence and web footprint analysis for digital investigators
- +Backlink graph reveals a company's full web presence and partnerships
- +Traffic analytics surface who's visiting a site and where they come from
- +Domain history and ownership changes over time
- −Built for marketers — OSINT use requires learning a non-OSINT interface
- −Traffic estimates are modeled, not exact (useful directionally, not forensically)
- −Full power requires Pro or Guru tier — free is limited to 10 results
Social media intelligence and OSINT automation for law enforcement and enterprise
- +SocialNet covers 200+ social platforms with relationship mapping
- +Purpose-built for law enforcement and licensed investigative work
- +OSINT automation reduces manual research time significantly
- −Enterprise pricing — not accessible for individual investigators
- −No self-serve signup — requires sales process
- −Platform depth can be overkill for simple investigations
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
- +Largest continuously-updated internet scan database — 15B+ indexed devices across all ports and protocols
- +Powerful query syntax filters by org, ASN, geography, CVE, product, and banner content
- +Shodan Monitor alerts on new exposures of your own infrastructure in near-real-time
- −Free tier is severely limited — meaningful research requires paid membership ($69 one-time) or monthly plan
- −Scan freshness varies by target — records on uncommon ports can be months old
- −No built-in threat scoring or attribution — raw banner data requires analyst interpretation
Map a target's full digital footprint automatically — domains, IPs, emails, names, and ASNs across 500+ sources.
- +Recursive entity pivoting extends collection automatically — discovered assets seed further queries without manual input
- +Seven seed input types cover both infrastructure recon and identity investigation in a single tool
- +Passive mode keeps all queries off target infrastructure — appropriate for scoped and sensitive engagements
- −Comprehensive scans take two to four hours — wrong tool for fast lookups
- −No confidence scoring on results — noise triage requires experienced analyst judgment
- −High-value modules are API-gated; unconfigured installs return significantly thinner results
Open source intelligence tools vary widely. You can start with free command-line utilities. Or invest six figures in an enterprise platform.
This guide covers the entire landscape, organized by use case. It provides an honest assessment of where each tool excels.
The tools listed here have been thoroughly vetted and independently reviewed. No vendor has paid for a spot.
Quick Reference by Use Case
| Use Case | Best Free Option | Best Paid Option |
|---|---|---|
| Initial identity investigation | Sherlock + HIBP | OSINT Industries Pro |
| Social media investigation | Manual + Sherlock | ShadowDragon SocialNet |
| Network/infrastructure recon | Recon-ng | Shodan |
| Relationship mapping | — | Maltego Pro |
| Evidence capture | — | Hunchly |
| Automated broad recon | SpiderFoot | SpiderFoot HX |
| Threat intelligence | MISP | Recorded Future |
| Dark web monitoring | HaveIBeenPwned | Flare |
| OSINT training | Bellingcat toolkit | TCM Security course |
| Technology stack | Wappalyzer (free) | BuiltWith |
Identity & People Investigation
OSINT Industries
Rating: 4.5/5 | Freemium | From $29/mo
OSINT Industries is a game-changer for person investigations. You feed it an email, phone number, or username, and it hits 200+ platforms at once. You get a list of confirmed accounts, breach data, related usernames, and profile info.
I've used it to quickly scope a person's digital presence in minutes, not hours. Now you have a map of their online footprint, including social media, email addresses, usernames across sites.
It is best for investigators needing to cast a wide net fast.
Maltego
Rating: 4.0/5 | Free (Community) / $999/yr Pro
Maltego maps relationships visually. Its graph interface shows how entities connect: email to domain, IP to person, social profile.
The Transform Hub offers 300+ data source integrations. This is where the heavy lifting happens in complex cases.
I've used it to untangle large investigations. Visualizing connections reveals key players and hidden ties.
Best for complex investigations where entity relationships matter.
ShadowDragon SocialNet
Rating: 4.0/5 | Enterprise pricing
ShadowDragon SocialNet is built for investigations. Law enforcement and enterprise teams use it to dig into over 200 social platforms. Historical data stays available, and the platform monitors activity continuously.
The tool produces court-ready outputs, providing a clear paper trail.
SocialNet has been used to track social media activity around a case, picking up on behavioral changes over time. Key players were identified through its monitoring.
SocialNet is best suited for teams that need to formally investigate, such as law enforcement and corporate security, where persistent monitoring and evidence trails are required.
Network & Infrastructure Reconnaissance
Shodan
Rating: 4.5/5 | Free (limited) / Pro from $59/mo
Shodan indexes internet infrastructure, billions of IP addresses. Every open port, service, banner, and SSL cert is included.
I've used Shodan to investigate specific IPs and domains. It reveals what's exposed, with no guesswork required.
In one instance, I identified open ports on a target's network. This allowed us to focus on actual vulnerabilities, eliminating unnecessary scans.
Shodan is best suited for mapping an organization's internet footprint or analyzing specific IPs and domains.
SpiderFoot
Rating: 4.0/5 | Free (open source) / HX from $200/mo
SpiderFoot queries 200+ data sources on a target. It is a go-to for broad OSINT sweeps. Self-hosted gives you full access to sources. Cloud-hosted via HX offers an easier interface.
A typical use case: I pointed SpiderFoot at a domain. Automated queries dug up IP addresses, DNS records, associated domains. No manual work was needed.
SpiderFoot is best for situations where comprehensive coverage is needed fast. It is good for large targets. It handles OSINT sweeps that include IP addresses, DNS records, associated domains. It is not ideal for surgical searches.
Recon-ng
Rating: 3.5/5 | Free (open source)
Recon-ng is a command-line reconnaissance tool built like Metasploit. It organizes work into structured workspaces, modules, and databases. This makes systematic, scriptable reconnaissance possible.
I've had success with Recon-ng on targeted investigations. The learning curve is steeper than SpiderFoot; you pay for that control.
In one IP investigation, Recon-ng modules let me zero in on specific data sources. I customized the workflow. The results were precise.
Best for hands-on testers who live in the terminal and want source-level control, requiring modules such as data scraping, DNS resolution, and IP geolocation.
BuiltWith
Rating: 4.0/5 | Free (basic) / Pro from $295/mo
BuiltWith tracks website tech stacks, including CMS, analytics tools, CDNs, hosting providers, payment gateways, and more. I used it on a target site once, and it delivered.
The tool provides historical data on stack changes over time, such as when they switched to a new CDN, or when they added a security certificate. This helps you understand their tech evolution.
I once analyzed a competitor's site with BuiltWith and found out what infrastructure they were running. This helped spot potential weaknesses and areas we could exploit.
BuiltWith is best for corporate intel ops, vendor assessments, sales prospecting, and tech audit teams.
Evidence Capture & Documentation
Hunchly
Rating: 4.5/5 | Paid | $129.99/year
Hunchly is a Chrome extension that captures every web page you visit during an investigation. It timestamps and hashes them, creating records that can't be altered, useful for cases.
The extension auto-documents your research, eliminating the need for manual screenshots. I have used it to speed up my workflow.
The timestamping feature is key; pages are locked in time, allowing you to focus on analysis instead of documentation.
Hunchly works for investigators, journalists, and law enforcement, anyone needing solid web research records for evidence, saving time and reducing errors.
I have seen it save hours; now I use Hunchly for all web-based research.
Threat Intelligence Platforms
Recorded Future
Rating: 4.5/5 | Enterprise | $50k–$500k+/year
Recorded Future leads in threat intelligence. It pulls from over a million sources, dark web chatter, technical feeds, analyst reports. Its AI sifts through the noise, flags likely vulnerabilities, and tracks threat actors.
I've used it to profile target organizations. It has delivered. The massive data aggregation, paired with smart analysis, surfaces threats and weaknesses that would have flown under the radar.
It is best for SOC teams with threat intelligence professionals on staff.
Dark Web Monitoring
Flare
Best for mid-market | From ~$417/mo
Flare delivers rapid results in the mid-market segment. Entity-based monitoring gets you alerts on actual targets, not noise. The clean UX means you quickly grasp threats. Tor, paste sites, Telegram are all in scope. Most users see actionable alerts within a day.
I once set up Flare to track dark web chatter about a target organization. The alerts started rolling in fast, and we homed in on potential threats and took action.
Best for mid-market organizations seeking dark web visibility.
Full dark web monitoring comparison →
HaveIBeenPwned
Best for individuals/small teams | Free / $3.95/mo
HaveIBeenPwned is Troy Hunt's breach alert system. It monitors email domains for free, checking if they've been exposed.
The service won't replace paid options for big organizations. But for individuals, it's a solid start.
I've used it for a small team; it works well. You get alerts and can act fast.
HaveIBeenPwned is best for individuals and small teams, offering basic breach alerts.
Training & Skill Development
TCM Security Practical OSINT
Rating: 4.5/5 | ~$30
TCM Security's Practical OSINT course nails the essentials. You get a full OSINT methodology: passive recon, people searching, social media digging, basic dark web skills, and reporting.
The instructors are practitioners. They know what works.
I've taken the course. It's helped me level up my investigations. I use the skills daily.
Best for: investigators seeking OSINT skills.
Free Tools Worth Knowing
These tools aren't commercial products with polished review pages. They deserve a spot in every OSINT investigator's arsenal.
Sherlock enumerates usernames across hundreds of platforms. It is open-source and runs from the command line. A quick pip3 install sherlock-project gets you started.
TheHarvester harvests emails, domains, IPs from public sources. It is a staple in the OSINT toolkit for initial reconnaissance.
The Wayback Machine at archive.org archives historical web pages. When targets scrub their online presence, these archives often preserve deleted content.
Google Dorking employs advanced search operators to uncover indexed content that basic searches overlook. Operators like site:, filetype:, and inurl:, used in combination, are essential OSINT skills.
Exiftool extracts metadata from images and documents. Metadata can include GPS coordinates, device types, creation timestamps, author names, all potentially buried in file metadata.
The OSINT Framework at osintframework.com is a community-curated directory of OSINT tools, organized by category. It helps you discover new tools you might have missed.
How to Choose
Starting from nothing, investigating a person: You begin with OSINT Industries' free tier, which handles account discovery across 200+ sites in minutes. Next, use Sherlock for username enumeration. Check for breach exposure with HaveIBeenPwned. For relationship mapping, use Maltego.
Technical practitioner, infrastructure focus: Shodan indexes internet infrastructure, including servers, cameras, routers, and industrial control systems. Anything listening on an open port gets catalogued, with banners providing details on what's running, version numbers, and sometimes config details. You know what a target has exposed before you ever send a packet their way. SpiderFoot automates recon, saving time. Recon-ng collects data on a schedule, using your scripts and their data.
Corporate security / threat intelligence: For enterprise threat intel, use Recorded Future or Mandiant, which monitor the web. For dark web monitoring, use Flare or SOCRadar. Maltego maps analyst relationships.
Law enforcement / formal investigation: Hunchly captures evidence completely. ShadowDragon investigates social media, searching public posts. Maltego visualizes relationships with an instant graph.
Methodology
We've put these tools through their paces. Each one has been tested against real-world targets, with the proper permissions in place, or evaluated hands-on. Our ratings are based on what matters: how well they work, how easy they are to use, how current their data is, whether they're worth the cost, and how good their support is. We have a set way of scoring that weighs all these factors.
The toolmakers haven't paid to be listed or get a good rating. Some tool pages have affiliate links; that doesn't affect our ratings. See our full disclosure.