Tools
T1596OSINT Tools
Essential open-source intelligence tools for SOC analysts --- from domain reconnaissance and IP reputation to email header analysis and credential leak monitoring.
View on Graph
What OSINT Is and Why Analysts Need It Daily
OSINT (Open-Source Intelligence) is the collection and analysis of publicly available information to produce actionable intelligence. MITRE ATT&CK maps information gathering to T1596 (Search Open Technical Databases) and T1593 (Search Open Websites/Domains).
For SOC analysts, OSINT is a daily operational requirement. Every phishing triage, every suspicious connection in a SIEM, every alert about a domain you’ve never seen — all of these require OSINT validation. A good analyst goes into an investigation knowing which tool answers which question. Combine OSINT findings with MISP for structured threat intel sharing.
OSINT Tool Reference by Category
File and Hash Analysis
| Tool | URL | Best For | Example Query / Use Case |
|---|---|---|---|
| VirusTotal | virustotal.com | File and URL reputation. Scans submitted files against 70+ antivirus engines. | Submit a hash from a Sysmon Event ID 1 alert. If 5/70 engines detect it, it’s suspicious. If 0/70 and the file was downloaded from a newly registered domain, it’s likely custom malware. Use CyberChef to decode embedded payloads found during OSINT. |
| Hybrid Analysis | hybrid-analysis.com | Deep file sandbox analysis. Submits files to a controlled sandbox and reports behavior (process creation, network connections, registry writes). | Paste a URL from a phishing email. The sandbox visits the URL and shows exactly what happens — redirect chain, payload download, file system changes. |
| Any.Run | any.run | Interactive online malware sandbox. Watch malware execution in real-time via a browser. | Submit a suspicious .exe from an email attachment. The sandbox shows processes spawned, network connections made, and files created — with a browser recording of the execution. |
| MalShare | malshare.com | Malware sample repository. Download known malware samples for analysis. | Search by hash to find related samples from the same family or author. |
| Triage (ReversingLabs) | tria.ge | Automated malware analysis with behavioral and static reporting. | Fast sandbox with good detection of LOLBin usage and process injection techniques. |
Domain and DNS Reconnaissance
| Tool | URL | Best For | Example Query / Use Case |
|---|---|---|---|
| crt.sh | crt.sh | Certificate Transparency log search. Find all SSL/TLS certificates issued for a domain. | %.wyzsec.com shows every subdomain with a certificate — useful for discovering unknown or forgotten subdomains. For phishing investigations, search a lookalike domain to see certificate issuance patterns. |
| SecurityTrails | securitytrails.com | Historical DNS data. Shows current and historical A, AAAA, MX, NS, TXT records. | Find what IPs a domain resolved to over time. If a malicious domain changed IPs 5 times in 3 days, that’s fast flux infrastructure. |
| DNSDumpster | dnsdumpster.com | DNS recon and domain mapping. Shows MX, TXT, and subdomain enumeration in a visual map. | ”Run DNSDumpster on a phishing domain” — reveals all DNS records and builds a map of the domain’s infrastructure. |
| MXToolbox | mxtoolbox.com | Email server and DNS diagnostics. DNS lookup, blacklist check, SMTP test. | Check if an IP is on any blocklists (Spamhaus, Barracuda, etc.). Analyze email delivery issues. MX record lookup for a domain. |
| URLScan.io | urlscan.io | Website screenshot and HTTP analysis. Visits a URL and captures the full page, redirect chain, HTTP headers, resources loaded. | ”Enter the URL from a phishing email” — urlscan shows the rendered page, all loaded resources, redirect chain, and domains contacted. Essential for determining if a phishing site is active or defanged. |
| DomainTools | domaintools.com | Comprehensive domain intelligence. WHOIS history, registrar info, domain age, reverse IP. | Check domain age (registered 3 days ago = almost certainly malicious). Reverse IP search shows all other domains hosted on the same server. |
| WhoisXMLAPI | whoisxmlapi.com | WHOIS data and domain intelligence. | Domain registration data, owner contact info (where available), registrar details. |
| BuiltWith | builtwith.com | Technology profiling. Shows what web technologies a site uses (CMS, frameworks, analytics, CDN). | Profile a phishing site’s tech stack to identify common hosting providers or vulnerable plugins. |
IP Address and Network Intelligence
| Tool | URL | Best For | Example Query / Use Case |
|---|---|---|---|
| Shodan | shodan.io | Internet device search. Scans all public IPs and catalogs open ports, services, banners. | Search an attacker IP — what ports are open? What service banners? Is there a web server hosting a C2 panel? Shodan queries: port:3389 country:RU (RDP servers in Russia), org:"Amazon" vuln:CVE-2023 (AWS-hosted servers with a specific CVE). |
| Censys | censys.io | Internet host and certificate search. Similar to Shodan with stronger certificate transparency data. | Search for all hosts using a specific TLS certificate — identifies phishing infrastructure sharing the same certificate. |
| GreyNoise | greynoise.io | Internet noise classification. Tells you if an IP is a known scanner, botnet node, or benign internet background radiation. | ”I see a connection from IP X. Is this targeted?” — GreyNoise tells you if the IP is a known mass-scanning host (internet background noise) or an uncommon/unseen IP (likely targeted). |
| IPinfo | ipinfo.io | IP geolocation, ASN, company, and hosting provider. | ipinfo.io/203.0.113.55/json returns JSON with location, ASN, carrier. Is the IP from a known cloud provider? Is it residential (VPN/proxy indicator)? |
| AbuseIPDB | abuseipdb.com | IP reputation database. Reports of malicious activity tied to an IP. | Search an IP — has it been reported for SSH brute force, spam, malware hosting? Confidence score indicates how reliable the reports are. |
| ThreatCrowd | threatcrowd.org | Threat intelligence correlation. Links domains, IPs, hashes, email addresses associated with a threat actor. | Enter an attacker IP and see all related domains, file hashes, and email addresses — building a picture of adversary infrastructure. |
| RiskIQ (PassiveTotal) | passivetotal.com | Threat intelligence and infrastructure mapping. Passive DNS, WHOIS, certificate correlation. | Passive DNS shows which IPs a domain has resolved to historically — essential for infrastructure pivoting. |
Email Analysis
| Tool | URL | Best For | Example Query / Use Case |
|---|---|---|---|
| MXToolbox | mxtoolbox.com | Email header analysis, MX record lookup, blacklist check. | Paste email headers from a suspicious message. Validate the SPF/DKIM/DMARC results, trace the sending server IP, check if it’s on any blacklists. Use Wireshark for deep packet-level email traffic analysis. |
| Have I Been Pwned | haveibeenpwned.com | Credential breach monitoring. Check if an email address or phone number appears in known data breaches. | ”Did a user’s credentials leak?” — Enter the corporate email. Returns a list of breaches exposing that address. HIBP also provides domain-level monitoring for breaches affecting your organization. |
| Epieos (formerly GHunt) | epieos.com | Email address intelligence. Find social media accounts, Google services, and Gravatar tied to an email. | Investigate an attacker email address — what accounts are linked? What online presence exists? |
| PhishTool | phishtool.com | Phishing email analysis platform. Parse email headers, extract URLs/attachments, threat intel enrichment. | Paste a phishing email. PhishTool extracts URLs (defanged), attachments, SPF/DKIM results, and checks URLs against multiple threat intel feeds in one click. |
Credential Leak Monitoring
| Tool | URL | Best For | Example Query / Use Case |
|---|---|---|---|
| Have I Been Pwned | haveibeenpwned.com | Domain breach monitoring. Register your corporate domain to get notified when employee emails appear in breaches. | Configure domain monitoring for yourcompany.com. Weekly digest of newly discovered breaches containing your email addresses. |
| DeHashed | dehashed.com | Credential search engine. Search across multiple breach databases. | Search a username or email — returns cracked passwords, IPs, and breach metadata. Paid but essential. |
| IntelX | intelx.io | Intelligence search across dark web, paste sites, breach data, and public sources. | Search for corporate domains on paste sites. Monitor for mentions of your company in leaked databases. |
| Snusbase | snusbase.com | Data breach search engine. | Quickly check if a set of credentials appears in known breaches. |
Social Media and Persona Intelligence
| Tool | URL | Best For | Example Query / Use Case |
|---|---|---|---|
| SpiderFoot (HX) | spiderfoot.net | Automated OSINT framework. Runs 200+ modules across multiple data sources. | ”Investigate an IP address” — SpiderFoot runs all OSINT modules (WHOIS, DNS, Shodan, Have I Been Pwned, etc.) and correlates results into a graph. |
| theHarvester | GitHub | Email and subdomain enumeration from public sources (Google, Bing, LinkedIn, PGP keys). | theHarvester -d wyzsec.com -l 500 -b google,linkedin — harvests email addresses, subdomains, and employee names associated with the domain. |
| Recon-ng | GitHub | Full-featured reconnaissance framework with modular workflow. | Automated workflow for domain reconnaissance: discover subdomains → resolve IPs → query Shodan → find related domains. |
| Sherlock | GitHub | Social media username search across 400+ platforms. | sherlock attacker_handle — find all social media accounts tied to a username. |
| WhatsMyName | GitHub | Similar to Sherlock — username lookup across services. | Cross-reference account creation across platforms for persona mapping. |
Automated OSINT Platforms
| Tool | URL | Best For | Example Query / Use Case |
|---|---|---|---|
| OSINT Framework | osintframework.com | Visual directory of OSINT tools organized by category. | If you don’t know which tool to use for a specific question, the framework shows all options by category (email, domain, IP, social media, etc.). |
| Maltego | maltego.com | Graphical link analysis for OSINT. Build entity relationship graphs with transforms. | Start with a domain, apply transforms to find all related infrastructure — IPs, subdomains, email contacts, related domains. |
| OpenCTI | opencti.io | Open-source threat intelligence platform. Aggregate and correlate threat data. | Centralize all your OSINT findings. Ingest from MISP, STIX/TAXII feeds, and manual analysis into a single knowledge graph. |
OSINT Triage Workflows
Phishing Domain Investigation
- Enter the URL into URLScan.io — see the rendered page, loaded resources, redirect chain
- Check the domain on crt.sh — find all subdomains and certificate issuance dates
- Query SecurityTrails for historical DNS — when was the domain first seen?
- Check DomainTools WHOIS — who registered it? How old is the domain?
- Submit any file downloads to VirusTotal — hash check and sandbox analysis
- Check Have I Been Pwned — is the targeted email in any breaches?
- AbuseIPDB — is the hosting IP known for malicious activity?
Expected output: A report containing the domain registration details, hosting infrastructure, active URL state (live/defanged), malware detection rates (if any), and a confidence score for maliciousness.
Malicious IP Investigation
- IPinfo for geolocation, ASN, and hosting provider
- GreyNoise for classification (internet noise or targeted?)
- Shodan for open ports and services on the IP
- AbuseIPDB for report history
- VirusTotal (IP tab) — has this IP been associated with malware samples?
- SpiderFoot — run automated OSINT for deep correlation
- Passive DNS via SecurityTrails — what domains resolve to this IP?
Expected output: A determination of whether the IP is hostile infrastructure (C2 server, phishing host, scanner) or benign background noise, with supporting evidence.
Credential Leak Assessment
- Enter the email address on Have I Been Pwned
- Search the leak context — was it a service breach (company SaaS account) or a paste dump?
- Check DeHashed for associated passwords (if authorized)
- Review the breach details — what data was exposed (password, credit card, SSN)?
- Alert the affected user to reset credentials
- Monitor for subsequent login attempts using the leaked password (password spray)
Expected output: A list of affected accounts, the data exposed, and recommended actions (password reset, MFA enable, account review).
OSINT Ethics and Operational Security
- Stay within legal boundaries. OSINT means using publicly available data. Do not attempt to access private accounts, exploit vulnerabilities, or engage in social engineering without explicit authorization.
- Use research-only infrastructure. Create separate accounts for OSINT work — do not use your corporate identity on reconnaissance tools. Be aware that Shodan, crt.sh, and VirusTotal track queries.
- Document your sources. Every finding must be traceable to a specific tool query at a specific time. “VirusTotal 3/72 detection on 2026-05-22 at 14:30 UTC” is evidence. “VirusTotal flagged it” is not.
- Be aware of OPSEC. Attackers also use these tools. They monitor crt.sh and Shodan for new infrastructure. They check if their C2 IPs are on blocklists. Your OSINT queries may be visible.
Related
- Kill Chain — covers the kill chain concepts
- Azure Sentinel — detection and response for T1654 techniques
- BloodHound — detection and response for T1087 techniques