THE OSINT VAULT™

Certificate Transparency log search. Find all subdomains by looking up TLS certificates. Great for mapping web infrastructure.

Programmatic access to CT logs. Use SSLMate's certspotter API or Google's CT API to automate subdomain discovery.

RIPE NCC's data service. Look up IP addresses, ASNs, prefixes, and abuse contacts. Essential for network attribution.

BGP routing data and ASN relationships. See who peers with who, upstream providers, and network topology.

Historical snapshots of websites. See what a site looked like years ago. Recover deleted content, find old contact info, track changes.

Multi-engine OSINT search tool for running queries across multiple platforms and discovering indexed data variations.

Search engine for Internet-connected devices. Find exposed services, open ports, vulnerable systems. Free tier has limited searches.

Note: Essential for finding what's actually exposed, not what should be exposed.

Add /robots.txt or /sitemap.xml to any domain. Reveals hidden directories, admin panels, API endpoints that site owners don't want crawled.

Historical DNS records and subdomain discovery. Track domain changes over time. Free tier provides limited lookups per month.

Historical and current WHOIS registration data for domains. Supports infrastructure attribution and domain pivoting with extensive historical records.

Best Used For: Domain ownership research and infrastructure pivot analysis.

DNS reconnaissance and domain infrastructure mapping. Identifies subdomains, DNS records, and related hosts tied to a domain. Generates visual network diagrams. No registration required.

Best Used For: Subdomain discovery and DNS infrastructure analysis.

Reverse DNS lookup, reverse WHOIS, and DNS history. Multiple DNS intelligence tools in one interface.

Internet-wide scanning data. Certificate searches, device fingerprinting, and exposure mapping. More structured than Shodan for research.

Crowdsourced IP reputation database used to identify malicious IP addresses. Aggregates abuse reports and assigns confidence scores. Community-driven threat intelligence with API access.

Best Used For: Validating suspicious IPs and identifying malicious infrastructure.

IP geolocation, ASN details, and company information. Clean API for programmatic lookups. Free tier available.

Identifies internet background noise vs targeted attacks. Determines if IP scanning is mass scanning or targeted activity.

Open threat intelligence platform. Community-contributed indicators of compromise, malicious IPs, and threat data.

Threat intelligence search engine. Query IPs, domains, and URLs for threat indicators. Clean interface with API access.

Analyzes files, hashes, domains, and IPs using multiple antivirus engines and threat intelligence feeds. Aggregates detection data and behavioral analysis from 70+ security vendors.

Best Used For: Malware analysis, IOC validation, and infrastructure reputation checks.

Website technology profiler. Identifies frameworks, analytics, hosting providers, and tech stack. Free basic lookups, paid for historical data.

Search engine for exposed databases, API keys, and configuration files. Scans the internet for data leaks and misconfigurations.

Internet scanner and data platform. Maps exposed services, vulnerabilities, and hosts. API access for automated queries.

Cyber defense search engine. Collects data on exposed assets, threat intelligence, and internet infrastructure. Free tier available.

Search engine for publicly exposed AWS S3 buckets. Find misconfigured cloud storage containing sensitive files and data.

Chinese internet asset search engine similar to Shodan/Censys. Scans global internet for exposed services, devices, and vulnerabilities. Strong coverage of Asian infrastructure with advanced query syntax.

Internet intelligence platform with attack surface discovery. Searches DNS, WHOIS, SSL certificates, and exposed services. Includes historical data and API access. Alternative to Shodan with different data sources.

Source code search engine. Search for specific HTML, JavaScript, or CSS patterns across millions of websites. Find sites using same tracking codes, widgets, or templates. Useful for attribution and infrastructure mapping.

Website scanner and sandbox. Submit URLs to see live screenshots, DOM content, network requests, and technology fingerprints. Search historical scans by domain, IP, or content. API available.

Chinese internet search engine for exposed services and infrastructure. Query syntax similar to Shodan. Strong global coverage with different indexing approach. Good for cross-referencing Shodan/Censys results.

Searches across 2000+ platforms simultaneously. Includes social networks, forums, dating sites, and gaming communities. Designed for broad username reconnaissance.

Open-source username enumeration tool that checks hundreds of platforms for account presence tied to a single username. Web-based with no registration required. Enter a username, receive structured results showing platform presence.

Best Used For: Username reconnaissance and account discovery across platforms.

Check username availability across social networks and domain names. Includes less common platforms.

Lightning-fast username checking. Focuses on major platforms but updates frequently.

People search engine that locates publicly available information connected to an individual's online presence.

Note: Good for quick identity pivots when you need a fast starting point.

AI-powered facial recognition search engine. Upload a face photo and find where that face appears across the public internet. Identifies social media profiles, news articles, and websites containing matching faces.

People search engine aggregating data from public records, social profiles, and online activity. Returns comprehensive identity profiles including contact info, social media, and professional history. Enterprise/API-based pricing.

Email OSINT tool. Links email addresses to Google accounts, profile pictures, Google Maps reviews, and YouTube channels.

Find professional email addresses by company name. Verify email deliverability. Free tier allows limited monthly searches.

Note: Fast for building target lists when you need valid corporate contacts at scale.

Reverse phone lookup. Identify spam callers, see caller ID info, and find who owns a phone number.

Advanced phone number information gathering. Identifies country, carrier, line type, and scans for online footprints.

Email reputation lookup. Checks if an email address is associated with data breaches, disposable services, or suspicious activity.

Email-based intelligence lookups to identify associated accounts and metadata. Assists in uncovering digital identity links and account correlations.

Best Used For: Email pivoting and digital identity correlation.

Check if an email or phone number appears in known data breaches. Maintained by Troy Hunt. API available for automated queries.

Email server diagnostics. SPF, DMARC, MX record lookups, blacklist checks, and DNS validation for email infrastructure.

Contact intelligence platform. Find email addresses, phone numbers, and social profiles for professionals. Ideal for investigative research and contact discovery.

Reverse phone, VOIP, address, name, and email lookup. Includes voicemail preview without calling the device. High accuracy for basic consumer-level OSINT.

Python-based CLI tool. Queries a phone number across multiple online services. Includes sources such as Instagram and Snapchat. Best used for quick command-line checks and automation.

Web-based OSINT lookup tools. Phone number section allows simultaneous searches across many services. Results displayed in separate tabs per service. Also available through OSINT virtual machines built using Michael Bazzell's OSINT Techniques books. Best used for broad, multi-source phone number investigations.

Online phone number verification service. Provides basic metadata and validation information. Best used for initial number validation and formatting checks.

Breach data search engine. Search by email, username, IP, name, or password hash to find leaked credentials from data breaches. Returns associated accounts and exposure details across billions of records.

Breach data search platform. Search billions of leaked records by email, username, IP, name, phone, VIN, or address. Returns plaintext passwords when available. Used by security researchers and investigators.

Enterprise breach detection platform. Monitors dark web for compromised credentials and PII. Provides actionable alerts for exposed employee/customer data. Used by security teams and investigators.

OSINT tool for investigating Google accounts. Extract name, profile photo, Google Maps reviews, YouTube channels, Google Calendar events, and more from a Gmail address. Powerful for mapping Google ecosystem activity.

A free threat intelligence toolset from Hudson Rock that can check whether a specific domain, username, or email address was compromised by Infostealer malware.

The FBI Vault is the FBI’s online FOIA reading room, providing public access to thousands of FBI records, investigations, and historical documents.

Command-line tool for username enumeration across 400+ social networks. Automated search with structured output. Commonly used for identity mapping.

Note: Best first step for username recon before manual verification.

Advanced phone number information gathering tool. Scans international phone numbers to identify carrier, location, and online presence.

Gather emails, subdomains, IPs, and URLs from public sources. Uses search engines, PGP servers, and Shodan.

Note: Run this early for domain recon before touching the target directly.

Collect dossier on a person by username. Checks 3000+ sites, extracts personal info from profiles.

Check if an email is used on different sites like Twitter, Instagram, Imgur without notifying the user.

Subdomain discovery tool. Passive reconnaissance using certificate transparency, DNS, and search engines. Fast and reliable.

Note: Fastest passive subdomain enum, use this before active scanning.

In-depth DNS enumeration and network mapping. Active and passive subdomain discovery. Maintained by OWASP.

Note: More thorough than Subfinder but slower, use when you need deep enumeration.

Fast web crawler designed for OSINT. Extracts URLs, emails, social media accounts, and files from websites.

Note: Fast crawler for extracting all discoverable content from a target site.

Read, write, and edit metadata in images, videos, PDFs. Extract GPS coordinates, camera info, timestamps, author names.

Open-source geospatial investigation tool that extracts metadata from images and maps GPS coordinates locally. Processes images in batch mode and reconstructs movement timelines without cloud dependency.

Best Used For: EXIF extraction, geolocation clustering, and timeline reconstruction from images.

Identify hash types. Determines what algorithm generated a hash string. Essential for password cracking and forensics.

Command-line interface for Censys internet scanning data. Query certificates, hosts, and services from the terminal.

Full-featured web reconnaissance framework. Modular design with 80+ modules for passive recon: domains, contacts, credentials, hosts, ports. Database-backed with workspaces for organized investigations.

OSINT tool for finding profiles by username across 350+ platforms. Fast multi-threaded scanning with export options. Designed for quick identity reconnaissance and persona mapping.

OSINT-focused virtual machine maintained by TraceLabs for missing persons investigations and CTF events.

Cyber Security Investigator Linux distribution designed for digital forensics, OSINT, and incident response.

DFIR and OSINT Linux distribution with comprehensive toolset for digital forensics and investigations.

Industry-standard penetration testing and security auditing distribution with extensive OSINT tools pre-installed.

Arch Linux-based distribution for penetration testers and security researchers with over 2800 tools.

Linux distribution specifically designed for OSINT investigations and open source intelligence gathering.

Ubuntu-based Linux distribution designed for penetration testing and security assessment.

Containerized OSINT environment with pre-configured tools for investigations.

Arch Linux-based distribution for security professionals with curated penetration testing tools.

OSINT-focused distribution with automated tool installation and configuration.

OSINT distribution designed for investigators with pre-configured investigative tools.

Debian-based distribution focused on privacy and anonymity with Tor integration.

Gentoo-based security-focused LiveCD distribution for penetration testing.

Arch Linux-based distribution optimized for security testing and OSINT.

Fedora spin providing a safe test environment for security auditing and forensics.

Real-time social media search. Monitor mentions across Twitter, Facebook, Instagram, YouTube, Reddit, and more.

Search engine for data leaks, breaches, and the darknet. Paid subscription for unlimited searches and exports.

Twitter analytics and search. Find people by bio keywords, compare followers, analyze activity patterns.

Advanced Twitter scraping tool. Bypass API limits, scrape tweets, followers, following, likes without authentication.

API-driven OSINT platform. Accessible via the Horizon web portal. Integrates with tools such as Maltego and i2. Best suited for structured social network analysis and API-based correlation.

Track statistics and analytics for YouTube, Twitch, Instagram, Twitter creators. View subscriber counts, follower growth history, estimated earnings, channel rankings. Useful for verifying influencer claims and tracking account growth patterns.

AI-powered research platform that enhances OSINT investigations. Track, annotate, and enrich research through intelligent automation, searchable archives, and private server deployment.

Professional OSINT and data analysis platform. Automated data collection from 100+ sources including social media, company registries, breach databases. Link analysis visualization with graph-based entity mapping. Used by LE and corporate investigators.

Cloud-based automated OSINT reconnaissance platform. Correlates data from 200+ modules: domains, IPs, emails, names, phone numbers. Generates investigation graphs and exportable reports. Self-hosted open-source version also available.

AI-powered predictive intelligence platform designed for behavioral modeling and analytical forecasting. Leverages machine learning to identify patterns across datasets and generate probabilistic insights.

Best Used For: Behavioral forecasting, risk modeling, and predictive investigative analysis.

Enhances investigative search capabilities using AI-driven contextual understanding. Refines queries to uncover hidden relationships, semantic links, and pattern-based correlations beyond traditional keyword search.

Best Used For: Advanced semantic search and uncovering non-obvious data relationships.

AI-driven Reddit intelligence tool that analyzes user behavior, post history, sentiment, and subreddit network mapping. Processes billions of posts to identify behavioral patterns and community affiliations.

Best Used For: Reddit profile investigations, sentiment analysis, and subreddit ecosystem mapping.

Client-side investigation notebook for structuring raw notes into entities, timelines, sources, and conflict alerts. Deterministic processing with no external dependencies.

Built within The OSINT Vault

Direct access to U.S. federal court documents, case filings, and dockets. Official government system. $0.10 per page, free up to $30 per quarter.

Access to millions of U.S. court records, including civil, criminal, and federal filings. Aggregates court data from multiple jurisdictions into a searchable interface.

Best Used For: Searching U.S. court cases, litigation history, and legal records.

Access to federal and state court opinions, oral arguments, and PACER data. Widely used for legal research and judicial analysis. Maintained by Free Law Project.

Best Used For: Case law research, judicial opinion tracking, and federal court monitoring.

Python-based tool that automates extraction of structured data from court websites. Supports analysts performing large-scale judicial record collection.

Best Used For: Bulk scraping and structured extraction of court records.

Most U.S. states maintain free searchable databases for criminal and civil cases. Search by name, case number, or party. Each state operates its own system.

Official U.S. government registry. Search registered sex offenders across all states. Includes photos, addresses, and conviction details.

Most counties provide free online access to property ownership records, tax assessments, and sale history. Direct access to assessor databases.

World's largest open database of companies. Search 200+ million companies across jurisdictions. Track officers, filings, ownership.

The Center for Public Accountability provides investigative research into corporate and institutional influence. Offers transparency data useful in financial and influence investigations.

Best Used For: Corporate transparency research and institutional investigation.

Each U.S. state maintains official business entity databases. Search LLC registrations, corporation filings, and registered agent information.

Public data aggregation platform. Search phone numbers, emails, usernames across multiple open-source intelligence databases.

Global sanctions database. Search politically exposed persons (PEPs), criminal watchlists, and anti-money laundering data from official sources worldwide.

Professional-grade OSINT and risk-analysis platform used by investigators to aggregate public data across multiple sources. Subscription-based investigative tool.

Read, write, and edit metadata in images, videos, PDFs. Extract GPS coordinates, camera info, timestamps, author names.

Crawl websites and extract metadata from Office documents, PDFs. Finds usernames, software versions, network paths.

Online metadata viewer. Upload images, documents, or videos to extract hidden data. No installation required. Works in browser.

Google Dorking uses advanced operators in Google Search to narrow results based on file type, page content, title, URL structure, and more. Used correctly, it can surface hidden data, public records, login portals, forgotten documents, and exposed endpoints.

Limits results to specific file types like PDF, DOC, XLS, TXT, SQL, and more.

Finds pages with specific keywords in the URL structure.

Searches for keywords within page content/body text.

Matches specific keywords in page titles.

Shows pages that link to a specific URL.

Limits search to a specific domain or extension (.edu, .gov, etc.).

Shows Google's cached version of a page.

Finds websites similar to the specified URL.

Displays information about a specific URL.

Returns definitions from various sources.

All specified words must appear in the page title.

All specified words must appear in the URL.

Target educational institutions for publicly exposed contact info and directories.

Find login pages and admin portals on specific domains.

Locate vBulletin-powered forums on educational, government, and military domains.

Find forum registration pages on institutional domains.

Google can help surface public Facebook profiles using key identifiers like usernames, emails, or name + location.

Facebook's old Graph Search is gone, but some URL patterns still work for public search.

Pair phone numbers with context phrases to surface exposed contact data on Facebook.

Key use cases for Google Dorking in professional contexts:

• Cybersecurity testing: Locate exposed backups, misconfigured directories, hidden endpoints
• OSINT & investigations: Pull public records, deleted pages, leaks, uncached data
• Journalism & research: Surface archived info, forgotten content, open databases
• Web development: Check indexing issues, mislinked content, external references

Identifies technologies used on websites - CMS, frameworks, analytics tools, server software, CDN, payment processors. Essential for profiling target infrastructure.

Reveals website technology stack including widgets, analytics, hosting, CMS, advertising networks. More comprehensive than Wappalyzer for some categories.

View image metadata directly in your browser. Right-click any image to see EXIF data including camera model, GPS coordinates, timestamps, and software used.

Right-click any image to instantly search it on Google, Yandex, TinEye, Bing, and Baidu. Save time by accessing multiple reverse image search engines from one menu.

Reverse image search across 30+ search engines with one click. Supports Google, Bing, Yandex, TinEye, plus region-specific engines. More comprehensive than RevEye.

Spoof your browser's user agent to appear as different browsers, devices, or bots. Useful for accessing mobile-only content or bypassing basic detection.

Quickly access archived versions of any webpage. See historical snapshots, track changes over time, and recover deleted content from Internet Archive.

Highlight and analyze text on any webpage. Extract emails, IP addresses, phone numbers, cryptocurrency addresses. Includes instant lookups and pivot tools.

Context menu with 150+ OSINT tools. Highlight text (usernames, emails, IPs, domains) and right-click to instantly search across multiple platforms.

Created by Michael Bazzell. Collection of custom search engines for Facebook, Twitter, Instagram, LinkedIn, and more. Includes advanced query builders.

Displays detailed information about websites - IP address, location, hosting provider, domain registrar, DNS records. One-click access to WHOIS data.

Search IOCs (indicators of compromise) directly from selected text. Supports IP addresses, domains, URLs, hashes, CVEs, Bitcoin addresses across 70+ engines.

Extract all links from a webpage into organized lists. Filter by domain, file type, or pattern. Export to CSV or clipboard for further analysis.

Automatically detect and extract data from web pages into structured tables. Scrape listings, profiles, search results without coding. Export to CSV or Excel.

Block trackers, force HTTPS connections, see website privacy ratings. Useful for understanding what data websites collect during investigations.

Mass download manager. Download all images, videos, or files from a page with filters. Essential for archiving evidence or collecting media from targets.

Download videos from websites including YouTube, Facebook, Twitter, Vimeo. Capture video evidence that might be deleted later. Supports 1000+ sites.

Save complete web pages as single HTML files including CSS, images, fonts. Perfect for preserving evidence - everything is embedded, no external dependencies.

Capture full-page screenshots even on long scrolling pages. Save as PDF, PNG, or JPEG. Annotate screenshots before saving. Essential for documenting investigations.

Official Shodan browser extension. Shows IoT devices, open ports, vulnerabilities, and historical data for any IP you visit. Requires paid Shodan account for full features.

Extract all email addresses from any webpage instantly. Export to CSV or copy to clipboard. Useful for contact discovery and lead generation.

Open multiple URLs at once from a list. Paste dozens of links and open them in separate tabs. Speeds up investigation workflows significantly.

Copy URLs of all open tabs to clipboard with one click. Export tab lists for documentation or sharing with team members. Various format options.

Automatically remove tracking elements from URLs. Clean links before sharing or archiving. Prevents tracking parameters from revealing your investigation.

View, edit, create, and delete cookies. Essential for session analysis, understanding tracking mechanisms, and testing authentication flows.

GeoSpy is an advanced AI-powered geolocation platform designed for enterprise and law enforcement use. It delivers meter-level accuracy using state-of-the-art computer vision, even with low-context images.