You have been redirected from is the new home for all information regarding Maltego products. Read more about this in a message from the Paterva team and in this blog post and FAQ. close

What is Open Source Intelligence (OSINT) & How to Conduct OSINT Investigations in Maltego

If you are just getting started in infosec or cybersecurity, you have probably heard of the term OSINT. OSINT plays a crucial role in all sorts of investigations. If investigating means to move from a question to an answer, OSINT can often be employed to find the answer.

Many tools and databases allow users to query OSINT data. Maltego is one of them. Integrated with various OSINT data sources, Maltego gives users the ability to access these data and map the data relationships into a graph.

In this infographic blog, we will give you a brief overview of OSINT, how investigators use it in a practical case, and the types of OSINT data queryable in Maltego.

What is Open Source Intelligence (OSINT)? 🔗︎

OSINT is an intelligence-gathering method used to collect and analyze publicly available information and data for investigative purposes. OSINT data sources encompasses pretty much anything you can find on the internet, from an IP address to public governmental records.

In a very broad sense, OSINT gathering can even encompass performing a Google search or reading through a public forum about learning how to fix a leaking pipe.

Who Uses OSINT? 🔗︎

OSINT techniques are practiced by all sorts of investigators and analysts across a range of industries—cybersecurity operations analysts, law enforcement officers, fraud investigators, threat hunters, researchers, investigative journalists, and many more.

who uses OSINT

This means that OSINT practices can be applied to a wide range of use cases, especially those involving network infrastructure footprinting, malware and threat analysis, person of interest investigations, phishing attacks, and fraudulent activities.

OSINT use cases illustration

Two Types of OSINT Approaches: Offensive vs. Passive 🔗︎

There are two types of approaches when it comes to OSINT information gathering: offensive and passive. As the terms suggest, the main difference between the approaches lie in whether contact is made with the target.

offensive and passive OSINT illustration

Offensive OSINT 🔗︎

Offensive OSINT approach, also called active OSINT approach, makes contact with the target in order to gather real-time or more accurate data. However, this also exposes the investigators to a higher risk of detection by the target. Once the target is alerted and becomes aware that someone is trying to gather intelligence about them, they would very likely shut down external access to the data or try to trace the source to the investigators for counter attacks.

An example of offensive OSINT would be scanning a target website.

Passive OSINT 🔗︎

Passive OSINT approach is a comparatively safer practice that gathers historical data or data hosted by third-party sources. Although the data retrieved might not be 100% up-to-date, investigators remain distant from the target and thus have a lower risk of being detected. Historical data also comes in handy when real-time data is not available anymore—such as after the malicious actors remove the website.

An example of passive OSINT would be looking up historical DNS records.

Which OSINT Approach does Maltego Use? 🔗︎

Maltego offers a number of Transforms from various OSINT data integrations. Ranging from infrastructure data to threat intelligence, person of interest information, and to cryptocurrency activities, these Transforms query data both actively and passively.

However, it does not mean that Maltego users are at risk of exposing their IP addresses or identities when performing active OSINT queries. Since all the Transform queries run through Maltego’s public server by default (except for certain deployment options), even when the target under investigation notices these data query requests, they would only be able to see that Maltego is querying such data.

OSINT Framework in Maltego: What OSINT Data is Queryable in Maltego 🔗︎

As you start exploring OSINT practices in your investigations, you will start hearing more about the term “OSINT Framework.” OSINT Framework is a collection of tools for OSINT information gathering and investigations. While some of the data are hosted on third-party sites or governmental databases, some of the data sources are integrated into Maltego and can be queried by Maltego Transforms.

As mentioned before, OSINT covers numerous types of data, which means there are also numerous tools and services one can use to gather information. In Maltego alone, users can query all types of data thanks to data integrations with Shodan, WHOIS, TinEye, The Wayback Machine, VirusTotal, ATT&CK and MISP, Pipl, Orbis, and more.

This makes Maltego a powerful link analysis tool for investigators from various fields and industries who can leverage Maltego and its data integrations to conduct all sorts of investigations—network footprinting , cybersecurity research, threat analysis , POI investigation, fraud investigation, IoT vulnerabilities analysis , and more.

In the graph below, you can find an overview of Maltego’s OSINT capabilities:

OSINT framework in Maltego

Get Started with OSINT Investigations in Maltego! 🔗︎

We hope you find this infographic and blog useful for you to get a better understanding of what OSINT is and how to use OSINT for investigations.

Feel free to download the infographic here to share it with your teams and colleagues!

Use Cases & Tutorials: OSINT with Maltego 🔗︎

If you want to learn more about real-life investigations using OSINT and Maltego, here are a few of our favorite use cases:

Uncovering Hidden Internet Relationships Using Only Two Maltego Transforms 🔗︎

In this blog post, we will demonstrate how to easily trace internet relationships by spidering out relevant links to a website with only a couple of Maltego Transforms.

Maltego Dorking: More Precise Search Engine Investigations with Bing Transforms 🔗︎

In this tutorial, our guest author, Andrew Fordred, shows how Maltego users can increase the precision of the results returned by Maltego’s search engine Transforms by using a few Dorking techniques.

Wayback Machine Transforms: Querying Historical Website Snapshots 🔗︎

The Wayback Machine is a digital archive of the World Wide Web. With these Transforms, users can now query historical website snapshots within Maltego.

Mapping Visual Disinformation Campaign with Maltego and TinEye 🔗︎

Maltego’s TinEye reverse image search Transforms provide journalists, researchers, and investigators with the ability to easily map the spread of imagery online.

In-Depth Guide: How to Use Maltego Transforms to Map Network Infrastructure 🔗︎

In this tutorial, we detail a network footprinting methodology while demonstrating how investigators can use Maltego to implement it.

Make sure you follow us on Twitter and LinkedIn and subscribe to our email newsletter to stay updated on new use cases, tutorials, and product development.

Happy investigating!

Pick the right product and get started.