OSINT Tools in 2026: The Search-Engine Reconnaissance Layer (and Where It Fits)
On this page
Open source intelligence is the oldest discipline in security wearing new tooling every year. IBM defines it as “the process of gathering and analyzing publicly available information to assess threats, make decisions or answer specific questions.” The information was always there. What changes, year over year, is which OSINT tools turn that public information into a structured picture fastest.
This post maps the 2026 landscape honestly. It categorizes the tools that matter, shows where each fits in a reconnaissance workflow, and is clear-eyed about one layer the standard listicles underuse: the search engines themselves, and now the AI engines that answer questions about your organization. cloro lives in that layer, and this post says exactly where — and where it doesn’t.
One boundary before the tools. Everything below is scoped to legitimate, authorized investigation — security research, due diligence, and journalism against organizations and public entities. OSINT aimed at private individuals is the misuse vector, so it is out of scope here entirely.
What OSINT tools actually do (and the one boundary that matters)
OSINT tools automate reconnaissance: the phase where you gather everything publicly knowable about a target before any deeper work begins. MITRE ATT&CK’s Reconnaissance tactic captures the adversary’s version bluntly — “the adversary is trying to gather information they can use to plan future operations.” Defenders run the same collection against their own org, first, to find what an attacker would.
The reason this matters is that the attacker and the defender use identical techniques. IBM notes that “cybercriminals and hackers also use OSINT techniques for social engineering, phishing and exposing targets for cyberattacks.” If a public source can hand your exposed footprint to an adversary, you want to have seen it first.
So the honest framing for every tool below is footprinting for defenders. You read public records about assets you own or are authorized to assess. You do not probe systems you have no right to touch.
That boundary is also the legal one. Scoped to organizations and public entities, run passively against public data, OSINT is routine security hygiene. Pointed at private individuals, or used to access data that was never truly public, it crosses into misuse. Every recipe in this post stays firmly on the defensive side of that line.
With that settled, here is the landscape.
The OSINT tools landscape: a categorized map
No single tool sees everything. The reason experienced investigators run a stack is that each category of OSINT tools answers a different question — who connects to whom, what infrastructure exists, what has leaked, and what the public index already holds.
Here is the map, by the job each tool does.
| Layer | What it answers | Representative OSINT tools |
|---|---|---|
| Link analysis / all-in-one | How do entities connect? | Maltego, SpiderFoot, Recon-ng |
| Infrastructure & attack surface | What hosts and services exist? | Shodan, Censys, OWASP Amass |
| Domain & footprint | What emails, subdomains, and assets belong to a domain? | theHarvester, Amass |
| Identity & username | Where does a handle appear? | Sherlock |
| Directory / technique map | Which resource fits this step? | OSINT Framework |
| Search-engine & AI-answer | What has been indexed or said publicly? | Google dorking, cloro |
Choose OSINT tools by the layer you need to cover, not by a top-15 ranking. A username investigation and an exposed-service audit call for entirely different tools. The sections below walk each layer in the order a defensive recon workflow usually runs them.
Link analysis and all-in-one investigation
Link-analysis tools turn scattered facts into a graph. Maltego is the reference here — an all-in-one investigation platform built to “conduct deep investigations into complex OSINT cases and cyber threats,” visualizing how people, domains, and infrastructure connect. It is the tool most analysts reach for when a case has more than a handful of entities.

SpiderFoot is the automation engine of this category. It describes itself as “an open source intelligence (OSINT) automation tool,” and it ships with over 200 modules that correlate names, emails, IPs, and leaks into one view. Point it at a domain you own and it runs the collection for you.

Recon-ng rounds out the group as a “full-featured reconnaissance framework” that runs modular collection the way Metasploit runs exploits — repeatable, scriptable, and consistent across engagements. These three OSINT tools are the backbone of most defensive programs.

Infrastructure and attack-surface search
The infrastructure layer answers a different question: what is exposed on the public internet? Shodan pioneered it as “a search engine for Internet-connected devices,” indexing open ports, banners, and running services across the internet. Censys does the same at scale, maintaining “the authoritative map of global Internet infrastructure used by organizations worldwide to uncover risks faster, respond more effectively, and prevent breaches before they happen.”


Searching these technical databases is a recognized recon technique, not a trick. MITRE catalogs it as search open technical databases, where adversaries “search freely available technical databases for information about victims.” Defenders query the same indexes for their own IP ranges to find forgotten, exposed services.
OWASP Amass sits between infrastructure and footprinting. The project “performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques” — the go-to for enumerating a domain’s full host inventory. These infrastructure OSINT tools are what turn a domain name into a full, current inventory of exposed hosts and services.

Domain footprinting and identity
theHarvester is the classic first move against a domain. It “performs open source intelligence (OSINT) gathering to help determine a domain’s external threat landscape,” pulling names, emails, IPs, subdomains, and URLs from dozens of public sources in one pass.

For identity, Sherlock enumerates a username across the web — its one job is to “hunt down social media accounts by username across 400+ social networks.” Used defensively, it maps an organization’s official accounts and surfaces impersonation handles, which ties directly into brand protection monitoring.

The directory: OSINT Framework
The OSINT Framework is not a scanner — it is the map. It organizes free OSINT tools and resources by category into a clickable tree. An investigator uses it to find the right resource for a given step rather than memorizing hundreds of OSINT tools. It is where many analysts start, then hand the actual collection to the tools above. Think of it as the index to the toolkit, not a tool in its own right.

The search-engine reconnaissance layer (where cloro fits)
Here is the layer the standard OSINT tools roundups underuse. Search engines run the most aggressive, most persistent crawler on the internet, and they have been indexing your organization’s assets for years. That makes the public index a uniquely honest view of what has actually been made public.
Using search engines this way is a documented method. OWASP’s Web Security Testing Guide states plainly that “testers can use search engines to perform reconnaissance on sites and web applications.” The technique has a name in the adversary playbook too — MITRE tracks it as MITRE ATT&CK (T1593), where “adversaries may search freely available websites and/or domains for information about victims that can be used during targeting.”
The sharpest form of this is the search operator, or “dork.” A site:-scoped query against a domain you own retrieves only your own indexed footprint — exposed staging pages, config files, leaked documents, and directory listings a crawler found. The Google Hacking Database is the public catalog of these queries: “a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet.” Attackers keep that catalog. Defenders should run it against themselves first, and our Google search operators guide covers the exact syntax.
Doing this by hand does not scale past one domain and one run. The programmatic version treats each dork as a monitored query and re-runs the set on a schedule. cloro’s SERP API returns the parsed organic results for a query as structured JSON, so you can diff today’s indexed URLs against yesterday’s and alert on the delta.
curl -X POST https://api.cloro.dev/v1/monitor/google \
-H "Authorization: Bearer sk_live_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"query": "site:yourdomain.com filetype:env",
"country": "US",
"device": "desktop"
}'
The response returns the indexed URLs matching that dork. Store the set per query, schedule the whole dork set to re-run daily or weekly, and fire an alert whenever a new URL appears. That new-URL event is the signal — a page you own just became publicly indexed, and someone should decide whether it should be. The same feed powers continuous attack surface management on the indexed layer.
To be explicit about scope: every query here is site:-locked to a domain you control. Extend it to a domain you do not own only with written authorization, and if a query surfaces a third party’s exposed asset, the correct move is responsible disclosure — not access.
AI-answer reconnaissance: the new OSINT surface
Now the genuinely new layer, and the reason this post exists. People no longer only search — they ask. When someone asks ChatGPT, Perplexity, or Google’s AI answers about an organization, the engine returns a synthesized answer and, increasingly, the sources it drew from. That answer is a reconnaissance surface, and no traditional OSINT tool can see it.
AI-answer recon asks a different question than any tool above: not “what is indexed about this org” but “what will an AI engine tell someone about it, and on what evidence.” The answer shapes how customers, journalists, and adversaries perceive the target before they ever visit a site.
A sanitized example makes the layer concrete. Ask a model, “what security incidents has [public company] had?” The engine returns a synthesized narrative and a list of cited sources. Traditional OSINT tools would surface the underlying pages one by one; the AI layer shows you the assembled story and which sources the model weighted most. For a defender, that is early warning about how a target org is being characterized. For a due-diligence analyst, it is a first-pass risk summary with its sources attached.
Three things make this a first-class OSINT layer. First, it reveals narrative exposure — what the models assert about an org, accurate or not. Second, it reveals which sources the models trust, because the cited pages are the ones shaping the story; understanding how AI engines cite sources is what turns a raw answer into intelligence. Third, it is the safest layer to run, because it operates entirely at the public-entity, organizational level.
No other OSINT tools can read this layer. It is exactly the layer cloro is built to structure — capturing what AI engines say about a target org and which sources they cite, as scheduled, diffable data.
Wiring the search + AI layer into a Maltego or SpiderFoot workflow
The search and AI-answer layer is an input, not a replacement for your graph tools. It slots into an existing investigation at two clean points.
As a data source. Feed the structured SERP and AI-answer results into the same case that Maltego or SpiderFoot is building. Indexed URLs, exposed paths, and AI-cited sources become entities in the graph, correlated with the hosts theHarvester and Amass already surfaced.
As a monitor. Schedule the dork set and the AI-answer queries to re-run on a cadence, and route new findings into your threat intelligence collection. The graph tools show relationships at a point in time; the scheduled search-and-AI feed keeps that graph current and alerts you when something new appears.
The design principle is meet the analyst where they work. The best OSINT tools stack does not ask you to abandon Maltego. It feeds Maltego a layer it could not collect on its own. For regulated due-diligence teams, that same feed supports adverse media screening, where what search and AI engines surface about an entity is the signal.
In practice, most teams already run OSINT tools like SpiderFoot or Recon-ng on a schedule. Adding the search-and-AI feed is a matter of registering a few queries and diffing the results. No rip-and-replace, no new console to learn — one more structured source flowing into the graph and the alert queue you already watch. Your existing OSINT tools stay put. The feed is purely additive.
Legal and ethical boundaries for OSINT tools
Because these are powerful tools, scope discipline is not optional. The workflows in this post are defensible precisely because they hold three lines.
Keep collection organizational and authorized. Assess assets you own or are explicitly cleared to assess. Written authorization comes before you point any of these OSINT tools at infrastructure you do not control.
Keep collection passive and public. Reading a public index, a certificate log, or an AI engine’s answer is reconnaissance. Accessing a system, brute-forcing a login, or retrieving data that was never truly public is not — and no “it was findable” argument changes that.
Respect privacy and disclosure. OSINT on private individuals for stalking or harassment is the misuse this discipline is defined against; keep examples to organizations and public entities. Honor privacy law such as GDPR, and if you incidentally surface a third party’s exposure, disclose responsibly rather than access it.
Held to those lines, the OSINT tools stack — from Maltego to the search-engine and AI-answer layer — is what lets a defender see their own organization the way an outsider already can. That is the whole point. If you want the search-indexed and AI-answer layer of your own footprint monitored continuously — scheduled site: sweeps, structured results, and a view of what AI engines say about your org — that is the feed cloro supplies. New accounts get 500 free credits to baseline their domains. Start at cloro’s threat intelligence use case.

About the author
Ricardo Batista
Founder, cloro
Ricardo is one of the founders and engineers behind its SERP and AI-search scraping infrastructure. Before cloro he scaled a financial comparison site to $7M ARR and ran the full-country operations of a unicorn to $65M ARR, then went back to building. He writes about search engine scraping, generative-engine optimization, and turning live search and AI-answer data into something teams can act on.
Frequently asked questions
What are the best OSINT tools?+
There is no single best tool — the best OSINT toolkit is a stack, because each tool covers a different layer of reconnaissance. For link analysis and all-in-one investigations, Maltego and SpiderFoot dominate. For infrastructure and attack-surface search, Shodan, Censys, and OWASP Amass lead. theHarvester and Recon-ng handle domain footprinting, and Sherlock covers username enumeration. The search-engine and AI-answer layer — what Google and ChatGPT have already indexed or will say about an organization — is the newest layer, and it feeds structured recon data into all of the above. Pick tools by the layer you need to cover, not by a ranking.
Is OSINT legal?+
Collecting open source intelligence from genuinely public sources is legal in most jurisdictions when it is scoped to authorized, legitimate purposes — security research on your own assets, due diligence, and journalism. The legal and ethical line is crossed when collection targets private individuals for stalking or harassment, accesses systems or data that are not actually public, or breaches a platform's terms or applicable privacy law. Keep OSINT work scoped to organizations and public entities you are authorized to assess, respect privacy law such as GDPR, and follow responsible disclosure if you incidentally surface someone else's exposure.
Is there a free OSINT tool?+
Most of the core OSINT tools are free and open source. SpiderFoot, theHarvester, Recon-ng, OWASP Amass, and Sherlock are all free to install and run, and the OSINT Framework is a free directory that maps techniques to tools. Shodan, Censys, and Maltego offer free tiers with paid plans for heavier use. The search-engine reconnaissance layer is where costs usually appear, because querying search and AI engines at scale needs an API — cloro provides that layer with 500 free credits to start.
What is the OSINT Framework?+
The OSINT Framework is a free, web-based directory that organizes open source intelligence resources by category — usernames, email addresses, domain names, IP addresses, social networks, and more — as a clickable tree. It is not a scanner or an automation tool; it is a map that points you to the right resource for a given investigation step. Investigators use it to discover which tool or data source fits a task, then run the actual collection in a tool like SpiderFoot, Maltego, or the search-engine layer.
Related reading

Attack Surface Management: The Search-Indexed Layer Most EASM Tools Underuse
In an own-scope study of cloro.dev, Certificate Transparency surfaced 15 hostnames but only 3 were search-indexed — while a defensive site: sweep found ~20 exposed URL paths host enumeration never sees. The two layers are complementary, not redundant.

Brand Protection in 2026: Monitoring Search — and Now the AI Answer Layer
Across 40 major brands × 60 prompts × 6 AI engines, 31%–72% of triggered answers cited only third-party domains — never the brand's own site. On Perplexity, the brand's own domain is cited in ~0% of answers. Trustpilot, BBB, ConsumerAffairs, and Reddit narrate your brand when you're absent.

Google Search Operators: Complete List and Examples
Use Google search operators to find exact phrases, PDFs, indexed pages, mentions, and competitor content. Includes examples and power-search workflows.