18 Best Free OSINT Tools for Cyber Investigations
There are plenty of free or almost-free OSINT tools you can find online — ChatGPT can provide you with quite a list. But, as often happens with ChatGPT, some of those tools simply don’t exist, some don’t work anymore, and some provide low-quality data.
In this post, we have collected several OSINT tools that actually work quite well for different cyber research purposes, grouped according to their primary use cases. All of these tools could be very handy for different tasks such as cybercrime investigation, threat hunting, offensive cybersecurity exercises, and more.
OSINT Toolboxes
1. Maltego
Maltego is a multipurpose OSINT pivot engine and a visual investigation platform. It takes "entities," such as people, organizations, domains, or IP addresses, and uses "transforms" to gather related information and present it in an interactive graph.

Maltego’s key features include:
- “Transforms” — automated queries that fetch data from open data sources and APIs.
- Various entities or data points that can be linked and analyzed.
- Visual link analysis in an interactive graph, limited to 24 results per “transform” for free accounts.
- Preconfigured sets of transforms called “machines” that automate common investigation workflows.
- Prebuilt connectors that enable you to integrate with more than 100 data sources, with limited access for free accounts.
Maltego is not completely free, but it has a free tier called Basic that provides you with core features and a couple of hundred credits per month to use the powerful engine for occasional small OSINT investigations.
2. SpiderFoot
SpiderFoot is an OSINT automation tool for threat intelligence and attack surface mapping. You can gather and correlate information from over 200 data sources (some open, some paid) about targets like domain names, subdomains, IP addresses, personal or company names, email addresses, subnets, Bitcoin addresses, and usernames.

Among SpiderFoot’s key features are:
- More than 200 modules or integrations that either don’t require API keys or have free tiers.
- Both a web-based GUI and a command-line interface.
- Modules that search the Tor network (dark web) for mentions of targets.
SpiderFoot is available on GitHub for free. Or rather, there’s a version that hasn’t received updates for two years and has more than two dozen pull requests awaiting acceptance and over a hundred issues awaiting triage. That probably has something to do with the fact that SpiderFoot was acquired by Intel 471 in 2022. The terms of the deal were not disclosed, but seemingly, since then, the open-source part of the project has been abandoned.
3. OSINT Framework
OSINT Framework was developed to help users find free OSINT resources, although some data sources might still require registration or provide more data for a fee. It’s not strictly a toolbox that allows you to pivot off a data point, but more of a directory of resources from which you can find more information about a target data point.

The key features of the OSINT Framework are:
- It is very organized, with the list of tools presented as a tree-like structure based on the type of information you already have and want to pivot off.
- It prioritizes free or open-source tools.
- OSINT Framework is maintained by the OSINT community, so the listed resources are likely to be kept up to date.
OSINT Framework is completely free and open-source, with its source code available on GitHub under the MIT license. The project seems to be actively maintained, with the latest pull request merged less than a month ago.
4. WhoisXML API MCP Server
WhoisXML API’s MCP Server allows investigators to conduct OSINT analysis and complex internet infrastructure investigations directly from a familiar chatbot interface (like Claude or Gemini) using natural language. Essentially, it connects the LLM to 17 different APIs, such as WHOIS and WHOIS History, a variety of DNS APIs, threat intelligence, domain categorization, and other APIs that WhoisXML API offers.

Among the MCP Server’s key features are:
- Users can query data from APIs using natural language prompts, eliminating the need to code.
- Users can instruct LLMs to access multiple APIs and pivot off a data point in a single request using multi-step queries.
- The MCP server grants LLMs access to 17 different WhoisXML API tools, which contain billions of DNS, domain, and IP records — and more.
- The server offers multiple installation options, including Docker containers and native binaries.
The MCP Server is free to use. Existing WhoisXML API customers can use their API keys to set it up, while new users can sign up to get some free API credits.
5. Jake AI
Jake AI is WhoisXML API’s cloud-based Domain Intelligence AI Assistant that works much like the aforementioned MCP Server, but without the need to install anything — it has a web-based GUI and runs an LLM and the MCP server under the hood.
All you need is your API key, and you can start using Jake AI, doing OSINT investigations, external attack surface discovery, and threat infrastructure mapping, among other things.

Like the MCP Server, Jake AI connects to 17 different APIs. Jake AI’s key features are:
- It can combine multiple APIs to answer complex questions.
- Jake AI can do bulk lookups, so you can investigate up to 10 IP addresses or domain names all at once.
- Setup is as easy as 1-2-3: request access, log in, and plug in your API key (existing WhoisXML API customers can use their API keys, while new users can sign up to get some free API credits)!
- It gives you access to 17 WhoisXML API tools and billions of WHOIS, IP, DNS, and threat-intelligence data points.
Search Engines
1. Ahmia.fi
Ahmia.fi is a search engine designed to index and search hidden services on the Tor network. It allows investigators to find .onion sites without having to manually browse the Tor network.

Its key features are:
- It’s dark-web-specific but accessible via your regular web browser.
- There’s a time filter that allows you to limit search results to entries added in the previous day, week, or month.
- It filters out potentially illegal content.
Ahmia.fi is free to use. If someone wants to contribute to the project, it’s available on GitHub under the BSD-3-Clause license.
2. Intelligence X
Intelligence X specializes in searching for information in places not typically indexed by regular search engines, such as the darknet, document-sharing platforms, WHOIS databases, and public data leaks for email addresses, domains, URLs, IP addresses, CIDRs, Bitcoin addresses, IPFS hashes, and many other data points.

Some of Intelligence X’s features include:
- A broader scope than other search engines since it searches several sources.
- Searches current data but also archives historical data.
- Supports a diverse range of input types.
- Advanced search filters by date, media type, certain countries, specific TLDs, and other categories.
Intelligence X is a commercial product, but it offers as many as four different free tiers. They are, of course, severely limited compared to paid ones, but they still do the job.
3. Shodan
Shodan is a search engine for internet-connected devices that can be used for scanning IP addresses to find exposed services, industrial control systems, webcams, and other network devices.

Shodan’s key features include the following:
- The tool’s search is device-centric, unlike other search engines that index websites.
- It displays service banners (metadata about running software or hardware), which often reveal version numbers, vulnerabilities, and misconfigurations.
- It allows you to filter results based on location, metadata, hostname, ISP, operating system, and other parameters.
While Shodan offers commercial price plans and doesn’t have a free plan, it still allows users to perform basic searches without requiring them to log in.
4. Censys Search
Censys’ search engine allows you to scan certificates and hosts (IP address, domain name, or protocol), which helps identify misconfigurations in web servers, databases, and other internet-facing systems.

Among its key features are:
- Offers detailed information on SSL/TLS certificates, but you need to create an account to access other details like historical changes, WHOIS information, and connected domains.
- Identifies the software, versions, and protocols running on exposed ports.
- Performs broad and deep scans of the entire IPv4 space, often discovering different sets of exposed services and devices compared to other scanners.
Censys Search is a commercial product, but it allows you to perform some searches without having an account at all and offers additional information on the free plan.
Infrastructure Analysis Tools
1. BuiltWith
BuiltWith is a website profiler that identifies the technologies used to build and run any given website. It uncovers everything from content management systems (CMS) and e-commerce platforms to analytics tools, hosting providers, and advertising networks.

BuiltWith’s features include:
- A database with more than 108,000 web technologies.
- Tracking the historical usage of technologies on a website.
- Integrations with several third-party vendors, although most are sales- and marketing-related.
BuiltWith is a commercial tool, but individual website lookups are free and don’t even require registration. The paid plans allow you to get lists of websites built using a certain technology.
2. Netcraft’s Site Report
Netcraft's Site Report provides a detailed security and technology overview of any website, leveraging Netcraft's internet data mining and cybercrime monitoring capabilities. It lets investigators see that website’s hosting information, site popularity, network details, and various security-related configurations, including SSL/TLS, SPF, and DMARC records.

Its key features are:
- Netcraft’s Site Report includes critical security aspects like SSL/TLS certificate details, HTTP security headers (e.g., X-Frame-Options, CSP), and email authentication records (SPF, DMARC).
- The site report provides context related to the site's hosting, age, and reputation, which can indicate phishing or malicious intent.
- It tracks changes in a website's hosting provider, IP address, and nameservers over time.
- It includes an option to report a suspicious website, easily accessible from the site report page.
Netcraft’s Site Report is completely free. Netcraft also offers paid products that allow users to find similar websites.
Threat Intelligence Tools
1. AlienVault's Open Threat Exchange (OTX)
OTX is a free, community-powered threat intelligence sharing platform where security professionals collaborate to share information about the latest threats. You can find information about indicators of compromise (IoCs), malware families, and adversaries, as well as browse threat intelligence by industry.

Its key features are:
- Threat intelligence is organized into "Pulses," which are curated lists of IoCs with a summary of a specific threat, its impact, and the targeted software.
- OTX allows users to automatically integrate shared IoCs into their security infrastructure (e.g., SIEMs, firewalls) via APIs.
- It supports a wide range of IoC types, including IP addresses, domains, URLs, file hashes (MD5, SHA-1, SHA-256), and email addresses.
Unlike many commercial threat intelligence feeds, OTX provides free and open access to a wealth of real-time threat data.
2. WhoisXML API’s Threat Intelligence API
The Threat Intelligence API allows investigators to find threat information about any domain, URL, IP address, CIDR number, or hash identified as IoCs. It also accepts wildcard queries, allowing you to see if any IoC uses the search term.

The key features of WhoisXML API’s Threat Intelligence API are:
- Seamless integration since query responses come in standardized XML and JSON formats.
- Various data sources, including honeypots, server logs, OSINT data sources, and ISP abuse reports.
- Covers several types of threats, including cyberattacks, botnet usage, C&C, malware, phishing, spamming, Tor usage, and suspicious activities.
- Supports several IoC types, such as domain, URL, IP address, CIDR, and hash.
Like most of WhoisXML API’s tools, the Threat Intelligence API is not entirely free, but offers a certain free monthly credit allowance that the user can employ to try it out (and enough to support small-scale investigations).
3. VirusTotal
VirusTotal is a free online service that analyzes suspicious files, URLs, domains, and IP addresses against more than 70 antivirus scanners and threat intelligence blacklisting services. Users can just scan a suspicious resource to see if any of the threat engines have reported it to be malicious.

Its key features are:
- Allows registered users to comment on indicators and share valuable context that enriches the analysis for other users and helps identify false positives or negatives.
- Its relationship graph enables users to visualize the connections between files, URLs, domains, and IP addresses.
- Aside from threat detection, VirusTotal provides WHOIS registration data and Google search results.
VirusTotal is free to use, but offers premium services such as an API or YARA rules matching.
Domain Intelligence Tools
1. WhoisXML API’s WHOIS History
WhoisXML API’s WHOIS History provides access to billions of historical WHOIS records for domains, which allows investigators to track ownership changes, registration details, and contact information over time.

WhoisXML API’s WHOIS History standout features include:
- Multiple data consumption models, including via API, web-based lookup tool, and a full database.
- For older websites, the tool gives access to WHOIS records from before the GDPR implementation that led to widespread redaction of registrant information, often allowing users to find website owner contact information.
- The database is updated daily, ensuring that the information includes the latest records.
- It’s easy to integrate into workflows thanks to standardized JSON and XML output formats.
WHOIS History is a commercial product, but 500 free API credits are available upon signup.
2. WhoisXML API’s DNS History
WhoisXML API’s DNS history products include the DNS Chronicle API, a web-based lookup tool, and a DNS database download. They enable investigators to perform both forward and reverse historical DNS searches. Forward lookups allow users to access a log of past DNS configurations for a given domain, including changes to IP addresses, nameservers, mail servers, and other DNS records (some record types are only available in the database download option). Reverse DNS searches for an IP address return a list of all connected FQDNs.

DNS Chronicle’s key features are:
- Provides access to hundreds of billions of historical DNS records.
- Offers a detailed timeline of a domain's DNS activity, arranged in chronological order.
- Aggregates passive DNS data, which is collected from sensors worldwide, and records DNS resolutions over time.
- Like WHOIS History, WhoisXML API offers flexible DNS history access via API integration or database downloads.
As with other WhoisXML API tools, DNS Chronicle is commercial, but 500 free API credits are available upon signup and can be used both for web lookups and API access.
3. WhoisXML API’s IP Geolocation API
IP Geolocation API, also a WhoisXML API product, adds geographical and network context to any given IPv4 or IPv6 address, including its country, region, city, postal code, precise coordinates, and time zone. It also reveals information about the internet service provider (ISP), autonomous system (AS) details, and associated domain names for that IP address.

Its key features include:
- 99.5% IP address coverage for both IPv4 and IPv6, across hundreds of thousands of unique locations worldwide.
- Provides very specific location data, including latitude, longitude, and postal codes, not just country or city.
- There’s an option to include up to five domain names associated with the target IP address.
You automatically get a free subscription plan limited to 1,000 queries after signing up.
4. WhoisXML API’s Subdomains Lookup
Subdomains Lookup is a simple subdomain enumeration tool that comes in the form of a web-based lookup, an API, and a subdomain database.
It works in a very straightforward way: you enter a domain name, and it looks up all the subdomains that domain has.

Its key features include:
- A subdomain database that comprises over 9.6 billion records.
- Over 15 million subdomains discovered daily.
- The date first seen and date of last update for each subdomain, which help identify inactive subdomains.
Just like with most other tools that WhoisXML API offers, you receive 500 free API credits upon signup.
Conclusion
Open-source intelligence tools are an essential part of any investigator’s toolkit — whether you’re working in cybersecurity, digital forensics, threat hunting, or just having fun as a wanna-be FBI agent. While there’s no shortage of OSINT tools online, finding ones that are reliable, regularly updated, and truly useful can be a challenge. That’s why we focused this list on tools that work and deliver value, whether you're tracking domain ownership, analyzing infrastructure, mapping threat data, or scanning the deep web.
Many of these tools offer free tiers that are generous enough to support small-scale investigations. Paired together, they can help build a clearer picture of online threats, suspicious infrastructure, and digital footprints—without the need for expensive software licenses. As always, remember to validate findings, respect privacy laws, and use OSINT responsibly.