The Best OSINT Tools for Security Analysts in 2026 (Free and Paid)

Honest comparison of Shodan, Maltego, VirusTotal, GreyNoise, Censys, SpiderFoot, and IntelSpec. Evaluate based on coverage, ease of use, pricing, and AI capabilities.

Last updated: April 11, 2026 | Reading time: ~12 minutes

OSINT (Open Source Intelligence) is no longer optional. In 2026, supply chain attacks are sophisticated, AI-powered threat actors move fast, and the attack surface is enormous. Every security analyst needs a toolkit that works.

But OSINT tooling has a problem: fragmentation. You need Shodan for device discovery. Maltego for link analysis. VirusTotal for malware. Censys for certificate intel. Add in GreyNoise for noise filtering, and suddenly you're juggling seven dashboards to answer one question.

This guide cuts through the noise. We've evaluated eight popular OSINT tools (including a new entrant) against real-world security analyst workflows. We're being honest about strengths and trade-offs. None of these tools does everything, and that's OK: you'll likely use 2-3 in combination.

By the end, you'll know which tools fit your role, your budget, and your investigation style.

Selection Criteria

We evaluated each tool on five dimensions:

  • Coverage: How many data sources does it aggregate? Can it answer your specific questions (device discovery, domain intelligence, breach data, threat actor profiles, supply chain risk)?
  • AI & Analysis: Does it have AI-powered reasoning? Can it correlate across sources automatically, or does it just fetch raw data?
  • Ease of Use: Can a new user run their first investigation in 5 minutes? Is the UI intuitive or buried under complexity?
  • Compliance & Audit: Does it log investigations? Can you document findings for audits or incident reports?
  • Pricing: What's the cost of entry? Free tier limitations? Scaling costs?

Tool Reviews

1. Shodan: Best for Device Discovery

The use case: You need to find what's exposed on the internet. Servers, IoT devices, network infrastructure.

What it does: Shodan scans the entire internet and indexes HTTP headers, banners, and service metadata. You search by service type, IP range, hostname, or port. Results show what's listening, what it is, and sometimes credentials (if leaked).

Strengths

  • Unmatched device-level data. You find the physical thing (an unpatched web server, a Raspberry Pi exposing SSH, a Tesla charging station) before anyone else does.
  • Speed. Query results are instant; no rate limiting for reasonable use.
  • Simple syntax. Queries like "port:22 country:US" are intuitive.
  • Unique data. Nobody else has HTTP header data at scale.

Weaknesses

  • No link analysis. Shodan shows you devices, not threat actor infrastructure or connections.
  • Limited context. You get a banner; you don't get "this IP is tied to X threat actor." You have to cross-reference manually.
  • Noise. Results include a lot of honeypots, misconfigurations, and false positives. GreyNoise (see below) solves this.
  • Expensive at scale. Free tier is 100 results/month. Paid: $49/month (1K results/month) or $2,999/year (unlimited). Corporate: $5K+.

Best for: Penetration testers doing reconnaissance. Network admins finding exposed assets. Incident responders narrowing down which servers were compromised.

Pricing: Free (limited), $49/month, $2,999/year, enterprise custom.

2. Maltego: Best for Link Analysis

The use case: You're tracking a threat actor, a domain, or a person. You need to visualize their footprint: related domains, IP addresses, email addresses, registrants, infrastructure.

What it does: Maltego is a graph database visualization tool. You feed it a seed (domain, IP, email), and it follows connections to show you the network. It includes hundreds of transforms (queries to external APIs like WHOIS, DNS, domain registration databases, malware analysis, threat feeds).

Strengths

  • Visual mapping. Link analysis is hard on spreadsheets. Maltego's graph makes relationships obvious.
  • Comprehensive transforms. Maltego connects to 30+ external data sources (Shodan, VirusTotal, LinkedIn, Google, DNS providers, etc.).
  • Community-driven. Open-source transforms are available; advanced users write custom ones.
  • Incident response workhorse. If you're hunting a threat actor across their entire infrastructure, Maltego is built for this.

Weaknesses

  • Steep learning curve. It's powerful but not intuitive. Expect 2-3 days to get comfortable.
  • Noisy results. Transforms can return thousands of connections. Filtering and pivoting takes skill.
  • Expensive. Free tier (Maltego Community) is limited. Paid (Maltego Classic) starts at $999/year. Enterprise: $5K+.
  • Slow at scale. Running transforms on 10K domains takes hours.

Best for: Threat hunters and incident responders with time to learn. Intelligence analysts mapping threat actor infrastructure.

Pricing: Free (limited), $999/year (Classic), $3K+/year (Professional), enterprise custom.

3. VirusTotal: Best Free Malware Analysis

The use case: You have a file hash, a URL, or a domain. Is it malicious? What do 70+ antivirus engines say?

What it does: VirusTotal is a free malware sandbox and aggregator. Upload a file (or just a hash), scan a URL, or query a domain. It returns verdicts from Kaspersky, McAfee, Norton, Avast, etc., plus community reports and analysis graphs.

Strengths

  • Free tier is generous. Unlimited queries for file hashes, URLs, and domains.
  • Aggregated AV verdicts. If 45 out of 70 engines flag something, you know it's bad.
  • Community data. See who else has flagged this hash and in what context.
  • Integrations everywhere. Malware sandboxes and threat feeds integrate with VirusTotal.

Weaknesses

  • Limited forensic analysis. VirusTotal tells you "this is malware," but not "here's exactly what it does."
  • Noisy community reports. User-submitted reports aren't always accurate.
  • No contextualization. It doesn't connect this malware to a threat actor.

Best for: Malware triage. Breach response. Any security analyst needing a quick "is this bad?" check.

Pricing: Free (generous), $20/month (premium API quotas).

4. GreyNoise: Best for Internet Noise Filtering

The use case: You found an IP on your network, in a log, or in Shodan. Is it a real threat, or just a scanner?

What it does: GreyNoise runs honeypots and tracks internet scanners. It classifies IPs as "benign," "malicious," or "unknown."

Strengths

  • Reduces false positives. Shodan + GreyNoise is a killer combo.
  • Real attack data. GreyNoise sees actual traffic, not theoretical signatures.
  • Fast lookup. Query an IP and get context in seconds.
  • Free tier exists. Limited to 250 queries/month, but useful for triage.

Weaknesses

  • Limited scope. GreyNoise only covers IPs that have hit their honeypots.
  • Paid tier cost. Free is 250 queries/month. Paid (Professional) is $349/month.
  • Incomplete attribution. GreyNoise groups IPs by behavior, not always by threat actor.

Best for: SOC teams filtering alerts. Incident responders contextualizing suspicious IPs.

Pricing: Free (250 queries/month), $349/month (Professional), enterprise custom.
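
The alert-filtering workflow described above, as an added example that is not code from this article or from GreyNoise: failed SSH logins are counted per source IP and joined against a per-IP classification so that known scanners drop to the bottom of the queue. The log lines and the `CLASSIFICATION` table are constructed sample data standing in for real lookup results; no vendor API is called.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines; external IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr 11 09:14:02 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 50122 ssh2
Apr 11 09:14:05 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2
Apr 11 09:15:40 web01 sshd[2230]: Failed password for invalid user test from 203.0.113.20 port 41000 ssh2
Apr 11 09:16:01 web01 sshd[2244]: Failed password for deploy from 192.0.2.55 port 39911 ssh2
Apr 11 09:16:03 web01 sshd[2244]: Failed password for deploy from 192.0.2.55 port 39912 ssh2
Apr 11 09:17:11 web01 sshd[2250]: Failed password for backup from 10.0.4.12 port 51000 ssh2
Apr 11 09:17:30 web01 sshd[2251]: Accepted publickey for deploy from 10.0.4.12 port 51002 ssh2
"""

# Constructed stand-in for lookup results, using the three labels named above.
CLASSIFICATION = {"198.51.100.7": "malicious", "203.0.113.20": "benign"}

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ACTION = {"malicious": "escalate", "unknown": "review", "benign": "deprioritize"}
ORDER = {"escalate": 0, "review": 1, "deprioritize": 2}

def triage(log_text, lookup):
    """Return (ip, failed_logins, label, action) rows, most urgent first."""
    hits = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed address field: skip rather than guess
        if any(ip in net for net in INTERNAL):
            continue  # internal hosts are not internet scanners; handle separately
        hits[str(ip)] += 1
    rows = []
    for ip, count in hits.items():
        label = lookup.get(ip, "unknown")  # no classification on record for this IP
        rows.append((ip, count, label, ACTION.get(label, "review")))
    rows.sort(key=lambda r: (ORDER[r[3]], -r[1], r[0]))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, CLASSIFICATION):
        print(*row, sep="\t")
```

An IP with no classification is queued for review rather than dropped, which matches the "limited scope" weakness noted above.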

5. Have I Been Pwned: Best for Breach Checking

The use case: A user registered for your service with their work email. Did their credentials leak in a known breach?

What it does: Have I Been Pwned, run by Troy Hunt, aggregates breach databases from across the internet (Equifax, LinkedIn, Facebook, Twitter, etc.). You query an email address and see what breaches it appeared in.

Strengths

  • Comprehensive breach index. 700+ breaches.
  • Free for email queries. Unlimited lookups.
  • API access. Bulk queries for enterprise environments.
  • Industry standard. Security vendors integrate with it.

Weaknesses

  • Email-only. You can't query by username, password, or IP.
  • Passive. It doesn't discover new breaches; it aggregates public ones.
  • No context. It tells you your email was in a breach, but doesn't tell you if the attacker activated it.

Best for: Proactive security work. Employee onboarding.

Pricing: Free (queries), £2/month (premium = no ads, faster API).

6. Censys: Best for Certificate Intelligence

The use case: You need to find all infrastructure registered to a company (or a threat actor). SSL certificates are your best lead.

What it does: Censys scans HTTPS across the internet and indexes SSL certificates. Query by certificate issuer, organization name, domain, public key, or SAN.

Strengths

  • Certificate data is real. Unlike registrant WHOIS, SSL certificates require valid domain ownership.
  • Subdomain enumeration. Query your main domain and see every certificate issued.
  • Historical data. See what certificates a domain had over time.
  • Free tier is solid. 120 queries/month is reasonable.

Weaknesses

  • Paid tier scaling. Free tier limits you. Paid (Analyst): $4,500/year.
  • No correlation. Censys shows you certificates, but doesn't connect them to threat actors.
  • Limited to HTTPS. If a server only uses HTTP, Censys won't see it.

Best for: Incident responders finding threat actor infrastructure. Penetration testers doing reconnaissance.

Pricing: Free (120 queries/month), $4,500/year (Analyst), enterprise custom.
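
What to do with the certificate data once you have it, shown as an added example that is not code from this article or from Censys: names found on certificates are normalised, limited to your own domain, and compared against an asset list to surface untracked, wildcard, and expired entries. The records, field names, and asset list are constructed for illustration and are not any vendor's export schema.

```python
from datetime import date

# Constructed certificate records; the field names are assumptions for this
# example, not any vendor's export schema.
CERTS = [
    {"names": ["example.com", "www.example.com"], "not_after": date(2026, 9, 1)},
    {"names": ["*.dev.example.com"], "not_after": date(2026, 6, 15)},
    {"names": ["vpn.example.com", "VPN.Example.com."], "not_after": date(2026, 3, 1)},
    {"names": ["staging-old.example.com", "cdn.example.net"], "not_after": date(2027, 1, 10)},
    {"names": ["notexample.com"], "not_after": date(2026, 12, 1)},
]
KNOWN_ASSETS = {"example.com", "www.example.com", "vpn.example.com"}  # constructed inventory

def normalise(name):
    """Lower-case and drop a trailing root dot so duplicates collapse."""
    return name.strip().rstrip(".").lower()

def in_scope(name, apex):
    """True only for the apex itself or a real subdomain of it."""
    bare = name[2:] if name.startswith("*.") else name
    return bare == apex or bare.endswith("." + apex)  # "notexample.com" fails both

def inventory(certs, apex, known, today):
    """Return sorted (hostname, flags) pairs for names under `apex`."""
    latest = {}
    for cert in certs:
        for raw in cert["names"]:
            name = normalise(raw)
            if in_scope(name, apex):
                # Keep the newest expiry when a name appears on several certificates.
                latest[name] = max(latest.get(name, date.min), cert["not_after"])
    report = []
    for name, expires in sorted(latest.items()):
        flags = []
        if name.startswith("*."):
            flags.append("wildcard")
        elif name not in known:
            flags.append("untracked")
        if expires < today:
            flags.append("expired")
        report.append((name, flags))
    return report

if __name__ == "__main__":
    for host, flags in inventory(CERTS, "example.com", KNOWN_ASSETS, date(2026, 4, 11)):
        print(host, ",".join(flags) or "ok")
```

The scope check compares against `"." + apex` so that a look-alike such as `notexample.com` is not counted as one of your hosts.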

7. SpiderFoot: Best Open-Source OSINT

The use case: You want OSINT automation, no vendor lock-in, and the ability to customize.

What it does: SpiderFoot is an open-source reconnaissance tool. Feed it a target (domain, IP, person, email), and it automates queries to 200+ sources (WHOIS, DNS, Google, VirusTotal, Shodan, etc.).

Strengths

  • Free and open-source. No licensing costs.
  • Automation. Configure once; rerun on a schedule.
  • Extensible. Write custom modules to integrate your internal databases.
  • Privacy-friendly. Data stays on your hardware if self-hosted.

Weaknesses

  • Dependent on free APIs. As APIs change or get rate-limited, modules break.
  • Limited data quality control. Results include a lot of noise.
  • Slower than commercial tools. Queries are sequential, not parallel.
  • No built-in link analysis. Reports are lists, not visualized graphs.

Best for: Independent researchers and freelancers on a budget. Organizations wanting self-hosted OSINT.

Pricing: Free (open-source).

8. IntelSpec: Best for Consolidated OSINT with AI Scoring

The use case: You want to investigate a threat across 35 data sources without jumping between tools. You want AI-powered correlation and confidence scoring, not raw data.

What it does: IntelSpec aggregates OSINT from 35 sources (Shodan, Censys, DNS, WHOIS, threat feeds, breach databases, etc.) and uses AI to correlate across them. Instead of raw results, you get analyzed findings with confidence scores, threat context, and transparent reasoning.

Strengths

  • One interface, 35 sources. No more tool-jumping.
  • AI-powered confidence scoring. "This IP is malicious (confidence: 87%)" instead of raw data.
  • Supply chain monitoring. Automatic checks for your vendors' infrastructure.
  • Audit-ready. Every investigation is logged with timestamps, queries, and AI reasoning.
  • Transparent reasoning. You see why the AI flagged something.
  • New, actively developed. Built for the 2026 threat landscape.

Weaknesses

  • New entrant. IntelSpec launched in 2026. We don't have five years of user feedback.
  • Not specialized. If you need deep device discovery or link analysis, specialized tools might be faster.
  • Free tier is limited. 10 investigations/month.
  • Learning curve. Different from other tools. First investigation takes 5-10 minutes.

Best for: Security analysts tired of tool fragmentation. GRC managers needing logged, auditable threat intel. SOC leads wanting AI-powered triage.

Pricing: Free (10 investigations/month), $79/month (100/month), $199/month (1K/month + reports), $499/month (unlimited + API + white-label).

How to Choose: A Decision Tree

Start here: What's your primary question?

  • What devices or services are exposed on our network? → Shodan (fastest, most complete device-level data) + GreyNoise (filter out false positives)
  • I need to map a threat actor's entire infrastructure. → Maltego (link analysis) + Censys (SSL certs)
  • Is this file or URL malicious? → VirusTotal (free, instant malware verdicts)
  • Did my users get breached? → Have I Been Pwned (free, comprehensive breach index)
  • Small-scope reconnaissance, want automation, avoid vendor lock-in. → SpiderFoot (free, self-hosted, extensible)
  • One tool for most OSINT needs, with AI analysis and audit logging. → IntelSpec (consolidation + AI + compliance logging)
