THE BEST OSINT CLI TOOLS IN 2025
Published: 2026-05-24
THE FRAGMENTED ECOSYSTEM PROBLEM
There are hundreds of OSINT tools on GitHub. Most are single-purpose Python scripts written for a specific investigation need and then abandoned. The challenge isn't finding tools — it's filtering for ones that still work, don't silently leak queries to third parties, have acceptable false positive rates, produce parseable output, and integrate into a larger workflow without requiring a GUI. This article covers the ones that pass that bar in 2025, organized by investigation category.
Selection criteria: actively maintained (commit within 12 months), no mandatory registration before running, installable via pip or a single binary, stdout output, and a documented false positive profile.
EMAIL: HOLEHE AND BREACH CHECKING
holehe is the current standard for email-based account enumeration. It covers 300+ services using password-reset probes — not login attempts. Install: pip install holehe. The site list is maintained as platforms change their reset flows. False positive rate is low; most false positives come from platforms that return 200 for all reset requests regardless of account existence.
    $ holehe target@example.com --only-used
    [+] Spotify
    [+] GitHub
    [+] WordPress
    [*] 3 accounts found / 312 services tested
For breach exposure, the HIBP v3 API is the standard. No local binary — query via REST. OpenOSINT's search_breach wraps the API with error handling and timeout control. Requires HIBP_API_KEY. The email OSINT guide covers combining holehe and HIBP in a single investigation workflow.
USERNAME SEARCH: SHERLOCK VS. MAIGRET
sherlock searches 400+ platforms for a username. Each platform entry in its YAML config specifies the URL pattern and detection method (status code, response body string, or redirect destination). Requests run concurrently with a configurable timeout. Install: pip install sherlock-project.
    $ sherlock johndoe99 --timeout 10
    [+] GitHub: https://github.com/johndoe99
    [+] Reddit: https://reddit.com/user/johndoe99
    [+] HackerNews: https://news.ycombinator.com/user?id=johndoe99
maigret (a sherlock fork) covers 3000+ sites and performs deeper cross-platform correlation: it extracts identifiers (phone numbers, emails, linked accounts) from found profiles and automatically searches those. For most investigations, sherlock is sufficient and faster. Use maigret when sherlock misses platforms or when you need to follow identity threads automatically. OpenOSINT wraps sherlock as search_username.
Important: verify high-value hits manually. Both tools produce false positives on platforms that return non-404 responses for missing users.
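The three detection methods and the false-positive caveat above can be checked together by comparing each hit against a control request for a username known not to exist. This is an added example, not code from sherlock or OpenOSINT; the entry fields (method, missing_marker, missing_redirect), site names and responses are hypothetical and constructed, and nothing touches the network.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: str = ""
    final_url: str = ""

def looks_present(entry, resp):
    """Apply one of the three detection methods to a single response."""
    method = entry["method"]
    if method == "status_code":
        return resp.status == 200
    if method == "body_string":
        return resp.status == 200 and entry["missing_marker"] not in resp.body
    if method == "redirect":
        return resp.final_url.rstrip("/") != entry["missing_redirect"].rstrip("/")
    raise ValueError(f"unknown detection method: {method}")

def classify(entry, target, control):
    """control is the response for a username known not to exist."""
    if looks_present(entry, control):
        return "unreliable"  # the site reports 'present' even for a missing user
    return "found" if looks_present(entry, target) else "not_found"

# Constructed platform entries and responses (hypothetical names, no network I/O).
CASES = {
    "status-site": ({"method": "status_code"},
                    Response(200), Response(404)),
    "body-site": ({"method": "body_string", "missing_marker": "User not found"},
                  Response(200, "Profile: johndoe99"), Response(200, "User not found")),
    "redirect-site": ({"method": "redirect", "missing_redirect": "https://site.example/login"},
                      Response(200, final_url="https://site.example/login/"),
                      Response(200, final_url="https://site.example/login")),
    "always-200-site": ({"method": "status_code"},
                        Response(200), Response(200)),
}

def run_cases():
    return {name: classify(entry, target, control)
            for name, (entry, target, control) in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:16} {verdict}")
```

A verdict of "unreliable" means the platform cannot distinguish a missing user with the configured method, so any hit from it needs manual verification.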
NETWORK AND IP TOOLS
Shodan CLI: install with pip install shodan. Running shodan host 8.8.8.8 returns open ports, service banners, and TLS certificate data for an IP. Best for understanding what services are running on infrastructure. Supports the full Shodan query language via shodan search.
For passive IP intelligence without touching target systems, three API-based tools cover the key questions: ipinfo.io (ASN, basic geolocation), OpenOSINT's search_ip2location (enriched geo plus VPN/proxy/Tor/datacenter classification via IP2Location.io), and search_abuseipdb (abuse confidence score and report history). These answer geolocation, infrastructure type, and threat context for any IP. See the IP intelligence guide for details on combining these sources.
nmap is out of scope for passive OSINT — it touches target infrastructure and is only appropriate for authorized engagements.
DOMAIN AND SUBDOMAIN TOOLS
sublist3r: passive subdomain enumeration using search engines and DNS aggregators. Install: pip install sublist3r. Combines Google, Bing, VirusTotal, and DNSdumpster results. Good starting point; supplement with amass or subfinder for broader coverage. OpenOSINT's search_domain wraps sublist3r.
python-whois: WHOIS data retrieval with Python parsing. Install: pip install python-whois. Returns registrar, creation date, name servers, and registrant fields (when not privacy-redacted). OpenOSINT's search_whois uses this library with timeout enforcement. The WHOIS automation guide covers bulk lookup patterns.
THE CASE FOR A UNIFIED LAYER
Fragmented tools create two investigation bottlenecks. First, context switching: you run holehe, read the output, decide to check HIBP, read that, notice a GitHub username, run sherlock. Each step requires you to manually carry context from the previous one. Second, no cross-tool correlation: holehe finding GitHub and sherlock confirming the same username on 12 other platforms are connected facts, but no individual tool surfaces that connection.
OpenOSINT solves both by wrapping best-in-class tools for each category under a single AI-driven loop. The AI receives each tool's real output and decides what to run next. If holehe returns a GitHub username, the model calls search_username immediately. If an IP appears in output, it calls search_ip and search_abuseipdb. The analyst states the target once; the AI produces a correlated report.
    # Without unification: 4 manual steps, results not connected
    $ holehe target@example.com
    $ hibp-cli target@example.com
    $ sherlock username_found_above
    $ openosint ip2location ip_found_above

    # With OpenOSINT: one command, AI chains the rest
    openosint > investigate target@example.com
The unified approach is most valuable for multi-pivot investigations where findings from one tool should trigger follow-up queries in another. For single-tool lookups, direct CLI invocation is faster. See the parallel OSINT guide for running multiple targets simultaneously.
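The cross-tool correlation gap described in this section can be illustrated by parsing the holehe and sherlock output shown earlier and joining the two result sets on service name. This is an added example, not OpenOSINT's implementation; the sample text is copied from this article's listings, and the function names are hypothetical.

```python
import re

# Sample output copied from the holehe and sherlock listings in this article.
HOLEHE_OUT = """\
[+] Spotify
[+] GitHub
[+] WordPress
[*] 3 accounts found / 312 services tested
"""
SHERLOCK_OUT = """\
[+] GitHub: https://github.com/johndoe99
[+] Reddit: https://reddit.com/user/johndoe99
[+] HackerNews: https://news.ycombinator.com/user?id=johndoe99
"""

# "[+] Name" or "[+] Name: URL"; summary lines such as "[*] ..." do not match.
HIT = re.compile(r"^\[\+\]\s+([^:]+?)(?::\s+(\S+))?\s*$")

def parse_hits(text):
    """Map lowercased service name -> profile URL (None when no URL is printed)."""
    hits = {}
    for line in text.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits[m.group(1).strip().lower()] = m.group(2)
    return hits

def correlate(email_hits, username_hits):
    """Split services into those seen by both tools and those seen by one."""
    both = sorted(email_hits.keys() & username_hits.keys())
    return {
        # Email registered AND username present on the same service:
        # a candidate link between the two identifiers, still to be verified.
        "corroborated": {s: username_hits[s] for s in both},
        "email_only": sorted(email_hits.keys() - username_hits.keys()),
        "username_only": sorted(username_hits.keys() - email_hits.keys()),
    }

def report():
    return correlate(parse_hits(HOLEHE_OUT), parse_hits(SHERLOCK_OUT))

if __name__ == "__main__":
    for bucket, value in report().items():
        print(bucket, value)
```

A service in the corroborated bucket shows only that both identifiers exist there, not that they belong to the same account.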
SEE ALSO
- Automating OSINT with APIs — Shodan, VirusTotal, Censys integration patterns
- Parallel OSINT — scaling to multiple targets with asyncio
- OpenOSINT tools reference — all 14 tools with parameters and example output