| AI OSINT Prompt Pack | openosint.tech | RESOURCES |
NAME
AI OSINT Prompt Pack — structured prompts for AI-assisted OSINT investigations
DESCRIPTION
OpenOSINT runs the tools. The prompts decide what to ask.
The model is capable. The gap is that an unguided LLM will pivot randomly, skip verification steps, or produce outputs that look thorough but are not. Structured prompts give it a repeatable process instead of improvised behaviour.
The AI OSINT Prompt Pack is a 7-page PDF with 30+ prompts organized by investigation type. Each prompt follows the same pattern: define scope, collect with the right tools, pivot to adjacent indicators, verify before concluding, document for the record.
scope → collect → pivot → verify → document
COVERAGE
| Category | What it covers |
|---|---|
| Account enumeration, breach lookup, dork generation, pivot to username | |
| Username | Platform coverage, profile cross-reference, alias patterns |
| Domain | WHOIS, subdomain enumeration, certificate history, infrastructure mapping |
| IP address | Geolocation, ASN, reverse DNS, hosting context, abuse history |
| Phone number | Carrier, line type, country, linked accounts |
| Company due diligence | Registration, key people, infrastructure, exposure surface |
| Image clues | Metadata extraction, reverse search approach, geolocation from context |
| Verification | Source triangulation, confidence scoring, claim validation |
| Reporting | Structured finding format, evidence citation, legal/ethical framing |
EXAMPLES
Two representative prompts from the pack:
DOMAIN INVESTIGATION — INITIAL SCOPE
Target: {domain}
Objective: map the infrastructure and identify the registrant.
Step 1 — WHOIS
Run search_whois({domain}).
Extract: registrant org, registrar, creation date, expiry, name servers.
Flag: privacy-protected registrations, recently registered (<90 days),
or registrar with known abuse history.
Step 2 — Subdomain enumeration
Run search_domain({domain}).
Note: any subdomains suggesting internal tooling, staging, or mail infra.
Step 3 — Certificate transparency
Search crt.sh for {domain} to surface historical subdomains.
Cross-reference with Step 2 results.
Step 4 — Pivot
If registrant email found: pivot to email investigation.
If IP found: pivot to IP investigation.
Document: registrant identity confidence, infrastructure map,
unresolved indicators.
EMAIL INVESTIGATION — BREACH CONTEXT
Target: {email}
Objective: determine breach exposure and linked account surface.
Step 1 — Breach lookup
Run search_breach({email}).
For each breach: note data types exposed and breach date.
Flag: password or plaintext credential exposures — high priority.
Step 2 — Account enumeration
Run search_email({email}).
List confirmed platforms. Note patterns (same handle across platforms?).
Step 3 — Verification
Do not conclude attribution from breach data alone.
Corroborate with at least one additional signal before documenting.
Document: breach history, account surface, confidence level,
verification steps taken.
FORMAT
7-page PDF. 30+ prompts. No filler. Plain text prompts you copy directly into any AI assistant — Claude, GPT-4, or a local model via Ollama.
Each prompt is self-contained: you fill in the target, the model follows the steps. Works with OpenOSINT's REPL or any standard chat interface.
GET THE PACK
SEE ALSO
- OpenOSINT — the AI-powered OSINT agent and MCP server these prompts are built for
- Email OSINT guide — background on the tools the email prompts invoke
- OSINT AI agents — how the agentic loop works under the hood