The OSINT Toolkit: 12 Essential Tools Every Investigator Should Know

Ziwa · 11 min read

We Tested 50+ Tools. Most Were Mediocre.

The OSINT tool landscape is noisy. GitHub repos with 10,000 stars that haven't been updated in two years. "AI-powered" platforms that are just a ChatGPT wrapper. Enterprise tools that cost more than your car.

We spent three months testing 50+ tools across five categories — people search, username lookup, social intelligence, email reconnaissance, and network analysis. Twelve survived. Here's what made the cut and why.

People Search & Contact Extraction

1. Ziwa

What it does: Takes a LinkedIn, Facebook, or Twitter profile URL. Returns phone numbers and email addresses.

Ziwa wins on economics: pay-per-result pricing means you never pay for empty searches. Batch extraction handles up to 200 profiles at once. And it covers three platforms where most tools only handle LinkedIn.

  • Price: Credits from $0.10, pay only for results
  • Best for: Sales teams, recruiters, PIs
  • Why it made the list: Best price-to-value ratio we tested

2. Maltego

What it does: Visual link analysis. Maps relationships between people, companies, domains, IPs.

Maltego is the gold standard for investigations that require seeing connections. Its graph interface reveals relationships that would be invisible in a spreadsheet. It's expensive and has a learning curve, but nothing else does what it does.

  • Price: Free Community Edition; Pro from $999/year
  • Best for: Investigators, security researchers
  • Why it made the list: Unmatched for relationship mapping

3. SpiderFoot

What it does: Automated OSINT collection. Give it a target, it queries 200+ sources.

SpiderFoot is the lazy investigator's best friend. Point it at a name, domain, or IP, go make coffee, come back to a comprehensive intelligence profile. The open-source version is powerful; the cloud version (SpiderFoot HX) adds team collaboration.

  • Price: Free (open source); HX from $500/month
  • Best for: Security teams, penetration testers

Username & Social Media OSINT

4. Ziwa Username Search

What it does: Checks a username across 3,000+ websites. Returns confirmed profiles with direct links.

Ziwa's Username Search is web-based, free, and fast. No Python install, no command line. Type a username, get results. Categories include social media, tech, gaming, and forums.

5. Sherlock

What it does: Python CLI tool that hunts usernames across 400+ social networks.

Sherlock is the OG of username enumeration. Open source, highly customizable, and well-maintained. The trade-off vs. Ziwa: fewer sites (400 vs. 3,000+) but more control for technical users who want to modify detection logic.

  • Price: Free (open source)
  • Requires: Python, command line comfort

6. Social Searcher

What it does: Real-time social media monitoring across platforms.

Different from the others — Social Searcher monitors mentions rather than profiles. Useful for tracking what someone is posting and where they're engaging. Think of it as Google Alerts for social media.

Email & Domain Intelligence

7. TheHarvester

What it does: Enumerates emails, subdomains, and hosts from public sources.

Give TheHarvester a domain and it'll pull employee emails from search engines, PGP servers, and Shodan. Essential for domain reconnaissance. Free, open source, occasionally flaky — but when it works, it's a firehose of data.

8. Hunter.io

What it does: Discovers email patterns for any company.

Need to know if Company X uses first.last@company.com or f.last@company.com? Hunter.io figures that out. Great complement to Ziwa — use Hunter for the pattern, Ziwa for direct extraction.

9. Have I Been Pwned

What it does: Checks if an email appeared in known data breaches.

HIBP tells you which services someone registered with (based on breach data). Not for contact finding per se, but invaluable for understanding someone's digital footprint and online behavior.

Network & Infrastructure Intelligence

10. Shodan

What it does: Indexes every internet-connected device — servers, webcams, routers, IoT.

Shodan is like Google for infrastructure. Search for a company's IP range and see every exposed service, open port, and misconfigured device. Critical for security assessments.

11. Censys

What it does: TLS certificate and host analysis across the internet.

Censys maps all assets belonging to an organization through certificate analysis. Found a company's one domain? Censys finds the other 47 they own.

12. Recon-ng

What it does: Modular web reconnaissance framework.

Think Metasploit but for OSINT. Module-based architecture with dozens of data source integrations. High learning curve, massive payoff for power users.

Which Tools Do You Actually Need?

Don't install all 12. Pick based on your role:

  • Sales teams: Ziwa + Hunter.io — that's it, you're covered
  • Investigators: Ziwa + Maltego + Username Search
  • Security researchers: SpiderFoot + Shodan + Recon-ng + TheHarvester
  • Journalists: Username Search + Wayback Machine + Social Searcher

Master one tool before adding another. Depth beats breadth in OSINT.

Frequently Asked Questions

What are the best OSINT tools in 2026?
The top tools include Ziwa (contact extraction), Maltego (link analysis), Sherlock (username search), TheHarvester (email/domain OSINT), Shodan (internet device search), SpiderFoot (automated OSINT), and Recon-ng (web reconnaissance).

Are OSINT tools free?
Many OSINT tools have free tiers or are fully open source. Sherlock, TheHarvester, and SpiderFoot are free. Ziwa, Maltego, and Shodan have free tiers with paid upgrades for more features.

Do I need coding skills for OSINT?
Not necessarily. Tools like Ziwa and Maltego have web interfaces that require no coding. However, knowing Python helps for tools like Sherlock, TheHarvester, and custom scripts.

Which OSINT tool is best for finding phone numbers?
Ziwa specializes in finding phone numbers and emails from social media profiles. For phone-to-identity lookups, Ziwa's Phone Intel tool performs reverse phone lookups across public data sources.
