Top 7 Open Source Intelligence Tools Compared: Features, APIs, and Real-World Lessons
Over the past decade and a half, I’ve built and torn down more OSINT pipelines than I care to admit. I’ve swapped horror stories with red teamers, automated the tedious bits, and watched new tools rocket up and disappear. What works? What scales? Here’s a hard-won, feedback-driven guide to the seven most trusted OSINT tools on the market—plus exactly how their APIs fit into modern automation.
TL;DR: A comparison
Tool | Visual Graph | API Support | CLI Automation | Best For | Personal Take |
---|---|---|---|---|---|
Maltego | ✔️ | Yes (CTAS) | Partial | Relationship mapping | The gold standard for deep graphing, heavy but powerful. |
SpiderFoot | ✖️ | Yes | Yes | Broad, automated recon | Set-and-forget recon, headless mode is a lifesaver. |
TheHarvester | ✖️ | No | Yes | Quick enumerations | My default for asset sweeps; simple, scriptable. |
Recon-ng | ✖️ | Yes | Yes | Modular CLI workflows | Feels like Metasploit for OSINT; great for repeat jobs. |
Amass | ✖️ | Yes | Yes | Asset, subdomain discovery | Nothing beats it for DNS mapping at scale. |
OpenCTI | ✔️ | Yes | Yes | Long-term intelligence mgmt | True platform for storing, correlating, automating. |
Shodan | ✖️ | Yes | Yes | Device, exposure search | Ubiquitous for device footprinting; API is top-notch. |
The 7 Essential OSINT Tools—Field-Tested Insights
1. Maltego
Maltego is the industry reference for relationship mapping—person, company, infrastructure, you name it. The paid CTAS server unlocks automation at scale, but even the open edition shines for interactive work.
- API: Yes, via CTAS.
- Simple API Example (Python):
```python
import requests

# Replace with your Maltego CTAS API key
headers = {"Authorization": "Bearer <API_KEY>"}
url = "https://api.ctas.maltego.com/api/v1/transforms"
payload = {
    "input": "example.com",
    "transform": "ToDomain"
}
resp = requests.post(url, json=payload, headers=headers)
print(resp.json())
```
My take: Maltego’s power is best leveraged as the “hub” for relationship-heavy cases—think investigations or graph pivoting. Don’t try to automate the GUI; automate data in/out via API, and only pull up the client for big-picture analysis.
2. SpiderFoot
SpiderFoot is the reconnaissance engine you can leave running in the background. Its API and headless mode are a godsend for monitoring and periodic sweeps.
- API: Yes, full REST API.
- Simple API Example (Python):
```python
import requests

API_KEY = '<API_KEY>'
url = "http://localhost:5001/api/scan/new"
data = {
    "target": "example.com",
    "modules": "sfp_dns,sfp_email"
}
headers = {"X-API-KEY": API_KEY}
r = requests.post(url, json=data, headers=headers)
print(r.json())
```
My take: I use SpiderFoot in headless mode for scheduled scans of attack surfaces. Set it up to feed results into a dashboard or trigger alerts on new findings—no more manual sweeps.
3. TheHarvester
When you just want quick data—emails, hosts, subdomains—TheHarvester is still the fastest tool in the shed.
- API: No native API, but easy to wrap with CLI scripts.
- CLI Automation Example:
```bash
theHarvester -d example.com -b google,bing -f results.html
```
My take: I use TheHarvester for first-pass sweeps or to generate lists for deeper enrichment with other tools. Lightweight, integrates with bash/Python easily.
4. Recon-ng
Recon-ng is the OSINT “framework”—think plug-and-play modules, persistent workspaces, and solid CLI automation.
- API: Yes, via modules and command scripting.
- Script Automation Example:
```bash
recon-ng -m recon/domains-hosts/google_site_web -c 'set SOURCE example.com; run'
```
My take: For anything repeatable—especially for team handoff or CI/CD context—Recon-ng fits the bill. Build custom modules for odd data sources.
5. Amass
For mapping subdomains and exposed assets, Amass is my workhorse. Handles both active and passive DNS collection, at scale.
- API: Yes, via JSON API.
- Simple API Example (Python):
```python
import requests

# Assuming Amass API is running on localhost:8080
resp = requests.get("http://localhost:8080/v1/enum/example.com")
print(resp.json())
```
My take: No tool discovers asset sprawl like Amass. For blue teams and attackers alike, it’s a must-have. Set it to run on a schedule; integrate results with SpiderFoot or OpenCTI.
6. OpenCTI
If you want OSINT as a living, queryable, shareable system, OpenCTI is your answer. It’s a platform, not just a tool—correlates everything, tracks context, links threats.
- API: Yes, robust GraphQL API.
- Simple API Example (Python):
```python
import requests

url = "https://your-opencti-instance.com/graphql"
headers = {"Authorization": "Bearer <API_TOKEN>"}
query = '''
query getIndicators {
  indicators(first: 3) {
    edges {
      node {
        id
        name
      }
    }
  }
}
'''
resp = requests.post(url, json={"query": query}, headers=headers)
print(resp.json())
```
My take: This is the core of any intelligence program that goes beyond one-off scrapes. Store everything, cross-link, automate enrichment.
7. Shodan
Shodan is the search engine for internet-exposed devices, and its API is fast and generous. I’ve lost count of the incidents and exposures I’ve caught with it.
- API: Yes, excellent REST API.
- Simple API Example (Python):
```python
import requests

API_KEY = '<API_KEY>'
url = f"https://api.shodan.io/shodan/host/search?key={API_KEY}&query=apache"
r = requests.get(url)
print(r.json())
```
My take: Shodan is a must in every asset or risk pipeline. Automate scans for exposed assets and trigger alerts for critical findings.
Lessons Learned: Building OSINT That Lasts
What I’ve learned from my own practice and from watching others in the field:
- Don’t just collect—correlate. The real value isn’t in “more data,” but in connecting the dots between sources and timeframes.
- APIs are the real differentiator. GUIs are for demo day. Pipelines run on APIs and automation.
- Modularity wins. Mix tools, write glue code, automate everything. Don’t be afraid to swap out pieces as your needs evolve.
- Community feedback matters. The best insights I’ve gotten are from peers and public field reports—not from vendor docs.
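The "correlate, don't just collect" point and the earlier advice to alert on new findings, as an added example that is not from the original post: it merges findings from two sources by normalized hostname and diffs the current run of your own attack-surface scan against the previous one. The record shape, the source names (`dns_enum`, `exposure_search`) and the sample data are constructed assumptions, not any tool's real output format.

```python
from collections import defaultdict

# Constructed sample findings (not real tool output). Assumed normalized
# record shape: (source, host, finding).
PREVIOUS_RUN = [
    ("dns_enum", "www.example.com", "subdomain"),
    ("dns_enum", "mail.example.com", "subdomain"),
    ("exposure_search", "www.example.com", "443/tcp"),
]
CURRENT_RUN = [
    ("dns_enum", "WWW.example.com.", "subdomain"),
    ("dns_enum", "mail.example.com", "subdomain"),
    ("dns_enum", "staging.example.com", "subdomain"),
    ("exposure_search", "www.example.com", "443/tcp"),
    ("exposure_search", "staging.example.com", "9200/tcp"),
    ("exposure_search", "mail.example.com", "25/tcp"),
]

def normalize(host):
    """Lower-case and drop the trailing dot so sources agree on one key."""
    return host.strip().lower().rstrip(".")

def index(findings):
    """Map host -> set of (source, finding) pairs."""
    by_host = defaultdict(set)
    for source, host, finding in findings:
        by_host[normalize(host)].add((source, finding))
    return by_host

def correlate(previous, current):
    """Return (severity, host, findings) for findings absent from the previous run.

    A host first seen this run and reported by more than one source is
    'high'; a new finding on an already-known host is 'review'.
    """
    old, new = index(previous), index(current)
    alerts = []
    for host in sorted(new):
        added = new[host] - old.get(host, set())
        if not added:
            continue
        sources = {source for source, _ in added}
        severity = "high" if host not in old and len(sources) > 1 else "review"
        alerts.append((severity, host, sorted(f for _, f in added)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(PREVIOUS_RUN, CURRENT_RUN):
        print(alert)
```

Without the hostname normalization, `WWW.example.com.` would be reported as a new asset on every run, which is the usual source of alert noise when two tools feed one pipeline.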
If you’re serious about OSINT, you need more than tools—you need a pipeline, feedback loops, and automation at every layer.
Want to see a full working pipeline, or need help automating OSINT at scale? Let’s connect. This field moves fast—your systems should too.