OSINT tools roundup
There’s a big, public push this week to consolidate open‑source investigative tools — a massive GitHub repo now catalogs 100+ OSINT categories (breaches, social recon, dark web, crypto tracking), Tsurugi Linux collections list ~300 tools, and new lightweight AI models aimed at investigators (e.g., gemma4‑journalist) are circulating among researchers. If you’re curious about early detection or low‑cost monitoring, these resources show how rapidly accessible tooling is expanding for both security teams and independent investigators.
A lot of open-source intelligence used to feel like hunting through junk drawers, and this week the public toolkits got organized enough that one person with a laptop can now browse hundreds of investigation workflows from a few starting points. GitHub’s `osint-framework` topic page alone shows 107 public repositories, including heavily used projects like Maigret, SpiderFoot, and OSINT-Framework. (github.com)
Open-source intelligence means building answers from information that is already public or commercially available, not from hacked systems or secret intercepts. The Defense Intelligence Agency says it is derived from public or commercial information, and the U.S. intelligence community’s 2024–2026 strategy calls it the “INT of First Resort.” (dia.mil, cia.gov)
What changed this week is not a single breakthrough tool but a visible push to package the field like a searchable library. The GitHub topic page groups tools for username hunting, attack-surface mapping, and reconnaissance in one place, which cuts the setup time for a new investigator from hours of random searching to a few clicks. (github.com)
One branch of that ecosystem is social and identity work, where a name, handle, or email gets checked across thousands of sites the way a reverse phone book checks one number against many listings. Maigret says it can collect a dossier on a person by username from more than 3,000 sites. (github.com)
Another branch is automated scanning, where one tool walks the web for you instead of making you open 50 tabs by hand. SpiderFoot describes itself as software that automates open-source intelligence for threat intelligence and attack-surface mapping. (github.com)
The other reason people are paying attention is that the catalogs are no longer tiny cheat sheets. Cyber Detective’s public OSINT tool collection says it contains more than 1,000 services and breaks them into concrete sections like maps, social media, domain research, reverse image search, cryptocurrencies, messengers, archives, emails, phone numbers, leaks, and automation. (cipher387.github.io)
Tsurugi Linux sits one layer deeper, because it is not just a list of links but a full investigator’s operating system built for digital forensics and incident response. Independent documentation of the 25.11 release describes a rebuilt Ubuntu-based toolkit with organized collections for imaging, memory forensics, malware analysis, cloud work, and open-source intelligence. (thedistrowriteproject.blogspot.com)
The new ingredient is cheap local artificial intelligence, which lets investigators summarize, sort, and cross-reference public material without shipping every note to a cloud service. Google launched Gemma 4 on April 2, 2026 under the Apache 2.0 license, with models sized for phones, laptops, and workstations. (blog.google, developers.googleblog.com) Google says Gemma 4 supports more than 140 languages and can handle multi-step planning, offline code generation, and on-device workflows. That is why researchers are already circulating investigator-focused variants like “gemma4-journalist”: the base models are small enough to adapt, and the license is open enough to redistribute. (developers.googleblog.com, blog.google)
That combination changes who can do early warning work. A security team can watch exposed domains, leaked credentials, and brand impersonation with off-the-shelf tools, and an independent reporter can check ships, court records, archived pages, and wallet trails without buying a six-figure platform. (cipher387.github.io, github.com, thedistrowriteproject.blogspot.com)
The catch is that bigger toolboxes also make it easier to be sloppy. Even Cyber Detective’s collection warns that many tools become obsolete or stop working, which means good investigators still have to verify dates, preserve copies, and check one source against another before treating a public clue as evidence. (cipher387.github.io)