Most people using AI for OSINT are doing it backwards.
They open ChatGPT or Claude, type "find everything on this email," and hope. The model produces something that looks confident, reads well, and is often wrong. No sourcing, no verification, no idea what it actually checked.
The problem isn't the model. It's the missing process behind the prompt. A language model with no structure will fill gaps with plausible text. An investigation is the opposite of that: it's the discipline of separating what you know from what you assume.
This post gives you a method and five prompt templates you can paste into ChatGPT, Claude, or any assistant today. They're written for authorized, public-source work only.
A note on ethics and scope, before anything else
OSINT means open-source intelligence: information that is publicly available and lawful to access. It does not mean breaking into accounts, scraping private data, social engineering, or surveilling people without authorization.
Every prompt below assumes you have a legitimate reason and the authority to run the investigation: your own assets, a client engagement with a signed scope, due diligence on a company, journalism, or a CTF. If you can't point to that authorization, stop. The fastest way to turn a research skill into a legal problem is to skip this step.
The method: scope, collect, pivot, verify, document
Good investigations are boring in the best way. They follow the same five phases regardless of the target:
scope -> what am I authorized to do, and what answer do I need?
collect -> gather public data from real sources
pivot -> turn one data point into the next (email -> username -> domain)
verify -> challenge every finding, rate confidence, kill assumptions
document -> a report someone else could reproduce
A model can help in every phase, but only if your prompt tells it which phase it's in. A prompt that says "investigate this" gets you a guess. A prompt that says "you are in the scoping phase, output only the plan" gets you something useful.
The five prompts
Paste these as-is. Replace the bracketed parts. Each one is built to keep the model honest about what it actually knows versus what it's inferring.
1. Scoping
Run this first, every time. It stops you from chasing the wrong thing.
You are an OSINT analyst in the SCOPING phase. Do not collect or guess any
data yet.
Engagement: [one line on what you are authorized to investigate]
Objective: [the specific question you need answered]
Output:
1. A restated objective in one sentence.
2. In-scope vs out-of-scope (sources, identifiers, targets).
3. The 3-6 concrete questions that, if answered, satisfy the objective.
4. The public source types relevant to each question.
5. Legal/ethical flags I should confirm before proceeding.
Ask me anything ambiguous instead of assuming.
2. Email as a starting point
An email rarely answers a question by itself. It's a seed you pivot from.
You are in the COLLECT and PIVOT phases. The seed is an email address:
[email]
List, as a checklist, the public-source checks worth running and what each one
could reveal:
- public breach/exposure datasets (presence only, no credential content)
- account discovery on public platforms tied to this address
- associated public profiles, avatars, and usernames
- domain of the email (if not a free provider) and what it implies
For each check, state: the data point it could produce, and the next pivot it
unlocks. Mark anything that requires live data I still need to fetch. Do not
fabricate results.
3. Username pivot across platforms
Usernames are the connective tissue of an identity online. Map them with confidence levels, not certainty.
You are in the PIVOT and VERIFY phases. Seed username: [handle]
Produce a table of public platforms where this handle may exist. For each:
- platform
- how to confirm the account is the same person (signals: bio, links, avatar,
writing style, cross-links)
- confidence: high / medium / low / unconfirmed
- what would raise or lower that confidence
Be explicit that handle reuse is not proof of the same person. Flag every
inference as an inference.
4. Domain and infrastructure
This is the most clear-cut OSINT surface: infrastructure is meant to be public.
You are in the COLLECT phase. Target: [domain or IP]
Outline the public infrastructure checks and what each tells me:
- WHOIS / registration data and registrar
- DNS records (A, MX, NS, TXT) and what they reveal about hosting and email
- passive DNS and historically associated records
- related infrastructure (shared hosting, certificates, subdomains)
- hosting provider and ASN
For each, note the pivot it enables and whether I need to pull live data.
Output a structure I can drop findings into.
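To show what the DNS items in that checklist tell you about email, here is an added example, not part of the original post or of any tool it mentions. It reads a constructed record set for a documentation domain and labels each result as observed or inferred; the record values, the provider table and all function names are assumptions made for illustration.

```python
# Constructed records for a documentation domain; a live lookup would supply these.
RECORDS = {
    "MX": ["1 aspmx.l.google.com.", "5 alt1.aspmx.l.google.com."],
    "TXT": ["google-site-verification=CONSTRUCTED", "v=spf1 include:_spf.google.com ~all"],
    "DMARC": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],  # TXT at _dmarc.<domain>
}
# Small illustrative suffix table, not exhaustive.
PROVIDER_SUFFIXES = {
    "google.com": "Google Workspace",
    "mail.protection.outlook.com": "Microsoft 365",
}

def mail_provider(mx_records):
    """Guess the mail provider from MX targets; None when no suffix matches."""
    for record in mx_records:
        host = record.split()[-1].rstrip(".").lower()
        for suffix, name in PROVIDER_SUFFIXES.items():
            if host == suffix or host.endswith("." + suffix):
                return name
    return None

def spf_summary(txt_records):
    """Return the SPF includes and the terminal 'all' mechanism, if SPF exists."""
    for txt in txt_records:
        terms = txt.split()
        if terms and terms[0].lower() == "v=spf1":
            includes = [t.split(":", 1)[1] for t in terms if t.startswith("include:")]
            all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
            return {"includes": includes, "all": all_term}
    return None

def dmarc_policy(dmarc_records):
    """Return the p= tag of the DMARC record, or None when no record is present."""
    for txt in dmarc_records:
        tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
        if tags.get("v") == "DMARC1":
            return tags.get("p")
    return None

def findings(records):
    """Label each line as observed (read from a record) or inference (a guess)."""
    spf = spf_summary(records.get("TXT", []))
    return [
        ("inference", f"mail provider: {mail_provider(records.get('MX', []))}"),
        ("observed", f"SPF includes: {spf['includes'] if spf else None}"),
        ("observed", f"SPF all mechanism: {spf['all'] if spf else None}"),
        ("observed", f"DMARC policy: {dmarc_policy(records.get('DMARC', []))}"),
    ]
```

The provider name stays an inference because an MX target only shows where mail is delivered first, not who operates the mailboxes behind it.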
5. Verify and report
The phase everyone skips and the one that separates analysis from a vibe.
You are in the VERIFY and DOCUMENT phases. Here are my raw findings:
[paste findings]
Do three things:
1. For each finding, classify it as confirmed, probable, or assumption, and say
what evidence supports it.
2. Attack the weakest links: what would make each finding wrong? What did I not
check?
3. Produce a short report: objective, method, findings with confidence levels,
gaps, and recommended next steps. Write it so another analyst could
reproduce it.
Make the prompts pull real data instead of guessing
The honest limitation: a chat model alone cannot see live WHOIS, current DNS, or whether an account actually exists right now. It reasons; it doesn't fetch. That's why the prompts above keep saying "mark anything that requires live data."
To close that gap, connect the model to real sources. OpenOSINT is a free, open-source OSINT agent and MCP server built exactly for this: the model plans the investigation, then calls real tools (DNS, WHOIS, account discovery, IP intelligence, and more) so the answers come from data, not from the model's imagination.
pip install openosint
It runs as an interactive REPL, a CLI, an MCP server, or a small web UI, and works with Anthropic Claude or a local Ollama model. Repo and docs: https://github.com/OpenOSINT/OpenOSINT
With it connected, the prompts above stop being templates for guesswork and become an actual investigation loop: prompt -> tool call -> real data -> pivot -> verify.
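One way to enforce the verify step at the end of that loop, as an added example that is not code from the original post or from OpenOSINT: every claim in the model's output must cite a record that a tool call actually produced, otherwise it is downgraded to an assumption. The evidence schema, the sample data and the thresholds (two cited records for confirmed, one for probable) are assumptions made for illustration.

```python
# Constructed evidence log: what real tool calls returned (schema is hypothetical).
EVIDENCE = {
    "ev-1": {"tool": "dns", "query": "example.org MX", "result": "10 mail.example.org."},
    "ev-2": {"tool": "dns", "query": "example.org TXT", "result": "v=spf1 mx -all"},
    "ev-3": {"tool": "whois", "query": "example.org", "result": "Registrar: Example Registrar"},
}

# Constructed model output: each claim is expected to cite evidence ids from the log.
FINDINGS = [
    {"claim": "Mail is delivered to a host under the domain itself", "cites": ["ev-1", "ev-2"]},
    {"claim": "The domain is registered through Example Registrar", "cites": ["ev-3"]},
    {"claim": "The owner also operates example.net", "cites": []},
    {"claim": "The site sits behind a large CDN", "cites": ["ev-9"]},
]

def classify(finding, evidence):
    """Return (label, reason); assumed rule: citations must exist in the log."""
    cites = finding.get("cites", [])
    dangling = [c for c in cites if c not in evidence]
    if dangling:
        return "assumption", f"cites evidence that was never collected: {dangling}"
    if not cites:
        return "assumption", "no evidence cited; model inference only"
    if len(set(cites)) >= 2:
        return "confirmed", f"{len(set(cites))} collected records cited"
    return "probable", "single collected record cited"

def build_report(findings, evidence):
    """Group claims by label and list the gaps an analyst still has to close."""
    report = {"confirmed": [], "probable": [], "assumption": [], "gaps": []}
    for f in findings:
        label, reason = classify(f, evidence)
        report[label].append(f["claim"])
        if label == "assumption":
            report["gaps"].append(f"{f['claim']} ({reason})")
    return report

if __name__ == "__main__":
    for section, items in build_report(FINDINGS, EVIDENCE).items():
        print(section.upper())
        for item in items:
            print("  -", item)
```

A citation that resolves only proves the record was fetched; the analyst still has to read it and decide whether it supports the claim.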
Want the full set?
These five cover the backbone. A real engagement needs more: phone numbers, image clues, company due diligence, social footprint, structured reporting templates, and a tighter ethics and legal primer so your work stays authorized and public-source.
I packaged the 30+ prompts I actually use into one file: the AI OSINT Prompt Pack. It's a 7-page PDF, built to pair with OpenOSINT, with the full scope -> collect -> pivot -> verify -> document workflow baked into every prompt.
If the five above saved you time, the complete set is here: https://tommasodev.gumroad.com/l/ai-osint-prompt-pack?ref=devto
Either way, take the method with you. The tools change. The discipline of separating what you know from what you assume is what makes the work hold up.