OSINTMay 24, 20268 min read

The Best Free OSINT Tools in 2026

By Scott Anderson, Clearfront maintainer

The best OSINT tools are free, and most of them are open-source. This is a working list of the ones actually worth using in 2026, grouped by what they do, with an honest note on which are truly free and which gate the good parts behind a paywall.

What are the best free OSINT tools?

The most useful free OSINT tools are Sherlock and Maigret for usernames, Have I Been Pwned and holehe for emails and breaches, Google dorks for search, Shodan and Censys for infrastructure, theHarvester and crt.sh for domains, the Wayback Machine for archives, and SpiderFoot or Recon-ng to tie it together. Nearly all are free or have a usable free tier.

One thing to know before you start: free splits three ways. Some tools are genuinely free and open-source, some are freemium with the useful parts behind a paywall, and some are free but need a free account or an API key to do anything. I have flagged which is which below.

  • -Sherlock: free and open-source, checks a username across 400+ sites from the command line
  • -Maigret: free and open-source, a Sherlock fork that checks 3,000+ sites and builds a fuller profile, with a web interface
  • -Blackbird: free and open-source, searches usernames and emails across 600+ platforms

Username tools are where beginners have their first real moment, because one reused handle maps to accounts across hundreds of sites. Sherlock is the fast, simple one; Maigret goes deeper. I cover this in how to find every account linked to a username.

Email and breach checking

  • -Have I Been Pwned: free for individuals, shows which breaches include your email
  • -holehe: free and open-source, checks which of 120+ sites an email is registered on, without alerting the account owner

Together these turn an email into a map of where you have accounts and which leaks include you. The free breach-check options are compared in open-source Have I Been Pwned alternatives.

Search and infrastructure

  • -Google dorks: free, advanced search operators that surface exposed files and pages, indexed in the Google Hacking Database
  • -Shodan: free account with limited searches, a search engine for internet-connected devices; deeper and programmatic use is paid
  • -Censys: free with an account, a search engine for hosts, certificates, and networks

Google dorking is the most underrated free skill in OSINT: the right search operator finds what normal searches miss. Shodan and Censys move from people to infrastructure, useful if you are checking exposed devices or servers.

Domains, subdomains, and archives

  • -theHarvester: free and open-source, gathers emails, subdomains, and hosts from public sources
  • -crt.sh: free, finds subdomains through certificate transparency logs
  • -Amass: free and open-source, deep subdomain enumeration from OWASP
  • -Wayback Machine: free, recovers what a page looked like before it was edited or deleted

The Wayback Machine deserves a special mention. When someone deletes a revealing page, the archive often still has it, which makes it one of the most powerful free tools there is.

  • -Google Lens: free, Google reverse image and visual match search
  • -PimEyes: freemium, a face search engine whose free tier shows that matches exist but hides the links, so real use is effectively paid

Face search is the most invasive category. I dig into what it can find and how to opt out in is your face searchable.

All-in-one frameworks

  • -SpiderFoot: the open-source version is free and automates 100+ data sources; note there is a separate paid cloud version, SpiderFoot HX
  • -Recon-ng: free and open-source, a modular reconnaissance framework
  • -Maltego: the free plan, now called Basic and formerly Community Edition, is free with an account but capped on results and data sources
  • -OSINT Framework: a free web directory of tools and resources, not a tool itself

Frameworks pull many sources into one place, but they are more setup and more to learn. For a beginner, a few focused tools beat a heavy framework.

The catch with a pile of free tools

Free tools are powerful, but stitching a dozen of them together by hand is slow, and it is easy to miss the connections between what each one finds.

That is the gap Clearfront fills. It wraps many of these tools, including Sherlock, Maigret, holehe, Have I Been Pwned, crt.sh, and the Wayback Machine, runs them for you, and an AI security analyst connects the results into one report. It is open-source and runs on your own machine. The full tool reference lists every source it uses. If you are new to all of this, start with what is OSINT.

Frequently asked questions

Are OSINT tools free?
Many of the best are genuinely free and open-source, like Sherlock, Maigret, holehe, theHarvester, and the Wayback Machine. Others, like Shodan, Censys, and PimEyes, are freemium, with the most useful features behind a paid tier or an API key.
Is Maltego still free?
Yes. The free tier, now called Maltego Basic and formerly Community Edition, is still free after you create an account, but it is capped on results per transform and on data sources.
Do I need to know how to code to use OSINT tools?
Not for all of them. Many are command-line Python tools, but Google Lens, the Wayback Machine, crt.sh, Maltego, and various web front-ends are point and click.
Are OSINT tools legal to use?
Yes, when used on public data. As with any OSINT, the legality depends on the target and intent. Run them on your own footprint or on targets you are authorized to investigate.

Scott Anderson believes your personal data is yours to own and protect. He built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and he writes about OSINT, breach exposure, and personal privacy.