The Best Free OSINT Tools in 2026
By Scott Anderson, Clearfront maintainer
The best OSINT tools are free, and most of them are open-source. This is a working list of the ones actually worth using in 2026, grouped by what they do, with an honest note on which are truly free and which gate the good parts behind a paywall.
What are the best free OSINT tools?
The most useful free OSINT tools are Sherlock and Maigret for usernames, Have I Been Pwned and holehe for emails and breaches, Google dorks for search, Shodan and Censys for infrastructure, theHarvester and crt.sh for domains, the Wayback Machine for archives, and SpiderFoot or Recon-ng to tie it together. Nearly all are free or have a usable free tier.
One thing to know before you start: free splits three ways. Some tools are genuinely free and open-source, some are freemium with the useful parts behind a paywall, and some are free but need a free account or an API key to do anything. I have flagged which is which below.
Username search
- -Sherlock: free and open-source, checks a username across 400+ sites from the command line
- -Maigret: free and open-source, a Sherlock fork that checks 3,000+ sites and builds a fuller profile, with a web interface
- -Blackbird: free and open-source, searches usernames and emails across 600+ platforms
Username tools are where beginners have their first real moment, because one reused handle maps to accounts across hundreds of sites. Sherlock is the fast, simple one; Maigret goes deeper. I cover this in how to find every account linked to a username.
Email and breach checking
- -Have I Been Pwned: free for individuals, shows which breaches include your email
- -holehe: free and open-source, checks which of 120+ sites an email is registered on, without alerting the account owner
Together these turn an email into a map of where you have accounts and which leaks include you. The free breach-check options are compared in open-source Have I Been Pwned alternatives.
Search and infrastructure
- -Google dorks: free, advanced search operators that surface exposed files and pages, indexed in the Google Hacking Database
- -Shodan: free account with limited searches, a search engine for internet-connected devices; deeper and programmatic use is paid
- -Censys: free with an account, a search engine for hosts, certificates, and networks
Google dorking is the most underrated free skill in OSINT: the right search operator finds what normal searches miss. Shodan and Censys move from people to infrastructure, useful if you are checking exposed devices or servers.
Domains, subdomains, and archives
- -theHarvester: free and open-source, gathers emails, subdomains, and hosts from public sources
- -crt.sh: free, finds subdomains through certificate transparency logs
- -Amass: free and open-source, deep subdomain enumeration from OWASP
- -Wayback Machine: free, recovers what a page looked like before it was edited or deleted
The Wayback Machine deserves a special mention. When someone deletes a revealing page, the archive often still has it, which makes it one of the most powerful free tools there is.
Reverse image and face search
- -Google Lens: free, Google reverse image and visual match search
- -PimEyes: freemium, a face search engine whose free tier shows that matches exist but hides the links, so real use is effectively paid
Face search is the most invasive category. I dig into what it can find and how to opt out in is your face searchable.
All-in-one frameworks
- -SpiderFoot: the open-source version is free and automates 100+ data sources; note there is a separate paid cloud version, SpiderFoot HX
- -Recon-ng: free and open-source, a modular reconnaissance framework
- -Maltego: the free plan, now called Basic and formerly Community Edition, is free with an account but capped on results and data sources
- -OSINT Framework: a free web directory of tools and resources, not a tool itself
Frameworks pull many sources into one place, but they are more setup and more to learn. For a beginner, a few focused tools beat a heavy framework.
The catch with a pile of free tools
Free tools are powerful, but stitching a dozen of them together by hand is slow, and it is easy to miss the connections between what each one finds.
That is the gap Clearfront fills. It wraps many of these tools, including Sherlock, Maigret, holehe, Have I Been Pwned, crt.sh, and the Wayback Machine, runs them for you, and an AI security analyst connects the results into one report. It is open-source and runs on your own machine. The full tool reference lists every source it uses. If you are new to all of this, start with what is OSINT.
Frequently asked questions
- Are OSINT tools free?
- Many of the best are genuinely free and open-source, like Sherlock, Maigret, holehe, theHarvester, and the Wayback Machine. Others, like Shodan, Censys, and PimEyes, are freemium, with the most useful features behind a paid tier or an API key.
- Is Maltego still free?
- Yes. The free tier, now called Maltego Basic and formerly Community Edition, is still free after you create an account, but it is capped on results per transform and on data sources.
- Do I need to know how to code to use OSINT tools?
- Not for all of them. Many are command-line Python tools, but Google Lens, the Wayback Machine, crt.sh, Maltego, and various web front-ends are point and click.
- Are OSINT tools legal to use?
- Yes, when used on public data. As with any OSINT, the legality depends on the target and intent. Run them on your own footprint or on targets you are authorized to investigate.
Sources and further reading
Scott Anderson believes your personal data is yours to own and protect. He built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and he writes about OSINT, breach exposure, and personal privacy.
Related posts
- How to Find Every Account Linked to a Username (and Lock Yours Down)
One username often maps to accounts across hundreds of sites. Here is how username enumeration works, what it reveals about you, and how to lock it down.
- What Is OSINT? A Beginner's Guide to Open-Source Intelligence
OSINT is finding things out from information that is already public. Here is what it is, how the four stages work, why it is legal, and the free tools to start with.
- Getting Started With Clearfront: Install It and Run Your First Scan
Clearfront is a free, open-source footprint scanner that runs on your own machine. Here is how to install it and run your first scan, start to finish.