
Introduction:
Open-source intelligence (OSINT) is undergoing a seismic shift from manual, fragmented tool-hopping to orchestrated, AI-driven investigations. This week’s releases showcase agentic AI workbenches, browser-based passive reconnaissance, MCP servers that bridge AI assistants with Maltego graphs, and civic transparency platforms — all redefining how analysts collect, correlate, and act on publicly available data. Understanding these tools is critical for cybersecurity professionals, threat hunters, and intelligence analysts aiming to automate discovery while maintaining rigorous analysis.
Learning Objectives:
- Deploy and orchestrate an agentic OSINT workbench using LLM-driven adapters for automated data collection and structured reporting.
- Execute passive reconnaissance without local installation via browser-based tools for DNS, WHOIS, SSL, and subdomain enumeration.
- Integrate AI assistants with Maltego’s graphing environment using MCP servers to transform raw lookups into visual investigative workflows.
- Monitor parliamentary and political transparency data longitudinally for influence analysis, policy risk, and open-source civic intelligence.
You Should Know:
1. Argus: Agentic OSINT Workbench with LLM-Driven Orchestration
Argus is an early-stage, self-hosted OSINT workbench that replaces manual tool-switching with repeatable investigation plans. It uses pluggable LLM adapters to call sources like WHOIS, DNS, Shodan, web search, scraping, and identity APIs, then returns structured, provenance-tracked reports.
Step‑by‑Step Guide – Installing and Running Argus (Linux):
```bash
# Clone the repository
git clone https://github.com/AXRoux/argus-os.git
cd argus-os

# Set up a Python virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Configure the LLM provider (example using OpenAI)
export OPENAI_API_KEY="your-key-here"
export ARGUS_DB_PATH="./argus.sqlite"

# Run a basic investigation plan
python run_investigation.py --target "example.com" --modules whois,dns,shodan

# View the structured report (JSON output with provenance)
cat reports/latest_report.json
```
Windows Equivalent (PowerShell):
```powershell
git clone https://github.com/AXRoux/argus-os.git
cd argus-os
python -m venv venv
.\venv\Scripts\Activate.ps1
pip install -r requirements.txt
$env:OPENAI_API_KEY="your-key-here"
python run_investigation.py --target "example.com" --modules whois,dns
```
Why This Matters: Argus moves OSINT from “click fatigue” to reproducible, auditable automation. Analysts can chain multiple intelligence sources, store sessions locally in SQLite, and switch between LLM providers (OpenAI, local models via Ollama) without rebuilding workflows. For red teams, this enables rapid, consistent reconnaissance across many targets.
Tutorial – Custom Adapter for a New Source:
```python
# adapters/example_adapter.py
from argus.base import BaseAdapter


class CustomAPIAdapter(BaseAdapter):
    # The module name used in --modules and in config.yaml
    name = "custom_api"

    def collect(self, target: str):
        # Call any REST API here, parse the response, and return
        # the structured result together with its source label
        return {"source": "custom", "data": [...]}
```
Register the adapter in `config.yaml` and restart Argus.
2. NetSpecter: Browser-Based Passive Reconnaissance Without Installation
NetSpecter provides a zero-install, zero-API-key passive reconnaissance surface. Open a browser, input a domain or IP, and get DNS records, WHOIS data, SSL certificate details, subdomain enumeration, port status, and technology fingerprinting – ideal for rapid first-pass triage.
Step‑by‑Step Guide – Using NetSpecter:
1. Navigate to the hosted version, or clone and serve it locally:
```bash
git clone https://github.com/NetSpecter-OSINT/NetSpecter.git
cd NetSpecter
# If using a local server (Python 3)
python3 -m http.server 8000
```
2. Open a browser to http://localhost:8000
3. Enter the target domain (e.g., `github.com`)
4. Toggle modules: DNS, WHOIS, SSL, Subdomains, Ports, Tech Fingerprint
5. Click “Run Recon” – results appear within seconds without sending API keys to third parties.
6. Export results as CSV or JSON for ingestion into other tools.
Manual Passive Recon Commands (for comparison):
```bash
# DNS enumeration
dig +short github.com A
nslookup github.com

# WHOIS (Linux)
whois github.com

# SSL certificate transparency
curl -s "https://crt.sh/?q=%.github.com&output=json" | jq '.[].name_value'

# Subdomain enumeration (passive) – requires an API key; NetSpecter avoids this
curl -s "https://securitytrails.com/list/apex_domains/github.com"
```
Windows PowerShell Passive Recon:
```powershell
Resolve-DnsName github.com
# WHOIS (install Sysinternals whois or use an online lookup)
Invoke-WebRequest -Uri "http://whois.domaintools.com/github.com" -UseBasicParsing
```
Why This Matters: NetSpecter lowers the barrier for junior analysts and cross-functional teams. It’s perfect for client-side reviews, incident triage, and teaching OSINT fundamentals without managing local toolchains.
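The crt.sh command above pipes raw `name_value` strings through jq, which leaves duplicates, wildcards, mixed case and several names packed into one entry. The following is an added example (not NetSpecter's own code) that normalises a crt.sh JSON body into a clean subdomain list; the sample JSON is constructed, and `fetch_subdomains` is the only function that touches the network.

```python
import json
import urllib.parse
import urllib.request
from typing import List

# Constructed sample of a crt.sh JSON body (the shape ?q=%25.example.com&output=json
# returns); not a real capture.
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "api.example.com\nAPI.example.com."},
    {"issuer_name": "C=US, O=Other CA", "name_value": "example.com.evil.test"},
    {"issuer_name": "C=US, O=Other CA", "name_value": "mail.example.com"},
])


def crtsh_url(apex: str) -> str:
    """Build the crt.sh query URL with the '%' wildcard properly percent-encoded."""
    return "https://crt.sh/?" + urllib.parse.urlencode({"q": f"%.{apex}", "output": "json"})


def parse_crtsh(raw_json: str, apex: str) -> List[str]:
    """Return sorted, de-duplicated hostnames under apex from a crt.sh JSON body.

    crt.sh packs several SANs into one name_value separated by newlines, repeats
    names across certificates, mixes case and includes wildcards, so the raw
    jq '.[].name_value' output needs this normalisation before it is a host list.
    """
    apex = apex.lower().strip(".")
    hosts = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # keep the wildcard's base label, not the '*'
            # accept only the apex itself or a real subdomain of it
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
    return sorted(hosts)


def fetch_subdomains(apex: str, timeout: int = 30) -> List[str]:
    """Live lookup (needs network): query crt.sh and parse the result."""
    with urllib.request.urlopen(crtsh_url(apex), timeout=timeout) as resp:
        return parse_crtsh(resp.read().decode("utf-8"), apex)


if __name__ == "__main__":
    print("\n".join(parse_crtsh(SAMPLE_CRTSH, "example.com")))
```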
3. Maltego MCP Server: Bridging AI Assistants to Visual Investigations
The Maltego MCP (Model Context Protocol) server allows AI assistants (e.g., Desktop, Continue) to author Maltego `.mtgx` graph files and run primitive OSINT lookups: WHOIS, DNS, ASN, and crt.sh. Instead of keeping outputs trapped in chat, the AI can generate graph-ready entities that compose with other security MCP servers.
Step‑by‑Step Guide – Setting Up Maltego MCP:
Requirements: Node.js 18+, Maltego Desktop (any edition)
```bash
# Clone the repository
git clone https://github.com/solomonneas/maltego-mcp.git
cd maltego-mcp

# Install dependencies
npm install

# Build the MCP server
npm run build
```
Configure the server in Desktop (_desktop_config.json):
```json
{
  "mcpServers": {
    "maltego": {
      "command": "node",
      "args": ["/absolute/path/to/maltego-mcp/dist/index.js"],
      "env": {
        "MALTEGO_CLIENT_ID": "your-maltego-client-id",
        "MALTEGO_CLIENT_SECRET": "your-secret"
      }
    }
  }
}
```
Using the MCP Server via AI Chat:
Prompt example to an AI assistant (Continue, etc.):
“Use the maltego-mcp server to query WHOIS for `example.com` and create a Maltego graph with entities for the domain, its registrar, and any associated name servers. Save as `example_investigation.mtgx`.”
The AI will invoke the MCP server, returning a downloadable `.mtgx` file. Import into Maltego to visualize and extend the graph with transforms.
Manual Maltego Graph Creation (XML snippet):
```xml
<MaltegoMessage>
  <MaltegoTransformResponseMessage>
    <Entities>
      <Entity Type="maltego.Domain">
        <Value>example.com</Value>
      </Entity>
    </Entities>
  </MaltegoTransformResponseMessage>
</MaltegoMessage>
```
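To show what the MCP server does with a lookup, here is an added example (not the maltego-mcp project's code) that turns a WHOIS-style result like the one requested in the prompt above into the same transform-response XML, with one entity per domain, registrar and name server. The WHOIS data is constructed, and `maltego.Organization` for the registrar is an assumed entity type.

```python
import xml.etree.ElementTree as ET
from typing import Dict

# Constructed WHOIS-style lookup result for the prompt above; not real registration data.
SAMPLE_WHOIS: Dict = {
    "domain": "example.com",
    "registrar": "Example Registrar, Inc.",
    "name_servers": ["a.iana-servers.net", "b.iana-servers.net"],
}


def _add_entity(parent: ET.Element, etype: str, value: str, fields: Dict[str, str]) -> ET.Element:
    """Append one <Entity> with its value, a weight and optional additional fields."""
    ent = ET.SubElement(parent, "Entity", Type=etype)
    ET.SubElement(ent, "Value").text = value
    ET.SubElement(ent, "Weight").text = "100"
    if fields:
        extra = ET.SubElement(ent, "AdditionalFields")
        for name, text in fields.items():
            ET.SubElement(extra, "Field", Name=name, DisplayName=name.replace("_", " ")).text = text
    return ent


def whois_to_maltego_message(whois: Dict) -> str:
    """Render the domain, its registrar and its name servers as a transform response.

    maltego.Domain and maltego.NSRecord are built-in entity types; maltego.Organization
    is an assumption for the registrar (swap it for the type in your entity set). Each
    child carries the parent domain in an additional field so the relationship survives
    the import into a graph.
    """
    root = ET.Element("MaltegoMessage")
    response = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(response, "Entities")
    domain = whois["domain"]
    _add_entity(entities, "maltego.Domain", domain, {})
    _add_entity(entities, "maltego.Organization", whois["registrar"], {"registrar_of": domain})
    for ns in whois.get("name_servers", []):
        _add_entity(entities, "maltego.NSRecord", ns, {"authoritative_for": domain})
    return ET.tostring(root, encoding="unicode")


def count_entities(xml_text: str) -> Dict[str, int]:
    """Tally entity types in a Maltego message, to sanity-check generated output."""
    counts: Dict[str, int] = {}
    for ent in ET.fromstring(xml_text).iter("Entity"):
        counts[ent.get("Type")] = counts.get(ent.get("Type"), 0) + 1
    return counts
```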
Why This Matters: This bridges natural language planning with professional visualization. Analysts can instruct an AI to “enumerate subdomains using crt.sh, then generate a Maltego graph showing SSL certificate chains” – and get a manipulatable graph instantly. For teams, multiple MCP servers (threat intel, vulnerability, cloud) can compose into a complete analyst assistant.
4. Riksdagsmonitor: Civic OSINT for Political and Influence Monitoring
Riksdagsmonitor is an open intelligence platform that monitors Swedish parliamentary activity using real-time analysis and long-running historical data. It demonstrates OSINT beyond cybersecurity – applied to policy, lobbying, risk, and influence analysis.
Step‑by‑Step Guide – Deploying Riksdagsmonitor (Docker):
```bash
# Clone and run using Docker Compose
git clone https://github.com/Hack23/riksdagsmonitor.git
cd riksdagsmonitor
docker-compose up -d

# Access the web interface at http://localhost:8080
# Available endpoints:
#   /api/v1/party-activities
#   /api/v1/member-votes?member_id=XXX
#   /api/v1/committees/reports
```
Basic API Query Examples:
```bash
# Fetch recent parliamentary decisions
curl "http://localhost:8080/api/v1/decisions?from=2026-04-01"

# Monitor specific committee activity
curl "http://localhost:8080/api/v1/committees/justice/meetings"

# Export member voting records
curl "http://localhost:8080/api/v1/members/votes.json" | jq '.[] | {name, party, vote}'
```
Python Script for Longitudinal Analysis:
```python
import csv
import time
from datetime import datetime

import requests

base = "http://localhost:8080/api/v1"
parties = ["S", "M", "SD", "C", "V"]

# newline="" keeps the csv module from writing blank lines on Windows
with open("voting_trends.csv", "w", newline="") as f:
    writer = csv.writer(f)
    writer.writerow(["date", "party", "bill_id", "vote"])
    for party in parties:
        resp = requests.get(f"{base}/parties/{party}/votes?days=90", timeout=30)
        resp.raise_for_status()  # fail loudly rather than parsing an error page
        for vote in resp.json():
            writer.writerow([datetime.now().isoformat(), party, vote["bill"], vote["decision"]])
        time.sleep(1)  # be polite to the API
```
Why This Matters: For corporate security, understanding parliamentary activity around technology, privacy, or defense bills is crucial. Riksdagsmonitor provides a replicable model for any country with open parliamentary data (e.g., UK Hansard, US Congress API). Analysts can adapt the codebase to monitor lobbying influence, track amendments, or alert on keywords relevant to their industry.
5. API Security and Cloud Hardening for Self-Hosted OSINT Tools
Deploying tools like Argus or Riksdagsmonitor in the cloud requires careful hardening. Below are commands and configurations to secure your OSINT infrastructure.
Linux Hardening Steps:
```bash
# Run Argus in a restricted Docker container
docker run -d --name argus-os \
  -e OPENAI_API_KEY=$OPENAI_API_KEY \
  -v $(pwd)/data:/app/data \
  -p 127.0.0.1:8080:8080 \
  --read-only --cap-drop=ALL --cap-add=NET_RAW \
  axroux/argus-os:latest

# Restrict exposure of API keys via environment isolation
systemd-run --user -p Environment=OPENAI_API_KEY=secret -p MemoryMax=512M python run_investigation.py

# Use iptables to limit outbound connections (allow only Shodan, WHOIS, DNS).
# Loopback and replies to already-established sessions (e.g. your SSH login)
# must be accepted first, or the final DROP cuts you off.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 198.20.69.0/24 -j ACCEPT      # Shodan (range as given; verify against current published ranges)
iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT      # WHOIS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT      # DNS
iptables -A OUTPUT -j DROP
```
Windows Cloud Hardening (Azure VM Example):
```powershell
# Restrict the inbound NSG rule to only your IP
$nsgRule = @{
    Name                     = "Allow_OSINT_Admin"
    Protocol                 = "Tcp"
    Direction                = "Inbound"
    Priority                 = 100
    SourceAddressPrefix      = "YOUR_PUBLIC_IP/32"
    SourcePortRange          = "*"
    DestinationAddressPrefix = "*"
    DestinationPortRange     = @("8080", "22")
    Access                   = "Allow"
}
# Splat the hashtable into the Az cmdlet; the rule still has to be added to the NSG
# (Add-AzNetworkSecurityRuleConfig) and applied (Set-AzNetworkSecurityGroup)
$rule = New-AzNetworkSecurityRuleConfig @nsgRule

# Disable unnecessary services on the VM
Set-Service -Name "RemoteRegistry" -StartupType Disabled
Set-Service -Name "WSearch" -StartupType Disabled
```
Secrets Management Best Practices:
- Never hardcode Shodan, OpenAI, or Maltego API keys in source code.
- Use environment variables or a secrets manager (Hashicorp Vault, AWS Secrets Manager).
- Rotate keys monthly and audit access logs.
6. Vulnerability Exploitation and Mitigation Considerations for OSINT Tools
While OSINT tools are defensive, they can expose misconfigurations if deployed carelessly. Common pitfalls:
- Argus SQLite injection – The workbench uses parameterized queries, but custom adapters might introduce vulnerabilities. Always pass user input as bound parameters rather than building SQL from strings:
```python
# Vulnerable: the target string is interpolated straight into the SQL text
query = f"SELECT * FROM sessions WHERE target='{target}'"

# Mitigated: a parameterized query lets the driver bind target as data, never as SQL
query = "SELECT * FROM sessions WHERE target=?"
cursor.execute(query, (target,))
```
- NetSpecter cross-site scripting (XSS) – Because it renders results in-browser, ensure output encoding:
```javascript
// Instead of innerHTML, assign text so the browser never parses the data as markup
document.getElementById("result").textContent = sanitizedData;
```
- Maltego MCP server authentication – By default, MCP servers trust local clients. When exposing one over the network, implement bearer tokens and TLS:
```nginx
# Use nginx as a reverse proxy with authentication in front of the MCP server
server {
    listen 443 ssl;
    # ssl_certificate and ssl_certificate_key directives are also required for TLS to work
    location /mcp {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:3000;
    }
}
```
Exploitation Example (if misconfigured): An attacker could trick Argus into calling a malicious WHOIS server, causing SSRF or data exfiltration. Mitigation: validate all source URLs against an allowlist of trusted APIs.
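The allowlist check recommended above is the one control a custom adapter (section 1) should run before any outbound request. Below is an added example of such a validator, not part of Argus; the allowlisted host names are a constructed, hypothetical set. It goes beyond a bare hostname comparison by also rejecting the URL shapes that commonly slip past naive checks.

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# Constructed allowlist of upstream APIs an adapter may call (hypothetical names;
# an Argus deployment would maintain its own list).
ALLOWED_HOSTS = frozenset({"api.shodan.io", "crt.sh", "rdap.org"})


def is_allowed_source_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Return True only if url targets an allowlisted API host over HTTPS on port 443.

    Rejects non-https schemes, embedded credentials (https://allowed@evil/),
    raw IP literals (loopback, link-local and RFC1918 included), look-alike
    hosts that merely contain an allowlisted name, and non-standard ports.
    Matching is exact on the hostname, so nothing reaches the network unless
    it is literally one of the configured hosts.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never match a hostname allowlist
    except ValueError:
        pass
    if port not in (None, 443):
        return False
    return host in {h.lower() for h in allowed_hosts}


def check_source_url(url: str) -> str:
    """Gate for adapters: return the URL if allowed, raise before any network call otherwise."""
    if not is_allowed_source_url(url):
        raise PermissionError(f"source URL not in allowlist: {url}")
    return url
```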
What Undercode Say:
- Orchestration over fragmentation – Agentic AI workbenches like Argus represent the future of OSINT, but analysts must still validate AI-generated reports for context and false positives.
- Low-friction tools drive adoption – Browser-based passive recon (NetSpecter) and MCP bridges (Maltego) empower non-technical stakeholders and speed up initial triage.
- Civic OSINT is an underrated discipline – Parliamentary monitoring tools open new risk vectors for corporate and political intelligence, often ignored by traditional cybersecurity teams.
- Self-hosting demands hardening – Every OSINT tool becomes an attack surface. Use containers, read-only filesystems, least-privilege networking, and rotate API keys religiously.
- AI + visual graphs = analyst force multiplier – MCP servers that output Maltego graphs turn natural language queries into immediate, shareable intelligence products.
- The analysis part is still human – As the original post emphasized, tools augment but do not replace critical thinking, source validation, and contextual judgment.
Prediction:
Within 12 months, major security vendors will embed agentic OSINT orchestration natively into their SIEMs and SOARs, replacing static playbooks with LLM-driven investigation planning. Open-source projects like Argus and Maltego MCP will force commercial tools to adopt flexible, adapter-based architectures. Simultaneously, civic OSINT platforms will expand beyond Sweden to monitor legislative risk globally, becoming standard for corporate regulatory intelligence. However, the barrier to entry will shift from tool access to data provenance and LLM prompt engineering – requiring new training programs for analysts. Privacy and ethical concerns around automated public data collection will trigger updated legal frameworks in the EU and US by late 2027.
Reported By: Aaroncti Osint – Hackers Feeds