If you've ever pasted an email address into ChatGPT and asked it to "find everything," you already know the problem: the model gives you something that looks like a real investigation, reads beautifully, and falls apart under scrutiny. No sources cited, no verification of claims, no distinction between what it actually checked versus what it inferred from training data. That's not OSINT—that's a confidence trick performed by software.
The Real Problem Isn't the Model
The author argues it's not that LLMs are bad at research; it's that users aren't giving them structure to work with. A model without constraints will fill gaps with plausible text because that's literally what it was trained to do. An investigation, by contrast, demands discipline: separate what you know from what you assume, cite your sources, and rate your confidence at every step.
The Method: Scope, Collect, Pivot, Verify, Document
The framework proposed here applies regardless of target type or tool. In the scoping phase, you define authorization boundaries and specific questions before touching any data. Collection means pulling public information from real sources. Pivoting is how you turn one identifier into the next—email leads to username leads to domain. Verification forces you to challenge every finding and explicitly mark assumptions versus confirmed facts. Documentation ensures another analyst could reproduce your work.
The Five Prompt Templates
- The first prompt handles scoping: it restates your objective, defines in-scope versus out-of-scope sources, generates concrete investigation questions, identifies relevant public source types, and flags legal or ethical considerations, all before collecting a single data point.
- The second targets email addresses specifically, listing which public-source checks to run (breach exposure datasets, platform account discovery, associated profiles) and identifying what each pivot could unlock.
- The third template tackles username investigation across platforms, producing a table that rates confidence levels for each potential match while explicitly flagging that handle reuse doesn't prove identity.
- The fourth focuses on domain and infrastructure: WHOIS registration data, DNS records (A, MX, NS, TXT), passive DNS history, shared hosting indicators, certificates, subdomains, hosting provider, and ASN information.
- The fifth and most critical prompt handles verification and reporting: classifying each finding as confirmed, probable, or assumption; attacking your own weakest links; and producing a structured report designed for reproducibility.
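The classification the fifth prompt asks for can also be enforced outside the model. The sketch below is an added example, not code from the article or from OpenOSINT: it keeps a findings ledger in which a conclusion can never be rated higher than the weakest finding in its pivot chain. The field names, the numeric ordering of the labels, and the rule that an uncited finding counts as an assumption are assumptions of this example, and the sample ledger is constructed.

```python
from dataclasses import dataclass, field

# The three labels from the verification step; the numeric ordering is this example's assumption.
RANK = {"assumption": 0, "probable": 1, "confirmed": 2}
LABEL = {rank: name for name, rank in RANK.items()}

@dataclass
class Finding:
    fid: str
    claim: str
    status: str                      # label the analyst (or model) assigned
    source: str = ""                 # citation; empty means nothing was actually checked
    derived_from: list = field(default_factory=list)  # ids this finding pivots from

def own_rank(f):
    """A finding's own strength: an uncited claim counts as an assumption."""
    if f.status not in RANK:
        raise ValueError(f"{f.fid}: unknown status {f.status!r}")
    return RANK[f.status] if f.source.strip() else RANK["assumption"]

def chain(fid, ledger, path=()):
    """Every finding id the given finding rests on, itself included."""
    if fid in path:
        raise ValueError(f"circular pivot chain through {fid}")
    ids = {fid}
    for parent in ledger[fid].derived_from:
        ids |= chain(parent, ledger, path + (fid,))
    return ids

def effective_status(fid, ledger):
    """Label the finding can support: the weakest own_rank anywhere in its chain."""
    return LABEL[min(own_rank(ledger[i]) for i in chain(fid, ledger))]

def weakest_links(fid, ledger):
    """The findings that cap the conclusion, i.e. the ones to re-verify first."""
    ids = chain(fid, ledger)
    low = min(own_rank(ledger[i]) for i in ids)
    return sorted(i for i in ids if own_rank(ledger[i]) == low)

# Constructed sample ledger (reserved example domains, no real identifiers).
LEDGER = {f.fid: f for f in [
    Finding("F1", "Address user@example.com is the in-scope identifier", "confirmed", "scope document"),
    Finding("F2", "Handle 'user' exists on forum.example", "probable", "https://forum.example/u/user", ["F1"]),
    Finding("F3", "Forum account belongs to the address owner", "confirmed", "", ["F2"]),
    Finding("F4", "example.org is linked to the forum account", "confirmed", "saved WHOIS output", ["F2"]),
]}

if __name__ == "__main__":
    for fid, f in LEDGER.items():
        print(fid, f.status, "->", effective_status(fid, LEDGER), weakest_links(fid, LEDGER))
```

In the sample, F3 is labelled confirmed but has no source, so it drops to an assumption; F4 is cited but rests on a handle match that is only probable, so it cannot be reported as confirmed.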
Closing the Live Data Gap
A key limitation acknowledged throughout: chat models reason but don't fetch live data. They can't check current WHOIS records, query real-time DNS, or verify whether an account exists right now. To address this, the article recommends OpenOSINT—a free, open-source OSINT agent and MCP server that lets the model plan investigations and then call actual tools including DNS resolution, WHOIS lookups, account discovery, and IP intelligence. It runs as a CLI, interactive REPL, or web UI and works with Claude or local Ollama models.
Key Takeaways
- Structure your prompts by phase—"you are in the scoping phase" gets better results than vague instructions
- Explicitly distinguish findings from inferences; let confidence levels drive conclusions
- Connect LLMs to real OSINT tools via OpenOSINT or similar MCP servers for live data
- Never skip verification: attack your own weakest links before someone else does
The Bottom Line
This isn't about replacing traditional OSINT tradecraft—it's about applying structure so AI amplifies good methodology instead of generating confident nonsense. The discipline matters more than the tool. Scope first, collect second, pivot third, verify fourth, document fifth. Everything else is just typing and hoping.