
What is OSINT AI One

In one sentence

OSINT AI One is an autonomous threat intelligence and investigation platform that combines 28 OSINT tools with an AI agent that reasons over results, automatically follows leads, and produces structured reports.

The problem it solves

Investigating a typical threat involves:

  1. Searching the IP on VirusTotal manually
  2. Opening AbuseIPDB in another tab
  3. Checking Shodan
  4. Checking if the domain is in threat feeds
  5. Running WHOIS to see who registered it
  6. Trying to correlate everything in your head
  7. Writing the report by hand

That is for a single IOC. With a list of 50, it is hours of work.

OSINT AI One automates this entire process: a ReAct agent selects the right tools, executes them, auto-pivots to related IOCs, calculates a risk score, and writes the report.

Who it’s for

  • Security analysts investigating incidents or IOCs
  • Blue teams that need to enrich alerts quickly
  • Pentesters doing pre-engagement reconnaissance
  • OSINT investigators managing complex investigations with multiple sources
  • Threat hunters monitoring feeds and searching for indicators
  • Developers wanting to embed OSINT capabilities in their applications

What it includes

Autonomous Threat Intelligence

  • 28 OSINT tools organized by IOC type: IPs, domains, URLs, hashes, and contextual analysis (news, geopolitics, markets)
  • ReAct agent (LangGraph) that reasons in multiple steps, selects tools, and follows leads
  • Auto-pivot: extracts related IOCs from results and follows them automatically (max 2 levels)
  • Risk Dashboard: composite score 0-100 with levels CLEAN / LOW / MEDIUM / HIGH / CRITICAL
  • Smart cache: SQLite with configurable TTL to avoid redundant API calls
  • Live threat feeds: Feodo Tracker, URLhaus, IPsum, C2IntelFeeds, Cloudflare Radar
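The pivot-and-score loop the page describes, as an added example that is not OSINT AI One's own code: a breadth-first auto-pivot capped at two levels, a SQLite cache with a configurable TTL so repeated IOCs cost no API calls, and a composite 0-100 score mapped to the five levels. The tool lookups are replaced by a constructed offline fixture standing in for VirusTotal/AbuseIPDB-style answers; the scoring weights and the level thresholds are assumptions, since the page gives neither.

```python
"""Added example, not OSINT AI One's own code: auto-pivot limited to two levels,
SQLite TTL cache, and a composite 0-100 risk score mapped to
CLEAN/LOW/MEDIUM/HIGH/CRITICAL. Lookups use a constructed offline fixture;
the weighting formula and thresholds are assumptions."""
import json
import re
import sqlite3
import time
from collections import deque

# Constructed fixture standing in for VirusTotal/AbuseIPDB/Shodan answers.
# "related" holds the IOCs a real tool would surface (resolutions, contacted hosts).
FIXTURE = {
    "203.0.113.10":  {"malicious_votes": 12, "related": ["bad.example"]},
    "bad.example":   {"malicious_votes": 4,  "related": ["198.51.100.7", "203.0.113.10"]},
    "198.51.100.7":  {"malicious_votes": 0,  "related": ["other.example"]},
    "other.example": {"malicious_votes": 20, "related": []},
}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def ioc_type(ioc: str) -> str:
    return "ip" if IPV4.match(ioc) else "domain"


class TTLCache:
    """SQLite-backed result cache; entries older than ttl_seconds count as misses."""

    def __init__(self, path=":memory:", ttl_seconds=3600):
        self.conn = sqlite3.connect(path)
        self.ttl = ttl_seconds
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS cache (ioc TEXT PRIMARY KEY, result TEXT, fetched_at REAL)")

    def get(self, ioc, now=None):
        now = time.time() if now is None else now
        row = self.conn.execute(
            "SELECT result, fetched_at FROM cache WHERE ioc = ?", (ioc,)).fetchone()
        if row is None or now - row[1] > self.ttl:
            return None
        return json.loads(row[0])

    def put(self, ioc, result, now=None):
        now = time.time() if now is None else now
        self.conn.execute("INSERT OR REPLACE INTO cache VALUES (?, ?, ?)",
                          (ioc, json.dumps(result), now))
        self.conn.commit()


def lookup(ioc, cache, stats):
    """Enrich one IOC, hitting the 'API' (here the fixture) only on a cache miss."""
    hit = cache.get(ioc)
    if hit is not None:
        stats["cache_hits"] += 1
        return hit
    stats["api_calls"] += 1
    result = FIXTURE.get(ioc, {"malicious_votes": 0, "related": []})
    cache.put(ioc, result)
    return result


def investigate(seed, cache, max_depth=2):
    """Breadth-first auto-pivot: the seed is depth 0; related IOCs are followed only
    while depth < max_depth, so nothing more than max_depth hops away is fetched."""
    stats = {"api_calls": 0, "cache_hits": 0}
    findings = {}
    frontier = deque([(seed, 0)])
    while frontier:
        ioc, depth = frontier.popleft()
        if ioc in findings:
            continue
        result = lookup(ioc, cache, stats)
        findings[ioc] = {"type": ioc_type(ioc), "depth": depth,
                         "malicious_votes": result["malicious_votes"]}
        if depth < max_depth:
            for related in result["related"]:
                if related not in findings:
                    frontier.append((related, depth + 1))
    return findings, stats


def risk_score(findings):
    """Assumed composite: 5 points per malicious vote capped at 100, discounted by
    half for every pivot level away from the seed; the composite is the maximum."""
    best = 0.0
    for f in findings.values():
        best = max(best, min(100, 5 * f["malicious_votes"]) * 0.5 ** f["depth"])
    return int(round(best))


def risk_level(score):
    """Assumed thresholds for the page's five levels."""
    if score == 0:
        return "CLEAN"
    if score < 25:
        return "LOW"
    if score < 50:
        return "MEDIUM"
    if score < 75:
        return "HIGH"
    return "CRITICAL"


if __name__ == "__main__":
    cache = TTLCache()
    findings, stats = investigate("203.0.113.10", cache)
    print(json.dumps(findings, indent=1), stats)
    print(risk_score(findings), risk_level(risk_score(findings)))
    _, again = investigate("203.0.113.10", cache)
    print("second run:", again)  # all cache hits, no API calls
```

Running it shows the depth cap at work: `other.example` is three hops from the seed, so it is never fetched, and a second run of the same seed makes zero API calls while the cache entries are within their TTL.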

Investigation Management

  • Full lifecycle: create, archive, reactivate investigations
  • Evidence pipeline: SHA-256 → dedup → text extraction → chunking → ChromaDB embeddings
  • 12 entity types following the FollowTheMoney ontology
  • Claims with traceability: every claim linked to evidence_id + chunk_id + snippet
  • Semantic search: ChromaDB with multilingual sentence-transformers
  • Alerts: scheduled searches and entity activity spike detection
  • 9-section reports, including executive summary, methodology, findings, entities, evidence, risks and next steps
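The evidence pipeline and the claim traceability rule above, as an added example that is not the project's own code: raw bytes are hashed with SHA-256 to form the evidence_id, identical uploads are deduplicated on that hash, text is extracted (here only UTF-8 decoding with whitespace normalisation) and split into overlapping chunks with stable chunk_ids, and a claim is accepted only if it points at an existing chunk, from which its snippet is copied. The ChromaDB embedding step is left out; the sample evidence is constructed.

```python
"""Added example, not OSINT AI One's own code: SHA-256 -> dedup -> text
extraction -> chunking, plus claims that carry evidence_id + chunk_id + snippet.
Embedding into ChromaDB is omitted; the sample document is constructed."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample evidence (not a real incident note).
SAMPLE = (b"Incident note: on 2024-03-01 host 203.0.113.10 contacted bad.example "
          b"over TCP/443.\nThe domain resolved to 198.51.100.7 the following day.")


@dataclass
class Evidence:
    evidence_id: str          # sha256 hex of the raw bytes
    filename: str
    text: str
    chunks: list = field(default_factory=list)


@dataclass
class Claim:
    text: str
    evidence_id: str
    chunk_id: str
    snippet: str


def extract_text(raw: bytes) -> str:
    """Text extraction stand-in: UTF-8 decode and collapse whitespace."""
    return " ".join(raw.decode("utf-8", errors="replace").split())


def chunk_text(evidence_id, text, size, overlap):
    """Fixed-size character windows with overlap; chunk_id = evidence_id prefix + index."""
    chunks, start, idx = [], 0, 0
    step = size - overlap
    while start < len(text):
        chunks.append({"chunk_id": f"{evidence_id[:12]}-{idx}",
                       "start": start, "text": text[start:start + size]})
        if start + size >= len(text):
            break
        start += step
        idx += 1
    return chunks


class EvidenceStore:
    def __init__(self, chunk_size=200, overlap=40):
        self.evidence = {}
        self.chunk_size, self.overlap = chunk_size, overlap

    def ingest(self, filename, raw: bytes):
        """Return (evidence, is_new); identical bytes dedup to one evidence_id."""
        evidence_id = hashlib.sha256(raw).hexdigest()
        if evidence_id in self.evidence:
            return self.evidence[evidence_id], False
        text = extract_text(raw)
        ev = Evidence(evidence_id, filename, text)
        ev.chunks = chunk_text(evidence_id, text, self.chunk_size, self.overlap)
        self.evidence[evidence_id] = ev
        return ev, True

    def _chunk(self, evidence_id, chunk_id):
        ev = self.evidence.get(evidence_id)
        if ev is None:
            return None
        return next((c for c in ev.chunks if c["chunk_id"] == chunk_id), None)

    def make_claim(self, claim_text, evidence_id, chunk_id):
        """A claim must reference an existing chunk; the snippet is taken from it."""
        chunk = self._chunk(evidence_id, chunk_id)
        if chunk is None:
            raise KeyError(f"{chunk_id} is not a chunk of {evidence_id}")
        return Claim(claim_text, evidence_id, chunk_id, chunk["text"][:120])

    def verify_claim(self, claim):
        """Traceability check: the snippet must still occur in the referenced chunk."""
        chunk = self._chunk(claim.evidence_id, claim.chunk_id)
        return chunk is not None and claim.snippet in chunk["text"]


if __name__ == "__main__":
    store = EvidenceStore()
    ev, new = store.ingest("note1.txt", SAMPLE)
    _, dup = store.ingest("note1-copy.txt", SAMPLE)   # same bytes: deduplicated
    claim = store.make_claim("203.0.113.10 contacted bad.example",
                             ev.evidence_id, ev.chunks[0]["chunk_id"])
    print(new, dup, len(store.evidence), store.verify_claim(claim))
```

Because the chunk_id embeds the evidence hash, a claim cannot silently drift to a different document, and `verify_claim` lets a report generator re-check every cited snippet against the stored chunk before emitting it.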

Protocols & Integrations

  • MCP Server: 44 tools/resources/prompts for Claude Desktop, VS Code, Cursor
  • A2A Server: 5 skills via Google Agent-to-Agent protocol
  • Claude Code: 15 skills + 4 specialized agents
  • Python: all tools are importable async functions

What it is NOT

  • Not an active scanner: passive reconnaissance only (DNS, public APIs, CT logs)
  • Not an attack tool: no brute-force, exploitation, or port scanning
  • Not a replacement for the analyst: it enriches and accelerates, human judgment is still needed
  • Not cloud-dependent: all state is stored locally (SQLite, ChromaDB, files); the enrichment tools themselves still query third-party services such as VirusTotal, Shodan and the threat feeds over the network