FAQ

General

What do I need to get started?

The minimum:

  1. Python 3.11+
  2. Ollama with a Qwen3 model (or an OpenAI/Anthropic API key)
  3. At least one OSINT API key (VirusTotal recommended — free tier: 500 req/day)

Is it free?

Yes. The project is open source (MIT). The OSINT tools have free tiers sufficient for most use cases. Ollama is free and runs locally.

Does my data leave my machine?

Only queries to OSINT services (VirusTotal, AbuseIPDB, etc.) go to their respective APIs. With Ollama, the LLM model runs completely locally. Investigations, evidence, and reports stay on your machine.

Does it work on Windows?

Yes, but WSL2 is recommended. The CLI and agent work correctly under WSL2. Native Windows hasn’t been extensively tested.

How many IOCs can I analyze per day?

It depends on your API keys. With VirusTotal’s free tier (500 req/day) and the 24h cache active, you can analyze up to 500 unique IOCs per day. For higher volume, upgrade to a paid tier or distribute across multiple keys.

Do I need Ollama for the MCP Server?

No. The MCP Server exposes the tools but the reasoning is done by the client’s model (Claude Desktop, VS Code…). Ollama is only required for the interactive ReAct agent.

Can it be automated with cron?

Yes:

# Analyze threat feeds every morning at 7:00
0 7 * * * /path/to/.venv/bin/osint-agent --feed feodo --limit 10 --json >> /var/log/osint/feodo.json

OSINT Tools

Which API key is most important?

VirusTotal. It covers IPs, domains, and hashes with a single key, and has the most generous free tier (500 req/day).

What happens if I have no API key at all?

Free tools (WHOIS, DNS, crt.sh, threat feeds, GDELT, RSS, country risk) still work. The analysis will be less complete but functional for domains and contextual queries.

How often are threat feeds updated?

  • Feodo Tracker: every hour
  • URLhaus: every few hours
  • IPsum: daily

The local cache is 24h by default for individual tool results.
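The two answers above (500 requests per day, 24h cache) combine into one mechanism: repeated lookups of the same IOC are served from cache, so the daily budget is spent only on unique IOCs. The following added example is not the project's code; it simulates that interaction with a TTL cache and a daily counter so you can see how many lookups hit the API, the cache, or get refused once the budget is exhausted. The names (LookupCache, DailyBudget, look_up, fake_virustotal) and the refusal path are assumptions for illustration; the page does not say how the real agent behaves when the quota runs out.

```python
"""Added example (not the project's code): a 24h result cache plus a daily
request budget. Shows why 500 req/day covers 500 unique IOCs when repeat
lookups are answered from cache. All class and function names are
hypothetical."""
import time
from dataclasses import dataclass, field

CACHE_TTL = 24 * 3600       # the page's default: tool results cached for 24h
VT_FREE_DAILY_LIMIT = 500   # VirusTotal free tier, as stated on the page
DAY = 86400


@dataclass
class DailyBudget:
    """Counts API calls inside a rolling 24h window."""
    limit: int
    used: int = 0
    window_start: float = 0.0

    def try_spend(self, now: float) -> bool:
        # Start a fresh window when the previous one is a day old.
        if now - self.window_start >= DAY:
            self.window_start, self.used = now, 0
        if self.used >= self.limit:
            return False  # budget exhausted for this window
        self.used += 1
        return True


@dataclass
class LookupCache:
    """Maps an IOC to (expires_at, result); expired entries count as misses."""
    ttl: float = CACHE_TTL
    entries: dict = field(default_factory=dict)

    def get(self, ioc: str, now: float):
        hit = self.entries.get(ioc)
        if hit is None or hit[0] <= now:
            return None
        return hit[1]

    def put(self, ioc: str, result: dict, now: float) -> None:
        self.entries[ioc] = (now + self.ttl, result)


def fake_virustotal(ioc: str) -> dict:
    # Constructed stand-in for the real API call; no network access.
    return {"ioc": ioc, "malicious": ioc.endswith(".evil")}


def look_up(ioc, cache, budget, now, api=fake_virustotal):
    """Return (result, source); source is 'cache', 'api' or 'denied'."""
    cached = cache.get(ioc, now)
    if cached is not None:
        return cached, "cache"          # no quota spent on a repeat IOC
    if not budget.try_spend(now):
        return None, "denied"           # quota gone: do not call the API
    result = api(ioc)
    cache.put(ioc, result, now)
    return result, "api"


def simulate(iocs, now=0.0):
    """Run a batch of lookups (repeats allowed) and count where each was served."""
    cache, budget = LookupCache(), DailyBudget(VT_FREE_DAILY_LIMIT)
    counts = {"cache": 0, "api": 0, "denied": 0}
    for ioc in iocs:
        _, source = look_up(ioc, cache, budget, now)
        counts[source] += 1
    return counts


if __name__ == "__main__":
    # 600 unique IOCs plus 50 repeats: 500 API calls, 50 cache hits, 100 denied.
    batch = [f"host{i}.evil" for i in range(600)] + [f"host{i}.evil" for i in range(50)]
    print(simulate(batch, now=time.time()))
```

The point to take from the simulation is that dedup before the API call is what makes the 500-per-day figure hold; if the cache TTL were shorter than the interval between repeated analyses, the same IOC would cost a request each time.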

Investigations

Can I have multiple investigations open?

Yes, up to 5 simultaneously (configurable with ACTIVE_INVESTIGATIONS_LIMIT). You can have more in archived state.

Does investigation data persist if I close the terminal?

Yes. Everything persists in SQLite and ChromaDB. The active investigation is remembered in data/.active.

What evidence formats are supported?

PDF, TXT, HTML, Markdown, and JSON. URLs are also accepted (the page HTML is downloaded and processed).

Security

Yes, for authorized security research, defensive security, CTF competitions, and educational purposes. Do not use it for unauthorized reconnaissance or activities that violate applicable laws.

Are my API keys safe?

The .env file is in .gitignore — it never gets pushed to the repository. Keys are only sent to their respective OSINT services, never logged or transmitted elsewhere.
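The answer above states that keys are never logged. One way to enforce that in any Python tool that reads keys from .env is a logging filter that redacts the secret values before a record is emitted, so an accidental debug line cannot leak them. The following added example is not the project's code; the environment variable names and the function names are assumptions.

```python
"""Added example (not the project's code): redact API-key values from log
records so keys loaded from .env never reach a log file. Env var names and
function names are hypothetical."""
import logging
import os

# Assumed names of the variables in .env that hold secrets.
SECRET_ENV_VARS = ("VIRUSTOTAL_API_KEY", "ABUSEIPDB_API_KEY")


def secrets_from_env(names=SECRET_ENV_VARS):
    """Collect the non-empty secret values currently in the environment."""
    return [v for v in (os.environ.get(n, "") for n in names) if v]


def redact(text: str, secrets) -> str:
    """Replace every occurrence of a known secret value with a marker."""
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    return text


class RedactSecrets(logging.Filter):
    """Logging filter: formats the message, redacts it, and freezes the args."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        # Format once so secrets passed as %s arguments are caught too.
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True  # keep the record, just sanitized


def redacted_message(msg: str, args: tuple, secrets) -> str:
    """Push one message through the filter and return the text that would be logged."""
    record = logging.LogRecord("osint", logging.INFO, __file__, 0, msg, args, None)
    RedactSecrets(secrets).filter(record)
    return record.getMessage()


def install(logger: logging.Logger) -> None:
    """Attach the filter to every handler of a logger (and to the logger itself)."""
    f = RedactSecrets(secrets_from_env())
    logger.addFilter(f)
    for h in logger.handlers:
        h.addFilter(f)


if __name__ == "__main__":
    # Constructed demo value; a real key would come from .env via the environment.
    os.environ["VIRUSTOTAL_API_KEY"] = "demo-key-0123456789"
    log = logging.getLogger("osint")
    logging.basicConfig(level=logging.INFO)
    install(log)
    log.info("querying VirusTotal with key %s", os.environ["VIRUSTOTAL_API_KEY"])
```

Attach the filter at startup, right after the .env file is loaded; the filter only knows the values present in the environment at that moment, so load secrets first and install it second.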