
Complete Investigation

This workflow covers the most complete use case: a structured investigation with external evidence, OSINT on IOCs, entity extraction and report generation.

Scenario

Due diligence on “Acme Corp” — you need to know if the company and its digital infrastructure show risk signals.

Step 1: Create the investigation

# CLI
osint-agent investigation create "Acme Corp Case" --goal "Pre-contract due diligence"
osint-agent investigation use acme-corp-case

Or from Claude Code:

/investigation-init "Acme Corp Case" --goal "Pre-contract due diligence"

This creates:

investigaciones/acme-corp-case/
├── evidencias/
├── hallazgos/
├── informes/
└── metadata.json

Step 2: Ingest existing documents

/evidence-ingest registry-report.pdf
/evidence-ingest supplier-contract-2024.pdf
/evidence-ingest https://acme-corp.com/about

Pipeline for each document:

  1. SHA-256 hash (automatic dedup)
  2. Text extraction (PDF, HTML, MD, TXT)
  3. Chunking with overlap
  4. Embeddings with multilingual sentence-transformers
  5. Storage in ChromaDB
  6. Registration in SQLite with metadata
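As an added example (not the osint-agent project's own code), here is a minimal stand-in for steps 1, 3 and 6 of that pipeline: SHA-256 dedup, chunking with overlap and registration in SQLite. The chunk sizes, table names and helper names are assumptions; PDF/HTML extraction and the embedding/ChromaDB steps are left out so it runs offline.

```python
import hashlib
import sqlite3

# Assumed sizes; the real tool's chunk parameters are not documented on this page.
CHUNK_SIZE = 200
CHUNK_OVERLAP = 50


def sha256_of(data: bytes) -> str:
    """Step 1: content hash used as the dedup key."""
    return hashlib.sha256(data).hexdigest()


def chunk_text(text: str, size: int = CHUNK_SIZE, overlap: int = CHUNK_OVERLAP) -> list:
    """Step 3: sliding window; each chunk shares `overlap` chars with the previous one."""
    if size <= overlap:
        raise ValueError("chunk size must exceed overlap")
    if len(text) <= size:
        return [text]
    chunks, step = [], size - overlap
    for start in range(0, len(text), step):
        chunks.append(text[start:start + size])
        if start + size >= len(text):      # last window reached the end of the text
            break
    return chunks


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Step 6: evidence registry. Table layout is an assumption for this example."""
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS evidence (id INTEGER PRIMARY KEY, name TEXT,
                                             sha256 TEXT UNIQUE, n_chunks INTEGER);
        CREATE TABLE IF NOT EXISTS chunks (evidence_id INTEGER, idx INTEGER, body TEXT);
    """)
    return db


def ingest(db: sqlite3.Connection, name: str, data: bytes) -> dict:
    """Register one document; a second copy with the same bytes is reported as duplicate."""
    digest = sha256_of(data)
    if db.execute("SELECT 1 FROM evidence WHERE sha256 = ?", (digest,)).fetchone():
        return {"status": "duplicate", "sha256": digest, "chunks": 0}
    text = data.decode("utf-8", errors="replace")   # TXT only; PDF/HTML extraction omitted
    chunks = chunk_text(text)
    cur = db.execute("INSERT INTO evidence (name, sha256, n_chunks) VALUES (?, ?, ?)",
                     (name, digest, len(chunks)))
    db.executemany("INSERT INTO chunks (evidence_id, idx, body) VALUES (?, ?, ?)",
                   [(cur.lastrowid, i, c) for i, c in enumerate(chunks)])
    db.commit()
    return {"status": "ingested", "sha256": digest, "chunks": len(chunks)}
```

Running `ingest` twice on the same bytes under different file names shows the dedup step working: the second call returns `duplicate` and inserts nothing.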

Step 3: OSINT on infrastructure

/osint-investigate "acme-corp.com"

The agent automatically runs:

  • WHOIS → registration date, registrant, registrar
  • DNS → IPs, nameservers, MX
  • crt.sh → subdomains via CT logs
  • VirusTotal → domain reputation
  • AlienVault → threat pulses

/osint-investigate "185.220.101.34"

For the main server IP:

  • VirusTotal, AbuseIPDB, Shodan, AlienVault, IPInfo

Each result is automatically saved as evidence.

Step 4: Additional technical recon

/osint-recon acme-corp.com

Faster than /osint-investigate — no LLM reasoning, just raw technical data.

Step 5: Semantic search over evidence

/memory-query "mentioned executives"
/memory-query "foreign investments"
/memory-query "legal proceedings or litigation"

ChromaDB finds relevant fragments even if exact words don’t match.

Step 6: Extract entities

/entity-extract

Extracts and normalizes from all evidence:

  • People: executives, representatives, owners
  • Companies: subsidiaries, suppliers, clients
  • Domains and IPs: digital infrastructure
  • Emails and phones: contact points
  • Bank accounts: if they appear in contracts

Step 7: Record key claims

/claim-track "Acme Corp was founded in 2019 according to registry report dated 2024-01-15"
/claim-track "Domain acme-corp.com was registered in 2018 according to WHOIS"
/claim-track "IP 185.220.101.34 appears clean in VirusTotal (0/94 detections)"

Step 8: Verify claims

/verify-claims

The system audits for:

  • Claims without supporting evidence
  • Contradictory statements between evidence
  • Duplicate claims

Step 9: Generate report

/report-generate

Generates investigaciones/acme-corp-case/informes/report-2026-03-07.md with 9 sections:

  1. Executive summary — main findings in 3-5 sentences
  2. Objective and scope — what was investigated and what’s excluded
  3. Methodology — tools and techniques used
  4. Verified findings — VERIFIED claims with evidence
  5. Identified entities — people, companies, domains…
  6. Evidence — list of documents and OSINT results
  7. Risk analysis — assessment of detected risks
  8. Limitations — what this investigation doesn’t cover
  9. Next steps — recommendations for continuation

Complete workflow summary

/investigation-init "Acme Corp Case"
/evidence-ingest registry-report.pdf
/evidence-ingest contract-2024.pdf
/osint-investigate "acme-corp.com"
/osint-investigate "185.220.101.34"
/osint-recon acme-corp.com
/entity-extract
/claim-track "..."
/verify-claims
/memory-query "key points"
/report-generate