OsintX.IOOsintX.IOv2.0.0
Back to home

OsintX.IO Tutorial

Investigate with confidence

This guide mirrors how analysts use the live workspace: pick the right signal, run a focused query, pivot on facts (not noise), and export a clean trail for your report or ticket package.

Dashboard workspaceSame limits as in-app searchPlan-gated IntelX & modules

Overview

OsintX.IO aggregates breach corpora, social and messenger signals, network and crypto tooling, optional IntelX buckets, and community modules behind one query bar. Your subscription decides which backends run and how much quota you burn per day—identical rules apply in the app and on the HTTP API.

Rule of thumb: choose the search type that matches the identifier you truly have (handle vs email vs snowflake vs IP). Wrong types still “run”, but you get weaker recall and more cleanup work downstream.

Workspace

After sign-in you land in the investigation workspace. The query string, selected search type, and optional toggles (such as wildcard where supported) are sent as one job to the orchestrator. Results stream into a table you can sort, skim, and pivot from—treat the first page as a triage surface, not the final answer.

  • Query bar: paste the exact token you verified (trim spaces, avoid mixing multiple identifiers in one run unless you know the parser supports it).
  • Search type: drives which modules activate; switching type is cheap—rerun instead of forcing a poor match.
  • Latency: some paths call slow third parties; expect occasional 30–120s runs when IntelX or heavy modules are in play.

Search types

The dashboard exposes the same catalog as the API. When in doubt, start with the literal identifier class you observed in evidence (a Discord snowflake wants the Discord type, not a generic username sweep).

SignalWhen to use itNotes
Username / handleAliases across socials and forumsExpect collisions; corroborate with email or unique IDs.
Email / domainCredential leaks, registrations, infra pivotsValidate format; watch for plus-address noise.
IP / ASN / passive DNSHosting, VPN exit, historical DNS edgesInterpret as infrastructure, not identity proof.
Phone (digits)Messengers and regional registries where availableNormalize country code; respect local rules.
Discord snowflakeAccount metadata and adjacent graph signalsUse the numeric ID, not display name.

The full list—including crypto wallets, IntelX UUIDs, and specialty modes—lives in the API docs · Search types section so you can align dashboard runs with automation.

Workflows

Three repeatable patterns teams use in OsintX. Each keeps hypotheses explicit so you can brief stakeholders without retracing dead ends.

Flow A — Person-of-interest seed

  1. Start from the strongest unique ID (email or snowflake).
  2. Pivot to usernames only after you have a corroborated handle cluster.
  3. Capture screenshots or exports per pivot so your chain-of-custody stays legible.

Flow B — Infrastructure-first

  1. Run IP / domain / DNS modes to map hosting and historical edges.
  2. Only promote a host to “attribution” when independent identifiers align.
  3. Log time windows—passive DNS without timestamps misleads fast.

Flow C — Breach-led triage

  1. Use email or phone modes to surface leak rows with source tags.
  2. Validate secrets or hashes through your org’s standard procedures.
  3. Escalate to tickets if a module errors repeatedly on the same corpus.

History & exports

The workspace keeps recent runs so you can diff answers across days (useful when a provider backfills data or when you tweak wildcards). Export the structured view when you need a hand-off package—JSON or table copies paste cleanly into case folders and postmortems.

Tip: name exports with the query hash, type, and UTC date. Future-you (and your teammates) will immediately know which run produced the artifact.

IntelX & modules

IntelX and community modules extend depth but carry their own quotas and latency. If a module is disabled, the UI matches your plan—upgrades or enterprise agreements unlock additional buckets; see pricing for the surface area.

When a module times out, retry once during off-peak hours before assuming data absence; intermittent upstream faults are normal for long-running OSINT chains.

AI Analyzer

On supported plans you can send structured result context into the AI Analyzer for summaries, tables, or follow-up Q&A. Treat model output as draft analyst text: verify every claim against the underlying rows, especially dates, platform names, and identifiers.

The public API docs · AI Analyzer block shows the exact JSON fields the HTTP route accepts—use it when mirroring dashboard flows in code.

API & automation

Anything you can run manually in the workspace maps to POST /api/v1/search (plus the AI route where enabled). Keys inherit your user’s plan, rate limits, and feature flags—perfect for cron jobs, SOAR playbooks, or internal research bots.

Open API referenceContact & tickets

Troubleshooting

  • 401 / key errors: rotate the API key in account settings and confirm the Authorization: Bearer header matches the live key prefix.
  • 429 / quota: wait for the daily window or reduce wildcard fan-out; quota counters are shared with interactive searches.
  • Empty IntelX rows: verify the plan includes the bucket you expect; some UUIDs simply have no public hits.
  • Platform slowness: check the public status page before opening a ticket.

Next steps

If something still feels off, send a ticket from the dashboard with timestamps and the search type you used—we can trace orchestration logs on our side. For billing, abuse reports, or community help, the Support hub lists every official channel in one place.