Knogin
[Developers]

Investigation Maltego Integration

Many financial crime and intelligence teams have built deep expertise around Maltego's transform ecosystem. Their analysts know which transforms surface company directorships, which ones pull passport-linked social profi

Back to All Modules
Category: InvestigationLast Updated: Feb 5, 2026
investigationcomplianceblockchaingeospatial

Overview#

Many financial crime and intelligence teams have built deep expertise around Maltego's transform ecosystem. Their analysts know which transforms surface company directorships, which ones pull passport-linked social profiles, and which ones trace phone numbers through public records. Switching away from that toolkit is not practical, but working in two disconnected systems creates its own problems: findings get lost in translation, entity naming drifts between platforms, and investigation records end up incomplete.

The Maltego Integration module solves that by making the two environments work together. Investigators export subjects and entities to Maltego for enrichment, run whatever transforms their workflow demands, then import the enriched graph back into the investigation with entity context, risk scores, and relationship structures intact.

Key Features#

  • Bidirectional Entity Synchronisation: Export investigation entities to Maltego for enrichment and import enriched Maltego graphs back into investigations with reliable entity mapping and attribute preservation.
  • Entity Type Mapping: Advanced mapping ensures cryptocurrency addresses, wallets, exchanges, and blockchain transactions integrate seamlessly with Maltego's entity model and transform ecosystem.
  • Transform Library Access: Investigators use Maltego's extensive transform library for entity enrichment, OSINT collection, and relationship discovery directly from investigation workflows.
  • Graph Fidelity Preservation: Lossless import and export maintains relationship structures, entity attributes, and graph layouts across platform boundaries without data loss.
  • Batch Entity Processing: High-performance processing handles large-scale entity imports and exports with progress tracking and error handling for complex investigation graphs.
  • Context Preservation: Complete attribute mapping maintains investigation integrity during cross-platform operations, ensuring risk scores, tags, and annotations transfer accurately.
  • Investigation-Aware Transforms: Custom transforms designed for financial crime investigation enrich entities with blockchain intelligence, sanctions screening, and adverse media data.
  • Session Management: Multiple concurrent Maltego integration sessions with state tracking enable investigators to manage parallel enrichment workflows across different case aspects.
  • Conflict Resolution: Intelligent merge strategies handle conflicting entity attributes when importing enriched data back into investigations, with analyst review for ambiguous cases.

Use Cases#

  • OSINT Entity Enrichment: Investigators export subjects to Maltego for open-source intelligence gathering, running transforms for social media analysis, domain research, and public records investigation before importing findings back into case files.
  • Network Expansion Analysis: Maltego's graph exploration capabilities extend investigation entity networks by discovering new connections through transform-based enrichment that would be difficult to find through transaction analysis alone.
  • Cryptocurrency Investigation Support: Blockchain-specific entity types flow between the investigation platform and Maltego, enabling investigators to combine blockchain analytics with Maltego's broader intelligence gathering capabilities.
  • Cross-Platform Investigation Workflow: Teams that use Maltego as part of their standard investigative toolkit maintain continuity between Maltego analysis sessions and the investigation platform's case management and compliance workflows.
  • Collaborative Intelligence Analysis: Multiple analysts work on different aspects of an investigation using Maltego, with results merged back into a unified investigation graph through the integration's conflict resolution capabilities.

Integration#

The Maltego Integration module connects with the investigation platform's entity management, graph visualisation, and case management systems. Exported entities carry investigation context including risk assessments, evidence links, and relationship metadata. Imported Maltego graphs automatically update investigation entity records, trigger re-evaluation of risk scores, and populate investigation timelines. The module supports Maltego's standard graph formats and provides custom transform server capabilities for investigation-specific enrichment.

Open Standards#

  • Maltego MTZ/MTGL Graph Format: The integration reads Maltego's MTZ archive format (a ZIP container holding CSV entity and relationship files) and writes MTGL exports as UTF-8 XML graphs, providing lossless round-trip fidelity with the Maltego desktop client.
  • ZIP Archive (ISO/IEC 21320-1 / PKWARE APPNOTE): MTZ files are parsed as standard ZIP archives, meaning any conformant ZIP tool can inspect or produce the import package independently of Maltego itself.
  • RFC 4180 CSV: Entity lists (entities.csv) and relationship lists (links.csv / relationships.csv) inside the MTZ archive follow the RFC 4180 comma-separated-values convention, enabling straightforward manipulation with standard data tooling.
  • W3C Extensible Markup Language (XML): MTGL graph exports are serialised as well-formed XML with a UTF-8 declaration, matching the structure Maltego expects when re-importing a graph file.
  • GraphQL: All import, export, and transform-management operations are exposed via a GraphQL API, allowing clients to request precisely the entity and relationship fields they need in a single request.
  • OAuth 2.0 Bearer Token (RFC 6750): Calls to the Maltego Transform Distribution Server (TDS) authenticate using a Bearer token carried in the HTTP Authorization header, in line with the RFC 6750 token-usage specification.
  • RFC 4122 UUID: Every entity record created during import is assigned a version-4 UUID, ensuring globally unique, collision-resistant identifiers that are portable across investigation platforms.
  • JSON: Transform results returned by the Maltego TDS REST API are exchanged as JSON, and enriched entity data is persisted in a JSON column, keeping the payload format interoperable with any HTTP client.

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14

Ready to Build?

Get started with our APIs or contact our integration team for support.