Overview
The first hour of any investigation involves the same repetitive work: check the domain registrar, look up the IP, search breach databases, scan social media, verify the email, check certificate transparency logs. Done manually, that process takes an experienced analyst thirty minutes to an hour per target. SpiderFoot runs all of those lookups as modules in parallel, covering dozens of data sources against a single target in a fraction of the time. Argus integrates SpiderFoot to automate the preliminary reconnaissance and OSINT enrichment phase of investigations, surfacing digital footprint data, breach exposures, DNS relationships, certificate transparency records, social media presence, and threat reputation data in a structured form.
Key Features
Automated Scan Lifecycle
Launch SpiderFoot scans from within Argus via launchSpiderfootScan. The integration client communicates with a self-hosted SpiderFoot instance to initiate and retrieve scan results, which are then persisted to PostgreSQL with the scan target, scan type, module list, and result counts.
Multi-Target Support
Supports all SpiderFoot target types: IP addresses, domain names, email addresses, person names, phone numbers, Bitcoin addresses, and organisation names. Different scan profiles can be applied depending on whether the target is an unknown threat actor, a known infrastructure address, or a subject of interest in an investigation.
Result Inventory and Filtering
Query scan results by module category (DNS, social media, breach data, threat intel, geolocation, and others) and by finding type. The spiderfootScans query surfaces the most significant findings at the top by risk score, enabling analysts to orient quickly without reading through hundreds of raw results.
Clearance-Filtered Results
Scan results carry secrecy_level tags. OSINT conducted against classified subject matter can be tagged accordingly and restricted to cleared personnel, supporting intelligence operations where even the identity of the investigation subject is classified.
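As an added illustration (not Argus's own code) of the behaviour the two sections above describe for the spiderfootScans query: organisation scoping, secrecy_level clearance filtering, optional filtering by module category and finding type, and ranking by risk score. The Finding fields, the secrecy level vocabulary and its ordering, the module names and the sample rows are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Clearance ordering is an assumption for this example; the page does not
# define the secrecy_level vocabulary Argus uses.
SECRECY_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Finding:
    """One persisted SpiderFoot result row (field names assumed for the example)."""
    scan_id: str
    org_id: str          # organisation that launched the scan
    module: str          # SpiderFoot module that produced the result
    category: str        # module category: dns, breach, threat_intel, certificates, ...
    finding_type: str    # SpiderFoot event type
    data: str
    risk_score: int      # higher is more significant
    secrecy_level: str   # classification tag carried by the result


def visible_findings(findings: List[Finding], org_id: str, clearance: str,
                     category: Optional[str] = None, finding_type: Optional[str] = None,
                     limit: Optional[int] = None) -> List[Finding]:
    """Return the findings a caller may see, most significant first."""
    if clearance not in SECRECY_RANK:
        raise ValueError(f"unknown clearance: {clearance!r}")
    caller_rank = SECRECY_RANK[clearance]
    allowed = [
        f for f in findings
        if f.org_id == org_id                                       # organisation scoping
        and SECRECY_RANK.get(f.secrecy_level, 99) <= caller_rank    # unknown tag: fail closed
        and (category is None or f.category == category)
        and (finding_type is None or f.finding_type == finding_type)
    ]
    # Risk score descending; module and data break ties so paging stays stable.
    allowed.sort(key=lambda f: (-f.risk_score, f.module, f.data))
    return allowed if limit is None else allowed[:limit]


# Constructed sample rows (documentation IP ranges, example.com, assumed module names).
SAMPLE = [
    Finding("scan-1", "org-a", "sfp_dnsresolve", "dns", "IP_ADDRESS", "192.0.2.10", 10, "unclassified"),
    Finding("scan-1", "org-a", "sfp_crt", "certificates", "SSL_CERTIFICATE_ISSUED", "dev.example.com", 30, "unclassified"),
    Finding("scan-1", "org-a", "sfp_haveibeenpwned", "breach", "EMAILADDR_COMPROMISED", "alice@example.com", 80, "confidential"),
    Finding("scan-1", "org-a", "sfp_threatintel", "threat_intel", "MALICIOUS_IPADDR", "192.0.2.10", 95, "secret"),
    Finding("scan-2", "org-b", "sfp_dnsresolve", "dns", "IP_ADDRESS", "198.51.100.7", 10, "unclassified"),
]

if __name__ == "__main__":
    for f in visible_findings(SAMPLE, "org-a", "confidential"):
        print(f.risk_score, f.finding_type, f.data)
```

A caller cleared to "confidential" in org-a sees the breach, certificate and DNS rows in that order and never the "secret" threat-intel row; org-b's caller sees only scan-2.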
Use Cases
- Threat Actor Profiling: Run a SpiderFoot scan against a threat actor domain or IP range to rapidly surface associated infrastructure, registration history, certificate linkages, and breach data that feed attribution analysis.
- Victim Digital Footprint: Assess a victim organisation's exposed attack surface (email addresses, breached credentials, exposed services) as part of incident response to understand how an adversary may have obtained initial access.
- Missing Persons and Counter-Trafficking Investigations: Run name, email, and phone targets through SpiderFoot's social media and public record modules to reconstruct a person's recent digital activity timeline.
- Due Diligence Automation: Automate the OSINT component of third-party risk assessments, vendor vetting, or staff background screening workflows.
Integration
Available via GraphQL: spiderfootScans, spiderfootStats (queries); launchSpiderfootScan (mutation). All operations require authentication and organisation scoping.
Compatible with SpiderFoot 4.x REST API. Works alongside Shodan (exposure detail), GreyNoise (IP noise filtering), the OSINT Providers domain (for complementary enrichment), and the Investigation domain (for linking OSINT results to cases). SpiderFoot findings feed into OpenCTI for structured threat intelligence management and connect to MISP and MISP Modules for community indicator sharing. Part of the 153 third-party integrations accessible through the Argus provider orchestration layer.
Open Standards
- GraphQL (June 2018 specification): All SpiderFoot scan operations, spiderfootScans, spiderfootStats, and launchSpiderfootScan, are exposed exclusively through the Argus GraphQL API, with typed queries and mutations enforced by the Strawberry schema layer.
- OAuth 2.0 Bearer Token (RFC 6750): Authentication to the SpiderFoot REST API uses HTTP Bearer token headers, and every Argus GraphQL operation requires an authenticated session, enforcing organisation-scoped access on all OSINT data.
- STIX 2.1 (OASIS CTI TC): SpiderFoot findings are forwarded to OpenCTI using the platform's bidirectional STIX 2.1 adapter, mapping threat actors, indicators, and attack patterns to STIX domain objects for structured intelligence sharing.
- TAXII 2.1 (OASIS CTI TC): The OSINT collection task model supports TAXII 2.1 feed subscriptions as an explicit trigger type, enabling analysts to push SpiderFoot-enriched indicators outbound to TAXII-capable threat intelligence platforms.
- Certificate Transparency (RFC 6962): SpiderFoot's certificate module category queries public CT logs to surface TLS certificate issuance history, subdomain discovery, and certificate linkage chains for investigation targets.
- DNS (RFC 1034 / RFC 1035): DNS record enumeration is a primary SpiderFoot module category, resolving A, AAAA, MX, NS, PTR, and SOA records as part of domain and infrastructure reconnaissance against any target.
- WHOIS (RFC 3912): Domain registration and ownership lookups via WHOIS are a named provider capability in the platform's OSINT layer, used by SpiderFoot to surface registrant identity, registration dates, and registrar history.
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14