Knogin
[Wywiad]

OSINT Intelligence: SpiderFoot Automation

SpiderFoot is an open-source OSINT automation platform that runs hundreds of intelligence-gathering modules against a target (IP, domain, email, person name, organisation) and aggregates results from dozens of data sourc

Metadane modulu

SpiderFoot is an open-source OSINT automation platform that runs hundreds of intelligence-gathering modules against a target (IP, domain, email, person name, organisation) and aggregates results from dozens of data sourc

Powrót do wszystkich modułów

Odwolanie do zrodla

content/modules/osint-spiderfoot-automation.md

Ostatnia aktualizacja

18 mar 2026

Kategoria

Wywiad

Suma kontrolna tresci

cf4caef5cb157da7

Tagi

intelligence

Renderowana dokumentacja

Ta strona renderuje Markdown i Mermaid modulu bezposrednio z publicznego zrodla dokumentacji.

Overview#

SpiderFoot is an open-source OSINT automation platform that runs hundreds of intelligence-gathering modules against a target (IP, domain, email, person name, organisation) and aggregates results from dozens of data sources simultaneously. Argus integrates SpiderFoot to automate the preliminary reconnaissance and OSINT enrichment phase of investigations, surfacing digital footprint data, breach exposures, DNS relationships, certificate transparency records, social media presence, and threat reputation data in a structured form.

Key Features#

Automated Scan Lifecycle#

Launch SpiderFoot scans from within Argus via 

syncSpiderfoot
, specifying the target and the set of modules to run. The 
fetch_spiderfoot_data
client communicates with a self-hosted SpiderFoot instance to initiate and retrieve scan results. Completed scan records are persisted to PostgreSQL with module results structured by finding type.

Multi-Target Support#

Supports all SpiderFoot target types: IP addresses, domain names, email addresses, person names, phone numbers, Bitcoin addresses, and organisation names. Different scan profiles can be applied depending on whether the target is an unknown threat actor, a known infrastructure address, or a subject-of-interest in an investigation.

Result Inventory and Filtering#

Query scan results by module category (DNS, social media, breach data, threat intel, geolocation, etc.) and by finding type. The 

spiderfootItems
query surfaces the most significant findings at the top by risk score, enabling analysts to orient quickly without reading hundreds of raw results.

Clearance-Filtered Results#

Scan results carry 

secrecy_level
tags. OSINT conducted against classified subject matter can be tagged accordingly and restricted to cleared personnel, supporting intelligence operations where even the identity of the investigation subject is classified.

Use Cases#

  • Threat Actor Profiling: Run a SpiderFoot scan against a threat actor domain or IP range to rapidly surface associated infrastructure, registration history, certificate linkages, and breach data that feed attribution analysis.
  • Victim Digital Footprint: Assess a victim organisation's exposed attack surface (email addresses, breached credentials, exposed services) as part of incident response to understand how an adversary may have obtained initial access.
  • Missing Persons and Counter-Trafficking Investigations: Run name, email, and phone targets through SpiderFoot's social media and public record modules to reconstruct a person's recent digital activity timeline.
  • Due Diligence Automation: Automate the OSINT component of third-party risk assessments, vendor vetting, or staff background screening workflows.

Integration#

Available via GraphQL: 

spiderfootItems
, 
spiderfootStats
(queries); 
syncSpiderfoot
(mutation). All operations require authentication and organisation scoping.

Compatible with SpiderFoot 4.x REST API. Works alongside Shodan (exposure detail), GreyNoise (IP noise filtering), OSINT Providers domain (for complementary enrichment), and Investigation domain (for linking OSINT results to cases).

Last Reviewed: 2026-03-18