soxoj, the mind behind Maigret and more, has been keeping, for a few months now, a curated list of MCP servers for OSINT: connectors that let an LLM talk to shodan, virustotal and the company registries of 27 countries. Five years ago a list like that wouldn’t have made sense. Today it captures a phase shift: the tools are practically the same as ever — it’s just that now they have autopilot.
It’s worth understanding what the 2026 toolbox is made of — and what, thankfully, still rests on the analyst’s shoulders.
From tools to agents
The leap of the last two years isn’t the single “souped-up” tool: it’s the shift from tools that aggregate data by hand to systems that autonomously handle chunks of an investigation. LLMs act as orchestrators: they pick the tool, read the output, decide the next step, write the report. Three concrete directions:
- processing (thousands of documents summarised, translated and categorised in seconds),
- structuring (automatic entity extraction and relationship graphs),
- orchestration (several tools chained into a single workflow, on a natural-language request).
The one methodological point that separates automation from science fiction: the agent runs real tools and reads their output. It must not generate it on a hunch.
Remember? A whois that pulls a datum from a registry is usable information; a whois “learned” by an LLM during training is hearsay.
MCP: the connector that changed the game
The Model Context Protocol is the open standard that connects tools and services to LLMs: instead of a custom integration for every tool-model pair, an MCP server exposes the tool to any client (Claude, Cursor and the like). For OSINT it’s the infrastructural turning point, and soxoj’s list (alongside searchable directories like Glama) gives a sense of the ecosystem:
| Category | MCP server (examples) | What they do |
|---|---|---|
| SOCMINT | maigret | accounts linked to a username across thousands of sites |
| Network scanning | shodan, zoomeye, dnstwist | IP recon, CVE, typosquatting, WHOIS/DNS in parallel |
| Web scraping | bright data, anysite | structured extraction from dozens of platforms |
| Company intel | openregistry, companyscope | company registries of 27 countries, aggregated public sources |
| Threat intel | virustotal, voidly | URL/file/IP/domain with relationship mapping; internet censorship by country |
Translated: the OSINT tools are the same as ever — whois, shodan, maigret, the company registries — but now they talk directly to whoever knows how to chain them. The MCP server does for the AI what the connector does for the analyst: controlled access, one tool at a time, with guardrails.
The tools that learned to talk to LLMs
On the commercial front the pattern is one: opaque AI with paid tokens (oh, and how many it burns through). Maltego has been at it for a while with sentiment analysis and the automatic entity extraction of Key Insights (what happened, who, motive, status of the event). The broader theme — how AI is reshaping OSINT — it also tackles in a paper of its own.
Other threat-intelligence platforms are increasingly baking ML into entity resolution and anomaly detection.
On the open-source front the classic frameworks hold up just fine: spiderfoot (200+ modules) and recon-ng remain the workhorses of automation. And someone’s already hooking them into the agentic loop: for SpiderFoot there’s spiderfoot-mcp, a third-party MCP server that exposes scan start, status and results as tools — so an LLM can drive it directly (it stays a wrapper over its API, you need a running instance). The novelties of the agentic generation include projects like OpenOSINT (an agent with an interactive REPL, a CLI and a built-in MCP server) and self-hosted platforms for dark-web threat intelligence that run in Docker with free LLMs.
Here the box is a bit more transparent: you see what gets run and what comes back. These are alternatives I want to test, calmly.
Keeping the LLM in-house
Whoever doesn’t trust the boxes — black or glass alike — builds the agent themselves. The documented pattern is a tool-use loop of a few dozen lines: the LLM receives the request, makes a call to a real OSINT service, reads the output, iterates (freecodecamp has a complete tutorial in Python). The lightest layer is the skills for existing agentic environments: pre-packaged frameworks for people lookup, due diligence, domain recon, to install inside the tool you already use.
On the academic front there’s even research into co-designing AI-augmented collaborative investigations (OSINT Clinic, arXiv).
There’s another way to approach the question: you can keep the LLM under your own roof. For those working on sensitive targets it’s first of all a matter of OPSEC and privacy, since this way the prompts and case data don’t end up in a cloud provider’s logs but stay on your machine. The OWASP Social OSINT Agent is a concrete example: an autonomous agent that combs X, Reddit, GitHub, Bluesky and Mastodon, runs in Docker, has an offline mode over cached data and talks to any OpenAI-compatible API — meaning you can point it at a model served locally by Ollama or LM Studio, keeping investigation data from leaking out.
How much does it cost? The bottleneck is VRAM. A 7-8B model quantised to 4-bit runs in 6-8 GB, entry-level consumer-GPU stuff; for a quantised 70B you need the 24-32 GB of an RTX 4090/5090 (around $1,600-3,800) or the unified memory of an Apple Silicon Mac. Introl’s 2025 hardware guide lets you do the maths: two RTX 5090s match an H100 on the 70B at about a quarter of the cost, and a Mac Studio M3 Ultra (from $3,999) handles on its own models that would need several cards elsewhere. Quantisation does the rest: the Q4 format cuts VRAM to a quarter, in exchange for a sliver of quality.
The outlook? The local model stays less brilliant than the frontier in the cloud — don’t kid yourself there — but for the bulk of OSINT work (summarising, extracting entities, doing a first screening) a 7-30B at home is more than enough. And the path is set: ever smaller and more capable models, quantisation and falling consumer hardware are shifting self-hosting from a tinkerer’s quirk to an operational option.
With one rule that doesn’t change: even the model running on your PC must execute the tool and read its real output, not go from memory.
The flip side
All very nice, as long as you keep three things in mind:
- The same toolbox is in the hands of hostile adversaries who know how to use it like hell: the first AI-orchestrated espionage campaign, documented by Anthropic in late 2025, chained the usual pentest tools precisely via MCP.
- The more the agent chains, the tighter the chain of custody of the information has to be kept — every claim must trace back to a source, not to a statistical completion.
- Automation, in the long run, dulls the critical faculties. There’s a lot to say on this — so much that we made it a separate article.
It holds for the models themselves too: the most recent ones carry classifiers that try to block offensive use (in other words, reconnaissance aimed at an attack) while letting the investigative and defensive kind through: so the distinction between OSINT-to-defend and recon-to-attack ends up coded into the model, not just in the terms of service. Even if it seems these controls aren’t as rock-solid as they should be, the US government has stepped in to try to curb the problem.
Final notes
These are, and must remain, tools — and for now deciding what to look for, validating what comes back and signing off the conclusion must stay tasks in the hands of the human analyst.
AI may well open and read content from a million sources in your place; what to make of it, thankfully, is still a craft — an art — to entrust to a human. With all their flaws.
And what do you think? Want to point us to other repositories of this kind? Write to us in the comments or come have a chat in the Telegram group.
Leave a Reply