ZeroTrace OSINT

Report Writing

Turn a profile full of findings into a deliverable a non-investigator can read, defend, and act on.

The toolkit produces the evidence. You produce the report. This page is the discipline that turns the former into the latter.

What a report is for

A report exists to produce one of:

  1. A decision. Should we hire / fire / engage / litigate / publish?
  2. An action. Patch this server / block this IP / remove this content / contact this regulator.
  3. A claim. This is what happened, with citations.

If your report does not produce one of those, it is notes — useful internally, not yet a deliverable.

Structure

Most reports follow a structure like:

  1. Executive summary — one paragraph, the headline.
  2. Scope and method — what you investigated and how.
  3. Findings — grouped by severity or theme.
  4. Citations — which public sources support each finding.
  5. Limitations — what the investigation could not establish.
  6. Recommendations — if the report is decision-oriented.
  7. Appendices — raw findings, full profile export, screenshots.

The toolkit's PDF export already does much of this work — cover page, severity grouping, source citations, full finding cards. Your job is to add the executive summary, the scope, and the recommendations.

Writing the executive summary

The summary is the only thing some readers will read. It must:

  • State the question.
  • State the answer.
  • Highlight the strongest finding that supports the answer.
  • Highlight the strongest finding that contradicts the answer, if any.
  • Recommend an action or a decision.

One paragraph. Five sentences. If you cannot do it in five sentences, the investigation is not done.

Write the executive summary first, before writing the rest of the report. If you cannot write it, the investigation has not actually concluded. The act of trying to write it surfaces the gaps.

Writing about evidence

Two patterns to internalise:

Distinguish observation from inference

Observation: The domain example-bank.tk was registered on 2026-04-15.

Inference: This is consistent with the targeted-phishing campaign described elsewhere in this report, which began on 2026-04-18.

The reader needs to see both. Inferences without observations are claims without evidence. Observations without inference are notes without a report.

Source every claim

Every claim of fact in the report should be traceable to a finding in the appendix or to a public source the reader can independently verify. The toolkit's PDF export carries source attribution per finding automatically; your prose should reference it ("see finding #14").

Severity in writing

Severity tags translate to prose:

| Severity | Prose framing |
|----------|---------------|
| critical | "This finding alone supports the conclusion that..." |
| high     | "This finding strongly indicates..." |
| medium   | "This finding contributes to a pattern of..." |
| low      | "This finding is consistent with..." |
| info     | "For context..." |

Match the prose to the tag. A low finding written up as if it were critical overstates; a critical finding written up as if it were info understates.

Confidence calibration

For each headline claim, state your confidence. Common framings:

  • Very high confidence — multiple independent confirmed findings; the alternative explanations are implausible.
  • High confidence — confirmed findings; the alternative explanations exist but are unlikely.
  • Medium confidence — pending findings only, or contradiction unresolved; the conclusion is the most likely interpretation.
  • Low confidence — speculative; the conclusion is one possibility among several.

Reports that uniformly claim very-high confidence are not credible. Reports that calibrate confidence to evidence are.

What to leave out

A report is not a profile. The full export of every pinned finding belongs in the appendix; the body of the report is your selection of the findings that build the argument.

Things to leave out:

  • Findings that did not survive verification. Mark them dismissed in the profile; they stay out of the export.
  • Tangents the question did not require. Save them in a separate profile for later.
  • Tool-by-tool methodology unless asked. "We performed a WHOIS lookup, then a DNS lookup, then..." is internal-process narration. The reader cares about what you found, not what tool you used.

Defamation, privacy, and right-of-reply

For any report that names a private individual or makes a claim about an organisation:

  • Right-of-reply. If the subject can be reached and the deliverable will be published, offer them an opportunity to respond. Most journalistic ethics frameworks require this.
  • Defamation risk. Statements of fact must be supportable; opinions should be clearly framed as opinions. The toolkit's source-attribution discipline supports the former.
  • Privacy. Even when the data is publicly available, aggregating and publishing it is a separate act with its own consequences. The privacy frame is sometimes stricter than the legal frame.

For high-stakes reports, get the deliverable reviewed by a lawyer before publication.

A tight discipline that helps

Before the report leaves your desk, run this checklist:

  • Every claim of fact is traceable to a source.
  • The executive summary states the question, the answer, and a recommendation.
  • Severity tags are calibrated.
  • Confidence is calibrated.
  • Tangents are out.
  • The PDF appendix is the full profile export; nothing in the body contradicts the appendix.
  • Right-of-reply offered if applicable.
  • Lawyer review if applicable.

A report that passes this checklist is ready to ship.
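
The sourcing, severity, and dismissed-finding items on this checklist can be checked mechanically before a human reads the draft. The sketch below is an added example, not part of the toolkit: it assumes the body cites findings as "finding #N" and that findings are available as a mapping of id to severity and status (a hypothetical shape, not the toolkit's export format).

```python
import re

# Prose framings from the severity table on this page, keyed by tag.
FRAMING = {
    "critical": "alone supports the conclusion that",
    "high": "strongly indicates",
    "medium": "contributes to a pattern of",
    "low": "is consistent with",
    "info": "for context",
}
REF = re.compile(r"finding #(\d+)")

def lint_report(body, findings):
    """Return (sentence_number, problem) pairs for a report body.

    findings maps id -> {"severity", "status"}; this shape is an assumption.
    """
    problems = []
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", body.strip()) if s]
    for n, sentence in enumerate(sentences, 1):
        refs = [int(i) for i in REF.findall(sentence)]
        if not refs:
            # May be an inference rather than a fact; flag it for a human.
            problems.append((n, "no finding cited"))
            continue
        framed = [t for t, phrase in FRAMING.items() if phrase in sentence.lower()]
        for fid in refs:
            f = findings.get(fid)
            if f is None:
                problems.append((n, f"finding #{fid} not in appendix"))
            elif f["status"] == "dismissed":
                problems.append((n, f"finding #{fid} is dismissed"))
            elif framed and f["severity"] not in framed:
                problems.append(
                    (n, f"finding #{fid} tagged {f['severity']}, framed as {framed[0]}"))
    return problems

# Constructed sample data, not output from the toolkit.
FINDINGS = {
    9: {"severity": "high", "status": "confirmed"},
    14: {"severity": "low", "status": "confirmed"},
    21: {"severity": "medium", "status": "dismissed"},
}
BODY = (
    "This finding alone supports the conclusion that the domain was staged "
    "for phishing (see finding #14). "
    "This finding strongly indicates shared hosting (see finding #9). "
    "The registrant address matches the shell company (see finding #21). "
    "The operator is likely based in the same region."
)

if __name__ == "__main__":
    for n, problem in lint_report(BODY, FINDINGS):
        print(f"sentence {n}: {problem}")
```

A "no finding cited" result is a prompt for review, not an error: the sentence may be a clearly framed inference rather than a claim of fact.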
