ZeroTrace OSINT
How investigations work
The profile-pivot-export loop that turns the toolkit from a tool drawer into an investigation system.
ZeroTrace OSINT is a toolkit, but it is built around a workflow. Every serious investigation in the application follows the same shape:
- Open a profile — name your case file.
- Run a tool — pick the right tool for the input you have.
- Pin the finding — every result attaches to the profile with provenance.
- Pivot — click any value (IP, domain, email, hash, username) to see every other tool that takes it as input.
- Repeat — until the profile has the answer you came for.
- Export — generate a sourced PDF, JSON, or Markdown report.
Once that loop clicks, the toolkit becomes navigable. Without it, seventy tools is a paralysis trigger.
Why the profile is the unit of work
A reconnaissance tool produces a screenshot and a finding. Five tools produce five screenshots and a vague memory. Twenty tools produce a Slack thread that nobody can audit a month later.
The profile inverts this. The toolkit captures every finding at the moment it is produced, with:
- Which tool ran it.
- What input you gave the tool.
- What the tool returned.
- What public source the finding ultimately came from.
- The timestamp.
If you ever need to defend a claim — to an editor, a client, a court — every claim is one click away from its source.
Treat the profile like a notebook, not a database. Pin too much rather than too little. Findings can be tagged, marked dismissed, or removed at any time. What you cannot do is reconstruct a finding you did not capture.
The pivot graph is what makes it a toolkit
A search engine answers the question you asked. A toolkit answers the questions you would have asked next.
When you click any value in the toolkit — an IP address in a WHOIS result, an email in a username sweep, a hash in a file inspection — the pivot menu opens. It shows every other tool in the toolkit that takes that value type as input. One click sends the value to the next tool with the input pre-filled.
| Click on | Pivot menu shows |
|---|---|
| IP address | WHOIS, reverse DNS, geolocation, ASN lookup, reputation, exposed services |
| Domain | WHOIS, DNS records, certificate history, subdomain discovery, Wayback, security.txt, robots/sitemap, tech-stack analysis |
| URL | Redirect chain, URL parser, page archive, tech-stack analysis, methods test |
| Email analyzer, breach lookup (HIBP), permutator | |
| Hash | Hash type detector |
| Phone | Phone lookup |
| Username | Username sweep across thirty-plus platforms |
Pivots make the toolkit combinatorial. Twenty tools combined four ways gives you an investigation depth no single tool could.
What changes when you skip the workflow
You can absolutely use the toolkit as a standalone tool drawer — open a tool, run it, copy the result, close. Some tasks deserve that.
But:
- Without a profile, you cannot export a report.
- Without pivots, you have to copy values between tools by hand.
- Without bulk paste, you have to run one input at a time.
- Without recent runs, you cannot quickly re-check a target.
The walkthroughs in this section are about getting the profile-pivot-export muscle memory in place.
In this section
- Profiles — case files, naming, and what they preserve.
- Pivots — the cross-tool pivot graph in depth.
- Findings — pinning, tagging, severity, and confirmation status.
- Bulk paste — running hundreds of inputs through one tool.
- Exports — JSON, CSV, Markdown, and the dark-themed PDF report.