ZeroTrace OSINT
Findings — pinning, tagging, severity
Every result captured by the toolkit is a finding. Findings get tagged, scored, confirmed, and exported.
A finding is a single tool result attached to a profile. It is the atomic unit of an investigation. The toolkit lets you tag, score, confirm, and export findings — alone or in bulk.
Anatomy of a finding
When you pin a tool result to a profile, the finding captures:
| Field | What it stores |
|---|---|
| Tool | The tool that produced the result (whois-lookup, ip-geolocation, etc.) |
| Input | The exact input you gave the tool — the domain, IP, email, file, etc. |
| Output | The full structured result — every field the tool returned |
| Sources | The public sources the tool actually queried for this result |
| Warnings | Soft issues the tool surfaced — degraded source, partial result, rate-limit notice |
| Timestamp | When the tool ran |
| Severity | info / low / medium / high / critical (you set this) |
| Status | pending / confirmed / dismissed (you set this) |
| Tags | Free-text tags — anything you want |
Because findings are structured, the toolkit can sort, filter, and export them coherently.
Severity
The severity tag is information for the consumer of your report — your editor, your client, your incident-response team.
| Severity | When to use |
|---|---|
| info | Background context. Useful, but not actionable. |
| low | Minor exposure or weak signal. |
| medium | Real exposure or strong signal. |
| high | Significant finding — actionable on its own. |
| critical | Showstopper. The headline of the report. |
Severity is your judgment, not the tool's. The toolkit deliberately does not score findings for you — context belongs to the investigator.
Status
| Status | What it means |
|---|---|
| pending | Captured but not yet validated. Default. |
| confirmed | You verified the finding through a second source or independent reasoning. |
| dismissed | False positive, irrelevant, or superseded. Stays in the profile but does not export. |
The dismissed status is intentional. You do not delete dismissed findings — leaving them in the profile preserves the audit trail of what you considered and rejected.
Tags
Tags are free-form. Common patterns in practice:
- Domain or stakeholder — acme-corp, client-x, internal.
- Source quality — primary-source, circumstantial, needs-verification.
- Investigation thread — infrastructure-thread, identity-thread, documentary-thread.
- Reporting status — draft-included, cut-from-report, for-followup.
Tag aggressively at first; you can always remove later.
Tagging at the moment you pin a finding is much faster than tagging in bulk later. The friction is low and the cognitive context is fresh.
Filtering findings
Inside a profile, the finding list supports filtering by:
- Severity (multi-select).
- Status (multi-select).
- Tag (multi-select with autocomplete).
- Tool name.
- Free-text search across input and output.
Filters compose. "Confirmed + critical, tagged infrastructure-thread" gives you the report-ready showstopper findings instantly.
Bulk operations
Select multiple findings (Shift+click for a range, Ctrl/Cmd+click to add or remove one at a time) to:
- Tag in bulk.
- Set severity in bulk.
- Set status in bulk.
- Export selected findings only.
- Move selected findings to a different profile.
- Remove selected findings (cannot be undone).
Provenance and source attribution
Every finding shows which sources contributed to it. If a WHOIS lookup hit iana.org then who.is then RDAP for the registrar, the finding records all three.
This matters for two reasons:
- Reproducibility. Anyone reviewing your report can re-run the same query and verify the result.
- Source quality. If a critical finding rests on a single source, that is signal. Investigators who are about to make a strong claim want to see the source list and ask "is this enough?"
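The finding model, the composing filters, the "dismissed stays but does not export" rule and the single-source check described above, as an added Python example. It is not the toolkit's own code or schema; the field names follow the anatomy table, and the profile data is constructed for illustration.

```python
from dataclasses import dataclass, field

SEVERITIES = ("info", "low", "medium", "high", "critical")
STATUSES = ("pending", "confirmed", "dismissed")

@dataclass
class Finding:
    # Hypothetical model mirroring the anatomy table; not the toolkit's schema.
    tool: str
    input: str
    output: dict
    sources: list[str]
    severity: str = "info"
    status: str = "pending"
    tags: set[str] = field(default_factory=set)

    def __post_init__(self):
        if self.severity not in SEVERITIES or self.status not in STATUSES:
            raise ValueError(f"invalid severity/status on {self.tool} {self.input}")

def filter_findings(findings, severities=(), statuses=(), tags=(), tool=None, text=None):
    """Filters compose: every supplied criterion narrows the list (AND across criteria)."""
    needle = text.lower() if text else None
    return [
        f for f in findings
        if (not severities or f.severity in severities)
        and (not statuses or f.status in statuses)
        and (not tags or set(tags) <= f.tags)
        and (tool is None or f.tool == tool)
        and (needle is None or needle in f"{f.input} {f.output}".lower())
    ]

def exportable(findings):
    """Dismissed findings stay in the profile for the audit trail but never export."""
    return [f for f in findings if f.status != "dismissed"]

def single_source_warnings(findings):
    """High/critical findings resting on one source: the 'is this enough?' check."""
    return [f for f in findings if f.severity in ("high", "critical") and len(set(f.sources)) < 2]

# Constructed sample profile (documentation-range IP, example domains; not real data).
PROFILE = [
    Finding("whois-lookup", "example.com", {"registrar": "Example Registrar"},
            ["iana.org", "who.is", "rdap"], "critical", "confirmed", {"infrastructure-thread"}),
    Finding("ip-geolocation", "203.0.113.7", {"country": "ZZ"},
            ["geo-feed-a"], "high", "pending", {"infrastructure-thread", "needs-verification"}),
    Finding("whois-lookup", "example.org", {"registrar": "Other Registrar"},
            ["who.is"], "critical", "dismissed", {"infrastructure-thread", "cut-from-report"}),
]
```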
Findings vs. notes
Findings are structured tool results. Notes are free-text Markdown.
Use notes for hypotheses, open questions, narrative connecting findings, and editorial commentary. Notes export with the profile but do not get the same provenance treatment — they are your writing, not the toolkit's data.
A typical report-ready profile mixes both: the findings are the evidence, the notes are the argument.