ZeroTrace OSINT
Findings, pinning, tagging, severity
Every result captured by the toolkit is a finding. Findings get tagged, scored, confirmed, and exported.
A finding is a single tool result attached to a profile. It is the atomic unit of an investigation. The toolkit lets you tag, score, confirm, and export findings, alone or in bulk.
Anatomy of a finding
When you pin a tool result to a profile, the finding captures:
| Field | What it stores |
|---|---|
| Tool | The tool that produced the result (whois-lookup, ip-geolocation, etc.) |
| Input | The exact input you gave the tool: the domain, IP, email, file, etc. |
| Output | The full structured result, every field the tool returned |
| Sources | The public sources the tool actually queried for this result |
| Warnings | Soft issues the tool surfaced: degraded source, partial result, rate-limit notice |
| Timestamp | When the tool ran |
| Severity | info / low / medium / high / critical (you set this) |
| Status | pending / confirmed / dismissed (you set this) |
| Tags | Free-text tags, anything you want |
Because findings are structured, the toolkit can sort, filter, and export them coherently.
Severity
The severity tag is information for the consumer of your report: your editor, your client, your incident-response team.
| Severity | When to use |
|---|---|
| info | Background context. Useful, but not actionable. |
| low | Minor exposure or weak signal. |
| medium | Real exposure or strong signal. |
| high | Significant finding, actionable on its own. |
| critical | Showstopper. The headline of the report. |
Severity is your judgment, not the tool's. The toolkit deliberately does not score findings for you; context belongs to the investigator.
Status
| Status | What it means |
|---|---|
| pending | Captured but not yet validated. Default. |
| confirmed | You verified the finding through a second source or independent reasoning. |
| dismissed | False positive, irrelevant, or superseded. Stays in the profile but does not export. |
The dismissed status is intentional. You do not delete dismissed findings; leaving them in the profile preserves the audit trail of what you considered and rejected.
Tags
Tags are free-form. Common patterns in practice:
- Domain or stakeholder: acme-corp, client-x, internal.
- Source quality: primary-source, circumstantial, needs-verification.
- Investigation thread: infrastructure-thread, identity-thread, documentary-thread.
- Reporting status: draft-included, cut-from-report, for-followup.
Tag aggressively at first; you can always remove later.
Tagging at the moment you pin a finding is much faster than tagging in bulk later. The friction is low and the cognitive context is fresh.
Filtering findings
Inside a profile, the finding list supports filtering by:
- Severity (multi-select).
- Status (multi-select).
- Tag (multi-select with autocomplete).
- Tool name.
- Free-text search across input and output.
Filters compose. "Confirmed + critical, tagged infrastructure-thread" gives you the report-ready showstopper findings instantly.
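To make the finding fields, the composing filters and the "dismissed stays but does not export" rule concrete, here is an added Python sketch; it is not the toolkit's own code, the names Finding, filter_findings, exportable and report_ready are assumed, the any-of semantics for multi-select filters is an assumption, and the profile data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
SEVERITIES = ("info", "low", "medium", "high", "critical")
STATUSES = ("pending", "confirmed", "dismissed")

@dataclass
class Finding:  # one tool result pinned to a profile; fields follow the anatomy table
    tool: str
    input: str
    output: dict
    sources: list
    warnings: list = field(default_factory=list)
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    severity: str = "info"     # investigator's judgment, never the tool's
    status: str = "pending"    # default until confirmed or dismissed
    tags: set = field(default_factory=set)

    def __post_init__(self):
        if self.severity not in SEVERITIES or self.status not in STATUSES:
            raise ValueError(f"bad severity/status: {self.severity}/{self.status}")

def filter_findings(findings, severities=None, statuses=None, tags=None, tool=None, text=None):
    # Filters compose: every criterion given must hold. Multi-selects match any
    # selected value (assumed semantics); free text searches input and output.
    out = []
    for f in findings:
        if severities and f.severity not in severities: continue
        if statuses and f.status not in statuses: continue
        if tags and not (f.tags & set(tags)): continue
        if tool and f.tool != tool: continue
        if text and text.lower() not in f"{f.input} {f.output}".lower(): continue
        out.append(f)
    return out

def exportable(findings):
    # Dismissed findings stay in the profile (audit trail) but never export.
    return [f for f in findings if f.status != "dismissed"]

# Constructed sample profile (placeholder values, not real lookups).
PROFILE = [
    Finding("whois-lookup", "example.com", {"registrar": "Example Registrar"}, ["iana.org", "who.is", "rdap"],
            severity="critical", status="confirmed", tags={"infrastructure-thread", "acme-corp"}),
    Finding("ip-geolocation", "192.0.2.10", {"country": "ZZ"}, ["geo-source"], warnings=["partial result"],
            severity="high", tags={"infrastructure-thread"}),
    Finding("whois-lookup", "example.net", {"registrar": "Other Registrar"}, ["who.is"],
            severity="critical", status="dismissed", tags={"infrastructure-thread"}),
]
def report_ready(findings):
    # The page's example filter, "confirmed + critical, tagged infrastructure-thread", as it exports.
    return exportable(filter_findings(findings, severities={"critical"}, statuses={"confirmed"}, tags={"infrastructure-thread"}))
```

The dismissed example.net finding matches the severity and tag filters but is filtered out by status and would be dropped by exportable in any case.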
Bulk operations
Select multiple findings (Shift+click, Ctrl/Cmd+click) to:
- Tag in bulk.
- Set severity in bulk.
- Set status in bulk.
- Export selected findings only.
- Move selected findings to a different profile.
- Remove selected findings (cannot be undone).
Provenance and source attribution
Every finding shows which sources contributed to it. If a WHOIS lookup hit iana.org then who.is then RDAP for the registrar, the finding records all three.
This matters for two reasons:
- Reproducibility. Anyone reviewing your report can re-run the same query and verify the result.
- Source quality. If a critical finding rests on a single source, that is signal. Investigators who are about to make a strong claim want to see the source list and ask "is this enough?"
Findings vs. notes
Findings are structured tool results. Notes are free-text Markdown.
Use notes for hypotheses, open questions, narrative connecting findings, and editorial commentary. Notes export with the profile but do not get the same provenance treatment; they are your writing, not the toolkit's data.
A typical report-ready profile mixes both: the findings are the evidence, the notes are the argument.