ZeroTrace OSINT
Investigation profiles
The case file system that pins every finding with full provenance — name it, fill it, export it.
A profile is a named case file. Every finding you produce in the toolkit can be attached to a profile, with the tool, the input, the output, the source, and the timestamp captured at the moment the tool ran.
This is the system that makes the difference between "I ran some OSINT tools" and "I have a sourced investigation."
Creating a profile
From the dashboard:
- Click Profiles in the sidebar.
- Click New Profile.
- Name it.
Naming convention is up to you. Useful conventions in practice:
- `surname-firstname-2026-Q2` — for people investigations.
- `target-domain.com-due-diligence` — for asset investigations.
- `ticket-1234-soc-triage` — for SOC casework.
- `engagement-acme-q3` — for pentest reconnaissance.
The name is the only required field. You can add a description and tags later.
Open one profile per investigation, not one per session. A profile is a unit of work, not a unit of time. The same case might span weeks of intermittent work.
Pinning findings to a profile
Every tool that produces a result has an Add to profile action.
When you click it:
- The active profile becomes the destination automatically.
- The full result envelope is saved — input, output, sources, timestamp, warnings.
- The finding becomes pivotable: clicking it later opens the same input pre-filled.
You can attach the same finding to multiple profiles. You can also create a new profile from the attach dialog if you forgot to open one first.
What lives inside a profile
The profile detail page shows three things side by side:
| Section | What is in it |
|---|---|
| Findings | Every result you pinned, sorted by recency. Each row links back to the tool and shows the input, the source, and the headline output. |
| Targets | The unique entities — domains, IPs, emails, usernames, hashes — that appear across your findings. Click any target for a sub-graph view. |
| Notes | Free-text notes per profile. Markdown supported. Use this for hypothesis tracking ("is X the same person as Y?"), open questions, and editorial commentary. |
Tagging and severity
Each finding can be tagged:
- Severity — info, low, medium, high, critical.
- Status — pending, confirmed, dismissed.
These tags drive sorting and filtering inside the profile, and they show up in the exported report. Use them.
For SOC and threat-intel work, tagging by severity is most of the deliverable. For investigative reporting, status is more useful — confirmed vs. pending tells your editor what is publishable.
Saved searches
Inside a profile, you can save a tool input as a saved search — for example, the exact subdomain enumeration query you used on a target domain. Saved searches re-run with one click and re-attach the new findings to the profile, so you can see what changed since last week.
Saved searches are how you build a continuous investigation. Set up a profile for an ongoing target, save the five or six tool runs that matter, and re-run them on whatever cadence suits you.
Profile lifecycle
A typical profile passes through three phases:
- Open / Active — the bulk of the investigation. Findings come in from many tools.
- Reviewed — you have stopped producing new findings. You are tagging and confirming.
- Exported / Archived — the deliverable left the building. The profile stays in the toolkit as the source of record.
You never have to delete a profile. They are local files on your machine, costing nothing to keep.
Privacy
Profiles are stored locally. They are not synced to any cloud, not transmitted to ZeroTrace, not visible to anyone but the user account on your machine. Backing up the toolkit's storage directory is your job — see the storage section in Settings for the path.