Maltego for OSINT: Graph-Based Investigation

Manish Garg
Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Maltego is the visual graph-relationship tool that turns OSINT findings into navigable intelligence. Where command-line OSINT produces lists, Maltego shows connections — the same email registered across multiple breached datasets, the corporate domain that shares an IP block with a phishing operation, the engineer whose GitHub commits reveal infrastructure paths. This article covers Maltego for security investigations in 2026, the transform ecosystem, and the workflow that turns scattered data into actionable intelligence.

The mental model

Maltego represents data as entities (a domain, an email, an IP, a person, a company) connected by relationships. Transforms take an entity and produce related entities — domain → MX records, email → breach datasets, IP → BGP ASN, person → social profiles.

The investigator starts with a seed entity, runs transforms, and progressively expands the graph. Patterns emerge that text-based research misses.

Core entity types

  • Domain Name
  • Email Address
  • IPv4 Address / Netblock
  • Person / Phone / Alias
  • Document / Image / Hash
  • Phrase / Location

Custom entity types can be defined for specific investigations (a wallet address, a Git commit hash, a Telegram channel).

Transform ecosystem

Maltego’s value is in its transform marketplace. Free and paid transforms cover:

  • Standard Maltego transforms — DNS, WHOIS, social media basics
  • Have I Been Pwned — email to breach exposure
  • Shodan / Censys — IP / domain to exposed services
  • VirusTotal — file hash / URL reputation
  • Recorded Future / Mandiant — threat-intel context (subscription)
  • Hunchly — saved-investigation context
  • Custom Python transforms via Maltego TRX framework

Practical workflow — investigating a phishing campaign

  1. Seed: the phishing URL fake-bank.com
  2. Transform: DNS A record → IP 1.2.3.4
  3. Transform: IP → reverse DNS, which sometimes reveals other domains hosted on the same IP
  4. Transform: IP → ASN / hosting provider
  5. Transform: Domain → WHOIS → registrant email
  6. Transform: Email → HaveIBeenPwned → linked breach datasets
  7. Transform: Email → social media accounts (where the registrant reused the email)
  8. Pattern emerges: the IP also hosts 47 other phishing domains; the same registrant email registered all of them; and that email is associated with a specific Telegram alias active in phishing-as-a-service forums

The investigator now has: the operator behind the campaign, their other infrastructure, their forum identity. A take-down request to the hosting provider plus reporting to law enforcement is concrete and actionable.
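The pivot chain in steps 2 to 5 above, modelled as an added illustration that is not Maltego's own code or its TRX API: entities are (type, value) pairs, transforms are functions that return related entities, and the graph records labelled edges. The DNS and WHOIS tables are constructed sample data standing in for live transforms; the final grouping by registrant email is the "same registrant registered all of them" pattern from step 8.

```python
from collections import defaultdict

# Constructed sample data in place of the DNS and WHOIS transforms;
# a real transform would query the data provider instead.
DNS_A = {
    "fake-bank.com": "1.2.3.4",
    "secure-bank-login.com": "1.2.3.4",
    "bank-verify.net": "1.2.3.4",
    "legit-shop.org": "5.6.7.8",
}
WHOIS_EMAIL = {
    "fake-bank.com": "registrant@example.test",
    "secure-bank-login.com": "registrant@example.test",
    "bank-verify.net": "registrant@example.test",
    "legit-shop.org": "admin@legit-shop.org",
}

# An entity is (type, value); each transform maps one entity to related entities.
def dns_a(entity):
    etype, value = entity
    return [("IPv4", DNS_A[value])] if etype == "Domain" and value in DNS_A else []

def reverse_dns(entity):
    etype, value = entity
    return [("Domain", d) for d, ip in DNS_A.items() if etype == "IPv4" and ip == value]

def whois_registrant(entity):
    etype, value = entity
    return [("Email", WHOIS_EMAIL[value])] if etype == "Domain" and value in WHOIS_EMAIL else []

class Graph:
    """Entities joined by (source, transform name, target) edges, as Maltego draws them."""
    def __init__(self):
        self.edges = set()

    def expand(self, entity, transform):
        targets = transform(entity)
        for target in targets:
            self.edges.add((entity, transform.__name__, target))
        return targets

def investigate(seed_domain):
    """Seed domain -> IP -> co-hosted domains -> registrant emails; cluster by registrant."""
    graph = Graph()
    for ip in graph.expand(("Domain", seed_domain), dns_a):
        for domain in graph.expand(ip, reverse_dns):
            graph.expand(domain, whois_registrant)
    by_registrant = defaultdict(set)
    for src, tname, tgt in graph.edges:
        if tname == "whois_registrant":
            by_registrant[tgt[1]].add(src[1])
    return graph, dict(by_registrant)
```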

Use cases beyond phishing investigation

  • Threat-actor profiling — start with an IoC, expand to TTP map and infrastructure overlap
  • Pre-engagement OSINT — visual map of target’s external attack surface
  • Insider threat investigation — relationship between suspect employee’s accounts, communications, transfers
  • Brand protection — visualise look-alike domains and their connections
  • Supply-chain mapping — vendor relationships and their risk surface

Pitfalls

  • Transform results are only as good as the underlying data sources. Free transforms have stale or incomplete data; paid services are richer.
  • Confirmation bias — graphs show what you look for. Note alternative explanations.
  • Operational security — Maltego transforms can leak your investigation to the data providers (querying Shodan for an IP tells Shodan which IP you are interested in). Use Maltego’s “TDS Local” transforms or anonymisation for sensitive cases.
  • Data freshness — domain registration data and breach datasets all age. Verify findings via independent sources.

Maltego CE vs Pro / Enterprise

  • Community Edition (free) — basic transforms, 12 results per transform run, limited custom transforms
  • Pro — full transform marketplace, larger result sets, commercial threat-intel integrations
  • Enterprise / Custom — team collaboration, on-premise hosting, custom transform hub for proprietary data

Compliance angle

  • SEBI CSCRF — threat-intelligence capability includes investigation tooling
  • RBI — incident response capability with forensic correlation
  • DPDP — investigations involving personal data (employee, customer) require lawful basis and minimum-data-collection discipline

The takeaway

Maltego turns scattered OSINT into structured intelligence. The visual representation reveals patterns that lists hide. For threat-intel and investigation work, Maltego combined with quality transforms is the difference between “we found some IoCs” and “we mapped the threat actor’s operation.” Investment in Pro / Enterprise pays off rapidly for serious investigative work.
