Maltego — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026

Visual link-analysis platform for OSINT — graph relationships between people, domains, IPs, and infrastructure.

Use case: OSINT · Difficulty: Intermediate · Homepage: https://www.maltego.com

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (deb)

curl -O https://maltego.com/.../maltego.deb && sudo dpkg -i maltego.deb

macOS

brew install --cask maltego

Free CE edition

Register at maltego.com/community-edition

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Launch GUI

maltego

CLI (Pro+)

maltego-cli run-machine MachineName -e entity.csv

Export graph

File → Export → CSV / GraphML / Image

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Community Edition caps at 12 results per Transform — fine for learning, blocking for real work.
  • Pro/Classic/XL tiers unlock parallel transforms — graph generation goes 10-50× faster.
  • Custom transforms via TRX (XML schema) — write your own data sources in Python.
  • Use Maltego Hub to install reputable transform sets (Have I Been Pwned, Hunter.io, Shodan) — saves manual integration.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • CE’s 12-result cap will mislead you into thinking a target has small footprint. Always cross-check with theHarvester / Amass.
  • Transforms send queries to upstream APIs — your investigation is visible to those vendors. Avoid for sensitive engagements.
  • GraphML export sometimes truncates large graphs (>5000 nodes). Use CSV for archival.
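A post-export sanity check for the first and third pitfalls, as an added example (not Maltego's or the author's code). It assumes the export is standard GraphML with edges running from the input entity to each result; `audit_export`, `build_sample` and the sample graph are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"g": "http://graphml.graphdrawing.org/xmlns"}  # standard GraphML namespace
CE_CAP = 12         # per-Transform result cap stated on this page
LARGE_GRAPH = 5000  # node count above which the page reports truncated exports


def build_sample():
    """Constructed graph: 'domain' has exactly 12 results, 'ip' has 2."""
    hosts = [f"host{i}" for i in range(12)]
    nodes = ["domain", "ip", "port80", "port443"] + hosts
    edges = [("domain", h) for h in hosts] + [("ip", "port80"), ("ip", "port443")]
    parts = ['<graphml xmlns="http://graphml.graphdrawing.org/xmlns">',
             '<graph edgedefault="directed">']
    parts += [f'<node id="{n}"/>' for n in nodes]
    parts += [f'<edge source="{s}" target="{t}"/>' for s, t in edges]
    parts.append("</graph></graphml>")
    return "".join(parts)


def audit_export(graphml_text, cap=CE_CAP, expected_nodes=None):
    """Flag signs of a capped Transform or a truncated export.

    expected_nodes is the entity count you noted in the GUI before exporting
    (assumption: you record it by hand). Parse only exports you produced.
    """
    root = ET.fromstring(graphml_text)
    node_ids = {n.get("id") for n in root.iterfind(".//g:node", NS)}
    edges = [(e.get("source"), e.get("target")) for e in root.iterfind(".//g:edge", NS)]
    out_degree = Counter(src for src, _ in edges)
    # Heuristic: an out-degree that is a multiple of the cap suggests one or
    # more Transforms stopped at the limit instead of running out of results.
    capped = sorted(n for n, d in out_degree.items() if d % cap == 0)
    # Edges pointing at nodes missing from the file indicate a cut-off export.
    dangling = sorted({x for pair in edges for x in pair} - node_ids)
    return {
        "nodes": len(node_ids),
        "edges": len(edges),
        "possibly_capped": capped,
        "dangling_endpoints": dangling,
        "truncation_risk": len(node_ids) > LARGE_GRAPH,
        "count_mismatch": expected_nodes is not None and expected_nodes != len(node_ids),
    }


if __name__ == "__main__":
    for key, value in audit_export(build_sample(), expected_nodes=16).items():
        print(f"{key}: {value}")
```

Entities listed under `possibly_capped` are the ones to re-run through theHarvester or Amass; a non-empty `dangling_endpoints` or a `count_mismatch` means the CSV export should be treated as the archival copy.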

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • SpiderFoot — open source, no graph but solid coverage.
  • Cytoscape — pure visualisation; pair with your own data.
  • Lampyre — paid, similar mission.

India context and engagement notes

For DFIR investigations on Indian breaches: Maltego graphs of attacker infra (C2 IPs, domains, certs) are court-admissible evidence in Section 65 IT Act prosecutions. Save with timestamp + investigator metadata.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
