OSINT and investigations tooling market

OSINT — open-source intelligence — is the collection and analysis of information drawn from publicly-available sources to produce actionable intelligence for national security, law-enforcement, business and journalistic decision-making [ev_001]. The tooling market that has formed around it spans (1) link-analysis platforms that fuse heterogeneous data into navigable graphs (Palantir Gotham/Foundry, Maltego, i2 Analyst's Notebook), (2) digital-forensics suites that extract OSINT from seized devices and from the open internet (Cellebrite UFED, Magnet AXIOM), (3) threat-intelligence services that productise web and dark-web telemetry into early-warning feeds (Recorded Future, Dataminr, Hudson Rock), (4) social-media-monitoring and identity-intelligence platforms purpose-built for law enforcement and corporate investigators (Babel Street, PenLink, Voyager Labs, Skopenow, ShadowDragon, Fivecast, Clearview AI), (5) infrastructure-OSINT data sources that map the public internet itself (Shodan, Censys), and (6) a deep open-source layer that supplies investigators with free automation (SpiderFoot, Maltego CE, Sherlock, Maigret, theHarvester, OWASP Amass, OSINT Framework) [ev_001,ev_002,ev_004,ev_006,ev_010,ev_026,ev_029,ev_030,ev_032,ev_033,ev_058,ev_063]. The boundary with adjacent markets is porous — threat-intelligence platforms blend into cyber-defense, facial-recognition tools blend into biometric surveillance — but the unifying axis is reliance on public-source collection rather than warranted-access or classified collection.

The market organises into four overlapping cohorts. The first is a small group of strategically-owned platform giants: Palantir (public, NYSE:PLTR, the only large pure-play left independent) [ev_002,ev_007]; Recorded Future, owned by Mastercard since December 2024 [ev_014,ev_015]; Maltego, owned by Charlesbank Capital Partners since April 2023 with reported ARR of ~USD 18.5M and three subsequent acquisitions (PublicSonar / Social Network Harvester 2024, Hunchly 2025) [ev_010,ev_011,ev_012]; i2 Group, inside Constellation Software since 2022 [ev_063]. The second cohort is the digital-forensics axis — Cellebrite (NASDAQ:CLBT, Israel) and Magnet Forensics (Waterloo, Canada; private under Thoma Bravo) which Cellebrite's own SEC disclosures name as a direct competitor alongside Babel Street, Exterro, i2 (Harris) and GrayShift [ev_006,ev_009,ev_026]. The third is the surveillance-leaning social-media / identity intelligence cohort — Babel Street (Locate X), PenLink (the rebranded Cobwebs Technologies, owned by Spire Capital; reported in 2026 to hold a ~USD 2.9M DHS Homeland Security Task Force location-data contract), Voyager Labs (under active Meta litigation since January 2023), ShadowDragon, Skopenow, Fivecast (Adelaide; recently AI-pivoted with MATRIX), Clearview AI [ev_016,ev_017,ev_018,ev_019,ev_021,ev_022,ev_023,ev_024,ev_026,ev_044,ev_045,ev_046,ev_050,ev_057]. The fourth is the data-source layer (Shodan, Censys, Hudson Rock) and the open-source / community layer (SpiderFoot 18K stars, Sherlock 85K stars, Maigret 33K stars, theHarvester 16K stars, OWASP Amass 15K stars, OSINT Framework, Bellingcat, Trace Labs) [ev_004,ev_029,ev_030,ev_031,ev_032,ev_033,ev_051,ev_059,ev_062]. Practitioner non-profits — Bellingcat (founded 2014 by Eliot Higgins) and Trace Labs — set methodology norms and produce the analyst pipeline that all four cohorts hire from [ev_005,ev_028,ev_062]. Regulatory and oversight pressure is concentrated in Senator Ron Wyden's office and the US FTC, both of which have moved against the data-broker pipelines feeding the platforms [ev_047,ev_048].

The market operates as a layered value chain. At the bottom sit data-source suppliers that scan, scrape or aggregate public surface: infrastructure scanners (Shodan, Censys), certificate-transparency aggregators (Sectigo crt.sh, CertSpotter), passive-DNS providers, breach / infostealer corpora (Hudson Rock, HIBP), social-platform scrapers and licensed data brokers (the X-Mode / Outlogic / location-data layer) [ev_004,ev_051,ev_057,ev_059]. Open-source automation libraries — SpiderFoot, Maltego transforms, theHarvester, OWASP Amass, Sherlock, Maigret — sit one layer up and act as glue: they let a single analyst orchestrate the data layer without writing custom scrapers, and they double as the recruitment funnel that brings practitioners into commercial buyers [ev_029,ev_030,ev_031,ev_032,ev_033]. Above that, commercial platforms package the same patterns into multi-seat workflows with case management, audit trails, role-based access, integration into court-admissible chain-of-custody (Hunchly, now Maltego Evidence; Cellebrite UFED; Magnet AXIOM) and reporting [ev_006,ev_012,ev_049]. The top layer is the analyst-facing UX: link-analysis graphs (Maltego, Palantir Gotham, i2 Analyst's Notebook), early-warning dashboards (Dataminr First Alert, Recorded Future), and identity-intelligence search bars (Babel Street, PenLink, Clearview AI, Voyager Labs) [ev_002,ev_010,ev_040,ev_045,ev_058,ev_063]. The 2024-2026 inflection is that generative-AI is collapsing this stack from both ends: LLMs are absorbing the open-source orchestration layer (Fivecast MATRIX [ev_044], Recorded Future GPT-style summarisation, Maltego AI partnerships) and at the same time the same models are being weaponised to fabricate the public sources analysts rely on, forcing a verification reorientation that Reuters Institute and academic literature now treat as foundational [ev_044,ev_052,ev_053,ev_054,ev_056]. Practitioner non-profits — Bellingcat, Trace Labs — operate alongside the commercial chain as a quality / methodology backstop [ev_028,ev_062].

Three reinforcing drivers explain why the market exists at the size and shape it does. First, the supply side: the public surface of the internet has scaled to a point where useful intelligence is recoverable from open sources at scale only with tooling that fuses CT logs, passive DNS, social media, court records, breach corpora, infostealer dumps, satellite imagery and location data — work that no analyst can do by hand [ev_004,ev_030,ev_051]. Second, the demand side: government national-security and law-enforcement budgets, plus corporate compliance / fraud / brand-protection budgets, both rose through the 2010s and 2020s and rewarded vendors who could deliver investigator-friendly workflows on top of these data layers [ev_006,ev_014,ev_038,ev_058,ev_060]. Third, regulatory arbitrage: classified collection is bound by warrant requirements and constitutional constraints, but commercially-purchased data has been treated by US intelligence agencies as an alternative pathway with much weaker legal friction — a position that Senator Wyden's January 2024 disclosures and the FTC's X-Mode order have begun to challenge but not yet end [ev_047,ev_048]. The result is a market in which (a) governments will pay premium prices for tooling that does what they used to need a warrant to do, (b) PE buyers see annuity-grade contracts that justify roll-ups, and (c) open-source projects continue to supply the substrate because individual practitioners need free entry points and academic / activist users will not pay enterprise prices [ev_010,ev_014,ev_019,ev_029,ev_030].

OSINT-as-a-discipline predates the modern tool market by decades, but the commercial vendor landscape has cohered in five visible waves. Wave 1 (2003-2010): Palantir founded (2003) [ev_007]; Maltego project originated as Paterva (mid-2000s); Recorded Future and Shodan launched in 2009 [ev_003,ev_004]; the discipline gained a cyber-side data backbone. Wave 2 (2014-2018): Bellingcat (2014) and its MH17 investigation (2015) put OSINT methodology in front of governments and major news desks [ev_005,ev_027]; Maltego Technologies GmbH formed as the German corporate vehicle (2017) [ev_013]. Wave 3 (2019-2022): Clearview AI surfaced and triggered the first regulator dominoes (2019-2021); ShadowDragon was exposed by The Intercept (2021) [ev_021,ev_046]; i2 moved into Constellation Software (2022) [ev_063]. Wave 4 (2023-2024) — the consolidation wave: Charlesbank bought Maltego (April 2023) [ev_010]; Spire Capital pulled Cobwebs into PenLink (July 2023) [ev_016,ev_019]; Meta sued Voyager Labs (January 2023) [ev_024]; the FTC moved on X-Mode/Outlogic, Senator Wyden released NSA data-broker documents (January 2024) [ev_047,ev_048]; Mastercard agreed to buy Recorded Future for USD 2.65B (September 2024, closed December 2024) [ev_014,ev_015]. Wave 5 (2025-2026) — the AI wave: Fivecast shipped MATRIX (Nov 2024) [ev_044]; Dataminr raised an additional USD 100M from Fortress (April 2025) [ev_038]; Maltego acquired Hunchly (May 2025) [ev_012]; the Reuters Institute declared 'AI is undermining OSINT's core assumptions' (December 2025) [ev_053]; Prism Reports surfaced a DHS-PenLink PLX location-data contract (April 2026) [ev_018]. Full dated chronology in timeline[].

Geographically the market is concentrated in three poles. The United States hosts the largest commercial pure-play (Palantir, Denver / Delaware) [ev_007], the strategic acquirer (Mastercard, New York), the regulator-watcher cluster (Wyden's office, FTC) [ev_047,ev_048], and most of the surveillance-leaning vendor universe (Babel Street in Virginia, PenLink in Nebraska, Dataminr in New York, Clearview AI, ShadowDragon in Wyoming) [ev_007,ev_017,ev_021,ev_022,ev_045]. Israel anchors the digital-forensics and identity-intelligence axis (Cellebrite in Petah Tikva, Cobwebs originally in Tel Aviv before its PenLink consolidation, Voyager Labs in Tel Aviv) [ev_006,ev_017,ev_025]. Europe contributes the link-analysis pole (Maltego in Germany, i2 in the UK) [ev_013,ev_063] and the methodology-setting non-profit (Bellingcat in the Netherlands) [ev_005]. Australia provides a fast-growing AI-OSINT challenger (Fivecast, Adelaide) [ev_042,ev_043]. Canada hosts Magnet Forensics (Waterloo) [ev_009]. The open-source layer is geographically diffuse but heavily Anglophone in maintainership (e.g. Justin Nordine for OSINT Framework, Steve Micallef for SpiderFoot) [ev_030,ev_062]. Spatial points are in geo[].

• Palantir Technologies Inc. market leader (platform — government / link analysis) NYSE-listed pure-play; Gotham + Foundry + AIP serve intelligence and law-enforcement customers worldwide.
• Maltego Technologies GmbH market leader (mid-market link-analysis / OSINT platform) Charlesbank-owned since 2023; PE-backed roll-up strategy (PublicSonar, Social Network Harvester, Hunchly).
• Recorded Future, Inc. market leader (cyber threat intelligence) Acquired by Mastercard for USD 2.65B (closed December 2024).
• Cellebrite DI Ltd. incumbent (digital forensics) Israeli NASDAQ-listed; UFED is canonical mobile-forensics platform.
• Magnet Forensics Inc. incumbent (digital forensics) Canadian; taken private 2023 by Thoma Bravo.
• Babel Street, Inc. challenger (identity intelligence / location data) Locate X platform under sustained legal and journalistic scrutiny.
• PenLink, Ltd. (formerly Cobwebs Technologies) challenger (government OSINT + lawful intercept) Spire Capital-owned; reported DHS contract April 2026.
• Voyager Labs Ltd. challenger (social media intelligence) Defendant in active Meta lawsuit filed January 2023.
• Dataminr, Inc. challenger (real-time event intelligence) NATO + US public-sector customers; USD 4.1B 2021 valuation; +USD 100M Fortress 2025.
• Fivecast challenger (AI-enabled OSINT, APAC) Australian; MATRIX generative-AI release Nov 2024.
• ShadowDragon LLC challenger (police social-media surveillance) Subject of 2021 Intercept exposé and 2025 Mozilla campaign.
• Clearview AI, Inc. challenger (facial recognition for law enforcement) >20B scraped images; multiple regulatory violations including Canada's OPC ruling.
• i2 Group incumbent (visual link analysis) Constellation Software subsidiary; long-standing law-enforcement standard.
• Shodan supplier (infrastructure-OSINT data) Foundational data source consumed by both commercial vendors and OSS.
• Censys supplier (infrastructure-OSINT data) Co-founded by J. Alex Halderman; competes with Shodan.
• Hudson Rock supplier (infostealer cybercrime intelligence) Cavalier credential database; free + paid APIs.
• Thomson Reuters CLEAR incumbent (public-records identity intelligence) EPIC FTC complaint filed January 2024.
• SpiderFoot open-source (automated OSINT) 18K GitHub stars; baseline reference for attack-surface enumeration.
• Sherlock open-source (username enumeration) 85K GitHub stars; the most-starred OSINT repository.
• OWASP Amass open-source (DNS / attack-surface) 15K GitHub stars; OWASP-stewarded.
• theHarvester open-source (email / subdomain harvesting) 16K GitHub stars.
• Maigret open-source (3000+ site dossier by username) 33K GitHub stars.
• OSINT Framework open-source (curated resource directory) Maintained by Justin Nordine.
• Bellingcat practitioner non-profit / methodology setter Founded 2014 by Eliot Higgins; MH17 and Skripal investigations.
• Trace Labs practitioner non-profit (community / CTF) Missing-persons OSINT CTF events.
• Sen. Ron Wyden regulator / oversight Lead congressional pressure on data-broker pipelines.
• Mastercard Incorporated strategic acquirer Owns Recorded Future since December 2024.
• Charlesbank Capital Partners private-equity owner Owns Maltego.
• Spire Capital Partners private-equity owner Owns PenLink (consolidated Cobwebs).
• Constellation Software Inc. strategic owner Owns i2 Group since 2022.
• Meta Platforms, Inc. platform plaintiff / counter-force Plaintiff in Meta v Voyager Labs (Jan 2023) — sets active precedent against social-media-scraping OSINT vendors.

1. 2003-05-06 Palantir Technologies Inc. incorporated in Delaware (founders Thiel/Cohen/Lonsdale/Karp/Gettings).
2. 2009-01-01 Recorded Future founded; John Matherly launches Shodan — both come to anchor the cyber-side of OSINT data sourcing.
3. 2012-01-01 Voyager Labs founded in Tel Aviv (Avi Korenblum).
4. 2014-07-01 Bellingcat founded by Eliot Higgins — public-facing OSINT methodology enters mainstream investigative journalism.
5. 2015-10-08 Bellingcat publishes 'MH17 — The Open Source Evidence' — landmark OSINT investigation establishing the methodology's geopolitical credibility.
6. 2017-01-01 Maltego Technologies GmbH founded in Germany.
7. 2019-12-01 Clearview AI's use by US law enforcement first reported, triggering global regulatory scrutiny.
8. 2021-09-21 The Intercept publishes investigation of ShadowDragon's social-media surveillance for police.
9. 2022-01-01 i2 Group becomes a wholly-owned subsidiary of Constellation Software.
10. 2023-01-12 Meta sues Voyager Labs over alleged scraping using fake Facebook accounts.
11. 2023-04-18 Charlesbank Capital Partners acquires Maltego Technologies GmbH for USD 100M+.
12. 2023-07-11 PenLink, Ltd. and Cobwebs Technologies join forces; Spire Capital becomes parent of merged entity (deal value reported ~USD 200-250M).
13. 2024-01-09 FTC orders data broker X-Mode Social / Outlogic to stop selling sensitive location data — precedent affecting OSINT vendor data pipelines.
14. 2024-01-25 Senator Ron Wyden releases documents confirming the NSA buys Americans' internet browsing records from commercial data brokers.
15. 2024-04-02 Dataminr expands NATO partnership for AI-powered real-time alerts.
16. 2024-04-15 Maltego completes PublicSonar and Social Network Harvester acquisition (rebranded Maltego Monitor / Evidence).
17. 2024-08-23 PenLink announces Peter Weber as new CEO.
18. 2024-09-12 Mastercard announces USD 2.65B acquisition of Recorded Future from Insight Partners.
19. 2024-11-19 Fivecast releases MATRIX — generative-AI capability for large-scale OSINT risk assessments.
20. 2024-12-20 Mastercard completes Recorded Future acquisition.
21. 2025-04-24 Dataminr announces USD 100M investment from Fortress.
22. 2025-05-19 Maltego acquires Hunchly — adds browser-capture / evidence-preservation tool to platform.
23. 2025-12-12 Reuters Institute publishes 'AI is undermining OSINT's core assumptions' — reframes verification orthodoxy for the LLM era.
24. 2026-04-29 Prism Reports reveals DHS Homeland Security Task Force contract with PenLink PLX (~USD 2.9M) for real-time location data.

Sizing estimates disagree by a factor of three depending on scope (pure-OSINT vs OSINT-adjacent threat intel + investigations), so any single number should be treated with caution. Mordor Intelligence puts the OSINT market at USD 18.2B in 2025, USD 21.06B in 2026, and USD 43.49B by 2031 at a 15.62% CAGR [ev_034]. SNS Insider gives USD 11.11B in 2024 → USD 63.23B by 2032 [ev_036]. Market Research Future projects USD 76.81B by 2035 [ev_037]. GMInsights offers the most aggressive forecast — USD 15.9B in 2026 → USD 133.6B by 2035 at a 26.7% CAGR [ev_035]. Triangulating across these, a defensible mid-point view is that the addressable market is on a 15-20% CAGR through the late 2020s and grows by roughly a factor of 3 by 2031. Concentration is mid-to-high at the top: Palantir, Mastercard's Recorded Future, Cellebrite, Magnet, Charlesbank's Maltego, Spire's PenLink, Thomson Reuters CLEAR, and i2 inside Constellation now account for the great majority of disclosed enterprise contracts [ev_002,ev_006,ev_010,ev_014,ev_015,ev_017,ev_026,ev_060,ev_063]. The market is bifurcating: a 'platform' tier (Palantir / Maltego / Recorded Future / i2) that buyers procure as multi-year contracts, and a 'point tool' tier (Hunchly, ShadowDragon, Skopenow, Fivecast, Hudson Rock) that buyers stack alongside the platform.

Size

USD 18.2B (2025) → USD 43.49B (2031) per Mordor Intelligence; competing forecasts range USD 11-22B today to USD 63-133B by 2031-2035 [ev_034,ev_035,ev_036,ev_037].

Segments

Link-analysis platforms (Palantir, Maltego, i2) · Digital forensics (Cellebrite, Magnet) · Threat intelligence (Recorded Future, Hudson Rock, Dataminr) · Identity intelligence / social-media monitoring (Babel Street, PenLink, Voyager Labs, ShadowDragon, Skopenow, Fivecast) · Facial recognition (Clearview AI) · Infrastructure-OSINT data sources (Shodan, Censys) · Public-records / investigations (Thomson Reuters CLEAR) · Open-source automation (SpiderFoot, Sherlock, Maigret, theHarvester, OWASP Amass, OSINT Framework) · Practitioner non-profits / community (Bellingcat, Trace Labs)

Dynamics

Three concurrent dynamics: (1) PE-led consolidation in the commercial mid-market (Charlesbank / Maltego, Spire / PenLink, Thoma Bravo / Magnet) and strategic acquisition at the top (Mastercard / Recorded Future) [ev_010,ev_014,ev_017]; (2) a generative-AI feature war across every commercial vendor with Fivecast, Maltego and Recorded Future leading early productisation [ev_044,ev_052,ev_053,ev_054]; (3) sustained regulatory pressure in the United States on the data-broker pipelines that supply the location-data and identity layer, with FTC enforcement (X-Mode/Outlogic) and congressional disclosure (Wyden) as the visible vector [ev_047,ev_048].

Through 2027 the market is very likely to continue its 15-20% CAGR trajectory and to see further large-cap consolidation — additional strategic acquirers (a payments, cloud or defense major buying a second top-tier OSINT name) are roughly an even chance, while at least one more PE roll-up of the Maltego / PenLink kind is likely. Generative-AI capability is very likely to be the dominant procurement criterion in commercial RFPs by end-2026, and analyst-facing verification stacks (provenance, chain-of-custody, court-admissibility) are likely to become a parallel must-have as synthetic content erodes traditional OSINT verification assumptions [ev_044,ev_053,ev_056]. New US federal restrictions on commercially-purchased location and identity data — beyond the 2024 FTC X-Mode order — have a roughly even chance of landing in the next 24 months given Wyden-led pressure but face uncertain bipartisan appetite [ev_047,ev_048]. Open-source projects are very likely to remain the demand floor: Sherlock-class repos continue to grow at GitHub-platform-typical rates and act as the recruitment funnel into commercial buyers [ev_029,ev_031]. The single largest downside risk to the trajectory is a high-salience legal or compliance ruling against a Locate-X-style commercial-data pipeline that prices US public-sector buyers out of the segment [ev_047,ev_048,ev_057].