Loading, please wait…

Dashboard

BidzzFind

Unified OSINT Workflow: Domain → Username → Intel

Chain the best OSINT tools end-to-end for a repeatable reconnaissance workflow.

Most OSINT investigations fail not because a tool missed something, but because the investigator stopped at a single source. This guide shows you how to chain the OSINT tools inside BidzzFind — theHarvester, Sherlock, and IntelX — into one repeatable workflow. Think of it as a mini OSINT framework: each tool feeds the next.

Why chaining matters

A domain gives you email addresses. Email addresses reveal usernames. Usernames map to social profiles. Social profiles expose new emails and secondary domains. Every hop compounds — a good workflow keeps that momentum going instead of losing findings between tabs.

Step 1 — Domain surface with theHarvester

Start with the biggest surface you have: the target's primary domain. theHarvester pulls subdomains, employee emails, hosts, and IPs from public sources like crt.sh, Bing, DuckDuckGo, Shodan, and Hunter.

  • Capture every subdomain — staging boxes and forgotten services often leak the most.
  • Extract the local-part of every email (before the @) as a username candidate.
  • Note the IP ranges — they'll matter when you pivot to Shodan or SecurityTrails later.

Step 2 — Humans with Sherlock

Feed the username candidates from Step 1 into Sherlock. In a few seconds you'll see which social, developer, and forum platforms host an account under that handle. See the companion username reconnaissance guide for the full filter-and-verify playbook.

Step 3 — Deep intel with IntelX

Take the strongest emails and domains from Steps 1–2 into IntelX. IntelX searches leaks, pastes, and darknet mentions — the sources you can't casually browse. A single hit here often turns a shallow map into a real investigation.

Step 4 — Correlate and export

The last step is the one people skip: writing it down. Export each tool's results as CSV or JSON, then correlate them in a single document — one row per identity, columns for source, timestamp, and confidence. That's the difference between OSINT and gossip.

Domain surface

theHarvester → subdomains, emails, IPs

Identity map

Sherlock → social & dev profiles

Deep signals

IntelX → leaks, pastes, darknet

Ethics and scope

Only search public data, respect each platform's terms of service, and stay inside your legal authorization. A workflow is only as defensible as the paperwork behind it.

Ready to start chaining?

Kick off with a domain in theHarvester and follow the trail.

Start with theHarvester