A sanctions screening hit is the start of an investigation, not the end of one. By the time a regulator asks a firm to explain its decision on a counterparty, the firm needs to have reconstructed the entity — corporate genealogy, beneficial-ownership chain, asset footprint, operational pattern of life, and digital surface — from primary public sources. The lists tell the firm that a party is sanctioned. The reconstruction tells the firm what the party actually is, who controls it, and how it moves. This briefing maps the working OSINT toolkit a sanctions analyst uses in 2026, what each tool is genuinely good for, and where the gaps sit. It is not a comprehensive directory; it is the working set we run for actual case files.
TL;DR
The sanctions analyst's working toolkit splits into five categories: vessel and aviation reconstruction (Equasis, IMO GISIS, MarineTraffic, VesselFinder, Flightradar24); corporate genealogy (OpenCorporates, ICIJ Offshore Leaks, OCCRP Aleph, national registry portals); content recovery (Wayback Machine, Archive.today); persona reconstruction (Sherlock, Mitaka, OSINT Framework); and link-analysis (Maltego Community Edition, SpiderFoot). The free tier of this stack handles the majority of routine sanctions reconstruction. Paid alternatives — Lloyd's List Intelligence, Sayari Graph, Maltego Pro — close specific gaps around vessel pattern-of-life enrichment, cross-jurisdiction graph traversal, and analyst-curated risk profiles, but should be acquired against a documented gap rather than as default. The differentiator from list-screening: these tools answer "what is this entity, and what is it connected to?" not "is it on a list?"
Why "OSINT toolkit" and "sanctions screening" are not the same question
Most published sanctions-tool overviews conflate two distinct functions. Screening is the binary check: does this name, this identifier, this vessel appear on a designated-party list? Reconstruction is the investigation: what is this entity, who controls it, what are its connections to designated parties through ownership, control, contract, or pattern of behaviour? Screening is satisfied by the lists themselves — we walk the free public list infrastructure in our companion piece Free Sanctions Lists Compared. This briefing is about the second category: the tools that reconstruct.
The 2024-2025 enforcement environment has tightened the expected standard for reconstruction. The US Treasury's GVA Capital enforcement of 2025 made the point explicit: compliance obligations are evaluated on the adequacy of the analytic record, not on the adequacy of the automated screen. A firm that screened cleanly but failed to reconstruct the ownership chain that connected its counterparty to a designated party through a chain of two or three corporate tiers is not protected by the screen. The OSINT stack below is what closes that gap.
Category 1: Vessel and aviation reconstruction
Equasis
- Free IMO-backed aggregator of vessel records, owners, operators, P&I cover, classification society, and flag history. The first tool a maritime sanctions analyst opens.[1]
- Use case: verify a tanker's current and historic flag state, registered owner, ship manager, ISM manager, technical manager, and IG P&I club membership. Flag-change history is the first indicator of shadow-fleet behaviour.
- Limits: data is provided by participating maritime authorities; coverage is excellent for International Maritime Organization-flagged tonnage and uneven for the small registries. Requires a free account for full access.
IMO GISIS
- The International Maritime Organization's Global Integrated Shipping Information System. Authoritative source for IMO numbers, ship particulars, and several modules including Ship Identification Numbers, Ship Owner, and IMO Member State Audit Scheme.[2]
- Use case: primary verification when an Equasis record conflicts with another source. GISIS is the IMO's own dataset.
- Limits: not all modules are open to the public; some require user roles delegated by member-state administrations. The public modules are sufficient for ownership and identification verification.
MarineTraffic / VesselFinder / FleetMon
- AIS broadcast aggregators with historical track replay. Free tier offers current position and limited recent history; paid tiers (or institutional access) extend to long-range historical playback.[3][4]
- Use case: pattern-of-life analysis. A tanker that turns AIS off for 48 hours near a known STS anchorage is not exhibiting a behaviour consistent with the cargo it later declares. Our 287-tanker shadow-fleet briefing walks the AIS gap-analysis methodology in detail.
- Limits: commercial AIS aggregators receive their data from terrestrial and satellite providers; coverage in remote regions is uneven. For comprehensive coverage including arctic and trans-Pacific tracks, Spire Maritime's commercial feed is the production-grade source.
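The gap check described in the use case above, as an added Python example (not this briefing's or any vendor's methodology): it flags reporting gaps of 48 hours or more and notes whether either end of the silence sits near a listed anchorage. The anchorage name, coordinates, track and 10 nm radius are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample data: the anchorage position and the track are invented.
STS_ANCHORAGES = {"EXAMPLE-ANCHORAGE": (36.50, 22.80)}
TRACK = [  # (UTC timestamp, lat, lon)
    ("2026-01-10T00:00", 36.90, 22.10),
    ("2026-01-10T06:00", 36.62, 22.65),
    ("2026-01-10T09:00", 36.52, 22.78),   # last report before the silence
    ("2026-01-12T11:00", 36.48, 22.83),   # first report after it, 50 h later
    ("2026-01-12T17:00", 35.90, 23.40),
]

def nm_between(a, b):
    """Great-circle distance in nautical miles (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3440.065 * asin(sqrt(h))

def ais_gaps(track, anchorages, min_gap=timedelta(hours=48), radius_nm=10.0):
    """Return every reporting gap >= min_gap, annotated with nearby anchorages."""
    points = sorted((datetime.fromisoformat(t), (lat, lon)) for t, lat, lon in track)
    findings = []
    for (t0, p0), (t1, p1) in zip(points, points[1:]):
        gap = t1 - t0
        if gap < min_gap:
            continue
        # An anchorage counts as nearby if either end of the silence is within radius_nm.
        near = sorted(name for name, pos in anchorages.items()
                      if min(nm_between(p0, pos), nm_between(p1, pos)) <= radius_nm)
        findings.append({
            "silent_from": t0,
            "silent_until": t1,
            "hours": gap.total_seconds() / 3600,
            "near_anchorage": near,   # empty list: a gap, but not near a listed site
            "drift_nm": round(nm_between(p0, p1), 1),
        })
    return findings

if __name__ == "__main__":
    for finding in ais_gaps(TRACK, STS_ANCHORAGES):
        print(finding)
```

A flagged gap is a lead rather than a finding: check the aggregator's receiver coverage for the area before treating the silence as deliberate.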
Flightradar24 / ADS-B Exchange / OpenSky
- Aircraft ADS-B aggregators. Flightradar24 is the most familiar; ADS-B Exchange offers unfiltered data (including aircraft on the FAA Limited Aircraft Data Display list that Flightradar24 obscures); OpenSky is the academic research-oriented archive.[5]
- Use case: tracing sanctioned-aircraft movements, identifying flight patterns inconsistent with declared business purpose, reconstructing aviation links to sanctioned principals. Particularly relevant for Russian oligarch aircraft post-2022, where ownership-and-tracking work has been a continuous public-interest investigation.
- Limits: ADS-B coverage is excellent over densely-populated airspace and poor over the polar regions and large parts of the Pacific. Aircraft with ADS-B disabled or operating below transponder altitude do not appear.
Category 2: Corporate genealogy
OpenCorporates
- The largest open database of company information, drawing on more than 140 jurisdictions. Free public search; bulk and API access on a tiered commercial basis.[6]
- Use case: first-pass cross-jurisdictional discovery of a named company. Identifies the registered jurisdiction(s), historical name changes, and links to the underlying national registry.
- Limits: reliant on jurisdictional registries that vary widely in data quality. Russian, UAE, and many offshore-jurisdiction records are limited; for Russia, native registries (EGRUL via tax-service portals, SPARK-Interfax for paid access) carry the canonical data. Following the CJEU's November 2022 ruling in Sovim, public access to EU beneficial-ownership registers has been restricted, and OpenCorporates' EU BO coverage reflects that restriction.
ICIJ Offshore Leaks
- The International Consortium of Investigative Journalists' searchable database of entities and persons named in the Panama Papers, Paradise Papers, Pandora Papers, Bahamas Leaks, and successor projects.[7]
- Use case: identifying offshore structures used by named persons. A Russian principal whose name does not appear in OpenCorporates as a director may appear in Offshore Leaks as a shareholder of a BVI or Seychelles entity.
- Limits: the data reflects the source leaks; it is not a current registry. Where ICIJ shows a person as a beneficial owner of an entity as of the leak date, that ownership may have changed. Cross-verify with current registry sources.
OCCRP Aleph
- The Organized Crime and Corruption Reporting Project's investigative document platform, indexing leaked datasets, court documents, corporate registries, sanctions lists, and the OCCRP's own reporting.[8]
- Use case: the single most useful free tool for investigative entity reconstruction. Aleph's strength is full-text search across heterogeneous document collections that no other free aggregator indexes together.
- Limits: coverage is broad but not exhaustive; the platform indexes what OCCRP and its partners have collected, not the entire investigative-records universe. Some collections require an OCCRP investigative partner account.
National registries: Companies House, EDGAR, EGRUL, and others
- The UK's Companies House, the US SEC's EDGAR, the German Unternehmensregister, the French INPI, and analogous registries in most major jurisdictions are the canonical primary sources for company filings.[9][10] For Russia, the Federal Tax Service's EGRUL (yegrul) extract is the canonical primary source; SPARK-Interfax wraps it with analytics on a paid tier.
- Use case: primary-source verification of incorporation, officers, share capital, and filings. For UK and US, free and audit-ready. For Russia, free for basic extracts but degraded UI; SPARK is the practical paid wrapper.
- Limits: beneficial-ownership coverage varies by jurisdiction; the Sovim ruling has constrained EU-wide public BO access; UAE free-zone disclosures are partial; many offshore-jurisdiction registries are not public.
Category 3: Content recovery
Wayback Machine and Archive.today
- The Internet Archive's Wayback Machine and the independent Archive.today (also accessed as archive.ph) preserve snapshots of public web pages over time.[11]
- Use case: recovering deleted corporate websites, scrubbed officer biographies, sanitised "about us" pages, and the public history of a counterparty's web presence. A Russian corporate site that announced a partnership with a sanctioned entity in 2020 and quietly deleted the page in 2022 will typically still be available in the Wayback Machine.
- Limits: not all pages are archived; crawl frequency varies; some sites block the Internet Archive crawler. Where critical evidence relies on a Wayback capture, take a fresh archive immediately on discovery to preserve the citation.
Category 4: Persona reconstruction
Sherlock and WhatsMyName
- Open-source username-enumeration tools that query a list of social media and forum platforms for a target username, returning hits where the account exists.[12]
- Use case: mapping an officer's or beneficial owner's public footprint across platforms. A handle that resolves to LinkedIn, GitHub, Telegram, VK and a defunct forum profile produces a richer picture than any single platform query.
- Limits: false positives are common; platforms vary in how aggressively they confirm or deny username existence; both tools are limited to public pages.
Mitaka and the OSINT Framework
- Mitaka is a browser extension that lets an investigator pivot from a selected string (email, IP, hash, URL, domain) to dozens of investigative search engines in a right-click menu.[13] The OSINT Framework is an open directory of investigative tools organised by data type and use case.[14]
- Use case: tactical pivots during an active investigation. Mitaka in particular saves significant time on repetitive cross-tool lookups.
- Limits: both are navigational, not analytical. They route you to the right tool; they do not analyse the result.
Category 5: Capture and link-analysis
Hunchly
- A commercial (paid) browser extension that automatically captures every page an investigator visits, hashing and timestamping each capture and supporting export to a documented evidentiary record.[15]
- Use case: chain-of-custody for sanctions and litigation files. Hunchly is widely used in the Bellingcat methodology and in regulatory work where a defensible record of what the analyst saw, and when, is required.
- Limits: paid product; alternatives are manual screenshot capture supplemented by archive.org snapshots, which scale poorly for active investigations.
Maltego Community Edition
- The free tier of Maltego, the standard link-analysis platform in OSINT investigation. Community Edition supports a constrained transform set and graph size; Pro and Enterprise tiers unlock larger graphs and additional transforms.[16]
- Use case: visualising relationships between entities — companies, officers, addresses, domains — in a way that surfaces clustering and indirect links not visible in a table view.
- Limits: Community Edition's graph-size cap is restrictive for serious reconstruction work; the free transforms are useful starters but the productive transforms tend to be paid.
SpiderFoot
- Open-source automated OSINT collection platform. Free self-hosted; commercial SaaS tier available.[17]
- Use case: automated reconnaissance against a domain, IP, email, person, or organisation. SpiderFoot will iterate through hundreds of OSINT modules and produce a structured report.
- Limits: automated collection produces volume; the analyst still has to triage. Best used as a starting-point sweep, not an investigation in itself.
Comparison matrix
| Tool | Tier | Best for | Audit-grade? |
|---|---|---|---|
| Equasis | Free | Vessel ownership and flag history | Yes (primary source) |
| IMO GISIS | Free (partial) | IMO-authoritative vessel data | Yes |
| MarineTraffic | Freemium | AIS pattern-of-life | Yes for current data; paid tier for history |
| Flightradar24 / ADS-B Exchange | Freemium / Free | Aircraft tracking | Yes for ADS-B Exchange (unfiltered) |
| OpenCorporates | Freemium | Cross-jurisdictional company discovery | Yes (links to primary registry) |
| ICIJ Offshore Leaks | Free | Offshore-structure search | Yes (with leak-date caveat) |
| OCCRP Aleph | Free (partial paid) | Investigative document search | Yes |
| Wayback Machine | Free | Content recovery | Yes |
| Sherlock | Free / OSS | Username enumeration | Indicative only |
| Mitaka | Free / OSS | Investigative pivoting | Tooling only |
| Hunchly | Paid | Evidentiary capture | Yes (chain of custody) |
| Maltego CE | Free (capped) | Link analysis | Yes (with graph export) |
| SpiderFoot | Free OSS / Paid SaaS | Automated reconnaissance | Yes if logs preserved |
Free versus paid: where the trade-off bites
Three places where commercial alternatives close real gaps:
Vessel pattern-of-life enrichment. Lloyd's List Intelligence Seasearcher, Kpler, Vortexa, Windward, and Spire Maritime each layer enrichment on top of raw AIS that the free aggregators do not provide: cargo-pair inference, STS-event detection, registered owner cross-reference, flag-state risk scoring. For a firm running active shadow-fleet exposure, one of these is normally justified once exposure crosses a meaningful operational threshold.
Cross-jurisdiction corporate graph traversal. Sayari Graph, Moody's Orbis, and Dun & Bradstreet each provide cross-jurisdictional ownership-chain traversal that the free stack (OpenCorporates plus per-registry pulls) replicates manually with significant labour. For high-volume EDD, a commercial graph product saves analyst time at a cost that is usually defensible.
Curated risk narratives. World-Check, Dow Jones, and LexisNexis each maintain analyst-curated profiles that combine sanctions hits, PEP status, adverse-media, and risk narrative in a single record. The free stack can reconstruct each of these elements; the labour to do so per counterparty is high. For mid-to-high-volume programmes, commercial PEP coverage is normally indispensable.
None of these displace the free stack. They sit alongside it. The free stack is the investigation; the commercial products are the operational efficiency. Our sanctions compliance service and the shadow fleet IMO lookup tool are built to fit alongside both, not to compete with either.
Operational discipline: what makes the tools work
Five disciplines that distinguish an effective OSINT sanctions analyst from a tool-collector:
- Hypothesis first, tools second. Open a case with a written hypothesis: "Counterparty X is a beneficial vehicle for designated person Y through corporate tiers A and B." Run the tools against the hypothesis; do not run the tools and assemble a hypothesis afterwards. Confirmation bias is the most common failure mode.
- Primary sources before aggregators. An OpenCorporates record is a useful index. The Companies House filing it references is the source. The aggregator is what gets you to the document; the document is what goes in the file.
- Capture as you go. Hunchly or its alternatives, applied throughout the investigation, eliminate the reconstruction labour at the end. Capture the page, hash it, timestamp it, log the access.
- Negative evidence is evidence. A search that returns no results is itself a finding. Document the search performed, the date, and the parameters. A regulator may later ask "did you check?"; the answer should be "yes, on this date, with these parameters, and here is the captured negative result."
- Cross-reference, do not stack. Two tools that both source from the same underlying registry are not two confirmations. They are the same confirmation. Genuine cross-reference requires sources of different provenance.
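One way to keep the capture log and negative-result record described above, as an added Python example rather than Hunchly's or this firm's own code: a hash-chained log that stores each lookup's parameters and content hash, and counts confirmations by upstream source instead of by tool. Field names and the sample case are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

def _digest(obj):
    """SHA-256 over a canonical JSON encoding of a log entry."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def record(log, *, tool, upstream, query, content, claim, when=None):
    """Append one lookup. content=None records a search that returned nothing."""
    entry = {
        "seq": len(log),
        "utc": (when or datetime.now(timezone.utc)).isoformat(),
        "tool": tool,            # what the analyst opened
        "upstream": upstream,    # where that tool's data originates
        "query": query,          # exact parameters, so the search can be repeated
        "claim": claim,          # the hypothesis element this lookup tests
        "result": "hit" if content is not None else "negative",
        "content_sha256": hashlib.sha256(content).hexdigest() if content is not None else None,
        "prev": log[-1]["entry_sha256"] if log else "0" * 64,
    }
    entry["entry_sha256"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """False if an entry was altered, reordered or cut from the middle of the chain."""
    prev = "0" * 64
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if e["seq"] != i or e["prev"] != prev or _digest(body) != e["entry_sha256"]:
            return False
        prev = e["entry_sha256"]
    return True

def independent_confirmations(log, claim):
    """Distinct upstream sources with a hit; tools sharing a registry count once."""
    return sorted({e["upstream"] for e in log if e["claim"] == claim and e["result"] == "hit"})

def sample_case():
    """Constructed case file: names, queries and page bytes are invented."""
    log, claim = [], "Y is an officer of Example Trading Ltd"
    record(log, tool="OpenCorporates", upstream="UK Companies House register",
           query="name=Example Trading Ltd", content=b"<html>index record</html>", claim=claim)
    record(log, tool="Companies House", upstream="UK Companies House register",
           query="company=00000000", content=b"%PDF officer filing", claim=claim)
    record(log, tool="ICIJ Offshore Leaks", upstream="leaked offshore records",
           query="officer=Y", content=None, claim=claim)
    return log, claim
```

Truncating the end of the log is not detectable from the log alone, so store the latest `entry_sha256` somewhere the analyst cannot rewrite, such as the case-management record.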
Closing note
The OSINT toolkit for sanctions compliance in 2026 is, in raw capability, the strongest it has ever been. The free tier alone covers vessel reconstruction, corporate genealogy, offshore-structure search, persona reconstruction, content recovery, and link analysis with a fidelity that would have required a full subscription stack five years ago. What has not changed is that the toolkit is only as good as the analyst running it. The discipline is in the hypothesis, in the documentation, in the cross-reference, and in the question every analyst should be asking before a case file is closed: if a regulator asked me to walk through how I reconstructed this entity, would I have the record to do so? The tools below produce that record. The analyst's job is to use them as if the record will be examined — because, increasingly, it will be.
Sources and further reading
1. Equasis — IMO-backed vessel information aggregator.
2. IMO Global Integrated Shipping Information System (GISIS).
3. MarineTraffic — AIS-based vessel tracking and historical playback.
4. VesselFinder.
5. ADS-B Exchange — unfiltered ADS-B aircraft tracking.
6. OpenCorporates.
7. ICIJ Offshore Leaks Database.
8. OCCRP Aleph.
9. UK Companies House.
10. US SEC EDGAR.
11. Internet Archive Wayback Machine.
12. Sherlock — open-source username enumeration.
13. Mitaka — browser extension for investigative pivoting.
14. OSINT Framework.
15. Hunchly — evidentiary capture tool.
16. Maltego (including Community Edition).
17. SpiderFoot — automated OSINT reconnaissance.
18. Bellingcat investigative resources and toolkits.
19. OpenSanctions consolidated sanctions dataset.
20. CJEU Joined Cases C-37/20 and C-601/20 (Sovim) — the 2022 judgment restricting public access to EU beneficial-ownership registers.