Maltego is one of the most widely used graph analysis platforms for OSINT. It draws relationships between people, domains, infrastructure, social networks and leaks, pulling from open sources and commercial APIs onto a single interactive graph. It was created by Paterva in South Africa in 2007, is maintained today by Maltego Technologies GmbH (Munich) and has become a de facto standard for Red Team reconnaissance, threat intelligence, corporate due diligence and law enforcement work.
This guide explains what Maltego is in concrete terms, how a graph is built (entities, transforms and machines), the four versions, the data hubs that matter most, real use cases in Red Team and CTI, open source and commercial alternatives, and the legal aspects any serious team reviews before launching an investigation with this tool.
What Maltego is
Maltego is a Java desktop application that lets you build relationship graphs from public information or information acquired via API. Each node in the graph is an entity (person, email, domain, IP, organisation, social media handle, hash, URL) and each edge is a relationship obtained by executing a transform: a function that takes an entity and returns other related entities.
What separates it from a script of Google Dorks or a pile of direct API queries is that Maltego keeps every result on one navigable graph: right-click an email and run "domains where this email appears", three domains appear; right-click each domain and run "subdomains", 27 subdomains appear; repeat against each one until, in minutes, you have a map of the asset under investigation with every pivot recorded as an edge.
What it brings operationally:
- Visualisation of complex relationships without writing code.
- Repeatability: the graph is saved and shared, another analyst can continue.
- Single connector to dozens of sources (WHOIS, Shodan, VirusTotal, Have I Been Pwned, Pipl, BuiltWith, GreyNoise, AlienVault OTX, Censys, social networks).
- Custom transforms: local transforms run any executable on the analyst's machine (Python via the maltego-trx library is the usual choice) and return XML on stdout; remote transforms are served over HTTP through a Transform Distribution Server (TDS/iTDS) so a whole team can share them.
- Case-management mode (Casefile) to annotate, tag and export as formal evidence.
It is not magic: Maltego does not discover data that is not in some accessible source. Its value is in chaining sources and leaving the path documented.
The four versions of Maltego
The product has four editions with differences that matter for professional work.
Maltego Community Edition (CE)
Free, for non-commercial use. Returns at most 12 results per transform run and requires a registered free account. Useful to learn the tool and for small ad-hoc investigations. Not suitable for billable professional audits.
Maltego Pro
Individual commercial licence. Without the 12-entity limit, includes premium transforms, advanced export and support. The version most Red Teamers and freelance CTI analysts use.
Maltego Enterprise
For teams. Adds multi-user collaboration, centralised access control, SAML/SSO integration, licence management and auditable data retention. Required in public bodies, banking and corporates running formal internal investigations.
Maltego Casefile
Paid version specialised in case management: timelines, attached evidence, exportable to legal packages. Used by compliance, anti-fraud and law enforcement units.
There was also a free "Classic CE" version before 2020 that lost functionality when Paterva pivoted to SaaS and CTAS Hub integration. A lot of old material online references transforms that no longer exist in Community Edition.
How it works: entities, transforms and machines
Three concepts cover 90% of the product.
Entities. The types of information Maltego knows how to represent. The standard library brings more than 60 (Person, Email Address, Phone Number, Domain, DNS Name, IP Address, Netblock, Document, URL, Phrase, Hash, Twitter Handle, Facebook Object, GitHub User, AWS Account ID, etc.) and commercial hubs add hundreds more (Cryptocurrency Wallet, Telegram Channel, Have I Been Pwned breach, Shodan service, VirusTotal sample). Each type has its own icon and specific properties.
Transforms. The functions that turn one entity into others. For example, a DNS transform such as [CTAS] To DNS Names from Domain takes a domain and returns the DNS names found under it (the hub that provides a transform appears in brackets in the menu). The transform [Have I Been Pwned] Get breaches for Email Address takes an email and returns the breaches it appears in. They run from the right-click menu on the entity or from the transforms bar in the menu.
Machines. Automated sequences of transforms, written in Maltego Scripting Language (MSL). The standard machine "Footprint L1" starts from a domain and automatically runs DNS, WHOIS, MX, NS, subdomain and listening-service transforms with one click; Footprint L2 and L3 go deeper and consume more queries. Standard machines are included and you can define custom ones.
The typical workflow is: drag the initial entity onto the canvas, run a machine or several successive transforms, manually prune the irrelevant, repeat against promising nodes until the graph tells a useful story for the case.
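As an added example (not Maltego's own code and not from the original page), here is a minimal local transform in plain Python that follows the local-transform calling convention: Maltego passes the entity value as the first command-line argument and any additional entity fields as a `key=value#key=value` string in the second, and reads a MaltegoTransformResponseMessage XML document from stdout. The DNS data is a constructed in-memory table standing in for a real lookup. Entity values arrive from the graph and may be attacker-controlled (a name scraped from a web page, a SAN on a hostile certificate), so the XML is built with ElementTree rather than string formatting.

```python
#!/usr/bin/env python3
"""Minimal Maltego local transform in plain Python (added example, no maltego-trx).

Maltego invokes a local transform as a command line:
    python3 to_dns_names.py <entity value> [<field>=<value>#<field>=<value>...]
and expects a MaltegoTransformResponseMessage XML document on stdout.
Input entity: maltego.Domain. Output entities: maltego.DNSName.
"""
import sys
from xml.etree import ElementTree as ET

# Constructed offline table standing in for a DNS / passive-DNS source.
# In a real transform this is where the API call goes.
SAMPLE_DNS = {
    "example.com": ["www.example.com", "mail.example.com", "vpn.example.com"],
    "example.org": ["www.example.org"],
}


def parse_fields(raw):
    """Parse Maltego's additional-field string 'k=v#k=v'; a literal '#' arrives as '\\#'."""
    fields = {}
    if not raw:
        return fields
    for pair in raw.replace("\\#", "\x00").split("#"):
        pair = pair.replace("\x00", "#")
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields


def lookup_dns_names(domain, source=SAMPLE_DNS):
    """Return the DNS names known for a domain, case-insensitive and deduplicated."""
    return sorted(set(source.get(domain.strip().lower().rstrip("."), [])))


def build_response(entity_type, values, weight=100, messages=()):
    """Serialise results as Maltego's XML response.
    ElementTree escapes text and attributes, so a hostile entity value pulled
    off the graph cannot break out of the XML or inject extra entities."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for value in values:
        ent = ET.SubElement(entities, "Entity", Type=entity_type)
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = str(weight)
    ui = ET.SubElement(resp, "UIMessages")
    for msg in messages:
        ET.SubElement(ui, "UIMessage", MessageType="Inform").text = msg
    return ET.tostring(root, encoding="unicode")


def run(argv):
    """Entry point: argv exactly as Maltego passes it. Returns the XML response."""
    if len(argv) < 2:
        return build_response("maltego.DNSName", [], messages=["no entity value received"])
    domain = argv[1]
    fields = parse_fields(argv[2] if len(argv) > 2 else "")
    names = lookup_dns_names(domain)
    note = f"{len(names)} DNS name(s) for {domain} ({len(fields)} extra field(s) received)"
    return build_response("maltego.DNSName", names, messages=[note])


if __name__ == "__main__":
    sys.stdout.write(run(sys.argv))
```

Register the script in the client as a local transform with `python3` as the command, the script path as its parameter and maltego.Domain as the input entity; the UIMessage shows up in the transform output pane, which is the right place for "0 results" explanations that would otherwise be read as a silent failure.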
Hubs and data sources that matter
Maltego's value depends directly on which sources it is connected to. The most relevant hubs in serious investigations in 2026:
- Maltego Standard Transforms (CTAS). Included in any licence. Cover DNS, WHOIS, email search, public social networks, coordinate translation and other basics.
- Have I Been Pwned. Breaches associated with an email or domain. Essential for due diligence and to verify exposure pre-pentest.
- Shodan. Services exposed to the internet, certificates, banners. Essential in reconnaissance for infrastructure pentesting.
- VirusTotal. Samples, domains, malicious IPs. Used in threat intelligence to pivot between IoCs.
- Censys. Alternative or complement to Shodan, with better coverage of TLS certificates.
- AlienVault OTX, MISP, Recorded Future, ThreatConnect. CTI platforms that enrich entities with known threat context.
- GreyNoise. Distinguishes internet noise traffic (mass scanners) from potentially targeted traffic.
- WhoisXML, DomainTools, RiskIQ PassiveTotal (now Microsoft Defender Threat Intelligence). Historical WHOIS and passive DNS resolution for time-based investigations.
- Pipl, IPQualityScore, Hunter.io. People and email enrichment. Pipl in particular has a reputation as the reference in people investigation, with high cost and legal restrictions depending on jurisdiction.
- Social Links, Datawalk. Powerful commercial hubs for SOCMINT (social media intelligence).
- Have I Been Sold, Snusbase, Dehashed. Raw breaches with cracked material. Their ethical use depends heavily on jurisdiction and on the contractual framework of the work.
Almost every hub is paid (credits per query or annual subscription). A professional investigation typically combines 4 to 8 hubs; a Red Team doing reconnaissance on a B2B client usually activates CTAS plus Shodan, VirusTotal, Have I Been Pwned, Hunter.io and a SOCMINT hub.
Use cases in Red Team
In the reconnaissance phase of a Red Team exercise, Maltego chains what would otherwise be 30 manual searches:
- Start from the client's domain. Run the Footprint L2 or L3 machine.
- The machine returns subdomains, MX and TXT records, IPs, netblocks and TLS certificates.
- Cross TLS certificates against Censys: other domains owned by the same client that the marketing department never declared to the CISO appear.
- Pivot to Hunter.io from the domain: public corporate emails.
- Cross emails with Have I Been Pwned: past breaches, potentially reused credentials.
- Pivot to LinkedIn via a SOCMINT hub: key employees, org chart.
- Cross-reference employee names and handles with code-hosting and document searches: leaked documents, accidental corporate GitHub repos.
- Pivot to Shodan from IPs: exposed services, admin panels, detectable WAFs, software versions.
- Final result: a graph with ghost domains, emails with leaked credentials, GitHub repos with secrets and forgotten external services.
What an experienced Red Team maps in about 4 hours with Maltego takes around 2 days with loose scripts. And the resulting graph goes to the client as an annex to the report, which gives the CISO a concrete list of shadow IT to audit.
Use cases in threat intelligence
The CTI team uses Maltego differently. They start from an IoC (a hash, a C2 domain, a Bitcoin address) and expand the adversary's infrastructure:
- Hash of a received ransomware sample.
- VirusTotal returns contacted domains, IPs, related samples.
- Pivot to Censys: other hosts presenting certificates with the same fingerprint, or the same unusual subject and issuer pattern.
- Pivot to passive DNS: history of resolutions for each domain.
- Pivot to cryptocurrency wallet investigation if there is extortion.
- Result: campaign map with adversary assets that can be blocked proactively.
This activity feeds the TTP-driven flow of threat hunting: the validated IoCs become SIEM or EDR queries to check whether the adversary is already in your own environment, after filtering out the shared infrastructure (CDNs, public resolvers, sinkholes) that VirusTotal and passive DNS pivots drag in.
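The last step above, turning pivoted findings into detection content, as an added example that is not Maltego's code and not from the original page. It assumes a two-column export (entity_type,value) from the graph, which is a constructed layout to adapt to whatever your own export produces; the IoC rows and the benign allowlist are constructed, and the one real value is the EICAR test file's MD5. It validates every value (a malformed IP or a non-hash from a noisy pivot must not reach production queries), drops the shared infrastructure allowlisted as benign, and emits KQL for Microsoft Defender Advanced Hunting plus a Sigma rule for the DNS part.

```python
"""From Maltego pivots to detection queries (added example, not Maltego code).

Input: entity_type,value rows in a constructed CSV layout (adapt the column
names to your graph export). Output: KQL for Defender Advanced Hunting and a
Sigma rule dict for the DNS part, both built only from validated IoCs.
"""
import csv
import io
import ipaddress
import re

# Constructed sample export. 44d88612... is the EICAR test file's MD5.
SAMPLE_CSV = """entity_type,value
maltego.Domain,update-service.example.net
maltego.Domain,example.net
maltego.IPv4Address,203.0.113.45
maltego.IPv4Address,8.8.8.8
maltego.IPv4Address,999.1.1.1
maltego.Hash,44D88612FEA8A8F36DE82E1278ABB02F
maltego.Hash,not-a-hash
"""

# Constructed allowlist: shared infrastructure that VT / passive DNS pivots drag in.
BENIGN = {"8.8.8.8", "example.net"}

HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(entity_type, value):
    """Return (kind, normalised value) for a usable IoC, or None to drop it."""
    v = value.strip().lower()
    if v in BENIGN:
        return None
    if entity_type == "maltego.IPv4Address":
        try:
            ipaddress.IPv4Address(v)
        except ValueError:
            return None
        return ("ip", v)
    if entity_type == "maltego.Domain" and DOMAIN_RE.match(v):
        return ("domain", v)
    if entity_type == "maltego.Hash" and HASH_RE.match(v):
        return (HASH_KIND[len(v)], v)
    return None


def load_iocs(csv_text):
    """Parse the export and bucket validated, deduplicated IoCs by kind."""
    iocs = {"ip": [], "domain": [], "md5": [], "sha1": [], "sha256": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = classify(row["entity_type"], row["value"])
        if hit and hit[1] not in iocs[hit[0]]:
            iocs[hit[0]].append(hit[1])
    return iocs


def kql_list(values):
    return ", ".join(f'"{v}"' for v in values)


def to_kql(iocs):
    """One Advanced Hunting query per table, only for kinds that have IoCs."""
    queries = {}
    if iocs["ip"]:
        queries["network_ip"] = f'DeviceNetworkEvents | where RemoteIP in ({kql_list(iocs["ip"])})'
    if iocs["domain"]:
        queries["network_domain"] = f'DeviceNetworkEvents | where RemoteUrl has_any ({kql_list(iocs["domain"])})'
    hash_clauses = [f'{col} in ({kql_list(iocs[kind])})'
                    for kind, col in (("md5", "MD5"), ("sha1", "SHA1"), ("sha256", "SHA256"))
                    if iocs[kind]]
    if hash_clauses:
        queries["file_hash"] = "DeviceFileEvents | where " + " or ".join(hash_clauses)
    return queries


def to_sigma_dns(iocs, title="Maltego pivot: suspected C2 domains"):
    """Sigma rule (as a dict ready for YAML) matching DNS queries for the domains."""
    return {
        "title": title,
        "status": "experimental",
        "logsource": {"category": "dns_query", "product": "windows"},
        "detection": {"selection": {"QueryName|endswith": list(iocs["domain"])},
                      "condition": "selection"},
        "level": "high",
    }


if __name__ == "__main__":
    found = load_iocs(SAMPLE_CSV)
    for name, query in to_kql(found).items():
        print(f"{name}: {query}")
    print(to_sigma_dns(found))
```

The allowlist is the part that needs the most care: a VirusTotal pivot on a sample routinely returns the domains of update servers, CDNs and public resolvers, and a Sigma rule or KQL query built without that filter floods the SOC with benign hits on day one.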
Use cases in corporate due diligence
Before signing with a provider, merging with a company or investing, Maltego maps:
- Public corporate structure (subsidiaries, shareholders, corporate registries).
- Digital reputation of the leadership team (media appearances, social networks, past breaches).
- Digital exposure of the target company (forgotten subdomains, employee breaches, corporate GitHub repos).
- Reputational risks (litigation, sanctions, connections with risk jurisdictions).
The deliverable is usually a graph-based report that accompanies classical legal and financial due diligence.
Maltego compared to open source alternatives
Not everyone needs or can pay for Maltego Pro. The most used alternatives:
- SpiderFoot. Open source, CLI mode or Web UI. Covers hundreds of sources, runs unattended investigations. Less visual than Maltego, better for automation in pipelines.
- theHarvester. Open source, CLI. Specialised in enumeration of emails, subdomains and banners. Essential in any Red Team toolkit, complementary to Maltego.
- Recon-ng. Open source, modular framework like Metasploit. Ideal for builders who want to automate transforms without paying for hubs.
- OSINT Industries, Skopenow, ShadowDragon SocialNet. Commercial, oriented to people investigation, heavily regulated by jurisdiction.
- i2 Analyst's Notebook (IBM). Commercial, dominant in classical law enforcement. More expensive, better for complex financial fraud investigations, with a steeper learning curve.
A realistic stack for a boutique on a typical Red Team project: Maltego Pro + theHarvester + SpiderFoot + custom scripts. Each tool covers a different phase and the result consolidates into the Maltego graph for delivery.
Limitations and common mistakes
Maltego has real limitations worth accepting.
Cost per query. Most hubs charge per credit. A large investigation can burn hundreds of euros in a session if not planned.
Transform rate limits. Hubs impose rate limits. Running Footprint L3 against a large domain can take long and cost a lot. The practice is to go in layers: L1, examine results, then L2 on promising nodes.
Dependency on external sources. If Have I Been Pwned or Shodan goes down, part of the graph won't complete. Good operators keep fallbacks in open source tooling.
Noise. Graphs grow fast. Without discipline, they end up with thousands of irrelevant nodes. The analyst's skill is in pruning what doesn't help before expanding further.
Social media data in flux. The APIs of X/Twitter and Meta (Facebook, Instagram) have changed a lot since 2023. Transforms that worked in 2019 courses return nothing today. Always verify that the active hubs are still alive.
The "everything is OSINT" trap. Some hubs combine bought data, cracked data and legitimately open data. Knowing what you're querying matters for legal and ethical reasons.
Legal aspects in the EU
An investigation with Maltego can move personal data (emails, profiles, breaches) and that falls under GDPR and national data protection law, depending on the use case.
Rules any serious team applies:
- Documented legal basis. For corporate clients, contract and specific written authorisation for OSINT reconnaissance on the organisation (not only on IPs). For own investigations, well-argued and registered legitimate interest.
- Data minimisation. Only personal data strictly necessary for the declared objective is collected. Mass employee breaches are queried with limits, not exfiltrated whole.
- Retention. The graph and exports are deleted after the project lifecycle, except for legal obligation to the contrary (litigation, judicial requests).
- Care with cracked data. Hubs like Snusbase or Dehashed return passwords in cleartext from past breaches. Their use for a legitimate, authorised security purpose is defensible; trying those credentials against anything outside the authorised scope, or any other secondary use, is likely a criminal offence.
- EU subjects. If the target is an EU natural person, GDPR applies to the investigator even if the server is in another jurisdiction.
- Client outside the EU. Even with a US client, if the investigated employees or infrastructure are in the EU, GDPR applies to the processing.
- Internal transparency. Internal corporate OSINT investigations require prior information to employees and to the works council where applicable.
Typical misuse to avoid: investigating a partner, neighbour or competitor without a documented legal framework. Beyond the ethical problem, it exposes the investigator to serious administrative sanctions and potential criminal consequences.
Practical setup step by step
How to get started with Maltego without wasting hours on friction:
- Choose a version. Pro if you plan to bill, CE to learn. Enterprise only if your organisation demands SSO and central management.
- Create an account and download the client. Java included in the modern installer.
- Activate standard CTAS hubs. Included at no extra cost.
- Activate 2-3 key hubs depending on the work: Shodan, Have I Been Pwned and VirusTotal cover most Red Team needs. Hunter.io adds email enrichment. SpiderFoot HX integrated as a hub if you want the unattended engine.
- Configure API keys. Each hub asks for its own key; centralising them in a password manager (1Password, Bitwarden) makes rotation easier.
- Run a test graph against your own domain to understand the flows without risk.
- Build your first Casefile. Helps internalise the discipline of notes and findings before a real engagement.
Reasonable curve to be professionally useful: 1-2 weeks part-time. For fluent mastery and building custom machines: 2-3 months of intensive use.
How to defend against a Maltego investigation
Maltego is not invasive in the classical sense (it doesn't exploit anything, doesn't attack assets). Nearly all of its queries go to third parties (Shodan, passive DNS providers, commercial APIs, social networks), so the target sees essentially nothing; only live DNS resolutions reach the target's name servers, and those are indistinguishable from normal traffic. Defence is hygiene, not detection.
Good practices that reduce the OSINT surface against an organisation:
- Audit your own subdomains and TLS certificates every 6-12 months. Trim what is not used.
- Sanitise corporate GitHub repos: secret scanning, rotated secrets, deleted old branches.
- Social media policy: minimum viable for sensitive roles (CISO, CFO, CTO).
- Training for employees on impersonation: if Maltego identifies the hierarchy, an attacker already has a target for spear phishing.
- Monitoring of homograph and typosquatting domains.
- Periodic OSINT Red Team exercise that documents exactly what information leaks and to whom to warn.
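Two passages of this page, the Censys certificate cross-check in the Red Team workflow and the subdomain/TLS audit in the list above, rest on the same fact: Certificate Transparency logs record every publicly issued certificate, so they list hosts the organisation has forgotten. The following added example (not from the original page, not Maltego code) performs that check offline. It assumes CT records in the JSON shape crt.sh returns (name_value with newline-separated names, not_after for expiry); the records, the inventory and the fixed clock are constructed.

```python
"""Find undeclared hosts from Certificate Transparency data, offline (added example).

Input: CT records with the field names crt.sh returns as JSON (name_value holds
newline-separated SANs, not_after the expiry). The records below are constructed.
Output: names present in CT but absent from the declared inventory, classified.
"""
from datetime import datetime, timezone

APEX = "example.com"

# Constructed inventory: what the organisation believes it exposes.
INVENTORY = {"www.example.com", "example.com", "mail.example.com"}

# Constructed CT records in crt.sh JSON shape (only the fields used here).
SAMPLE_CT = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_after": "2025-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "staging-old.example.com",
     "name_value": "staging-old.example.com", "not_after": "2023-05-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_after": "2026-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "portal.example-partner.net",
     "name_value": "portal.example-partner.net\nvpn.example.com", "not_after": "2026-09-01T00:00:00"},
]

# Fixed clock so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def normalise(name):
    return name.strip().lower().rstrip(".")


def in_scope(name, apex):
    return name == apex or name.endswith("." + apex)


def collect_names(records):
    """Map every SAN seen in CT to the latest not_after of a certificate naming it."""
    seen = {}
    for rec in records:
        expiry = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        for raw in rec["name_value"].split("\n"):
            name = normalise(raw)
            if name and (name not in seen or expiry > seen[name]):
                seen[name] = expiry
    return seen


def find_shadow_assets(records, inventory, apex, now):
    """Names in CT that the inventory does not declare.
    kind: 'undeclared' (under the apex: the classic forgotten subdomain),
          'wildcard'   (CT alone cannot enumerate what sits behind it),
          'other-domain' (a SAN outside the apex on the same certificate:
                          verify ownership, often a forgotten brand domain).
    expired=True means no valid certificate names the host any more: usually a
    decommissioned service whose DNS record may still dangle."""
    declared = {normalise(n) for n in inventory}
    findings = []
    for name, expiry in collect_names(records).items():
        if name in declared:
            continue
        if name.startswith("*."):
            kind = "wildcard"
        elif in_scope(name, apex):
            kind = "undeclared"
        else:
            kind = "other-domain"
        findings.append({"name": name, "kind": kind, "expired": expiry < now,
                         "last_not_after": expiry.date().isoformat()})
    return sorted(findings, key=lambda f: (f["kind"], f["name"]))


def demo():
    return find_shadow_assets(SAMPLE_CT, INVENTORY, APEX, NOW)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:13} {f['name']:28} expired={f['expired']} "
              f"last_not_after={f['last_not_after']}")
```

Run against real data, the "other-domain" bucket is where the marketing-owned domains nobody declared to the CISO show up, and the expired "undeclared" names are the first candidates for a dangling-DNS check before an attacker claims them.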
Frequently asked questions
Is Maltego legal in the EU?
Yes. The tool is legal and used by administrations, security forces and companies. What requires supervision is the specific use: queries to sources with personal data have to comply with GDPR. A corporate investigation with a contractual basis and data minimisation is defensible; a personal investigation without a legal framework is not.
How much does Maltego Pro and the hubs cost?
Maltego Pro is an annual individual licence. Commercial hubs are paid per subscription or per credit. A mid-range stack for a professional Red Teamer runs into several thousand euros a year between licence and active hubs, without entering Enterprise plans. The official page keeps prices up to date.
Difference between Maltego Casefile and Pro?
Pro is the analysis tool for agile use. Casefile adds formal case management on top of Pro: timelines, evidence custody, legal export. Used by fraud, anti-money laundering and law enforcement units.
Which hub is worth paying for first?
Depends on the work. For Red Team and pentest: Shodan plus Have I Been Pwned. For CTI: VirusTotal Premium plus AlienVault OTX. For SOCMINT and due diligence: Hunter.io plus Pipl or equivalent. Starting with at most 2-3 hubs and expanding based on real need avoids spending before knowing what falls short.
Does Maltego replace SpiderFoot, theHarvester or custom scripts?
No. It is complementary. Maltego excels in visualisation and traceability; SpiderFoot in mass automation; theHarvester in fast enumeration from CLI; custom scripts when there are very specific APIs or custom requirements. The mature team combines all of them.
Can Maltego find information behind login or paywall?
Not directly. Maltego only accesses sources where the user has valid credentials (via API key). It does not bypass controls. What looks like "magic" is in reality the combination of paid sources plus pure OSINT, not unlawful access.
What is its relationship with DorkGPT and recent AI OSINT tools?
They are different approaches. Maltego is structured and traceable; solutions like LLM-based dork generators use language models to produce Google Dork or OSINT queries in natural language, useful to accelerate the first phase but less auditable. In formal investigations, use AI only to accelerate, never to replace the documentary trail that Maltego provides.
Related resources
- What is OSINT: cycle, sources, tools: the broader discipline where Maltego is the reference graph tool.
- Google Dorks: operators, OSINT and Red Team use: the classic technique that complements Maltego in the initial phase.
- What is threat hunting and how it works: the defensive discipline that consumes adversary maps built with Maltego.
- What is MITRE ATT&CK: tactics, techniques: the catalogue where the Reconnaissance techniques Maltego operationalises live.
- What is a penetration test: the technical engagement where Maltego-built graphs feed the reconnaissance phase.
OSINT investigation with Maltego at Secra
At Secra we integrate Maltego into the reconnaissance phase of every Red Team exercise and every digital due diligence. We work with Maltego Pro plus a stack of active hubs depending on the client's scope, maintain custom machines for specific sectors (fintech, healthcare, industrial) and deliver the final graph as an annex to the report, not as an isolated document. The client receives an actionable map: forgotten domains to retire, employees with leaked credentials to force a reset, GitHub repos to sanitise, Shodan exposures to patch or move behind a WAF. If you need to evaluate the OSINT footprint of your organisation before a formal Red Team or want to validate the quality of a provider already offering you threat intelligence service, get in touch through contact or check our Red Team service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.