Introduction
Maltego is the gold standard for open-source intelligence (OSINT) investigations. Its visual graph-based approach transforms raw data into actionable intelligence by revealing hidden connections between entities. Whether you’re investigating a domain, person, organization, or email address, Maltego’s transform ecosystem automates the discovery process and presents findings in an intuitive, graphical format.
Understanding Maltego
Maltego is an OSINT and graphical link analysis tool that leverages an extensive transform library to gather intelligence from public sources. It excels at revealing relationships and connections that wouldn’t be obvious through traditional research methods.
Key Capabilities
- Entity transformation using 500+ transforms
- Graph visualization of relationships and connections
- Automated data gathering from public sources
- Link analysis across domains, people, and organizations
- Custom transform creation for specialized searches
- Case management for organized investigations
Installation and Setup
Download Maltego
Visit maltego.com and download Maltego CE (Community Edition) for free or choose Maltego Classic for advanced features.
# On Linux
wget https://downloads.maltego.com/maltego-ce-latest-linux.zip
unzip maltego-ce-latest-linux.zip
First Run and Configuration
Launch Maltego and create a free account. This enables access to the public transform library and cloud-based processing for many transforms.
After login, Maltego automatically downloads available transforms for your region. You’ll see dozens of transform sets including:
- Paterva public transforms
- Shodan transforms
- VirusTotal transforms
- DNS resolution transforms
Core OSINT Concepts in Maltego
Understanding Entities
Maltego works with “entities”—discrete pieces of information:
- Websites (domains)
- IP addresses
- Email addresses
- Person names
- Phone numbers
- Documents
- Locations
Transforms are data queries that take one entity and return related entities. For example:
- A domain transform might return associated IP addresses
- An email transform might return associated websites
- A person transform might return their social media profiles
Practical OSINT Investigation: Domain Reconnaissance
Step 1: Create a New Graph
Open Maltego and start a new local transform set. This keeps your investigation organized and isolated.
Step 2: Add Domain Entity
Right-click on the canvas and select “Add Entity” → “Website” → “Domain”. Type your target domain (e.g., example.com).
Step 3: Run Domain Transforms
Right-click on your domain entity and explore available transforms:
- “To Website” — Returns the main website
- “To IP” — Returns associated IP addresses
- “To Nameserver” — Shows DNS servers
- “Domain to Registrant” — Reveals WHOIS information
Step 4: Expand the Investigation
Click on discovered entities to reveal more connections:
- IP addresses may link to hosting provider information
- Nameservers might connect to other domains
- Registrant information reveals other assets by the same owner
Investigating Email Addresses
investigator@example.com
↓ (Email to Domain)
example.com
↓ (Domain to IP)
192.0.2.1
↓ (IP to Hosting Provider)
AWS / DigitalOcean
Email Enumeration
Use transforms to discover:
- Associated websites (where this email is registered)
- Social media profiles (LinkedIn, Twitter, Facebook)
- Breached password lists (via integration with Have I Been Pwned)
- Previous domains (where the same email appeared)
Person Investigation Workflow
Starting Point: Name
Add a “Person” entity with the target’s full name.
- “Person to Website” — Finds personal websites, portfolios
- “Person to Phone” — Discovers associated phone numbers
- “Person to Email” — Returns known email addresses
- “Person to Social Media” — Finds LinkedIn, Twitter, Facebook profiles
- “Person to Company” — Reveals employment history
Building the Picture
Connect person entities to:
- Company entities (where they work)
- Location entities (where they live)
- Email entities (contact information)
- Document entities (published papers, leaks)
Integrate Shodan API for network intelligence:
- Settings → Transforms → Add Shodan API key
- Right-click IP → “Shodan Lookup”
- Discover exposed services and vulnerabilities
VirusTotal Integration
Check suspicious files and hashes:
- Add your VirusTotal API key
- Right-click file hash → “VirusTotal Detail Lookup”
- See detection rates and analysis results
Domain → "Name Server"
Domain → "MX Record"
Domain → "DNS A Record"
While beyond basic OSINT, Maltego allows custom transform development:
Custom Transform Input: Email Address
Query Custom API/Database
Return: Associated Organizations
This requires scripting knowledge but extends Maltego’s capabilities to proprietary data sources.
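The email-to-organization flow sketched above, as an added example (not code from the original article or from Maltego): a local transform that looks up the email's domain in a constructed in-memory table and prints the XML response, with the output escaped so source data cannot break the message. `ORG_DIRECTORY` and the function names are hypothetical, and the XML layout and the `maltego.Organization` type follow the local-transform convention as assumed here, so check them against the current Maltego documentation.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for the "custom API/database": email domain -> organizations.
# Hypothetical sample data; the odd characters exercise XML escaping.
ORG_DIRECTORY = {
    "example.com": ["Example Holdings <EMEA>", "Example & Sons Ltd"],
    "example.org": ["Example Foundation"],
}


def lookup_organizations(email):
    """Return organizations for the email's domain, or None if the input is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return ORG_DIRECTORY.get(domain.lower(), [])


def build_response(email):
    """Build the MaltegoMessage XML that a local transform writes to stdout."""
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    ui = ET.SubElement(resp, "UIMessages")
    orgs = lookup_organizations(email)
    if orgs is None:
        # Report bad input to the analyst instead of returning a misleading entity.
        note = ET.SubElement(ui, "UIMessage", MessageType="PartialError")
        note.text = "Input is not an email address"
        orgs = []
    for name in orgs:
        # Entity type name is an assumption; adjust to the entity set in use.
        ent = ET.SubElement(entities, "Entity", Type="maltego.Organization")
        # ElementTree escapes &, < and > in text, so values stay data, not markup.
        ET.SubElement(ent, "Value").text = name
        ET.SubElement(ent, "Weight").text = "100"
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    # Assumed calling convention: the selected entity's value is the first argument.
    print(build_response(sys.argv[1] if len(sys.argv) > 1 else ""))
```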
Graph Analysis and Interpretation
Reading Your Visualization
Maltego displays connections as a graph where:
- Nodes represent entities
- Edges represent relationships
- Colors indicate entity type
- Size (in some views) indicates relevance
Finding Patterns
Look for:
- Hub entities — Highly connected points suggesting central figures
- Isolated clusters — Separate groups with few connections to others
- Unexpected links — Surprising relationships indicating shared infrastructure or operations
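The three patterns above can also be checked outside the canvas. This added example (not from the original article and not a Maltego API) computes hubs, isolated clusters and shared links over a constructed edge list; the entity names are sample data and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed edge list standing in for an exported graph (sample data only).
EDGES = [
    ("acmecorp.com", "203.0.113.50"),
    ("acmecorp-backup.com", "203.0.113.50"),
    ("acmecorp-staging.com", "203.0.113.50"),
    ("acmecorp.com", "ns1.hostingprovider.com"),
    ("acmecorp.com", "John Doe"),
    ("John Doe", "john@acmecorp.com"),
    ("techstartup.com", "alice.smith@techstartup.com"),
]


def build_adjacency(edges):
    """Undirected adjacency map: entity -> set of linked entities."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def hubs(adj, min_degree=3):
    """Highly connected entities, highest degree first."""
    ranked = sorted(adj, key=lambda n: (-len(adj[n]), n))
    return [(n, len(adj[n])) for n in ranked if len(adj[n]) >= min_degree]


def clusters(adj):
    """Connected components; a small one is an isolated cluster."""
    seen, found = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        found.append(sorted(comp))
    return found


def shared_links(adj, a, b):
    """Entities linked to both a and b, such as a shared IP address."""
    return sorted(adj.get(a, set()) & adj.get(b, set()))
```

On this sample, the IP address and the main domain rank as hubs, the `techstartup.com` pair forms its own cluster, and the backup and staging domains share one IP address.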
Practical Investigation Examples
Example 1: Company Domain Reconnaissance
Target: acmecorp.com
↓ Domain Transforms
- IP: 203.0.113.50
- Nameservers: ns1.hostingprovider.com
- Registrant: John Doe
↓ Further Investigation
- John Doe's Email: john@acmecorp.com
- Associated Domains: acmecorp-backup.com, acmecorp-staging.com
- IP Whois: DigitalOcean, reveals other customer domains
Example 2: Person Investigation
Target: alice@company.com
↓ Email Transforms
- linkedin.com/in/alice-smith
- twitter.com/alicesmith
- github.com/alicesmith
↓ Further Research
- Company: TechStartup Inc
- Other emails: alice.smith@techstartup.com
- Associated websites: techstartup.com
Best Practices for OSINT Investigations
Document Everything
Use the “Report” feature to export your findings:
- Take screenshots of final graphs
- Document timestamps
- Note all sources
- Include methodology
Cross-reference Maltego findings with:
- Original source websites
- Multiple transforms (don’t rely on a single result)
- External OSINT tools
- Official company information
Stay Legal and Ethical
- Only investigate targets you have authorization for
- Don’t attempt to verify findings with direct access
- Respect privacy laws (GDPR, CCPA)
- Document authorization and scope
Troubleshooting Common Issues
- Verify internet connectivity
- Check API credentials for third-party transforms
- Ensure you’re using supported entity types
- Restart Maltego if transforms continue failing
Limited Results
- Run multiple transform types on the same entity
- Expand investigation with secondary entities
- Use transform sets designed for your target type
- Check if public sources have sufficient data
Conclusion
Maltego transforms OSINT from tedious manual research into structured, visual investigation. By mastering entity types, transforms, and graph analysis, you can quickly map intelligence landscapes, identify relationships, and support comprehensive security investigations. Start with simple domain reconnaissance, progress to multi-entity investigations, and build expertise in revealing hidden connections within public data.