A modern, open-source graph-based investigation tool for cybersecurity analysts, OSINT researchers, and investigators. Visualize relationships between entities (domains, IPs, emails, wallets) with automated enrichment and local-first data storage.
Ethical Use Only: Flowsint must only be used for lawful, ethical investigation and research purposes. Review the project’s ETHICS.md before deployment.
Installation
Quick Setup (Docker)
# Clone the repository
git clone https://github.com/reconurge/flowsint.git
cd flowsint
# Production deployment
make prod
# Development deployment
make dev
Prerequisites: Docker and Make
Access
| Mode | URL |
|---|
| Development | http://localhost:5173 |
| Production | http://localhost:5173/register (create account first) |
Architecture Overview
Flowsint is a modular platform with five core components:
| Module | Purpose |
|---|
flowsint-app | Frontend interface (graph visualization) |
flowsint-api | FastAPI backend with authentication |
flowsint-core | Database, utilities, task orchestration |
flowsint-enrichers | Data enrichment modules |
flowsint-types | Pydantic data models |
Entity Types
Flowsint works with various investigation entities you can add to your graph:
| Entity | Description |
|---|
| Domain | Website domain names |
| IP Address | IPv4/IPv6 addresses |
| Email | Email addresses |
| Phone Number | Phone numbers |
| Username | Social media / service usernames |
| Organization | Companies and organizations |
| ASN | Autonomous System Numbers |
| CIDR | IP address ranges |
| Cryptocurrency Wallet | Bitcoin, Ethereum, etc. addresses |
| URL | Specific web pages |
Available Enrichers
Network Intelligence
| Enricher | What It Does |
|---|
| DNS Resolution | Resolve domain to IP addresses |
| Reverse DNS | Find domains pointing to an IP |
| Subdomain Enumeration | Discover subdomains of a domain |
| WHOIS Lookup | Domain registration information |
| IP Geolocation | Physical location of IP addresses |
| ASN Mapping | Identify network ownership |
| CIDR Expansion | Expand IP ranges to individual addresses |
Digital Identity
| Enricher | What It Does |
|---|
| Email Breach Check | Check if email appears in known breaches |
| Gravatar Discovery | Find Gravatar profiles linked to emails |
| Phone Breach Check | Check phone numbers in breach databases |
| Username Search (Maigret) | Search for username across social platforms |
Organization Research
| Enricher | What It Does |
|---|
| ASN Ownership | Identify organizations behind ASNs |
| Domain Portfolio | Find other domains owned by same entity |
| Company Details | Retrieve company registration info |
Web Analysis
| Enricher | What It Does |
|---|
| Website Crawling | Map site structure and discover pages |
| Link Extraction | Extract all links from a webpage |
| Tracking Scripts | Identify analytics and tracking code |
| Text Harvesting | Extract text content from pages |
Cryptocurrency
| Enricher | What It Does |
|---|
| Wallet Transactions | View transaction history for addresses |
| NFT Ownership | Track NFT holdings of wallet addresses |
Integrations
| Integration | What It Does |
|---|
| N8n Workflows | Connect to N8n automation workflows |
Investigation Workflow
1. Create an Investigation
Start a new investigation from the dashboard. Give it a descriptive name and optional tags.
2. Add Seed Entities
Add your starting entities (known domains, emails, IPs, etc.) to the graph canvas.
3. Run Enrichers
Right-click an entity or select it and run relevant enrichers. New entities and connections are automatically added to the graph.
4. Analyze Relationships
Use the visual graph to trace connections:
- Domain → IP: Hosting relationships
- Email → Breaches: Compromised accounts
- Domain → Subdomains: Attack surface mapping
- Username → Platforms: Digital footprint
5. Expand and Pivot
Select newly discovered entities and run additional enrichers to expand the investigation graph.
Key Features
| Feature | Description |
|---|
| Graph Visualization | Interactive node-link diagrams showing entity relationships |
| Automated Enrichment | One-click data gathering from multiple OSINT sources |
| Local Storage | All data stays on your machine — privacy by design |
| Multi-User | Authentication system for team investigations |
| Modular Architecture | Add custom enrichers via the plugin system |
| Export | Export investigation data for reporting |
Running Tests
# Test individual modules
cd flowsint-core
poetry run pytest
cd flowsint-api
poetry run pytest
cd flowsint-enrichers
poetry run pytest
Common Investigation Scenarios
Domain Investigation
- Add target domain as entity
- Run DNS Resolution → discover IPs
- Run Subdomain Enumeration → map attack surface
- Run WHOIS → find registrant info
- Run Website Crawling → map site structure
- Pivot to discovered IPs → run Reverse DNS
Email Investigation
- Add target email as entity
- Run Breach Check → find compromised databases
- Run Gravatar Discovery → find linked profile
- Extract username → run Username Search across platforms
Infrastructure Mapping
- Add known IP or ASN
- Run ASN Ownership → identify organization
- Run CIDR Expansion → map IP ranges
- Run Reverse DNS on IPs → discover domains
- Visualize full infrastructure on graph
Troubleshooting
| Issue | Solution |
|---|
| Docker build fails | Ensure Docker and Make are installed and running |
| Port conflict on 5173 | Change port mapping in docker-compose.yml |
| Enricher timeout | Check network connectivity; some enrichers require internet |
| Empty results | Verify the entity format is correct (valid domain, IP, etc.) |
| Authentication errors | Register a new account at /register |
Resources
