Glossary
OSINT terms, plain English.
Reference glossary for investigators, journalists, and diligence teams. 56 terms.
— A
- Adverse media
- Negative news coverage about a subject — accusations, indictments, regulatory actions, controversies. Standard component of due-diligence reports. Tracelight scans 80,000+ news sources for adverse-media signals.
- Alias
- An alternate identity or username used by a subject. Often the key signal for resolving cross-platform identity in OSINT investigations.
- Audit log
- Immutable record of who did what, when. In Tracelight, every report viewer + download + admin action is logged for the workspace's retention window.
— B
- Background check
- Pre-employment or pre-engagement screening of an individual's history. Regulated by the FCRA in the US when used for employment decisions.
- Beneficial owner
- The natural person who ultimately owns or controls a corporate entity, often hidden behind layers of shell companies. Tracelight's corporate-registry workers surface beneficial-owner data where it's been disclosed.
- BIN
- Bank Identification Number — the first 6-8 digits of a credit card number, identifying the issuing institution. Useful in fraud investigations for pattern detection.
- Breach corpus
- Aggregated dataset of leaked credentials and PII from breached services. HIBP, Dehashed, IntelX, and BreachDirectory are major aggregators Tracelight queries.
— C
- Chain of custody
- Documented trail showing how evidence was collected, handled, and preserved from discovery to presentation. Tracelight's citation appendix is a chain-of-custody substitute for OSINT findings.
- Citation appendix
- Section of a Tracelight report listing every claim with a link to the evidence row that supports it, which links to the raw API response. The mechanism that makes the report defensible.
- Claim mill
- Insurance fraud pattern where the same identifiers (address, phone, email, doctor, attorney) recur across many supposedly unrelated claims. Tracelight's cross-case intelligence catches these.
- Confidence score
- Per-evidence-row metric estimating how reliable a finding is, typically based on the source worker's signal quality. Aggregated by Tracelight into 'verified by N sources' badges.
- Consent capture
- Recording the subject's permission to be investigated, with timestamp + supporting evidence. Required by FCRA before generating an employment-screening report.
- Cross-platform identity correlation
- Confirming that handles on Twitter, LinkedIn, GitHub, Reddit, Telegram, etc. all belong to the same person. Tracelight's username probe is the primary tool.
— D
- Dark web
- Web content accessible only through Tor or similar privacy networks. Often hosts breach indices, marketplaces, and forums of investigative interest.
- Daubert challenge
- Motion to exclude expert testimony as scientifically unreliable. Pattern-of-testimony research is a key input.
- Digital footprint
- The aggregate of a subject's online presence — accounts, posts, purchases, registrations. Distinct from real-time location data.
- DKIM
- DomainKeys Identified Mail — cryptographic signature on outbound email that lets receivers verify the message was authorized by the signing domain and that the signed content was not altered in transit. Required for reliable Resend deliverability from trytracelight.com.
- DMARC
- Domain-based Message Authentication, Reporting, and Conformance — DNS-published policy telling receivers what to do with email that fails DMARC evaluation, meaning neither SPF nor DKIM passes in alignment with the From domain. Start at p=none, tighten to p=reject.
- Dox / Doxxing
- Publishing an individual's private identifying information online, often maliciously. OSINT investigators must distinguish their professional work from doxxing — Tracelight's audit log + consent capture help establish that distinction.
- DSAR
- Data Subject Access Request — under GDPR, an individual's right to request all data a controller holds on them. Tracelight provides per-subject JSON export endpoints.
- Dual-use data
- Information that's legal to collect for legitimate purposes but harmful if misused (e.g. address history). FCRA + state privacy laws govern permissible purposes.
— E
- Enrichment
- Process of adding context to an identifier by querying multiple data sources. A Tracelight enrichment run executes 32 OSINT workers against a single subject in parallel.
- Evidence row
- Single discrete finding stored in Tracelight — source, finding type, summary, confidence, observed date, raw API response. Building block of every report.
— F
- FCRA
- Fair Credit Reporting Act (US) — regulates the use of consumer reports in employment, housing, credit, and insurance decisions. Imposes consent + notice + adverse-action requirements.
— G
- Geo-tagging
- Embedding location coordinates in social-media posts, photos, or other content. Useful for surveillance deployment + skip tracing.
— H
- HIBP
- Have I Been Pwned — Troy Hunt's breach-aggregation service. The single most-impactful OSINT source for email-based breach lookups.
- HMAC
- Hash-based Message Authentication Code — keyed hash computed over a webhook payload with a shared secret, proving it came from Tracelight and was not modified in transit. Verify with the X-Tracelight-Signature header.
— I
- ICAC
- Internet Crimes Against Children — federal task-force structure for investigating child exploitation cases. A specialized OSINT vertical Tracelight does not target.
- Identifier
- Any piece of data that can be associated with a subject — name, email, phone, IP, domain, username, photo. Inputs to Tracelight enrichment.
— L
- Litigation hold
- Legal obligation to preserve evidence relevant to anticipated or pending litigation. Tracelight's snapshot-evidence model satisfies most reasonable-preservation requirements.
— M
- Maltego
- Long-established desktop graph-OSINT tool. Strong on graph visualization, weak on hosting and onboarding speed. See /vs/maltego for comparison.
- Monitor
- Continuous re-enrichment job that fires alerts when a subject's profile changes (new breach, sanctions hit, dark-web mention). Tracelight monitors run on configurable cadence.
— O
- OFAC
- Office of Foreign Assets Control (US Treasury) — administers sanctions lists. Tracelight checks every subject against OFAC, EU, UK, and UN sanctions data.
- OpenCorporates
- Open dataset of corporate registry data from 130+ jurisdictions. Tracelight uses it for beneficial-ownership + corporate-relationship discovery.
- OSINT
- Open-Source Intelligence — gathering and analyzing publicly available information. Distinct from HUMINT (human sources), SIGINT (signals), and proprietary database intelligence.
— P
- PACER
- Public Access to Court Electronic Records — US federal court record system. Primary source for federal litigation history.
- Patterns of life
- Recurring behaviors a subject exhibits — when they post online, where they connect from, what their typical week looks like. Tracelight surfaces these via the activity heatmap.
- Permissible purpose
- FCRA-defined set of allowable uses for a consumer report — employment, credit, insurance, housing. Using a report outside permissible purpose triggers statutory damages.
- PII
- Personally Identifiable Information — data that can identify a specific individual. Subject to GDPR, CCPA, and state privacy laws.
- Pivot
- Following a new identifier discovered in one evidence row to enrich a subject's profile further. Tracelight's auto-pivot extracts surfaced identifiers and re-enriches them.
— R
- Reverse image search
- Finding the source or other instances of an image. Useful for identifying staged photos in fraud investigations or verifying source-supplied images in journalism.
- Risk score
- Composite 0-100 metric per Tracelight subject, derived from sanctions hits + breach exposure + adverse media + court records + cross-case overlap.
- RLS
- Row-Level Security — Postgres feature that filters rows visible to a given query based on a policy. Tracelight uses RLS to enforce workspace isolation at the database level.
— S
- Sherlock
- Open-source tool for finding usernames across social platforms. Tracelight's username worker is Sherlock-style with quality-of-life improvements (timeout, retry, content sanity check).
- Skip tracing
- Workflow for finding people who have moved or gone off the grid. See /use-cases/skip-tracing for a detailed playbook.
- SOC 2
- AICPA audit standard for service organizations. Type I = controls exist, Type II = controls operated effectively over a 6-12 month period. On Tracelight's roadmap.
- Source URL
- Direct link to the original data source for an evidence row. Tracelight stores source URLs whenever the upstream API exposes them, enabling click-through verification.
- SPF
- Sender Policy Framework — DNS TXT record listing IPs/services authorized to send email for a domain. Required for Resend deliverability from trytracelight.com.
- Subject
- The person, organization, or entity being investigated in a Tracelight case. Identified by one or more identifiers (email, phone, name, etc.).
- Surface web
- The publicly indexed web — what Google sees. Distinct from deep web (behind login walls) and dark web (Tor / I2P).
— T
- TLS
- Transport Layer Security — protocol securing in-transit data. Tracelight terminates connections with TLS 1.3 (1.2 minimum) at Vercel's edge.
— U
- Username probe
- Querying multiple social platforms with the same username to find which accounts exist. Tracelight's worker covers 30+ platforms.
— V
- Verification (multi-source)
- Confirming a finding by getting the same answer from independent OSINT sources. Tracelight badges any evidence-row finding type produced by 2+ workers as 'verified by N sources'.
— W
- Wayback Machine
- Internet Archive's archived web snapshot system. Useful for retrieving deleted social posts or inspecting how a website looked at a specific date.
- WHOIS
- Public registry record for a domain — registrant, contact, registration date, nameservers. Tracelight's domain worker queries WHOIS as part of every domain enrichment.
- Workspace
- Tracelight's tenant unit. Each workspace has its own cases, subjects, evidence, monitors, alerts, billing, and team — fully isolated from other workspaces by RLS.
