Why your OSINT tool lies to you

Open almost any OSINT tool, run a username, and you get a wall of green checkmarks. Found on 40 sites. Phone traced to a carrier. Email confirmed. Every line rendered in the same confident styling as a real breach hit pulled from a cryptographic database.

Most of those checkmarks are lying to you. Not on purpose. The tool simply has no way to show the difference between "a cryptographic check confirmed this" and "a web page returned HTTP 200, so I guessed."

The uncertainty is real, and good analysts carry it in their heads. They know a phone "carrier" field is often wrong, that a username hit on an obscure site is close to a coin flip, that an email "exists" only means the domain accepts mail. But that knowledge lives in the analyst, not in the tool. It evaporates the second a junior reads the report, or the result gets pasted into a slide where the green is all anyone sees.

So I wrote a small library that moves the uncertainty out of the analyst's head and into the result itself. The idea is one sentence: every lookup gets wrapped in an envelope, and the verdict is capped at the highest level the source type can honestly support. Not the highest level this particular result reached. The highest that kind of source can ever reach. And the cap lives in the code, so a downstream UI cannot accidentally promote a guess into a fact.