Good investigation isn’t about knowing a hundred sites. It’s about disciplined pivoting: every artifact is a node, every relationship is an edge, and your job is to expand the graph without drowning in noise.

Start with one node

Say you have a single email address. Don’t grep the whole internet — ask what linked identifiers it can yield:

email
 ├─ username (local-part reuse)
 ├─ breach appearances → passwords, other emails
 ├─ gravatar / avatar hash → image
 └─ account existence across platforms

The pivot loop

Each new artifact re-enters the same loop. I keep it explicit so I don’t wander:

  1. Extract — what identifiers does this artifact contain?
  2. Expand — resolve each identifier to accounts/records.
  3. Corroborate — does a second, independent source agree?
  4. Record — add the node + edge to the graph with a source citation.

Rule I never break: one unconfirmed source is a lead, not a fact. Two independent sources make an edge. Everything on the board is labeled with its confidence.

Usernames are the richest pivot

A reused handle is a gift. A quick existence sweep across platforms:

# check a handle across sites, then eyeball the true positives
sherlock "$HANDLE" --timeout 10 --print-found \
  | tee "recon/${HANDLE}.txt"

Automated hits are candidates. Confirm each one manually — avatar match, bio overlap, join date, writing style. Tools find; humans decide.

Map, don’t list

The deliverable is a graph, not a spreadsheet of links. I drop entities into a link-analysis view so relationships surface:

  • Nodes = people, accounts, domains, images.
  • Edges = “controls”, “reused”, “registered”, “appears-with”.
  • Color = confidence.

The picture tells you where the next pivot has the most leverage — usually the node with the most low-confidence edges begging to be confirmed.
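The record-and-corroborate rule and the link-analysis view above, as a small evidence graph in Python. This is an added example, not the author's tooling; the node ids, source labels and sample identities are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Edge:
    src: str
    dst: str
    relation: str  # "controls", "reused", "registered", "appears-with"
    sources: set = field(default_factory=set)  # distinct source citations

    @property
    def confidence(self) -> str:
        # one source is a lead, two independent sources make a confirmed edge;
        # whether two citations are truly independent stays a human judgement
        return "confirmed" if len(self.sources) >= 2 else "lead"

class EvidenceGraph:
    def __init__(self):
        self.nodes = set()  # ids are "kind:value", e.g. "email:...", "acct:..."
        self.edges = {}     # (src, dst, relation) -> Edge

    def record(self, src: str, dst: str, relation: str, source: str) -> Edge:
        """Loop step 4: add node + edge with a citation; refuse an edge you cannot cite."""
        if not source:
            raise ValueError("refusing to add an edge without a source citation")
        self.nodes.update((src, dst))
        edge = self.edges.setdefault((src, dst, relation), Edge(src, dst, relation))
        edge.sources.add(source)
        return edge

    def leads(self) -> list:
        return [e for e in self.edges.values() if e.confidence == "lead"]

    def next_pivot(self):
        """Node touching the most unconfirmed edges: where corroboration has the most leverage."""
        counts = defaultdict(int)
        for e in self.leads():
            counts[e.src] += 1
            counts[e.dst] += 1
        return max(counts, key=counts.get) if counts else None

def build_example() -> EvidenceGraph:
    # constructed sample identities and citations, not taken from any real investigation
    g = EvidenceGraph()
    g.record("email:alice@example.com", "user:alice_dev", "reused", "local-part match")
    g.record("user:alice_dev", "acct:github/alice_dev", "controls", "existence sweep")
    g.record("user:alice_dev", "acct:github/alice_dev", "controls", "avatar matches gravatar")
    g.record("user:alice_dev", "acct:forum/alice_dev", "controls", "existence sweep")
    return g
```

The GitHub edge ends up confirmed because two citations back it; the email and forum edges stay leads, which is why `next_pivot()` points at the username node.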

Stay clean

Investigate from a compartmented environment, log your sources as you go, and keep to passive collection unless you have explicit authorization to do otherwise. The methodology is the same whether the target is a threat actor or a phishing domain — only the authorization changes.

Single artifact in, mapped network out. The discipline isn’t the tools — it’s refusing to add an edge you can’t cite.