This chapter is not a tutorial. It is a design document — the foundation for a project that will gradually evolve inside SystemLog.
The goal: to build a fully private, automated OSINT Agent that lives entirely inside my own infrastructure, combining:
- passive OSINT techniques
- scheduled workflows in n8n
- structured parsing of collected data
- a local self-hosted AI (Sim AI + Ollama)
- zero cloud exposure
This is the roadmap before the first line of automation is written.
1. Why build a private OSINT Agent?
Traditional OSINT workflows rely on:
- manual queries,
- switching between tools,
- interpreting raw data by hand,
- and cloud-based AI for summaries.
This creates several issues:
- slow
- repetitive
- inconsistent
- privacy-leaking
- not scalable
A self-hosted automation stack solves all of these.
The planned OSINT agent will:
- Collect data automatically
- Enrich and structure the results
- Offload interpretation to local AI
- Generate SystemLog-ready reports
- Maintain historical archives
- Run inside a private network through WireGuard
No external provider, no telemetry, no logs leaving the system.
2. The architecture: simple, modular, maintainable
The planned OSINT agent will be built on four layers:
Layer 1 — Data Collection (Tools)
Passive OSINT tools running locally:
- subfinder, dnsx, httpx
- WHOIS & DNS resolvers
- header and metadata extractors
- certificate transparency parsers
- HTML snapshot tools
All executed inside HOME infrastructure, without cloud calls.
Layer 2 — Automation Engine (n8n)
n8n will orchestrate:
- scheduled scans
- delta comparisons
- evidence storage
- periodic refreshing of data
- error handling and retries
- forwarding results to the AI layer
Each workflow will be versioned and documented inside SystemLog.
Layer 3 — Local AI Processing (Sim AI + Ollama)
The agent will use self-hosted AI for:
- pattern detection
- change summaries
- report drafting
- classification
- grouping related signals
- anomaly spotting
Models run locally — no leaks, no external dependencies.
Layer 4 — Reporting & Publishing (SystemLog)
Finally, the agent will:
- generate markdown
- write full OSINT chapters
- produce short “intel notes”
- prepare attachment-safe evidence packages
Some output may be published on SystemLog. Sensitive cases will stay private.
3. Planned abilities of the OSINT Agent
These abilities are planned goals, not yet implemented.
1. Passive domain & infrastructure profiling
- DNS history
- WHOIS snapshots
- subdomain discovery
- TLS fingerprinting
- server metadata changes
2. Web surface analysis
- status code monitoring
- redirect chains
- sitemap diffs
- content hashing
3. Evidence archiving
- timestamped folders
- hashed artefacts
- structured JSON for AI parsing
4. AI-assisted analysis
- summarise raw findings
- detect correlations
- highlight anomalies
- classify infrastructure
- produce human-readable reports
5. Automation cycle
- run every 6h, or daily, depending on target
- store results
- generate deltas
- create alerts for significant changes
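A sketch of how the evidence archiving and delta steps listed above could fit together, added here as an illustration and not part of the SystemLog project's own code. The folder layout, the `manifest.json` name and all function names are assumptions; the sample data is constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

RESERVED = {"", "..", "manifest.json"}  # names that must never be used as artefact or target


def archive_snapshot(root, target, artefacts, now=None):
    """Write artefacts (name -> bytes) to a timestamped folder plus a hash manifest."""
    now = now or datetime.now(timezone.utc)
    for name in (target, *artefacts):  # reject path separators and traversal
        if Path(name).name != name or name in RESERVED:
            raise ValueError(f"unsafe name: {name!r}")
    folder = Path(root) / target / now.strftime("%Y%m%dT%H%M%SZ")
    folder.mkdir(parents=True, exist_ok=False)  # never overwrite earlier evidence
    manifest = {"target": target, "collected_at": now.isoformat(), "files": {}}
    for name, data in sorted(artefacts.items()):
        (folder / name).write_bytes(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    (folder / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return folder


def load_hashes(folder):
    return json.loads((Path(folder) / "manifest.json").read_text())["files"]


def verify_snapshot(folder):
    """Re-hash stored files; return names whose content no longer matches."""
    return sorted(n for n, digest in load_hashes(folder).items()
                  if hashlib.sha256((Path(folder) / n).read_bytes()).hexdigest() != digest)


def delta(old_folder, new_folder):
    """Artefacts added, removed or changed between two snapshots."""
    old, new = load_hashes(old_folder), load_hashes(new_folder)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed sample data below, not real scan output
    a = archive_snapshot(root, "example.org", {"dns.json": b'{"a": ["192.0.2.10"]}'}, datetime(2024, 1, 1, tzinfo=timezone.utc))
    b = archive_snapshot(root, "example.org", {"dns.json": b'{"a": ["192.0.2.20"]}'}, datetime(2024, 1, 1, 6, tzinfo=timezone.utc))
    print(delta(a, b), verify_snapshot(b))
```

The manifest is the structured JSON a later AI step would read, and the `delta` result is what an alerting rule for significant changes would act on.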
4. Security model and isolation
To prevent leaks:
- all scans run behind WireGuard
- DNS goes through private resolver
- no cloud AI
- no external logging
- outputs anonymised before publication
- sensitive artefacts stay offline
This ensures that the OSINT agent remains ethical, legal and safe.
5. Roadmap
The development will be documented step by step. Planned chapters in this OSINT series:
1. Designing the OSINT agent architecture (this article)
2. Building the first n8n workflow
3. Integrating passive scanning tools
4. Connecting evidence storage
5. Teaching local AI to analyse the outputs
6. Automated change detection
7. Generating SystemLog-ready OSINT reports
8. Expanding the agent with modules
Each chapter will bring a small, working component.
Conclusion
This article marks the start of the SystemLog OSINT Agent project.
Nothing is built yet. No automation exists. This is the blueprint — the motivation, architecture and goals.
From here, the real development begins.