OSINT Tradecraft
Investigation skills · Vol. 8
Cautionary brief
REF · 2026-WHY-001

"Just ask ChatGPT" is how cases get lost.

Vanilla LLMs are pattern matchers with a confident voice. That's a great combination for a brainstorm and a terrible one for an investigation. The fix isn't a smarter model — it's training. Here's exactly where an untrained model breaks, and how a Skill file trains each break out.

Pillar 01

It hallucinates the things you can't make up

Court citations. Statute numbers. Case names. Document IDs. Vanilla LLMs invent them in a tone of complete confidence, because their training rewards plausibility, not provenance.

Prompt
> What's the controlling case law for warrantless GPS tracking in California?
Vanilla LLM

Confident answer, fabricated case

Cites People v. Reyes (2018), 32 Cal.App.5th 122. That case does not exist. Quotes a passage with a specific page number. The page number is also fabricated. A junior attorney drops the citation into a brief.

× Reporter, year, page — all invented
× Tone is identical to a real citation
× No primary source URL
× No 'I'm not sure' hedge
With OSINT Tradecraft

Grounded answer, real authorities, hedged

Skills jones-and-gps-tracking-standards + reasonable-expectation-of-privacy-framework cite United States v. Jones (565 U.S. 400, 2012) and link to oyez.org and the slip opinion. They name California's Electronic Communications Privacy Act (Cal. Penal Code §§ 1546–1546.4) and link to the statute. Where state law is unsettled, they say so explicitly.

Every citation links to a primary source
Confidence language per ICD-203
Distinguishes federal vs state
Names unsettled questions
Skills that handle this
evidence-admissibility-checklist
jurisdictional-privacy-law-quickref
constitutional-4a doctrine skills
confidence-and-uncertainty-language
Pillar 02

It has no tradecraft discipline

Real investigators don't just answer the question — they document the path. Source provenance, chain of custody, deconfliction, OPSEC, redaction. Vanilla LLMs skip all of it because nothing in their training prompts them to care.

Prompt
> Pull together everything you can find on this subject and write me a report.
Vanilla LLM

Synthesized prose with no audit trail

Returns a polished paragraph that mixes verified facts, AI guesses, and old information into a single tone. No timestamp on any finding. No URL. No 'this was current as of'. No note about which jurisdictions were excluded.

× Findings + guesses presented identically
× No timestamps, no source URLs
× No deconfliction note
× No OPSEC notes for sensitive lookups
With OSINT Tradecraft

Methodical report with provenance baked in

Skills investigative-report-structure + evidence-citation-format + chain-of-custody-documentation + source-vetting-and-reliability-grading produce a report with: an executive summary, a methodology section, a numbered finding list with per-finding source URL + timestamp + reliability grade (A1–F6), an excluded-sources appendix, and an OPSEC log of what was probed and how.

Reliability grade (A1–F6) per finding
Per-finding URL + timestamp
Methodology section
Excluded-sources appendix
Skills that handle this
chain-of-custody-documentation
opsec-for-investigators
source-vetting-and-reliability-grading
investigative-report-structure
redaction-workflow-sensitive-data
Pillar 03

It has no platform-specific tradecraft

LinkedIn's 'people you may know' graph is an inference attack. Telegram channel discovery isn't search — it's pivoting through forwarded messages. Snapchat's ephemeral content has a 24-hour preservation window. Vanilla LLMs give you a generic 'check their profile' for all of them.

Prompt
> Investigate this LinkedIn profile.
Vanilla LLM

Surface-level profile read

Summarizes the profile's About section, job history, and skills. Maybe mentions 'consider checking their connections'. Doesn't know about the pivoting techniques, the metadata leakage, or the platform-specific search syntax.

× No 'PYMK' inference exploitation
× No vanity-URL pivots
× No public-vs-2nd-degree distinctions
× No Boolean search syntax
With OSINT Tradecraft

Platform-aware deep read

Skill linkedin-investigation walks the agent through: PYMK graph inference, public activity feed scraping, recommendation network analysis, profile-photo reverse search, employment-record cross-checks against corporate-filings-research, and the LinkedIn-specific Boolean syntax (NEAR/3 etc.) — all stopping at the TOS and CFAA line.

Platform-specific pivot techniques
TOS / CFAA-aware stopping points
Cross-source corroboration
Documented confidence per pivot
Skills that handle this
linkedin-investigation
facebook-and-meta-investigation
telegram-channel-investigation
snapchat-ephemeral-content-strategy
twitter-x-investigation
tiktok-investigation
+ 7 more platform-specific skills
Pillar 04

It treats jurisdictions as interchangeable

DMV records in California are restricted by the DPPA. In Texas, same DPPA — different state-level access rules. A wiretap in NY needs Title III. In Florida, two-party consent applies to recording. Vanilla LLMs collapse all of this into one generic answer.

Prompt
> Can I pull DMV records on this subject?
Vanilla LLM

Generic 'check with your local DMV' answer

Says DMV records are sometimes available. Suggests 'consider contacting the DMV directly'. Doesn't mention DPPA's permissible-purpose list. Doesn't distinguish state-level access regimes. Doesn't surface FCRA/GLBA implications for vendor-pulled data.

× No DPPA permissible-purpose check
× No state-by-state distinction
× No FCRA / GLBA flag
× No 'how an investigator actually does this' workflow
With OSINT Tradecraft

State-aware, statute-grounded, vendor-aware

Skills dmv-and-motor-vehicle-records-by-state + restricted-records-driver-privacy-protection-act + fcra-glba-compliance-for-investigators walk the agent through: DPPA permissible purpose check, state-specific access rules (CA, TX, FL, NY, etc.), licensed-investigator vs ordinary citizen distinctions, vendor sourcing (Accurint, TLO, IRBsearch) with FCRA flags, and how to document the legal basis for each pull.

DPPA permissible-purpose check
State-specific access rules
Licensed-PI vs civilian distinction
Legal basis documented per pull
Skills that handle this
dmv-and-motor-vehicle-records-by-state
restricted-records-driver-privacy-protection-act
fcra-glba-compliance-for-investigators
jurisdictional-privacy-law-quickref
Next step

See it work. The Starter bundle is free.

4 hand-picked skills across OSINT, forensics, legal, and tradecraft. Install in two minutes. Decide if the methodology is worth a paid volume.
