maigret: Username Recon Across 3,000+ Sites
How soxoj/maigret works, where it beats Sherlock and WhatsMyName, and a reproducible CLI recipe for building a structured identity dossier.
Username enumeration looks simple until you have to do it at scale with defensible output. “Check a few sites manually” gets you nowhere on a real investigation. soxoj/maigret — 31,000+ GitHub stars, 3,000+ sites in the database — is what systematic coverage actually looks like.
This post covers how maigret’s detection logic works, where it sits relative to Sherlock and WhatsMyName, and a CLI recipe you can run right now.
Disclosure: No affiliate links. OSINT activities must be conducted within applicable legal frameworks and with proper authorization.
What maigret Does Under the Hood
maigret accepts a username and probes its site catalogue to determine account existence. The detection logic is what separates it from cruder tools in the same category.
Detection Mechanics
According to the project’s official documentation, site definitions support three probe strategies:
- Status-code matching — 200 vs. 404. The simplest check, and the least reliable.
- Response-body keyword matching — presence or absence of a specific string in the returned HTML or JSON.
- Profile URL pattern validation — confirming the returned page resembles a user profile rather than a generic error page dressed as a 200.
The layered approach matters because a significant number of platforms return HTTP 200 for non-existent users — a deliberate anti-enumeration pattern. Body matching and URL pattern checks catch those cases. Tools that only look at status codes produce garbage false-positive rates on modern sites.
Data Extraction Beyond Existence Checks
On a confirmed profile, maigret attempts to pull structured metadata: bio text, linked accounts, profile photo URLs, real names, location fields. Output formats:
- PDF — formatted summary for case files.
- HTML — interactive view with hyperlinks to each confirmed profile.
- JSON/CSV — structured data for pipeline integration.
- Graph visualization — plots connections between confirmed accounts and any linked usernames or email addresses discovered in profile data.
The graph feature is maigret’s sharpest edge for professional use. When a confirmed account on one platform links to an alias on another, maigret can recursively investigate that secondary username. One seed identity can expand into a mapped web of associated handles without manual pivot work.
Where maigret Fits in a Recon Workflow
A standard OSINT workflow moves through: seed collection → account enumeration → profile enrichment → correlation → reporting. maigret owns enumeration and enrichment.
Upstream Inputs
maigret performs best with a clean username seed. Common sources:
- Breach data — a compromised credential set often reveals username patterns.
- Email-to-username correlation — tools like Holehe or h8mail surface usernames registered to a known address.
- Manual recon — forum posts, social handles, WHOIS contact fields.
Downstream Consumers
maigret’s JSON output slots into Maltego (custom transforms), SpiderFoot (additional module seeding), and case management platforms like MISP or Elastic. It’s a high-breadth, medium-depth enrichment layer. It tells you where someone exists across the internet quickly. It doesn’t replace platform-specific deep-dive tooling.
maigret vs. the Alternatives
maigret vs. Sherlock
Sherlock is the most direct comparison. Both take a username and probe multiple sites.
| Dimension | maigret | Sherlock |
|---|---|---|
| Site coverage | 3,000+ | ~400 |
| Profile data extraction | Yes (bio, linked accounts) | Minimal |
| Recursive username discovery | Yes | No |
| Report formats | PDF, HTML, JSON, CSV, graph | Text/CSV |
| False-positive mitigation | Multi-strategy checks | Primarily status code |
Sherlock’s simplicity is genuinely useful for a fast, lightweight check where you just need a hit list. For a structured investigation with a documented methodology, maigret’s output depth is not optional — it’s the point.
maigret vs. WhatsMyName
WhatsMyName maintains a community-curated site list that other tools, including maigret, can reference. The web UI works well for ad-hoc checks and onboarding analysts who haven’t run CLI tools before. maigret’s programmatic output makes it the right choice for automated pipelines and repeatable workflows.
maigret vs. Social-Analyzer
Social-Analyzer adds NLP hooks and confidence scoring on top of profile discovery — specifically to address whether a found profile actually belongs to your target versus a same-username coincidence. If automated identity-confidence scoring matters for your workflow, Social-Analyzer is worth evaluating alongside maigret, not instead of it. Use maigret for systematic coverage, Social-Analyzer or manual review for confidence scoring on high-stakes investigations.
A Reproducible CLI Recipe
Steps drawn from maigret’s official installation documentation. Tested on Python 3.10+. Run only against usernames you are authorized to investigate.
Prerequisites
- Python 3.10 or higher
- pip
- Outbound HTTPS access
Step 1 — Install
pip3 install maigretOr clone for the latest site definitions:
git clone https://github.com/soxoj/maigret.git
cd maigret
pip3 install .Step 2 — Basic Username Search
maigret TARGET_USERNAMEA full scan across 3,000+ sites completes in two to five minutes on a standard broadband connection, depending on concurrency and latency.
Step 3 — Structured Report Output
maigret TARGET_USERNAME --html --pdf -J --folderoutput ./reports/--html— HTML report with clickable profile links.--pdf— PDF summary for case documentation.-J— JSON output for downstream pipeline use.--folderoutput ./reports/— all output files in one directory.
Step 4 — Scope by Category (Optional)
maigret TARGET_USERNAME --tags social,tech --htmlFilters the site database to specified tag categories. Useful when scan time matters more than exhaustive coverage.
Step 5 — Recursive Discovery
maigret TARGET_USERNAME --parse-url-rules --htmlParses linked accounts from confirmed profiles and queues them for investigation. Scope creep is a real risk here — the recursive graph expands fast. Set a depth limit or review queue manually before letting it run unsupervised on a broad target.
Step 6 — Review the Graph
Open the HTML report after a recursive scan. The graph view renders confirmed accounts as nodes with edges between accounts where a link or shared identifier was detected. This is where non-obvious identity connections surface — connections that would take hours to find manually.
Operational Notes
Rate Limiting and Source IP Exposure
maigret fires a high volume of HTTP requests in a short window. WAFs and bot-detection systems flag exactly this traffic pattern. Your source IP will be logged by the sites being probed. High-profile targets on platforms with active security teams may trigger account-activity alerts. Use a dedicated investigation environment — VPN, isolated VM, or a commercial OSINT proxy layer — when OPSEC matters.
Legal Scope
Username enumeration against public profiles doesn’t constitute unauthorized access in most jurisdictions, but the legal landscape is not uniform. Confirm authorization before running: a signed engagement letter, a documented law enforcement request, or an internal policy authorizing the activity. Scope is not optional documentation.
Site Database Currency
Result quality is directly tied to the freshness of the site definitions. Running from a cloned repo rather than a stale pip install is the right default. Before a critical investigation, run git pull in your maigret directory.
Where This Leaves You
maigret’s combination of multi-strategy detection, 3,000+ site coverage, structured output, and recursive identity discovery makes it the right tool for investigations that require documented methodology and reproducible results. It won’t access private profiles, and it won’t tell you whether a found account belongs to your target versus a coincidental username match — cross-reference confirmed profiles manually and apply confidence scoring before treating any hit as attributable. Those gaps are tradecraft problems, not tool problems.
If you run threat-actor profiling, red team recon, or fraud investigations with any regularity, the immediate next step is building maigret into a standardized workflow with a consistent output directory structure. The JSON format is stable enough to script against.