An AI dork is the AI-era cousin of a Google dork: a specialized prompt that surfaces what most people miss. The difference from "just ask ChatGPT" is that these prompts are built to make the model do the work with real data — Claude fetches from public APIs, parses with Python, correlates pivots, cites its sources, and saves structured output in one pass. That closes the gap the whole field keeps warning about: a model with no structure fills gaps with plausible text; a good dork forces it to separate what it checked from what it inferred. Below are eight categories — infrastructure, contact, social, documents, corporate, subject, geolocation, and verification — each with ready-to-run prompts. All use passive, public sources, for authorized work only.
What is an AI dork?
The name plays on the Google dork — a specialized search query that surfaces information most people overlook. An AI dork does the same job through a language model: it's a precise, reusable prompt that turns a general-purpose assistant into a repeatable, verifiable OSINT step. The ones on this site are written specifically for Claude's code sandbox, which changes everything. Instead of the model describing what it would do, it queries a public RDAP endpoint, pulls certificate-transparency records from crt.sh, resolves DNS over HTTPS, or reconstructs a page from the Wayback Machine — then parses the results with Python and hands back a table with its sources. The prompt encodes three things: which investigative phase you're in, which public source to fetch, and a standing instruction to cite what it checked and flag what it inferred.
Why this beats "ask ChatGPT and hope"
Every serious write-up on AI for OSINT lands on the same warning: open a chatbot, type "find everything on this person," and you get output that looks confident, reads well, and is frequently wrong — no sourcing, no verification, no idea what it actually checked. The problem isn't the model; it's the missing process behind the prompt. The fix the field has converged on has two parts: give the model structure, and connect it to real data so answers come from sources rather than imagination. AI dorks encode both. A prompt that says "investigate this" gets you a guess; a prompt that says "you are in the collection phase — fetch RDAP for this domain via rdap.org, parse the registrar and dates into a table, and cite the endpoint" gets you something you can defend. Running in Claude's sandbox is what makes the second half real: the model fetches, parses, pivots, and reports in one conversation, instead of leaving you to run each lookup by hand.
The eight categories
Each category page below has ready-to-run prompts for that task. Start with the one that matches your selector — an email, a domain, a username, a photo — and pivot from there.
| Category | What Claude fetches & does | Start |
|---|---|---|
| Domain & Infrastructure | RDAP, certificate transparency (crt.sh), DNS-over-HTTPS, Wayback history, ASN/netblock, typosquat sweeps | Infra dorks |
| Contact & Footprint | Email-address discovery and validation from public sources; linked accounts | Contact dorks |
| Social | Username search across platforms; social-media footprint mapping | Social dorks |
| Documents | PDF and document metadata extraction; author, software, timestamps | Document dorks |
| Corporate | Beneficial ownership, registries, shell-company and layering checks | Corporate dorks |
| Subject | Due diligence, sanctions and PEP screening from public lists | Subject dorks |
| Geolocation | Placing a photo from visual clues — signage, architecture, shadows, terrain | Geo dorks |
| Verification | Checking photos for manipulation and fact-checking claims against sources | Verify dorks |
A repeatable method
The dorks are more powerful inside a simple loop that keeps the model honest. Run these phases in order and make the model stay in its lane at each step:
- Scope. State what you're authorized to investigate and the exact question. Have the model restate the objective and list in-scope versus out-of-scope sources before it touches any data.
- Collect. Use the category dork to fetch from one public source at a time, with citations.
- Pivot. Feed a found selector — a subdomain, a username, an email — into the next relevant dork.
- Verify. Cross-check anything important against a second independent source; require the model to mark confidence and distinguish fact from inference.
- Document. Save structured output (a table, a CSV, a short report) with the sources and the date, for chain of custody.
Ethics and authorized use
These prompts are for authorized, public-source work only. OSINT means information that is publicly available and lawful to access — it does not mean breaking into accounts, scraping private data, social engineering, or surveilling people without authorization. The infrastructure dorks use passive sources (RDAP, certificate transparency, DNS, Wayback); any liveness or banner check is scoped to hosts you own or are authorized to test. When AI-assisted analysis informs a finding that affects a person, disclose that AI was used and verify before you rely on it. The model is a force multiplier for collection and synthesis; the judgment, and the responsibility, stay with you.
Sources and further reading
The method here reflects the current consensus in AI-OSINT practice — structure the prompt, ground it in real data, require citations, verify everything — drawn from practitioner write-ups (OSINT Combine, authentic8, Espectro, and community prompt collections) and the tool-use pattern behind agentic frameworks like OpenOSINT. For the autonomous, agent-driven version of this idea, see our AI-Agent OSINT & MCP guide; for how AI capability fits the wider intelligence picture, OSINT vs Professional Intelligence. Models and their sandboxes change quickly — verify current behavior before relying on any single prompt.