The Art of Pivoting: How One Data Point Leads to the Next

Pivoting is the craft of turning one OSINT datapoint into the next. Email to username, username to domain, domain to infrastructure, infrastructure to identity.

A pivot is a move from one datapoint to another along a relationship that public records expose. "This email address" → "which domains are registered to it" → "who owns those domains" → "what other addresses do they use" is a pivot chain. Every OSINT investigation is a sequence of pivots; the craft is knowing which one comes next.

This post catalogs the pivots that come up most often and the logic behind picking the right one.

Pivot Logic

Every pivot has three parts:

  1. Input — the datapoint you have.
  2. Relationship — the public-records relationship you are exploiting.
  3. Output — the new datapoint, with a confidence level.

The confidence level matters. Pivoting "John Smith in Delaware registry" to "John Smith on LinkedIn" is low confidence without corroborating signals. Pivoting "john.smith@example.com" to "registrant of example.com" via current WHOIS is high confidence.

Investigators who track confidence levels produce defensible analyses. Investigators who do not produce conspiracy maps.

Email Pivots

An email address pivots well:

  • Email → domain registrar history via historical WHOIS. If the email was used to register any domain at any time, historical WHOIS databases may show it.
  • Email → data-breach corpus via Have I Been Pwned or DeHashed. HIBP tells you which breaches an email appeared in; DeHashed exposes some associated data. Use of breach data is jurisdiction-dependent — see /blog/legal-boundaries-of-osint/.
  • Email → gravatar — md5(email) produces the Gravatar hash; an image is often public.
  • Email → reused username — the local part of the email often matches usernames on other platforms.
  • Email → account recovery hints — password reset flows on major services sometimes expose partial phone numbers or alternate emails. This skirts the legal line; investigators use it cautiously.

Example:

Input: j.lin@meridianholdings.example
Pivot 1: domain WHOIS on meridianholdings.example → registrant org "Meridian Holdings LLC"
Pivot 2: username "j.lin" on GitHub → commits under "Jonathan Lin"
Pivot 3: "Jonathan Lin" + "Meridian" on LinkedIn → profile with matching role

Three pivots, one starting datapoint, named individual at the end.

Username Pivots

Usernames are often reused across platforms. Tools like WhatsMyName, Sherlock, and Namecheckr query hundreds of sites.

Caveats:

  • Username collision is common; "sarahlin" on X and "sarahlin" on GitHub are not necessarily the same person.
  • Corroboration requires stylistic, temporal, or content overlap.
  • A strong pivot is "same username + same profile photo + overlapping content timeline."

Domain Pivots

Starting from a domain:

  • Domain → registrant via current and historical WHOIS.
  • Domain → infrastructure via DNS records and Shodan — see /tools/shodan/.
  • Domain → other domains on same server via reverse IP lookup (Censys, SecurityTrails).
  • Domain → subdomains via Certificate Transparency logs (crt.sh).
  • Domain → historical content via the Wayback Machine.
  • Domain → Google Analytics ID — inspecting page source for UA- or GTM- IDs can cluster sites under common ownership.

The GA-ID pivot is powerful. Historical page source (via Wayback) for a domain often exposes an analytics ID, and third-party tools catalog which other domains used the same ID.

// In page source:
ga('create', 'UA-12345678-1', 'auto');

Other domains with UA-12345678-1 are likely under the same operator.

Company Pivots

Starting from a company name:

  • Company → officers via state registry (where disclosed) or SEC filings (see /blog/how-to-trace-company-ownership-using-public-records/).
  • Company → registered agent → sibling companies on the same agent and date.
  • Company → address → co-located entities via county commercial filings.
  • Company → litigation via PACER and state dockets, which often expose contracts, relationships, and sworn statements.
  • Company → real property via county recorders.

See /tools/company-registry/ for the operational detail.

Image Pivots

A single image can pivot to:

  • Where it has appeared before via reverse image search on Yandex, Google Lens, TinEye — see /tools/reverse-image/.
  • Embedded metadata — EXIF with GPS, timestamps, device identifiers. See /tools/metadata/.
  • Landscape features — geolocation via visible landmarks, signage, or vegetation.
  • Chronolocation — sun angle and shadow direction constrain time and date.
  • Face identity via reverse-face search services (PimEyes; use carefully, jurisdiction-dependent).

Bellingcat's published geolocations are a training library for image pivoting. Investigations like the Epstein Revealed investigation series use the same techniques against archival photographs rather than current news imagery.

Phone Number Pivots

  • Phone → carrier and line type via free lookup services (useful to distinguish mobile from VoIP).
  • Phone → account registration on platforms that expose whether a phone is linked (Signal, WhatsApp, Telegram have varying privacy settings).
  • Phone → directory history via legacy phonebook and people-search sites.
  • Phone → corporate filings — sometimes disclosed as company contact numbers on formation documents.

Phone pivots in the US are weaker than a decade ago; carriers and platforms have tightened disclosure. Outside the US, capability varies.

IP Address Pivots

  • IP → hosting provider and ASN via whois/rDAP.
  • IP → domains via reverse-DNS (passive DNS via SecurityTrails, DNSTwister).
  • IP → exposed services via Shodan and Censys.
  • IP → geolocation at coarse resolution; precision marketing claims are usually wrong.

Pivot Hygiene

Every pivot belongs in the collection log:

2026-03-26T14:10Z | j.lin@meridianholdings.example (input) | WHOIS historical | registrant org "Meridian Holdings LLC" | confidence: high | source: domaintools snapshot 2020-11-02 archived at archive.org/...

Without this record, analysts cannot audit your chain, reviewers cannot reproduce it, and you cannot reconstruct your own reasoning three weeks later.

Dead Ends

Most pivot chains terminate without a strong result. That is success, not failure — it tells you where the investigation cannot go. The investigators who produce the most aggressive findings are usually the ones who did not recognize a dead end.

Mark dead ends explicitly. A chain with "no further public-records signal after 2022" is a reportable finding.

Confirmation Bias

Pivoting rewards the hypothesis you already have. Every pivot tends to surface corroborating evidence because you chose it with the hypothesis in mind.

Guardrails:

  • Run one pivot chain testing the opposite hypothesis for every chain testing your working one.
  • Before concluding, list what evidence would falsify the finding. If none exists, your finding is not falsifiable.
  • Have a colleague review the pivot log with the question "where could I have been wrong?"

A Full Chain

A realistic journalism pivot chain:

  1. Tip: "Sarah Lin runs a shell company out of Delaware."
  2. Pivot: "Sarah Lin" in Delaware registry → nothing (Delaware does not disclose members).
  3. Pivot: "Sarah Lin" in SEC EDGAR full-text → Form D filing for "Meridian Holdings LLC."
  4. Pivot: Meridian Holdings LLC in Delaware registry → registered agent, formation date, nothing else.
  5. Pivot: Registered agent + formation date → sibling shells filed same day (via OpenCorporates agent search).
  6. Pivot: Sibling shells → one foreign-qualified in NY, discloses officer address.
  7. Pivot: NY address → PACER search returns civil litigation against "Sarah Lin individually."
  8. Pivot: PACER complaint → exhibits include bank records naming "Lin Capital Partners LLC."
  9. Pivot: Lin Capital Partners in UK Companies House → PSC filing names Sarah Lin as 75%+ owner.
  10. Pivot: PSC record → date of birth and correspondence address.

Ten pivots, one named individual, full chain of public-source support. The chain is defensible because every step is logged, every source is archived, and the confidence level at each step is recorded.

The Skill

Pivoting is not a trick list. It is a way of thinking about public records as a connected graph. Investigators who internalize the graph — who know, without looking, that SEC Form D will name executives that Delaware hides, that UK PSC registers disclose what US state filings don't, that historical WHOIS often contains what current WHOIS masks — move faster than investigators who work one source at a time.

Build the graph in your head by working the methodology framework end to end on real cases. The map gets denser with every investigation.

More from the blog