Phase 4

Reporting

Communicate what the evidence supports, mark what it does not, and preserve the chain back to every source cited.

Reporting is where the investigation becomes useful to somebody other than the investigator. It is also where the discipline of the previous three phases pays out, or where it is squandered. A report that overstates its findings burns the investigator's credibility. A report that buries a clear finding in hedges fails its audience. The task is to communicate exactly what the evidence supports — no more, no less — and to preserve the path back to source so that a reader can verify every claim without the investigator's help.

Know your reader

The single most important question before drafting is: who is this for, and what decision will they make with it? The same evidence becomes a different report depending on whether the consumer is a judge weighing admissibility, an editor deciding whether to publish, a compliance committee onboarding a counterparty, or a public audience assessing accountability.

A legal memo requires explicit citation to authority, a clean chain of custody, and hedged language that accurately reflects evidentiary limits. A news article requires a lead that conveys the finding and a narrative that guides a general reader through the evidence. A compliance report requires structured fields, defined risk ratings, and a record of the sources checked. Do not write a single report in the hope it will serve every audience; pick one and write it properly.

The structure of a defensible report

Regardless of audience, a defensible OSINT report contains the same sections in some order:

  • Intelligence requirement as stated at the planning phase, with any documented scope changes.
  • Summary of findings, each one graded by evidentiary weight and hedged to match.
  • Evidence for each finding, cited to a specific artefact in the collection log — not to a live URL.
  • Alternative explanations considered, and what evidence (if any) would change the conclusion.
  • Gaps and limitations — the claims the evidence does not support, and why the investigation did not close them.
  • Methodology note — what sources were queried, what was out of scope, and what tooling was used.
  • Annex of exhibits, or an index into the collection log.

A reader who reaches the end of the report should be able to answer: what did the investigator find, how strong is the basis for each finding, and what alternative explanations remain on the table.

Evidentiary language

The vocabulary of honest reporting is narrow. Use it consistently:

  • "The records show..." when citing a primary document.
  • "According to [source]..." when citing secondary reporting.
  • "Open sources indicate..." when drawing an inference from multiple corroborating sources.
  • "The evidence is consistent with..." when a finding is supported but not dispositive.
  • "The evidence does not establish..." for claims that could not be substantiated.

Avoid language that asserts certainty the evidence does not support. "X is the owner" is an assertion; "Registry records filed on [date] list X as the ultimate beneficial owner" is a citation. The second survives scrutiny; the first invites it.

Preserving the chain

Every cited claim in the report should resolve, through a footnote or an endnote, to an artefact in the collection log. The artefact in turn resolves to an archival URL, a hash, a timestamp, and the investigator's capture notes. A reader — or a hostile reviewer — should be able to travel from a sentence in the report to the exact captured page that supports it in under a minute.

This is the single most important quality differentiator in OSINT reporting. Work that preserves the chain back to source is checkable, defensible, and re-usable. Work that does not is trivia.

Responsible disclosure and harm

Before publication, weigh the harm of publishing against the public interest. Some findings name natural persons whose involvement is incidental; some expose security weaknesses that can be exploited; some touch on victims who have not consented to further visibility. Standard practice:

  • Redact or anonymise data on minors, victims, and bystanders whose presence is incidental to the finding.
  • Hold technical findings (exposed credentials, vulnerable systems) for responsible disclosure to the affected party before publication.
  • Offer subjects of significant findings a right of reply in advance of publication, where safe and feasible.
  • Distinguish between private facts and public conduct; the latter is generally fair game, the former generally is not.

The ethics and legal framework goes into each of these in more depth. Reporting is the phase where those principles become decisions with names attached.

Tools relevant to this phase

  • The Subthesis legal document analysis tool for consolidating long evidence trails into structured summaries.
  • Report templates and citation formats from the resources library.
  • Hashing utilities for exhibit integrity; keep the hashes produced at the collection phase and reference them in the annex.

Common pitfalls

Burying the lede. The reader does not want a narrative of your investigation; they want the finding. Open with the finding, then justify it.

Over-claiming. The evidence supports a specific conclusion; the draft says something broader. Edit down, not up.

Under-claiming. The evidence clearly supports a finding, but the draft hedges past the point of usefulness. Clarity is not the enemy of rigour; vagueness is.

Losing the chain. Citing a live URL that will die, instead of the archive captured during collection. The citation should point at an artefact whose integrity you control.

Publishing without internal review. A second reader, ideally adversarial, catches errors that the investigator is blind to by this point in the work.

Deliverables checklist

By the end of reporting you should have:

  • A report tailored to a named audience, with language matched to their standard of proof.
  • A findings section where every claim is graded and hedged honestly.
  • A citation apparatus that resolves every claim to a preserved artefact.
  • An explicit limitations section.
  • A preserved exhibit archive, hashed and stored independently of the live web.
  • A record of responsible-disclosure decisions, including any redactions applied and why.

When the report is delivered, the investigation is not quite finished. Preserve the full artefact set for the retention period appropriate to the domain — typically several years — so that challenges or follow-ups can be addressed from the evidence, not from memory.

Previous phase: Analysis. Return to the methodology overview.