DefenceCore vs Flowsint: Hosted Enrichment or Self-Hosted Graph for OSINT Investigations?
Quick answer
DefenceCore and Flowsint solve adjacent problems in opposite ways. Flowsint is an open-source, self-hosted, graph-based investigation platform — you run it yourself, bring your own data sources and API keys, and visually map relationships between entities. DefenceCore is a hosted enrichment service — you send one identifier and get back linked accounts, breach exposure, carrier data, and a risk score, with the data sources already wired in. Choose Flowsint if you want full control, no per-lookup cost, and a team that can self-host and integrate sources. Choose DefenceCore if you want enriched answers immediately, with abuse safeguards and data sources handled for you, and no infrastructure to maintain.
In practice many investigators use both: Flowsint as the canvas that maps the case, DefenceCore as an enrichment source that fills each node with data.
What each tool is
Flowsint (flowsint.io) is an open-source, graph-based OSINT investigation platform built in TypeScript and licensed under Apache-2.0, with roughly 6,000 GitHub stars as of mid-2026. It lets investigators explore relationships between entities — domains, IPs, emails, phone numbers, people, organizations — visually on a graph. It is self-hosted, integrates with the n8n automation ecosystem, and grows through open-source credibility: GitHub, a Discord community, and organic coverage from security bloggers and YouTubers. Flowsint is the canvas and the engine; the data that fills it depends on the sources and API keys you connect.
DefenceCore (defencecore.com) is a hosted identifier-enrichment tool for defenders. You send a single identifier — phone number, email, username, IP, or name — and it returns the connected picture: linked accounts and profiles, breach appearances, carrier or domain data, and an exposure/risk score, within legal and consent bounds. The data sources are already integrated, there is nothing to host, and abuse safeguards are built in. DefenceCore is the enrichment that produces the data; it is not, by itself, a graph canvas.
These are complements as much as competitors. The real comparison is build-and-host versus buy-and-call.
Side-by-side comparison
| Dimension | DefenceCore | Flowsint |
|---|---|---|
| Model | Hosted enrichment service (SaaS) | Open-source, self-hosted platform |
| License / cost | Free self-scan + paid professional tier | Free, open source (Apache-2.0) |
| What it produces | Enriched data: linked accounts, breaches, carrier/domain, risk score | A relationship graph you populate from your own sources |
| Data sources | Pre-integrated, within legal/consent bounds | Bring your own (your API keys and connectors) |
| Setup | None — use immediately | Self-host, configure, integrate sources |
| Visual link analysis | Enrichment-focused output | Core strength — visual entity graph |
| Automation | Enrichment call / API | n8n integration ecosystem |
| Maintenance | Managed for you | You run and update it |
| Abuse safeguards | Built-in intent screening, defender framing | Up to the operator |
| Best for | Fast, defensible answers with zero infra | Teams wanting full control and a visual case map |
Note: Flowsint's open-source figures (stars, license, language) reflect its public GitHub repository and may change. The total cost of running Flowsint depends on the third-party data sources and API keys you connect to it.
Where DefenceCore is the better fit
1. You want enriched answers now, not an infrastructure project. Flowsint is powerful, but it is software you stand up, configure, and feed with your own data connectors. DefenceCore is a call you make today. For a fraud or Tier 2/3 SOC analyst who needs the connected picture on a single identifier in seconds, the hosted model removes the setup tax entirely.
2. You don't want to source and maintain your own data feeds. The hidden cost of a self-hosted graph is the data: Flowsint maps relationships, but the quality depends on the sources you wire in and keep paying for. DefenceCore ships with enrichment sources already integrated within legal and consent bounds, so the "where does the data come from" problem is solved before you start.
3. You need abuse safeguards baked in. With a self-hosted tool, intent screening and abuse controls are entirely on the operator. DefenceCore builds defender framing and intent screening into the product — the controls a CISO or Trust & Safety lead expects to see before approving an OSINT capability.
4. Your team isn't resourced to self-host. Not every fraud team has the engineering capacity to deploy, secure, and maintain a self-hosted TypeScript platform. DefenceCore requires none of that.
Where Flowsint is the better fit
1. You want full control and no per-lookup cost. Open source means you own the deployment, can read and modify the code, and pay nothing for the platform itself. For privacy-sensitive work or budget-constrained teams comfortable with self-hosting, that control is the entire point.
2. Visual link analysis is central to your cases. Flowsint's graph canvas — mapping how domains, IPs, emails, phone numbers, people, and organizations connect — is its core strength. If you think in relationship maps, it is purpose-built for that.
3. You want to automate across many services. The n8n integration opens Flowsint to a large automation ecosystem, useful for teams building custom investigation pipelines.
4. You prefer auditable, open-source tooling. When you must inspect exactly what a tool does — for legal, compliance, or trust reasons — open source is an advantage a hosted service can't match.
The strongest setup: use both
Flowsint and DefenceCore are not really a head-to-head choice for most investigators. Flowsint is the canvas — the place you lay out a case and see how entities connect. DefenceCore is an enrichment source — the thing that fills each node with linked accounts, breach exposure, and carrier data.
A practical workflow:
- Drop the starting identifier (a phone number, say) into Flowsint as the root node.
- Enrich it through DefenceCore to surface linked accounts, breaches, and carrier data.
- Add those results as new nodes and pivot — letting the graph grow while DefenceCore supplies the data behind each pivot.
You get Flowsint's control and visualization plus DefenceCore's ready-made, defensible enrichment.
Frequently asked questions
Is DefenceCore an alternative to Flowsint? They overlap but optimize differently. Flowsint is an open-source, self-hosted investigation graph you populate with your own data sources. DefenceCore is a hosted enrichment service with sources already integrated. If you want a no-setup way to enrich identifiers, DefenceCore is the alternative to standing up and feeding a self-hosted graph. If you want a visual canvas you control, Flowsint is the alternative to a managed service.
Is Flowsint free and is DefenceCore free? Flowsint is free and open source (Apache-2.0), though running it incurs the cost of the third-party data sources and hosting you connect. DefenceCore offers a genuinely free self-scan as its entry point, with a paid professional tier for full investigation depth.
Can I use DefenceCore and Flowsint together? Yes — that is often the strongest setup. Use Flowsint as the relationship graph and DefenceCore as the enrichment source that fills each node with linked accounts, breach exposure, and carrier data.
Which is better for a team without engineering resources? DefenceCore. Flowsint must be self-hosted, configured, and supplied with data connectors, which assumes engineering capacity. DefenceCore is a hosted service you can use immediately.
Do either of these tools require connecting my own data sources? Flowsint, generally yes — you bring your own connectors and API keys, and data quality depends on them. DefenceCore ships with enrichment sources pre-integrated within legal and consent bounds, so you don't assemble the data layer yourself.
Try the enrichment with zero setup
The fastest way to see what DefenceCore adds to an investigation is to run it on an identifier you already know — no install, no self-hosting, no data connectors to configure. Run a free self-scan and see the linked accounts, breach appearances, and exposure signals a single identifier reveals.