Quick answer
Company due diligence is a layered evidence problem.
A company profile is not solved by one database. Good OSINT separates legal identity, ownership clues, officer roles, sanctions context, litigation, procurement, web footprint, archived claims, and source quality. Each layer can support or weaken a conclusion, but none should be treated as universal truth.
- Start with identity: exact legal name, jurisdiction, registration number, aliases, and current status.
- Use direct records first: Companies House, SEC EDGAR, CourtListener, official registries where available.
- Add network context: OpenCorporates, Aleph, OpenSanctions, OpenOwnership, LittleSis, OpenSecrets.
- Check web footprint: Wayback Machine, urlscan.io, SecurityTrails, WHOIS workflow, and archived public claims.
Recommended due diligence stack
Legal identity
OpenCorporates, Companies House, SEC EDGAR
Use to establish the exact entity before investigating claims. Names collide, companies change status, and jurisdictions use different filing systems.
Best for: registration, filings, jurisdiction, officer clues
Networks and risk
Aleph, OpenSanctions, LittleSis
Useful for building leads around people, entities, sanctions references, public datasets, and relationship maps. These are leads that need source-level review.
Best for: entity resolution, sanctions context, networks
Legal and public context
CourtListener, OpenSecrets, Wikidata
Useful in specific jurisdictions and research questions. Legal mentions, political-money records, and structured public references need careful context.
Best for: litigation leads, political-money context, structured references
Web footprint
Wayback Machine, urlscan.io, SecurityTrails
Use to see how a company described itself, where domains pointed, what changed, and whether public claims align with records.
Best for: historical claims, domain history, public web presence
Due diligence sequence
- Confirm exact entity identity before following people, addresses, domains, or brand names.
- Collect direct registry and filing records, then note jurisdiction, filing date, and status.
- Separate ownership, officer, director, shareholder, and contact roles instead of merging them into one relationship.
- Check sanctions, litigation, procurement, press, web footprint, and archive clues as independent layers.
- Look for contradictions: claimed headquarters, old domains, changed names, dissolved entities, shell-like patterns, or unsupported marketing claims.
- Write risk language carefully: evidence of a filing is not proof of wrongdoing, control, fraud, or beneficial ownership.
What evidence can and cannot say
Registry data
Can identify formal records. It may be stale, incomplete, jurisdiction-specific, or limited to official self-reported fields.
Officer names
Can show roles. They do not automatically prove ownership, operational control, or current involvement.
Sanctions and watchlist data
Can flag sensitive context. A name match on its own is not an identification: it still requires entity resolution, dates, identifiers, and source review.
Web history
Can preserve claims and changes. It does not prove that a claim was true when published.
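The name-matching caveat above, as added example code (not from the original guide or any of the tools it lists): a watchlist hit stays a lead until jurisdiction and registration number agree, and a differing identifier is recorded as a conflict. The Entity fields, suffix list, grade labels, and sample records are assumptions constructed for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Legal-form suffixes dropped for comparison only (illustrative, not exhaustive).
SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "gmbh", "plc"}

@dataclass(frozen=True)
class Entity:
    name: str
    jurisdiction: Optional[str] = None   # e.g. "gb"
    reg_number: Optional[str] = None     # registry identifier
    incorporated: Optional[str] = None   # ISO date, YYYY-MM-DD

def normalize_name(name: str) -> str:
    """Casefold, strip accents and punctuation, drop trailing legal suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    tokens = re.sub(r"[^\w ]+", " ", text).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def _compare(a: Optional[str], b: Optional[str]) -> Optional[bool]:
    """True/False when both values are known, None when either is missing."""
    if a is None or b is None:
        return None
    return a.strip().casefold() == b.strip().casefold()

def grade_match(subject: Entity, candidate: Entity) -> str:
    """Return 'no_match', 'conflict', 'lead' or 'identifier_match'."""
    name = normalize_name(subject.name)
    if not name or name != normalize_name(candidate.name):
        return "no_match"
    juris = _compare(subject.jurisdiction, candidate.jurisdiction)
    reg = _compare(subject.reg_number, candidate.reg_number)
    date = _compare(subject.incorporated, candidate.incorporated)
    if False in (juris, reg, date):
        return "conflict"          # same name, differing identifier: likely another entity
    if juris and reg:
        return "identifier_match"  # strongest grade here; still needs source review
    return "lead"                  # name only, or partial identifiers

# Constructed sample records (not real companies or real list entries).
SUBJECT = Entity("Northgate Trading Ltd", "gb", "01234567", "2011-03-14")
NAME_ONLY = Entity("NORTHGATE TRADING LIMITED")
OTHER_FIRM = Entity("Northgate Trading LLC", "us-de", "7654321")
SAME_FIRM = Entity("Northgate Trading, Limited", "GB", "01234567")
```

Even an identifier_match only says the records describe the same registered entity; what the listing means is a separate question for source review.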
Legal caveat
This is a research guide, not legal, compliance, investment, or due diligence advice. Sensitive findings should be reviewed against primary sources and appropriate professional standards before action.