
Introduction to Maltego Machines

Modified on: Wed, 23 Aug, 2023 at 9:07 PM

IMPORTANT: Maltego Machines are macros written using the Maltego Scripting Language - a custom scripting language developed to allow any user to build their own Machines.


Maltego Machines help analysts and researchers to streamline workflows and decrease the amount of manual work involved during a Maltego investigation, allowing users to speed through the process of data collection and allocate more time to analyzing an automatically populated graph.

To fully understand Maltego Machines, please read more on our website. We have put together an in-depth guide for our users in the form of a series of articles that not only explain the functionality of Machines, but also showcase their functions.

What are Maltego Machines?

Maltego Machines represent the automation of the Transform running process.

Maltego Machines are macros in the Maltego Desktop Client that run multiple Transforms on a data set. These macros are written using the Maltego Scripting Language—a custom scripting language developed to allow any user to create their own Machines.

Depending on the script, Machines can run Transforms both in parallel and sequentially. Users can run multiple Transforms on the same data Entity or run a series of Transforms from one data output to another—or perform both simultaneously.

Figure 1: Nodes with the same color are results of the same Transform. The number indicates the order in the Transform sequence of the Machine.

As the Machine runs, investigators can use that time for other tasks and preparation. Once the Machine is done, users will see a fully populated graph, the results of which they can begin to analyze.

By standardizing processes and implementing automations, both large investigative teams and individual analysts can allocate their time more efficiently and, thus, establish more streamlined workflows.

Maltego Machines are best used to simplify and automate repetitive or standardized investigation processes, specifically the process of data collection and data mapping.

This automation provides two main advantages: saving investigators’ time and lowering the barrier to investigation.

Machines Save Time

Let’s assume that you are a cybersecurity analyst and one of your routine tasks is to perform infrastructure footprinting to analyze and identify potential indicators of compromise (IoCs) in the organization’s network. If you must manually run over a dozen Transforms each time you create a network footprint, the task will not only become time-consuming, but tedious.

This is where Machines come in. Machines are created to automate this type of standardized process. As the Machine does its work, investigators can utilize the time for other tasks and preparation. After the Machine has run, an investigator can come back to a fully populated graph and begin analyzing the results.

By standardizing processes and implementing automations, both large investigative teams and individual analysts can allocate their time more efficiently and establish more streamlined workflows.

Machines Lower the Barrier for Non-Technical Investigators

Another advantage that Maltego Machines provide is lowering the barrier of investigation for non-technical investigators and newcomers to the analyst profession.

It is common to have a mixture of technical and non-technical investigators with varying degrees of experience working together in analyst teams. Although Maltego is designed for all types of investigators, a fast onboarding process depends largely on elements such as the maturity and size of the team.

By setting up Machines for standardized processes, investigation teams can ensure that their novice as well as advanced members are able to conduct important data mapping and link analysis tasks easily and independently.

Maltego Enterprise Machines

Read our documentation page on Maltego Enterprise Machines for a comprehensive overview as well as a list of Maltego Machines exclusively available to Maltego Enterprise users. 

Built according to standard and common workflows used in cybersecurity, cybercriminal, and social media investigations, these Enterprise Machines allow investigators to quickly gather fundamental data points, thus finishing the groundwork of their investigations in a few clicks.

Which Types of Machines are Available in Maltego?

There are three types of Machines available in the Maltego Desktop Client:

  • Pre-Installed OSINT Machines
  • Third-Party Machines
  • Custom Machines

Pre-Installed OSINT Machines

Maltego comes with a set of pre-installed Machines that are built with Maltego Standard Transforms. These Machines are free to use for all Maltego users and they query OSINT data to perform tasks like network footprinting.

Below, you will find a list of all pre-installed Maltego OSINT Machines:

  • Company Stalker

This Machine will try to get all email addresses tied to a domain and then see which resolve to social networks. It also gets documents and extracts metadata.

  • Find Wikipedia Edits 

This Machine takes a domain and looks for possible Wikipedia edits. 

  • Footprint L1 

This performs a level 1 (fast, basic) footprint of a domain. 

  • Footprint L2 

This performs a level 2 (mid) footprint of a domain. 

  • Footprint L3 

This performs a level 3 (intense) footprint on a domain. It takes a while and eats resources. Use with care. 

  • Footprint XXL 

This Machine is built to work on really large targets that are hosting their own infrastructure. It tries to obtain the footprint by looking at SPF records hoping for netblocks as well as reverse delegated DNS to their name servers. It is very important to look at what the userfilter is presenting you; otherwise you will find false positives. This Machine can result in massive graphs, so please 1) be patient and 2) have lots of RAM.

  • Person – Email Address 

Tries to obtain someone's email address and sees where it's used on the Internet. 

  • URL to Network and Domain Information 

From URL To Network and Domain Information

Third-Party Machines

Besides the pre-installed Machines, Maltego integrates with a variety of third-party free and paid data sources. Some of these data integrations—RiskIQ PassiveTotal and Farsight DNSDB, and many more—come with Machines created by the integration developers.

Users who have API keys or subscriptions to the data integrations will be able to access these Machines upon installation of the Hub items.

Below, you will find a list of all Machines from Free-Tier Data Integrations & Transform Hub items:

RiskIQ PassiveTotal

  • Certificate Explorer

This Machine will take an IP address as an input to quickly explore certificate connections based off of detail information and IP overlap.

  • Child Pair Enrichment

This Machine will take a Domain Entity as an input and prune enrichment Transform to allow for only displaying Tags.

  • Domain Analysis

This Machine will pull all relevant information from PassiveTotal about a given domain.

  • [PT] Get Dynamic Status
  • [PT] Get Whois Details
  • [PT] Get Passive DNS
  • [PT] Get Subdomains

  • Domain Explorer

Pulls all relevant information from PassiveTotal about a given domain and all second order connections.

  • Google Tracker ID Enrichment

Quickly enriches domain associations from Google Tracker IDs.

  • IP Analyzer

Brings together PassiveDNS, SSL Certificate, and Enrichment data for a single IP address.

  • IP Explorer

Rapidly build out second order connections and enrichment data for a given IP address.

  • Parent Pair Enrichment

Gets Parent Pair associations for a domain, enriches the domains, and prunes unwanted Entities.

  • SSL Enrichment

Takes SSL Cert Hash, gets all IP address associations, IP to associations, enriches all entities, and prunes unnecessary results.


  • To Similar Images and To Pages

Executes To similar pages and To pages linking to image TinEye Transforms.


  • MISP Event to All

Automatically expands MISP Objects to their attributes.

  • To Attribute & Object Attributes

Also automatically expands MISP Objects to their attributes.

Have I Been Pwned?

  • @haveibeenpwned v3 Alias

Checks to see whether an alias has been listed as breached by @haveibeenpwned API v3.

  • @haveibeenpwned v3 Email Address

Checks to see whether an e-mail address has been listed as breached by @haveibeenpwned API v3.

  • @haveibeenpwned v5 Pwned Password

Finds the k-anonymity of "Pwned Passwords" v5.

Farsight DNSDB

  • DNSDB Enumerate Domain

Takes a domain Entity, pulls all known hostnames, MX, NS, TXT, grabs IPs for *.domain -> Netblocks -> ASN.

Custom Machines

Finally, Maltego allows users to create their own Machines. With just a few lines of code, investigators can easily build Machines for their standardized investigative processes.
