Dark Web Monitoring Domain

Category: API Domains
Last Updated: Feb 24, 2026
Tags: api-domains, real-time

Overview

A security team discovers that an employee's corporate email address has appeared on a dark web forum alongside what appears to be a credential dump. By the time a human analyst finds the post, the data may already have been exploited. The Dark Web Monitoring domain runs continuous background scanning across dark web sources so that the first alert fires minutes after a credential appears, not days.

This is the difference between discovering a breach before attackers exploit it and discovering it after.

Key Features

  • Keyword tracking for emails, phone numbers, names, credit cards, SSNs, and IP addresses.
  • Source scanning across pastebins, forums, marketplaces, breach databases, onion sites, Telegram, and IRC.
  • Alert lifecycle management from NEW through ACKNOWLEDGED, IN_PROGRESS, and RESOLVED.
  • Severity classification for detected matches.
  • Graph relationship modelling linking alerts to matched keywords and discovery sources.
  • Organisation-scoped keyword and alert management.
  • Dual-database persistence for transactional and graph-based analysis.
  • Configurable source selection per organisation.

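The keyword tracking, severity classification and alert lifecycle listed above, as an added Python illustration that is not the product's code. The regular expressions, the severity policy, the strictly forward NEW to ACKNOWLEDGED to IN_PROGRESS to RESOLVED lifecycle, and the sample keywords and forum post are all assumptions made for the example.

```python
# Added illustration (not the product's code): keyword tracking over a scraped
# post, severity classification, and the NEW -> ACKNOWLEDGED -> IN_PROGRESS ->
# RESOLVED lifecycle. Regexes, severity policy and sample data are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class KeywordType(str, Enum):
    EMAIL = "EMAIL"
    PHONE = "PHONE"
    NAME = "NAME"
    CREDIT_CARD = "CREDIT_CARD"
    SSN = "SSN"
    IP_ADDRESS = "IP_ADDRESS"


class AlertStatus(str, Enum):
    NEW = "NEW"
    ACKNOWLEDGED = "ACKNOWLEDGED"
    IN_PROGRESS = "IN_PROGRESS"
    RESOLVED = "RESOLVED"


# Assumed lifecycle: strictly forward, one step at a time, no reopening.
TRANSITIONS = {
    AlertStatus.NEW: {AlertStatus.ACKNOWLEDGED},
    AlertStatus.ACKNOWLEDGED: {AlertStatus.IN_PROGRESS},
    AlertStatus.IN_PROGRESS: {AlertStatus.RESOLVED},
    AlertStatus.RESOLVED: set(),
}
# Assumed severity policy: data that enables direct fraud outranks contact details.
SEVERITY = {KeywordType.CREDIT_CARD: "CRITICAL", KeywordType.SSN: "CRITICAL",
            KeywordType.EMAIL: "HIGH", KeywordType.PHONE: "MEDIUM",
            KeywordType.IP_ADDRESS: "MEDIUM", KeywordType.NAME: "LOW"}
NUMERIC_KINDS = {KeywordType.PHONE, KeywordType.CREDIT_CARD, KeywordType.SSN}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NUMERIC_RE = re.compile(r"\d[\d ().-]{6,}\d")  # digit runs with common separators
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalise(kind: KeywordType, value: str) -> str:
    """Canonical form, so '4111-1111-1111-1111' matches '4111 1111 1111 1111'."""
    if kind in NUMERIC_KINDS:
        return re.sub(r"\D", "", value)
    return " ".join(value.lower().split())


@dataclass(frozen=True)
class Keyword:
    org_id: str  # organisation scope; every alert inherits it
    kind: KeywordType
    value: str


@dataclass
class Alert:
    org_id: str
    keyword: Keyword
    source: str
    severity: str
    status: AlertStatus = AlertStatus.NEW

    def transition(self, new_status: AlertStatus) -> bool:
        """Apply a lifecycle step; returns False and leaves the state unchanged if not allowed."""
        if new_status not in TRANSITIONS[self.status]:
            return False
        self.status = new_status
        return True


def scan_post(keywords: list[Keyword], source: str, text: str) -> list[Alert]:
    """Extract candidate values from one scraped post and match them against tracked keywords."""
    index = {(kw.kind, normalise(kw.kind, kw.value)): kw for kw in keywords}
    hits = set()
    for m in EMAIL_RE.findall(text):
        hits.add((KeywordType.EMAIL, normalise(KeywordType.EMAIL, m)))
    for m in NUMERIC_RE.findall(text):  # a digit run may be a phone, card or SSN
        hits.update((kind, re.sub(r"\D", "", m)) for kind in NUMERIC_KINDS)
    for m in IP_RE.findall(text):
        hits.add((KeywordType.IP_ADDRESS, m))
    lowered = " ".join(text.lower().split())
    hits.update(key for key in index if key[0] is KeywordType.NAME and key[1] in lowered)
    return [Alert(kw.org_id, kw, source, SEVERITY[kw.kind]) for key, kw in index.items() if key in hits]


# Constructed sample data (not real keywords or a real post).
SAMPLE_KEYWORDS = [
    Keyword("org-acme", KeywordType.EMAIL, "Alice.Smith@acme.example"),
    Keyword("org-acme", KeywordType.CREDIT_CARD, "4111 1111 1111 1111"),
    Keyword("org-acme", KeywordType.IP_ADDRESS, "203.0.113.7"),
    Keyword("org-globex", KeywordType.EMAIL, "bob@globex.example"),
]
SAMPLE_POST = ("combo list part 3\nalice.smith@acme.example:Winter2024!\n"
               "cc 4111-1111-1111-1111 exp 12/27\nsocks proxy 203.0.113.7:8080\n")

if __name__ == "__main__":
    for alert in scan_post(SAMPLE_KEYWORDS, "forum", SAMPLE_POST):
        alert.transition(AlertStatus.ACKNOWLEDGED)
        print(alert.org_id, alert.keyword.kind.value, alert.severity, alert.status.value)
```

Both the tracked keyword and every candidate pulled out of the post are normalised before comparison, so separators and letter case in a dump do not defeat a match. Alerts carry the organisation id of the keyword that fired, which is what an organisation-scoped query filters on, and a disallowed lifecycle step is rejected rather than silently applied.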
Use Cases

Corporate security teams monitor for leaked employee credentials on dark web forums and pastebins, receiving alerts within minutes of a credential appearing and initiating password reset and access review workflows before exploitation occurs.

Government agencies tracking mentions of sensitive personnel information across dark web sources receive alerts when names, identification numbers, or contact details of protected individuals are posted to monitored platforms.

Financial institutions detect compromised customer card data on dark web marketplaces, triggering card cancellation and fraud alert workflows faster than the customer would independently discover the compromise.

Critical infrastructure operators monitor for dark web discussions of vulnerabilities in their systems, operational technology, or physical security configurations, gaining early warning of threat actor reconnaissance activity.

Integration

Integrates with alert management, investigation, and notification domains. Supports background scanning via dedicated worker services.

Open Standards

  • OASIS STIX 2.1: Dark web findings, including indicators of compromise, threat-actor profiles, and matched credentials, are exported as STIX 2.1 (Structured Threat Information Expression) bundles for sharing with community threat intelligence platforms.
  • OASIS TAXII 2.1: Threat intelligence derived from dark web monitoring is distributed to and ingested from external platforms (OpenCTI, MISP) via the TAXII 2.1 (Trusted Automated eXchange of Intelligence Information) protocol.
  • TLP (Traffic Light Protocol): Exported STIX bundles carry TLP marking-definition labels (TLP:WHITE, TLP:GREEN, TLP:AMBER, TLP:RED) to control recipient handling and redistribution of sensitive dark web intelligence.
  • MISP REST API (v2.4): Matched indicators and credential leak records are shared with MISP (Malware Information Sharing Platform) instances via the MISP REST API for cross-organisation IOC correlation and community alerting.
  • GraphQL (June 2018 specification): All keyword management, source configuration, alert lifecycle operations, and real-time alert queries are exposed through a GraphQL API implemented with the Strawberry framework.
  • JSON Web Token (RFC 7519): Access to dark web monitoring endpoints is controlled by RS256-signed JWTs verified against a JWKS endpoint, enforcing per-organisation and per-tenant access boundaries.
  • WebSocket (RFC 6455): New dark web alerts are pushed in real time to authenticated dashboard clients over WebSocket via a publish/subscribe bridge, enabling immediate analyst notification without polling.

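How a matched credential might be exported as a STIX 2.1 bundle carrying a TLP marking definition, as an added example built with the Python standard library; it is not the product's exporter. The TLP marking-definition identifiers and the layout of the marking object are the ones fixed by the STIX 2.1 specification; the indicator fields chosen, the sharing-audience table and the sample matches are assumptions made for the example.

```python
"""Added illustration (not the product's exporter): a STIX 2.1 bundle for
matched credentials, marked with a TLP marking definition, using only the
standard library. Indicator fields, audience table and samples are assumptions."""
from __future__ import annotations

import json
import uuid
from datetime import datetime, timezone

# Marking-definition ids fixed by the STIX 2.1 specification (section 7.2.1.4).
TLP_MARKINGS = {
    "TLP:WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "TLP:GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "TLP:AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "TLP:RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
# Simplified TLP 1.0 audiences (assumption): how far each colour permits redistribution.
TLP_REACH = {"TLP:RED": 0, "TLP:AMBER": 1, "TLP:GREEN": 2, "TLP:WHITE": 3}
RECIPIENT_DISTANCE = {"same-team": 0, "own-organisation": 1, "sector-community": 2, "public": 3}


def may_redistribute(tlp: str, recipient: str) -> bool:
    """True if the marking allows passing the intelligence to this kind of recipient."""
    return RECIPIENT_DISTANCE[recipient] <= TLP_REACH[tlp]


def tlp_marking_object(tlp: str) -> dict:
    """The spec-defined marking-definition object a bundle must carry so that refs resolve."""
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": TLP_MARKINGS[tlp],
        "created": "2017-01-20T00:00:00.000Z",
        "definition_type": "tlp",
        "name": tlp,
        "definition": {"tlp": tlp.split(":")[1].lower()},
    }


def stix_timestamp(dt: datetime) -> str:
    """STIX timestamp: UTC, millisecond precision, trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def credential_indicator(email: str, source: str, tlp: str, now: datetime) -> dict:
    """An Indicator SDO whose STIX pattern names the leaked address; quotes are escaped."""
    escaped = email.replace("\\", "\\\\").replace("'", "\\'")
    ts = stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"Credential exposed on {source}",
        "description": "Corporate email address observed alongside a credential dump.",
        "indicator_types": ["compromised"],
        "pattern": f"[email-addr:value = '{escaped}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "object_marking_refs": [TLP_MARKINGS[tlp]],
    }


def build_bundle(matches: list, tlp: str, now: datetime | None = None) -> dict:
    """Bundle = the marking definition followed by one indicator per (email, source) match."""
    now = now or datetime.now(timezone.utc)
    objects = [tlp_marking_object(tlp)]
    objects += [credential_indicator(email, source, tlp, now) for email, source in matches]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def marking_refs_resolve(bundle: dict) -> bool:
    """Consistency check: every object_marking_refs entry points at a marking-definition in the bundle."""
    defined = {o["id"] for o in bundle["objects"] if o["type"] == "marking-definition"}
    return all(ref in defined for o in bundle["objects"] for ref in o.get("object_marking_refs", []))


# Constructed sample matches (not real data).
SAMPLE_MATCHES = [("alice.smith@acme.example", "forum"), ("o'brien@acme.example", "pastebin")]

if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_MATCHES, "TLP:AMBER")
    assert marking_refs_resolve(bundle)
    print(json.dumps(bundle, indent=2))
```

The marking definition travels inside the bundle rather than being assumed on the receiving side, so a consumer such as a TAXII server or MISP can resolve every object_marking_refs entry without prior knowledge of the producer; the resolve check is the kind of validation worth running before a bundle leaves the organisation. Escaping the address before it is interpolated into the STIX pattern matters because a leaked value is attacker-supplied text.
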
Last Reviewed: 2026-02-24
Last Updated: 2026-04-14
