Dark Web Scanning

Last updated: December 19, 2025

Dark Web Scanning monitors known breach sources and underground marketplaces to identify exposed credentials and compromised identity data associated with an organization. This capability helps organizations detect exposure early and reduce the risk of credential abuse, account takeover, and downstream compromise.

This article explains what Dark Web Scanning does, how monitoring works, what data is collected, how often scans run, and how to interpret results.


What Dark Web Scanning Does

Dark Web Scanning continuously searches curated breach intelligence sources for evidence that organizational identities or assets have been exposed.

It is commonly used to:

  • Detect leaked credentials and identity data

  • Monitor corporate brands and domains for exposure

  • Identify recurring or high-risk exposure patterns

  • Support identity hygiene and remediation workflows

  • Complement vulnerability and configuration scanning

Dark Web Scanning focuses on identity exposure, not endpoint or network vulnerabilities.


Execution Model

  • Execution: Cyrisma internal cloud service

  • Agent requirement: None

  • Credential usage: None

Dark Web Scanning does not interact with customer infrastructure and does not require scan agents, credentials, or network access.


Dark Web Monitoring Models

Cyrisma supports two complementary monitoring models:

Domain Monitoring

Domain Monitors provide broad coverage for organizational exposure.

For each Domain Monitor:

  • One Company Name is specified

  • One Domain Name is specified

The platform searches dark web sources for matches against both the company name and the domain name to identify exposure related to the organization.

Domain monitoring is intended to capture:

  • Corporate email addresses under the monitored domain

  • Brand or company-name–related exposure

  • Breach data broadly associated with the organization

This is the primary monitoring method and should be configured for all customer domains.


Email Address Monitoring

Email Address Monitors provide targeted monitoring for specific email addresses.

Email monitors are intended for:

  • Email addresses outside the scope of configured domain monitors

Important clarification:

  • Email addresses using a domain already covered by a Domain Monitor do not require a separate Email Address Monitor, as they are already included in domain-based monitoring.


Monitoring Frequency

  • Dark Web Monitoring runs automatically every 24 hours

  • Newly discovered exposure data is surfaced as it becomes available

  • Monitoring is continuous and does not require manual scheduling


Data Collected

Dark Web Scanning reports exposure indicators only, including:

  • Email addresses associated with monitored domains or email monitors

  • Usernames (where available)

  • Exposure categories (e.g., password, username, name, phone, location, IP address)

  • Breach source references

  • Last-seen timestamps for observed exposure

The scan does not validate credentials against live systems and does not collect endpoint, network, or application data.


Understanding Dark Web Results

Dark Web results are presented in aggregated and detailed views to help teams prioritize response.

Key indicators include:

  • Total number of breaches – overall exposure volume

  • Most dangerous breach category – highlights the highest-risk exposure type (commonly passwords)

  • Breach type distribution – shows what types of data are most frequently exposed

  • Victim accounts – identifies impacted email addresses

  • Number of findings – indicates repeated exposure for the same account

  • Last seen – shows when exposure data was most recently observed

Findings indicate historical exposure, not confirmation of active compromise.


Interpreting Risk Correctly

  • Exposure does not guarantee credentials are still valid

  • Older breaches may involve outdated or changed passwords

  • Repeated findings for the same account increase the likelihood of risk

  • Password-related exposure should be treated as highest priority

Dark Web results should be treated as risk signals that guide remediation actions.


Best Practices for Using Dark Web Scanning

  • Configure Domain Monitors for all customer domains

  • Use Email Address Monitors only for addresses not covered by domain monitoring

  • Prioritize password-related exposure first

  • Focus on accounts with multiple or recent findings

  • Reset passwords and enforce MFA for impacted users

  • Review access privileges for exposed accounts
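
The prioritization described above can be applied to a list of findings as in the following added example, which is not Cyrisma code and does not use a Cyrisma export format. The field names, the sample records, and the exact tie-break order (password exposure, then number of findings, then last seen) are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample findings. Field names are assumptions for illustration,
# not a Cyrisma export format.
FINDINGS = [
    {"email": "alice@example.com", "category": "password", "last_seen": "2025-11-30"},
    {"email": "alice@example.com", "category": "username", "last_seen": "2024-02-10"},
    {"email": "bob@example.com", "category": "phone", "last_seen": "2025-12-01"},
    {"email": "carol@example.com", "category": "password", "last_seen": "2021-06-15"},
    {"email": "Bob@example.com", "category": "location", "last_seen": "2023-03-03"},
    {"email": "dave@example.com", "category": "name", "last_seen": "2025-12-10"},
]


def triage(findings):
    """Aggregate findings per victim account and return them in review order."""
    accounts = defaultdict(
        lambda: {"categories": set(), "findings": 0, "last_seen": date.min}
    )
    for f in findings:
        # Assumption: addresses differing only in case are the same mailbox.
        acct = accounts[f["email"].strip().lower()]
        acct["categories"].add(f["category"])
        acct["findings"] += 1
        acct["last_seen"] = max(acct["last_seen"], date.fromisoformat(f["last_seen"]))

    ranked = [
        {
            "email": email,
            "password_exposed": "password" in a["categories"],
            "findings": a["findings"],
            "last_seen": a["last_seen"],
        }
        for email, a in accounts.items()
    ]
    # Assumed ordering: password exposure first, then repeated findings,
    # then the most recent last-seen date.
    ranked.sort(
        key=lambda r: (r["password_exposed"], r["findings"], r["last_seen"]),
        reverse=True,
    )
    return ranked


if __name__ == "__main__":
    for row in triage(FINDINGS):
        flag = "PASSWORD" if row["password_exposed"] else "other"
        print(f'{row["email"]:<20} {flag:<9} findings={row["findings"]} last_seen={row["last_seen"]}')
```

The output is a review order only. As noted above, a finding indicates historical exposure and the ranking does not confirm that any credential is still valid.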