Dark web monitoring is the continuous process of tracking underground forums, marketplaces, messaging channels and breach dumps to detect whether an organisation's credentials, data or brand have been exposed before an attacker uses them. For a company subject to NIS2 or GDPR, that early detection is the difference between resetting a leaked password within hours or discovering the compromise weeks later, already turned into a ransomware incident.
The essentials
- Dark web monitoring watches underground sources (forums, marketplaces, Telegram channels, breach dumps) looking for your organisation's data.
- Exposure detection relies on breach corpora, combolists and stealer logs, with Have I Been Pwned as the best known public reference.
- A one-off scan gives a fixed snapshot, while a monitoring service alerts you continuously when a new credential appears.
- Consumer exposure reports check a profile (email, phone, ID document) against aggregated breach datasets.
- For a business, monitoring fits as a threat intelligence layer within a programme that combines offensive security and incident response.
What the dark web is and what dark web monitoring is
It helps to separate three layers of the web. The surface web is the set of pages indexed by search engines like Google. The deep web is everything that exists but is not indexed: online banking, email, internal panels, databases behind a form. And the dark web is the fraction of the deep web reachable only through anonymity networks such as Tor (.onion domains) or I2P, designed to hide the identity and location of servers and users.
Not all of the dark web is criminal, but it does concentrate stolen data markets, intrusion forums and extortion services. Dark web monitoring is the systematic observation of those sources, together with others that are technically on the surface web (Telegram channels, text paste sites, misconfigured repositories), to locate sensitive information about an organisation: credentials, cards, documents, source code or brand mentions tied to an attack campaign.
In MITRE ATT&CK terms, much of what you look for maps to the adversary reconnaissance phase (for example T1589, gathering victim identity information). Monitoring those sources is equivalent to watching the raw material an attacker would use against you.
How exposure and credential leaks are detected
Detecting leaked credentials relies on several families of sources that are worth distinguishing because their quality varies widely.
- Breach dumps. When a platform is compromised, its databases end up circulating on forums such as the successors of BreachForums. A serious service normalises those dumps, extracts emails, hashes and passwords, and indexes them for lookup.
- Combolists. Files with millions of
email:passwordpairs collected from multiple breaches and used directly for credential reuse attacks. They feed account takeover campaigns at industrial scale, the same input we describe in what is credential stuffing. - Stealer logs. Records generated by infostealers (RedLine, Lumma, Vidar, Raccoon) that infect a machine and exfiltrate session cookies, browser-saved passwords and system data. They are especially dangerous because they include session tokens that let an attacker bypass the second factor. Many of these programs combine keystroke capture, as we explain in what is a keylogger, with theft of the credential store.
- Paste sites and repositories. Pastebin, Ghostbin, gists or misconfigured S3 buckets where API keys,
.envfiles or credentials are leaked by mistake.
The best known public reference is Have I Been Pwned, Troy Hunt's service that aggregates billions of accounts from known breaches. Its password API uses a k-anonymity model: the client sends only the first five characters of the SHA-1 hash of the password and receives the range of matches, so the full password never leaves the device. That design sets the standard for how to check exposure without creating a new risk.
What a dark web service or scan actually does
Here it pays to be honest, because marketing has inflated expectations. A dark web scan is a one-off query: you enter a domain or an email and the service compares that value against the breach corpora and stealer logs it has indexed. It is a fixed snapshot of a specific moment.
A dark web monitoring service does the same continuously: it registers your domains, addresses, key executives and brand assets, and alerts you when a new match appears. The practical difference is time to detection. A scan tells you what was there yesterday, monitoring alerts you tomorrow when a credential from your domain shows up in a freshly published log.
What a free dark web scan is and what its limits are
Free dark web scans are almost always commercial lead-generation tools. They provide real value, but with important limits worth knowing:
- They usually check a single email address, not a full domain.
- They query already known and public breach databases, they do not crawl the dark web in real time.
- They include no remediation context or prioritisation.
- Sometimes they return a plain yes or no, without saying which breach or with what password.
They are a good starting point for an individual or for a first check, but they do not replace a continuous programme with domain coverage, alerts and a response process behind them.
How consumer exposure reports work
In recent years several search providers, password managers and banks have added exposure reports aimed at the individual user. Beyond the specific brand, the pattern is always similar: the user defines a monitoring profile (name, email, phone, ID document, card number) and the service periodically compares those values against an aggregated set of breach databases. When it finds a match, it generates an alert and states which breach the data appeared in and which fields were exposed.
It is important to understand what these reports do not do. They do not exhaustively browse live .onion markets, they query already collected and normalised datasets. And they cover individual identities, not the exposure surface of an organisation with hundreds of employees, subdomains and suppliers. For a company, that consumer approach falls short: you need domain coverage, correlation with assets and a remediation workflow.
Dark web monitoring for business and SMEs
For an organisation, dark web monitoring is not a standalone product but a threat intelligence layer within a broader security programme. It fits naturally between offensive security (which discovers your attack surface) and incident response (which acts when something materialises). The same OSINT an attacker gathers to prepare a strike is what you should watch to stay ahead.
The concrete value for a company or an SME shows up in everyday scenarios:
- Detecting that an employee's corporate credentials appear in a stealer log lets you force a reset and revoke sessions before anyone uses them for initial access.
- Locating exposed accounts of a supplier or an executive helps anticipate fraud campaigns, including the vishing that relies on real data to gain credibility.
- Seeing your domain or brand mentioned in an access-selling forum can be the first sign of a ransomware operation in preparation.
Tools and sources
The market offers options for every size. On the directly queryable side sit Have I Been Pwned, DeHashed, Intelligence X and Leak-Lookup. Among managed, higher-coverage platforms you find SpyCloud, Recorded Future, Flare, DarkOwl and Constella Intelligence, able to correlate exposure, prioritise by risk and integrate with the SIEM and the response workflow. The choice depends on programme maturity: an SME can start with domain coverage and email alerts, while an organisation subject to NIS2 will want integration with its operations centre and traceable evidence for the regulatory file. It is worth remembering that these platforms are also fertile ground for AI-assisted fraud, a risk we cover in ChatGPT security in business.
Whatever the tool, the key is the process behind it: alert, verification, credential reset, session revocation and analysis of whether there was prior use. An alert without a response does not reduce risk.
Frequently asked questions
Is dark web monitoring legal?
Yes. Observing public or semi-public sources and checking whether your own data is exposed is a legitimate intelligence and defence activity. What is not legal is taking part in buying stolen data or accessing third-party systems. A professional service works with already published dumps and respects GDPR in handling the personal data it locates.
Does a dark web scan find everything leaked?
No. No service has full visibility into every underground source, and much data is sold privately without ever reaching an indexable corpus. A scan or monitoring reduces uncertainty and shortens detection time, but does not guarantee full coverage. That is why they are a layer within a programme, not a single solution.
What is the difference between a scan and a monitoring service?
A scan is a one-off query that gives a fixed snapshot of the moment. A monitoring service watches continuously and alerts every time a new exposure appears. For a business, continuous monitoring is what delivers real value, because leaks do not happen once, they happen constantly.
Is dark web monitoring useful for an SME?
Yes, and it is often where it pays off most. Many SMEs lack their own SOC and discover a compromise late. Monitoring with domain coverage and alerts lets them react to leaked credentials without a large team, integrated into an external managed service.
What do I do if my company's credentials appear leaked?
Act fast: force a reset of those passwords, revoke active sessions and tokens, review whether there were anomalous logins and check if that password is reused across other services. If the leak includes personal data, assess the notification obligations under GDPR. Document the whole process for the file.
Related resources
- What is credential stuffing: attack and defence
- What is a keylogger: types, how it works and how to protect yourself
- What is OSINT: cycle, sources, tools and legal framework
- What is vishing: voice attacks against business
- Ransomware in Spain 2026: landscape and response
Dark web monitoring with Secra
At Secra we integrate dark web monitoring into a threat intelligence programme tailored to your organisation: domain and brand asset coverage, detection of leaked credentials and stealer logs, risk-based prioritisation and a response process that connects the alert to the reset, session revocation and impact analysis. All aligned with NIS2 and GDPR, with traceability for the file.
Discover our dark web monitoring service and plan the monitoring of your exposure with us.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

