Threat Intelligence
deep web
dark web
Tor

Deep Web vs Dark Web: Differences Explained

Deep web vs dark web: what they are, how they differ (Tor, .onion) and why they matter to your business through credential and data leaks.

SecraJuly 6, 202610 min read

The confusion around deep web vs dark web is one of the most common in cybersecurity, and it is not harmless: blurring the two concepts leads people to underestimate where a company's data actually ends up when it leaks. The deep web is simply everything on the internet that does not appear in Google, whereas the dark web is a tiny fraction of that layer, reachable only with anonymity software such as Tor. This article draws the distinction with technical precision and then explains why it matters for business: your organisation's credentials, data and brand can surface in any of these layers.

The essentials

  • The surface web is what search engines index; it represents a small fraction of the total.
  • The deep web is everything not indexed (online banking, email, internal panels, databases behind a form) and is perfectly legitimate.
  • The dark web is a tiny portion of the deep web reachable only through anonymity networks such as Tor (.onion domains) or I2P.
  • The common mistake is treating deep web and dark web as synonyms: the deep web is huge and everyday, the dark web is marginal and mixed.
  • For a business, the relevance is concrete: credential leaks, stealer logs and access sales that materialise across both layers and in surface channels like Telegram.

Deep web vs dark web: the three layers of the web

The clearest way to grasp the difference is to picture the internet as three overlapping layers. They are not separate worlds but different levels of accessibility over the same network.

The surface web

The surface web is the set of pages that search engines crawl and index: a corporate site, a blog, an online shop. For Google to show a page, it must be reachable without authentication and not blocked by robots.txt or noindex tags. It is usually estimated to be only a small fraction of all internet content, although any specific figure is an approximation that is hard to verify.

The deep web

The deep web is everything that exists but is not indexed. There is nothing clandestine about it: it is most of the internet and you use it every day. This includes your online banking, your email inbox, a CMS admin panel, a database you can only query through a form, an intranet's documents or content behind a paywall. It does not appear in search engines for trivial reasons: it requires authentication, it is generated dynamically when you submit a query, or its owner has explicitly asked not to index it. Confusing this with illicit activity is the first misunderstanding worth clearing up.

The dark web

The dark web is a tiny portion of the deep web that is only reachable through anonymity networks designed to hide the identity and location of servers and users. The best known is Tor, whose services use domains with the .onion suffix, which a conventional browser cannot resolve. Not all of the dark web is criminal (it hosts news mirrors, secure drop boxes for whistleblowers and privacy forums), but it does concentrate stolen data markets, intrusion forums and the extortion sites of ransomware groups.

Why deep web and dark web get confused

The confusion comes down to scale and framing. The deep web is enormous and dull (your inbox is not news), while the dark web is tiny but newsworthy. Sensationalist headlines have used "deep web" as a synonym for "the shady side of the internet", when the correct relationship is one of inclusion: the dark web is a very small subset of the deep web, not a synonym. Put another way, all of the dark web is deep web, but almost none of the deep web is dark web. Keeping this precise is not pedantry: it defines where you look when investigating an exposure and which tools you need to reach each layer.

How the dark web works under the hood: Tor and .onion domains

Understanding the mechanics of Tor helps you gauge what can and cannot be watched. Tor implements onion routing, a technique born from US naval research and now maintained by an open project. When you connect, the client builds a circuit of three relays: an entry or guard node, a middle node and an exit node. Traffic is encrypted in successive layers, so each relay only knows the previous and next hop, never the full origin and destination at once. That is the property that provides anonymity.

Onion services (formerly called hidden services) go one step further: the server does not reveal its IP address either. Instead of leaving through an exit node, client and service meet at a previously negotiated rendezvous point via introduction points. Third-generation .onion addresses (v3), which replaced the deprecated v2 addresses in 2021, are 56 characters in base32 and derive from an ed25519 public key. Their descriptor is published to a hash table distributed across relays flagged as HSDir. In practice this means there is no central directory you can crawl: to find a .onion site you need to know its address in advance.

Tor is not the only network of this kind. I2P uses a scheme called garlic routing and hosts internal services (eepsites) on .i2p domains. Hyphanet (formerly Freenet) works as a distributed content store. Each network has its own mechanics, but they all share the goal of decoupling content from identity, which makes them attractive both for legitimate privacy and for illicit trade.

What actually lives in each layer

Moving from concept to specifics avoids both alarmism and blind spots:

  • On the surface web lives the public and indexable, but credentials also show up through carelessness: API keys in repositories, exposed .env files, dumps on text paste sites or Telegram channels carrying combolists. Much of what people call a "dark web leak" is actually on the surface.
  • On the deep web sits the legitimate and protected: your internal systems, customer portals, authenticated APIs. The risk here is not the content itself but a poor configuration that accidentally pushes it to the surface.
  • On the dark web you find stolen data markets, forums where initial access brokers sell access to corporate networks, and the leak sites of ransomware groups practising double extortion.

Why it matters to your business: leaks and threat intelligence

This is where the disambiguation stops being academic. To an attacker, your exposure surface is spread across the three layers, and defending yourself means watching them with judgement. An infostealer that infects an employee's laptop (we describe them in what is an infostealer) generates a stealer log with session cookies and saved passwords that can end up both on a surface Telegram channel and on a .onion market. That same data, in the hands of an access broker, becomes the foothold a group uses to deploy ransomware. Many of those programs combine keystroke capture, as we explain in what is a keylogger, with theft of the browser's credential store.

In MITRE ATT&CK terms, much of what circulates across these layers feeds the adversary reconnaissance phase (for example T1589, gathering victim identity information). Watching those sources means getting ahead of the raw material of an attack. That logic is exactly what an offensive team applies when preparing a red team exercise: the information an attacker collects in the open or in underground forums is what you should watch first. And when one of those forums sells an exploit for an unpatched flaw, we are talking about a zero-day that can hit you before any mitigation exists.

Turning that watch into a continuous process is what we call monitoring, an approach we detail in dark web monitoring for business. It is not about "browsing" the dark web, but about systematically observing breach dumps, combolists, stealer logs and brand mentions, correlating them with your domains and assets, and triggering a response: credential reset, session revocation and analysis of prior use. The same OSINT discipline that structures open-source collection applies just as well to underground sources.

Frequently asked questions

Are the deep web and the dark web the same thing?

No. The deep web is all internet content not indexed by search engines, including your online banking or your email, and it is perfectly legitimate. The dark web is a very small fraction of the deep web reachable only through anonymity networks like Tor. All of the dark web is deep web, but almost none of the deep web is dark web.

Is it illegal to access the deep web or the dark web?

Accessing the deep web is something you do every day when you log in to any service, so there is nothing illegal about it. Using Tor or entering the dark web is not illegal in most countries either, since the browser is a legitimate privacy tool. What is illegal are specific activities: buying stolen data, hiring criminal services or accessing third-party systems.

What is a .onion domain?

It is the address of a service hosted on the Tor network. Current (v3) addresses are 56 characters in base32 and derive from an ed25519 public key, so they hide both the server's location and its identity. A conventional browser cannot resolve them: you need the Tor Browser and you must know the address in advance, because there is no central search engine indexing them.

Why should my business care about the dark web?

Because your organisation's credentials, data and brand can end up exposed on underground forums and markets before an attacker uses them. Detecting it in time lets you reset passwords and revoke sessions within hours, rather than discovering the compromise weeks later as a full incident. It is a threat intelligence layer within a broader security programme.

Can the entire dark web be tracked?

Not fully. There is no central index of .onion sites and much data is sold privately without ever reaching a searchable corpus. Professional monitoring reduces uncertainty and shortens detection time, but no tool offers total visibility. That is why it is a layer within a programme, not a single solution.

Watch your exposure with Secra

At Secra we integrate dark web monitoring into a threat intelligence programme tailored to your organisation: domain and brand asset coverage, detection of leaked credentials and stealer logs, risk-based prioritisation and a response process that connects the alert to the reset, session revocation and impact analysis. All aligned with NIS2 and GDPR, with traceability for the file.

Discover our dark web monitoring service and plan the monitoring of your exposure with us.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article