Dark-Web Monitoring
Surface leaked credentials before adversaries
SICenter monitors dark-web sources and breach databases for credentials associated with your organization's domains. When a match is found, the affected account is surfaced in your findings queue with context on the breach source and the credential type — before an attacker can use it.
Key capabilities
- Continuous monitoring of breach databases and paste sites for your domain-associated credentials
- Findings include breach source name, credential type (password, token, cookie), and estimated breach date
- Deduplication across breach sources: one finding per unique credential pair, not one per breach source
- Slack or Jira notification on first detection so response starts within minutes of discovery
- Affected accounts can be flagged for forced password reset directly from the finding card
- Evidence is retained for the duration of your plan's finding-retention period for compliance purposes
How it works
Monitoring jobs query our aggregated breach intelligence index — compiled from public and semi-public dumps, paste sites, and partner feeds — for any credential where the email domain matches your declared domains. Matches are normalized: the email address is stored as a salted hash to prevent the raw address from appearing in logs, while the plain text is available only to authorized users in your organization.
Each match is evaluated against your existing findings to determine whether it is a new exposure or a re-occurrence of a previously acknowledged breach. New exposures open a finding of class `credential_leak`. Re-occurrences update the last-seen timestamp on the existing record. The deduplication key is the hash of the email address and credential type, not the credential value itself.
When a credential-leak finding is opened, the notification bus fires a `credential.leaked` event. Your configured integrations (Slack, Jira, webhook) receive a payload with the affected domain, credential type, estimated breach date, and a recommended action. The actual credential value is never included in notification payloads — it is accessible only through the authenticated console.
Ready? Enable monitoring.
No credit card required. Start free, upgrade when you need more.