Adding Dark Web Search Terms
Bolster’s Dark Web module monitors specific terms you define to surface threats such as stolen credentials, leaked code, or phishing kits. This guide shows you how to set up those search terms for accurate findings.
A search term consists of up to three elements:
1. Entity – Type of information to look for (optional)
2. Category – Types of dark web posts to look in (optional)
3. Value – Keyword or keywords that the search needs to match (required)
Steps to Add a Search Term
Here’s how to add a search term to the Dark Web module for Bolster to monitor.
1. Navigate to Attack Surface > Dark Web > Add Search Terms.
2. Under Search Terms, use the dropdowns to define the three elements:
- Monitor results in [select category]
- that includes [select entity]
- with value [enter value]
3. Select Submit to create the search.
4. Verify that it appears in the Searches list. At first, Last Search will say In Progress.
Example
If you wanted to look for:
- The credit card number 1111 2222 3333 4444
- Only in posts containing breach data for sale
- Excluding those same digits if they’re found in other contexts
Then you’d make the following Search Terms dropdown selections:
- Monitor results in Breach Data for Sale
- that includes Credit Card
- with value 1111 2222 3333 4444
For more examples covering full workflows for common use cases, see Setting Up Dark Web Detection Workflows.
Search Term Guidelines
To get useful results, your search terms should match the kind of dark web data you’re looking for. This helps ensure complete and relevant findings, giving you comprehensive protection and making triage easier.
Here are guidelines for building successful dark web searches.
Categories
Category narrows your search to a specific type of dark web content, such as posts selling breach data or malware. Select Any to search across all types.
For example, if your search focuses on finding potentially damaging information about company executives, choose the Employee Monitoring category to search only posts that talk about employee names.
Category | Dark Web Content Type |
Breach Data for Sale | Posts selling data from breaches and leaks. |
Employee Monitoring | Posts referencing employee names. |
Hacker Chatter | Conversations that appear to have hostile intent. |
IP Leak Data for Sale | Posts selling leaked intellectual property (like source code). |
Malware for Sale | Posts offering malware for sale. |
Phishing Kits for Sale | Posts selling kits to help hackers impersonate your brand. |
Ransomware for Sale | Posts offering ransomware for sale. |
Entities
Entity refers to the type of information the value represents. Selecting an entity narrows your search to that type of information, such as an email address. Select Any to search across all types.
For example, if your search uses the Email-Domain entity, the value must be an email address in the expected format (e.g., identifier@domain.com).
Entity | Matching Value Format |
Credit Card | Complete or partial BIN or credit card number. Dashes or other punctuation are disregarded. |
Crypto Address | Crypto wallet type. Valid values are:
|
Email Address | Email address (example: identity@domain.com). |
Customer-Email-Domain | Domain name (example: domain.com) as part of an email address (anything@domain.com). |
Employee-Email-Domain | Domain name (example: domain.com) as part of an email address (anything@domain.com). |
IP Address | Single IP address (example: 192.1.67.0.5) or a subnet in CIDR notation (example: 192.1.68.0.0/24). |
SSN | Complete or partial United States Social Security number. Dashes or other punctuation are disregarded. |
Values
The keyword value is the most important part—it’s the exact text Bolster will look for on the dark web. So craft your value carefully to surface relevant results without too much noise. You can use Boolean operators like AND and OR (must be all caps) for precision.
Operator | Function | Example |
Double quotation marks “” | Match an exact sequence of keywords | “Jim Smith” |
AND | Match content containing multiple keywords | drugs AND crime |
OR | Match content containing any of multiple keywords | drugs OR crime |
Parentheses () | Specify a list of options | Bolster AND (hack OR ddos OR 0day) |
More Examples
Here are a few sample search terms to show how values work in different contexts. You’ll see what gets returned (and what doesn’t) based on the combinations you use.
Category | Entity | Value | Returns | Doesn’t Return |
Any | Email Domain | bolster.ai | Posts containing tom@bolster.ai | Posts containing bolster.ai/docs because it’s not in an email format |
Hacker Chatter | Any | bolster.ai | Hacker posts containing tom@bolster.ai and/or bolster.ai/docs | Breach data for sale containing tom@bolster.ai and/or bolster.ai/docs, because it’s not found in hacker conversations |
Phishing Kits | Any | bolster.ai OR bolster.com | Phishing kit posts containing either bolster.ai or bolster.com | Hacker chatter containing either bolster.ai or bolster.com, because it’s not in a post selling phishing kits |
Phishing Kits | Any | bolster.ai AND bolster.com | Phishing kit posts containing both bolster.ai and bolster.com | Phishing kit posts containing only bolster.ai, because both keywords aren’t there |
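To check a value's logic before submitting it, the following added example (not Bolster code) parses the operators from the Values table and previews which constructed sample posts would match. It assumes case-insensitive substring matching and that AND binds tighter than OR, neither of which this page states; unquoted keywords with no operator between them are rejected because the page does not say how they combine. All function names are hypothetical.

```python
import re

# Quoted phrase (straight or curly quotes), parenthesis, or bare keyword.
TOKEN = re.compile(r'"([^"]*)"|“([^”]*)”|([()])|([^\s()"“”]+)')
# Constructed sample posts, not real data.
SAMPLE_POSTS = ["selling bolster.ai login kit, also covers bolster.com",
                "kit for bolster.ai only", "Jim Smith says a Bolster 0day is coming"]

def parse(value):  # AND/OR are operators only in all caps
    tokens = [(p or w, "") if p or w in ("AND", "OR") else ("TERM", (s or c or w).lower())
              for s, c, p, w in TOKEN.findall(value)]
    pos = 0
    def peek():
        return tokens[pos][0] if pos < len(tokens) else None
    def chain(op, operand):  # operand (op operand)*
        nonlocal pos
        node = operand()
        while peek() == op:
            pos += 1
            node = (op, node, operand())
        return node
    def or_expr():  # assumed precedence: AND binds tighter than OR
        return chain("OR", lambda: chain("AND", atom))
    def atom():
        nonlocal pos
        kind, text = tokens[pos] if pos < len(tokens) else (None, "")
        pos += 1
        if kind == "TERM":
            return ("TERM", text)
        if kind == "(":
            node = or_expr()
            if peek() == ")":
                pos += 1
                return node
        raise ValueError("expected a keyword, quoted phrase or balanced parentheses")
    tree = or_expr()
    if pos != len(tokens):
        raise ValueError("unexpected token: quote phrases or join keywords with AND/OR")
    return tree

def matches(tree, post):
    if tree[0] == "TERM":  # assumed: case-insensitive substring match
        return tree[1] in post.lower()
    combine = all if tree[0] == "AND" else any
    return combine(matches(t, post) for t in tree[1:])

def preview(value, posts=SAMPLE_POSTS):
    tree = parse(value)
    return [p for p in posts if matches(tree, p)]
```

Calling `preview()` with a lowercase `and` or an unquoted multi-word name raises `ValueError`, which catches the two most common causes of a value that silently matches more or less than intended.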
Refining Search Terms
To improve relevance and reduce noise, your Customer Success Manager or Bolster support contact can review your planned search terms and suggest refinements based on best practices.