Dark Web

Setting Up Dark Web Detection Workflows

The dark web is often the first place stolen credentials, phishing kits, and leaked source code appear. Bolster’s Dark Web module monitors anonymous sources like Tor, I2P, and Telegram so security teams can detect threats early and take action.

This guide provides step-by-step workflows to protect against the most common threats:

  • Compromised Internal Accounts
  • Compromised Customer Accounts
  • Stolen Credit Cards
  • Employee PII Leak / Doxing
  • Phishing Kits
  • Leaked Source Code

For a high-level comparison of all use cases, see the Quick Reference table at the end.

Security teams can quickly spot and remediate exposed sensitive information using this basic approach:

  1. Add search terms – Identify the sensitive information you want Bolster to monitor the dark web for.
  2. Add playbook – Automatically route filtered, focused threat information directly to the people in your organization who can take action.

Before You Start

Tools

This article provides step-by-step guidance, but it assumes familiarity with the Add Search Terms and Automation (Playbook) tools. You may want to review what those tools are and how to use them:

Connectors

Additionally, you’ll need to configure any desired connectors before setting up the playbook. A connector is the method you’ll use to route findings to someone in your organization, such as Teams, Slack, or an API. The ones your organization already has set up are listed under Integrations > Implemented Connectors. For more, go to Platform Integrations and open Connectors.

Guidance

Before adding search terms, consider checking with your Customer Success Manager or Bolster support. They can help refine your syntax to reduce noise and return more relevant results.

Compromised Internal Accounts

When threat actors steal account credentials from internal users, they often start by posting a portion of the information for sale on the dark web. After several months, the rest of the data set is likely to be there, too. The earlier you catch the breach, the better you can protect your organization.

Add Search Terms

Here’s how to set up detection for compromised internal accounts on the dark web:

  1. Navigate to Attack Surface > Dark Web > Add Search Terms.
  2. Under Search Terms, select the following dropdowns:
    • Monitor results in Breach Data for Sale
    • that includes Employee-Email-Domain
    • with value yourdomain.com (your organization’s domain)
  3. Select Submit to create the search.
  4. Make sure it appears in the Searches list.

Create Playbook

This sample playbook routes internal account breaches to your team so they can take quick action, like revoking access or forcing a password reset:

  • Create a list of Findings and choose the attributes you want to see.
  • Export in CSV format.
  • Filter for results of the search you created.
  • Filter for emails that include your email domain.
  • Filter for results discovered in the last 2 days.
  • Choose an output (email or existing connector).
  • Schedule for every weekday.

Compromised Customer Accounts

Threat actors may also steal account credentials from customers, partners, or third-party users associated with your brand. For example, a customer has signed up for an account on your website with their personal @gmail.com email address. If you learn their account has been compromised, you can take preemptive actions like alerting them and enforcing stricter login security. Expanding Dark Web intelligence beyond corporate accounts provides a 360-degree view of email security threats.

Add Search Terms

Here’s how to set up detection for compromised customer and other external accounts on the dark web:

  1. Navigate to Attack Surface > Dark Web > Add Search Terms.
  2. Under Search Terms, select the following dropdowns:
    • Monitor results in Breach Data for Sale
    • that includes Customer-Email-Domain
    • with value the customer email domain (such as gmail.com)
  3. Select Submit to create the search.
  4. Make sure it appears in the Searches list.

Create Playbook

Here’s a sample playbook that flags exposed customer or partner accounts, so your team can notify users and reduce risk before attackers exploit it:

  • Create a list of Findings and choose the attributes you want to see.
  • Export in CSV format.
  • Filter for results of the search you created.
  • Filter for emails that include the target email domain.
  • Filter for results discovered in the last two days.
  • Choose an output (email or existing connector).
  • Schedule for every weekday.

Stolen Credit Cards

When attackers get hold of credit card numbers, they put them up for sale on the dark web. To look for stolen credit cards, focus search terms on the bank identification number (BIN). This initial sequence of numbers on a credit card identifies the issuing institution. Then you can cancel or reissue any credit cards that appear in your findings.

Add Search Terms

Here’s how to set up detection for stolen credit card numbers on the dark web:

  1. Navigate to Attack Surface > Dark Web > Add Search Terms.
  2. Under Search Terms, select the following dropdowns:
    • Monitor results in Breach Data for Sale
    • that includes Credit Card
    • with value the bank identification number (BIN)
  3. Select Submit to create the search.
  4. Make sure it appears in the Searches list.

Create Playbook

Here’s a sample playbook setup that helps your team identify stolen card numbers so they can cancel or reissue them quickly:

  • Create a list of Findings and choose the attributes you want to see.
  • Export in CSV format.
  • Filter for results of the search you created.
  • Filter for credit card numbers that include your BIN.
  • Filter for results discovered in the last two days.
  • Choose an output (email or existing connector).
  • Schedule for every weekday.

Employee PII Leak / Doxing

High-level employees (like C-suite executives) are frequent targets of monitoring by threat actors looking for information to use against a company. This sort of information can include PII (Personally Identifiable Information) and be posted on the dark web (doxing). Bad actors can use that information to threaten the employees and their families, attempt extortion, or publish information that could damage their reputation or the company’s.

Add Search Terms

Here’s how to set up detection for the spread of information about your executives on the dark web, using search terms that target anything including the executive’s full name:

  1. Navigate to Attack Surface > Dark Web > Add Search Terms.
  2. Under Search Terms, select the following dropdowns:
    • Monitor results in Employee Monitoring
    • that includes Any
    • with value employee’s full name
  3. Select Submit to create the search.
  4. Make sure it appears in the Searches list.

Create Playbook

This example playbook routes findings about PII leaks, doxing attempts, or targeted threats against executives, so you can respond quickly:

  • Create a list of Findings and choose the attributes you want to see.
  • Export in CSV format.
  • Filter for results of the search you created.
  • Filter for results discovered in the last two days.
  • Choose an output (email or existing connector).
  • Schedule for every weekday.

Phishing Kits

Phishing kits make it easy for attackers to impersonate your brand, even if they aren’t elite coders. Kits are posted on the dark web for sale to anyone with access to the post site. You can purchase a kit to anticipate and prevent future attacks.

Add Search Terms

Here’s how to set up detection for phishing kits on the dark web, using search terms to focus on postings that include your company name plus the term “phish”:

  1. Navigate to Attack Surface > Dark Web > Add Search Terms.
  2. Under Search Terms, select the following dropdowns:
    • Monitor results in Phishing Kits for Sale
    • that includes Any
    • with value your company name + phish
  3. Select Submit to create the search.
  4. Make sure it appears in the Searches list.

Create Playbook

This playbook example lets people in your organization know when phishing kits are being sold, so your team can respond before the kits are widely used to impersonate your brand:

  • Create a list of Findings and choose the attributes you want to see.
  • Export in CSV format.
  • Filter for results of the search you created.
  • Filter for results discovered in the last two days.
  • Choose an output (email or existing connector).
  • Schedule for every weekday.

Leaked Source Code

Source code is a form of intellectual property (IP). Leaks can expose trade secrets, create security risks for your users, and make it easier for attackers to get into your system. Knowing what code is for sale on the dark web enables you to make proactive technical updates to protect your company and customers from bad actors.

Add Search Terms

Here’s how to set up detection for leaked source code on the dark web, using search terms that might include the company and/or product name plus the term “source code”:

  1. Navigate to Attack Surface > Dark Web > Add Search Terms.
  2. Under Search Terms, select the following dropdowns:
    • Monitor results in IP Leak Data for Sale
    • that includes Any
    • with value your company name + source code
  3. Select Submit to create the search.
  4. Make sure it appears in the Searches list.

Create Playbook

This playbook configuration surfaces leaked code tied to your products and routes the findings to your team, helping you take preemptive steps to secure your systems:

  • Create a list of Findings and choose the attributes you want to see.
  • Export in CSV format.
  • Filter for results of the search you created.
  • Filter for results discovered in the last two days.
  • Choose an output (email or existing connector).
  • Schedule for every weekday.

Quick Reference

Here’s a summary of the variables in the steps above for each use case. Use this table to compare detection workflows across different threat types. Each row shows the recommended search category, field, example value, and key playbook filters. For setup details, see each section above.

Use Case                    | Category               | Entity                | Example Value            | Playbook Filters
----------------------------+------------------------+-----------------------+--------------------------+--------------------------------------
Internal Accounts           | Breach Data for Sale   | Employee-Email-Domain | yourdomain.com           | email includes domain, last 2 days
Customer Accounts           | Breach Data for Sale   | Customer-Email-Domain | gmail.com                | email includes domain, last 2 days
Stolen Credit Cards         | Breach Data for Sale   | Credit Card           | 123456                   | credit card includes BIN, last 2 days
Executive PII Leak / Doxing | Employee Monitoring    | Any                   | John Smith               | last 2 days
Phishing Kits               | Phishing Kits for Sale | Any                   | Company Name phish       | last 2 days
Leaked Source Code          | IP Leak Data for Sale  | Any                   | Company Name source code | last 2 days
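As an added example (not part of Bolster’s documentation or product), the following Python applies the playbook filters from the Quick Reference table to a constructed CSV export; the column names, search names and sample rows are assumptions, not Bolster’s export schema. It matches the email domain exactly after the @ rather than as a substring, so look-alike domains are not counted, and masks card numbers before findings are routed anywhere.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
# Constructed sample of a playbook CSV export (assumed column names, not Bolster's schema).
SAMPLE_CSV = """search_name,category,entity,value,discovered_at
internal-accounts,Breach Data for Sale,Employee-Email-Domain,alice@yourdomain.com,2024-06-10T08:15:00Z
internal-accounts,Breach Data for Sale,Employee-Email-Domain,bob@notyourdomain.com,2024-06-10T09:00:00Z
internal-accounts,Breach Data for Sale,Employee-Email-Domain,carol@yourdomain.com,2024-05-01T12:00:00Z
customer-accounts,Breach Data for Sale,Customer-Email-Domain,dave@gmail.com,2024-06-09T22:30:00Z
stolen-cards,Breach Data for Sale,Credit Card,4111111111111111,2024-06-10T07:45:00Z
stolen-cards,Breach Data for Sale,Credit Card,5555555555554444,2024-06-10T07:46:00Z
"""
# Fixed reference time so the sample run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

def email_domain_matches(value, domain):
    """Exact match on the part after '@', not a substring test, so look-alike domains do not count."""
    if "@" not in value:
        return False
    return value.rsplit("@", 1)[1].strip().lower() == domain.lower()

def card_matches_bin(value, bin_prefix):
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits.startswith(bin_prefix)

def mask_pan(value):
    """Keep the BIN (first 6) and last 4 so the card can be identified without exposing the full PAN."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits[:6] + "*" * max(len(digits) - 10, 0) + digits[-4:]

def within_days(discovered_at, days, now=NOW):
    ts = datetime.strptime(discovered_at, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return timedelta(0) <= now - ts <= timedelta(days=days)

def filter_findings(csv_text, search_name, predicate, days=2, now=NOW):
    """The playbook filters from the Quick Reference: your search, a value test, and a recency window."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if r["search_name"] == search_name
            and predicate(r["value"])
            and within_days(r["discovered_at"], days, now)]

def internal_account_hits(csv_text, domain, now=NOW):
    return [r["value"] for r in filter_findings(
        csv_text, "internal-accounts", lambda v: email_domain_matches(v, domain), now=now)]

def stolen_card_hits(csv_text, bin_prefix, now=NOW):
    return [mask_pan(r["value"]) for r in filter_findings(
        csv_text, "stolen-cards", lambda v: card_matches_bin(v, bin_prefix), now=now)]
```

Run against a real export, the two `*_hits` lists are what you would hand to the account-revocation or card-reissue owner; the other use cases need only the search name and the recency window.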

What’s Next

Use these workflows as starting points to build broader Dark Web detection strategies. To strengthen your threat detection strategy with a more complete view of emerging threats:

  • Combine search terms and playbooks across use cases.
  • Correlate findings across modules for a fuller view of active campaigns.
  • Automate response by routing findings into your existing workflows.
  • Review search terms periodically to keep pace with evolving attacker tactics.