# Table of Contents - [SpyCloud Docs](#spycloud-docs) - [Release Notes](#release-notes) - [Compromised Credit Card API](#compromised-credit-card-api) - [Password Exposure API ONLY](#password-exposure-api-only) - [Choosing the Right CAP API ](#choosing-the-right-cap-api-) - [Consumer IDLink API](#consumer-idlink-api) - [Consumer ATO Prevention](#consumer-ato-prevention) - [User Exposure API ONLY](#user-exposure-api-only) - [Password AND User Exposure APIs](#password-and-user-exposure-apis) - [Tips for Measuring Program Success ](#tips-for-measuring-program-success-) - [CAP Password Exposure API](#cap-password-exposure-api) - [The "Before You Get Started" Guide](#the-before-you-get-started-guide) - [CAP User Exposure API](#cap-user-exposure-api) - [CAP User Exposure API](#cap-user-exposure-api) - [Compromised Credit Card API](#compromised-credit-card-api) - [CAP User Exposure API](#cap-user-exposure-api) - [CAP User Exposure API](#cap-user-exposure-api) - [CAP User Exposure API](#cap-user-exposure-api) - [CAP User Exposure API](#cap-user-exposure-api) - [Risks of Consumer Password Reuse](#risks-of-consumer-password-reuse) - [Introduction](#introduction) - [Advanced | AD Object Collections](#advanced-ad-object-collections) - [Advanced | Configuring Okta](#advanced-configuring-okta) - [Communicating with Exposed Users](#communicating-with-exposed-users) - [Best Practices & Optimization](#best-practices-optimization) - [Responding & Remediating](#responding-remediating) - [Investigating Alerts](#investigating-alerts) - [Password Exposure API](#password-exposure-api) - [Understanding Your Portal](#understanding-your-portal) - [Advanced | Extended Attributes](#advanced-extended-attributes) - [Compass Malware Remediation](#compass-malware-remediation) - [Employee ATO Prevention](#employee-ato-prevention) - [Session Identity Protection](#session-identity-protection) - [Understanding Alerts & Severity](#understanding-alerts-severity) - [FAQs](#faqs) - [Active Directory Guardian](#active-directory-guardian) - [Advanced | Configuring Banned Passwords List](#advanced-configuring-banned-passwords-list) - [Account Settings](#account-settings) - [Configuring a Group with 'Least Privilege'](#configuring-a-group-with-least-privilege-) - [Remediating Users from the Scan Results](#remediating-users-from-the-scan-results) - [Advanced | Configuring Remediations](#advanced-configuring-remediations) - [CSV Reports](#csv-reports) - [CAP User Exposure API](#cap-user-exposure-api) - [Compromised Credit Card API](#compromised-credit-card-api) - [Launching UI After Installation](#launching-ui-after-installation) - [Advanced | Email Templates](#advanced-email-templates) - [Configuring ADG](#configuring-adg) - [Installation](#installation) - [LDAPS Configuration ](#ldaps-configuration-) - [Logging](#logging) - [Compromised Credit Card API](#compromised-credit-card-api) - [Compromised Credit Card API](#compromised-credit-card-api) - [Scan in Progress](#scan-in-progress) - [Configuring Scan Options](#configuring-scan-options) - [Requirements](#requirements) - [Scheduling a Scan](#scheduling-a-scan) - [Upgrading Active Directory Guardian](#upgrading-active-directory-guardian) - [Uninstalling ADG Using the Installer](#uninstalling-adg-using-the-installer) - [Entra ID Guardian](#entra-id-guardian) - [Settings](#settings) - [Compromised Credit Card API](#compromised-credit-card-api) - [Identity Guardians](#identity-guardians) - [Viewing the Scan Report](#viewing-the-scan-report) - [Okta Workforce Guardian](#okta-workforce-guardian) - [Compromised Applications](#compromised-applications) - [Tips for Strong Passwords](#tips-for-strong-passwords) - [Introduction](#introduction) - [Supply Chain Fundamentals](#supply-chain-fundamentals) - [Supply Chain Threat Protection](#supply-chain-threat-protection) - [Threat Index Summaries](#threat-index-summaries) - [Identity Threat Index](#identity-threat-index) - [How It Works & Set Up](#how-it-works-set-up) - [VIP Guardian](#vip-guardian) - [VIP Guardian and SSO](#vip-guardian-and-sso) - [Crowdstrike Falcon EDR](#crowdstrike-falcon-edr) - [Introduction](#introduction) - [Elastic SIEM](#elastic-siem) - [Microsoft Defender for Endpoint](#microsoft-defender-for-endpoint) - [Integration Guide](#integration-guide) - [Microsoft Sentinel SIEM](#microsoft-sentinel-siem) - [Palo Alto Cortex XSOAR](#palo-alto-cortex-xsoar) - [Splunk SIEM](#splunk-siem) - [SpyCloud Connect](#spycloud-connect) - [Tines SOAR](#tines-soar) - [Analyst Credits & Training](#analyst-credits-training) - [IDLink API](#idlink-api) - [Choosing the Right Deployment](#choosing-the-right-deployment) - [FAQs](#faqs) - [Understanding Data Sources](#understanding-data-sources) - [Selector Best Practices](#selector-best-practices) - [Use Cases](#use-cases) - [Understanding Searching](#understanding-searching) - [RBAC](#rbac) - [Introduction ](#introduction-) - [Audit Logging](#audit-logging) - [Investigations API](#investigations-api) - [Investigating Fraud](#investigating-fraud) - [Establishing a Real Identity in a Resume](#establishing-a-real-identity-in-a-resume) - [Validating Identities in Cryptocurrency Exchange](#validating-identities-in-cryptocurrency-exchange) - [Exploring and Filtering Sources](#exploring-and-filtering-sources) - [Investigating a Hijacking Incident](#investigating-a-hijacking-incident) - [Using the Source Catalog](#using-the-source-catalog) - [Data Collection, Parsing & Ingestion](#data-collection-parsing-ingestion) - [License Assignment](#license-assignment) - [How We Can Help](#how-we-can-help) - [Understanding IDLink](#understanding-idlink) - [Configuring SSO](#configuring-sso) - [Data Types & Breach Categories](#data-types-breach-categories) - [User Management](#user-management) - [Data FAQs](#data-faqs) - [Understanding AI Insights](#understanding-ai-insights) - [Severity, Source Types](#severity-source-types) - [Detecting Evidence of DPRK Remote IT Workers](#detecting-evidence-of-dprk-remote-it-workers) - [Data Schema](#data-schema) - [Investigations Module](#investigations-module) - [Graphing](#graphing) - [API Guidelines](#api-guidelines) - [Source Catalog](#source-catalog) - [Introduction ](#introduction-) --- # SpyCloud Docs Simple Bootstrap Landing Page ![](https://spycloud.com/wp-content/uploads/2025/06/spycloud-solution-enterprise-protection-2025-spycloud.png) ##### ENTERPRISE PROTECTION Secure employees’ identities – protect, prevent and remediate compromised credentials and malware-infected users to reduce your attack surface [EXPLORE DOCS](https://docs.spycloud.com/public-sc/docs/introduction-2) ![](https://spycloud.com/wp-content/uploads/2025/06/consumer-risk-protection-hero-2025-spycloud.webp) ##### CONSUMER PROTECTION Safeguard consumer identities & protect your brand – combat account takeover and unauthorized access to reduce risk of monetary loss [EXPLORE DOCS](https://docs.spycloud.com/public-sc/docs/introduction-4) ![](https://spycloud.com/wp-content/uploads/2025/06/investigationa-hero-2025-spycloud.webp) ##### INVESTIGATIONS Surface hidden risks, uncover new investigative angles, and connect the dots for rapid response before cyber threats escalate – now with AI Insights [EXPLORE DOCS](https://docs.spycloud.com/public-sc/docs/introduction-1) ##### OUR DATA We chase the chaos so you don’t have to – delivering breach, malware, and phished data that’s verified, enriched, and ready to use. [EXPLORE DOCS](https://docs.spycloud.com/public-sc/docs/data-types-sources) ##### INTEGRATIONS From SIEMs to IdPs, we plug into the platforms you trust – turning your stack into a coordinated defense. [EXPLORE DOCS](https://docs.spycloud.com/public-sc/docs/introduction-3) ##### SUPPORT Whether it’s email, portal tickets, or a live call, our experts are here to keep you moving forward – fast, friendly, and focused on outcomes. [LEARN MORE](https://docs.spycloud.com/public-sc/docs/how-we-can-help) ##### TRUST CENTER Certifications, audits, and compliance resources – all in one place, so you know exactly how we protect your data (and ours). [VISIT TRUST CENTER](https://app.vanta.com/spycloud.com/trust/itvhddyqxnnf6gi6aatcx) ### NEW TO SPYCLOUD? Let’s start by checking your exposure – a clear way to see what needs remediation and to get a preview of the scope of compromise across your digital footprint. Yes, we uncover your digital baggage – but think of this as a judgment-free zone. The goal isn’t finger-pointing, it’s clarity – and the first step toward taking back control. [CHECK YOUR EXPOSURE](https://spycloud.com/check-your-exposure/) --- # Release Notes Aug 22, 2025 v.225 Release Notes ------------------- Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Aug 22, 2025 v.225 Release Notes ------------------- Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. --- # Compromised Credit Card API SpyCloud's Compromised Credit Card API detects compromised **credit, gift, and loyalty** cards siphoned from **malware-infected devices** and other criminal sources **before** criminals can use them, giving issuers and retailers a chance to act early. * * * 🚨 The Challenge [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#-the-challenge) ------------------------------------------------------------------------------------------------------------ Criminals monetize stolen payment data by **breaching companies**, **infecting desktops and phones with infostealers**, and running **phishing sites**. This exposes not just card numbers, but often **emails, phone numbers, full names, postal codes, and other PII** tied to **credit, gift, and loyalty cards**. * * * ✅ What This API Helps You Do [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#-what-this-api-helps-you-do) ------------------------------------------------------------------------------------------------------------------------------------- * **Uncover issued card exposures**: Match your portfolios to SpyCloud’s darknet recaptures (credit/gift/loyalty) to spot compromise quickly. * **Prevent financial losses**: Act on compromised cards to reduce fraud and chargebacks, and protect brand trust. * **Automate remediation**: Pull exposed card records for your **BIN(s)** via REST and feed into risk models, case management, or re-issuance workflows. > 📝 > > #### > > **Note for retailers:** Retail-issued credit/gift/loyalty cards must be **digits only**, min **12** and max **28** digits to use this API. > > [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#note-for-retailers-retail-issued-creditgiftloyalty-cards-must-be-digits-only-min-12-and-max-28-digits-to-use-this-api) * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#%EF%B8%8F-how-it-works) ------------------------------------------------------------------------------------------------------------------- 1. **Query your BINs** — Submit one or more **6-digit BINs** (up to **10 per request**) to the API. 2. **Receive matched records** — API returns **compromised card records** (card numbers as **SHA-1 hash** by default; SHA-256/512 by request), plus exposure context. Delivered via **RESTful JSON**. 3. **Take action** — Use results to **block/verify/flag** transactions, prioritize outreach, or **reissue** cards. * * * 🧰 Request & Response [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#-request--response) --------------------------------------------------------------------------------------------------------------------- **Requests** | Parameter | Purpose | | --- | --- | | `bin[]` (6-digit, up to 10) | Portfolio/brand scope for exposure lookups. | | Time window / pagination | Retrieve from first published to most recent as needed. | **Responses** | Field (selected) | What you get | | --- | --- | | `cc_number` | **SHA-1 hash** of card number (SHA-256/512 available). | | `cc_bin`, `cc_last_four`, `cc_type`, `cc_expiration`, `cc_code` | BIN, last 4, card type, expiration (MM/YYYY), CVV. | | `full_name`, `postal_code` | Cardholder name and postal code (when available). | | `source_id`, `log_id`/`document_id` | Breach/phish/malware source linkage to support triage. | | `infected_time`, `spycloud_publish_date` | Approx. time stolen and SpyCloud publish time (UTC ISO-8601). | | `ip_addresses`, `email`, `user_hostname`, `system_model`, `user_sys_registered_owner` | Device/user context for investigations and customer outreach. | * * * 🧪 Common Uses [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#-common-uses) -------------------------------------------------------------------------------------------------------- ### Transaction screening Flag BIN-matched cards at **authorization** or checkout; step-up, **block**, or queue for review. ### Portfolio hygiene Identify exposures across **co-branded** or issuer programs; **reissue** cards pre-fraud. ### Fraud analytics Enrich models with **pre-fraud exposure** signals instead of waiting for confirmed fraud. * * * 🗃️ Data Sources [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#%EF%B8%8F-data-sources) -------------------------------------------------------------------------------------------------------------------- SpyCloud recaptures exposed financial data from **malware-infected devices**, **phishing sites**, and **breaches**, transforming it into actionable intelligence for issuers, processors, and retailers. * * * 📈 Outcomes You Can Target [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#-outcomes-you-can-target) -------------------------------------------------------------------------------------------------------------------------------- * **Reduce chargebacks and operational burden** by cutting off exposed cards early. * **Protect customer trust & brand equity** with proactive remediation. * **Accelerate investigations** using source and device context embedded in results. * * * 🔍 Selected API Field Reference [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#-selected-api-field-reference) ------------------------------------------------------------------------------------------------------------------------------------------ | Field | Example | Description | | --- | --- | --- | | `source_id` | `12322` | Maps to a specific breach/source. | | `log_id` / `document_id` | `sha256` / `alphanum` | Malware vs. non-malware record pointer. | | `infected_time` | `2023-01-01T00:00:00Z` | Closest known time data was stolen. | | `spycloud_publish_date` | `2023-01-01T00:00:00Z` | Closest publish time by SpyCloud. | | `cc_bin` / `cc_last_four` | `510510` / `5100` | BIN and last four digits. | | `cc_type` | `Visa` | Card network (when known). | | `cc_expiration` / `cc_code` | `01/2001` / `123` | Expiry (MM/YYYY) and CVV. | | `full_name` / `postal_code` | `Bob Smith` / `100-01A5` | Cardholder name and postal code. | | `cc_gateway` | `Stripe` | Gateway observed checking card validity. | | `ip_addresses`, `email`, `user_hostname`, `system_model`, `user_sys_registered_owner` | | Device and user context from malware logs. | * * * 📎 Integration Notes [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api#-integration-notes) -------------------------------------------------------------------------------------------------------------------- * **Delivery:** RESTful API with JSON output. * **Scale:** Query **up to 10 BINs per request**; retrieve records from first published to most recent. * **Hashing:** Card numbers returned as **SHA-1** by default (SHA-256/512 available by request). Updated 13 days ago * * * Ask AI --- # Password Exposure API ONLY 🔐 Password Exposure API — Overview [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure-api-only#-password-exposure-api--overview) ==================================================================================================================================================== Recommended for enterprises that are restricted from sending hashed identifiers over the network. * * * 💡 Why Use It [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure-api-only#-why-use-it) --------------------------------------------------------------------------------------------------------- If a password has ever appeared in the SpyCloud database, it’s already in the hands of cybercriminals and may be used in password spraying attacks. Blocking your consumers from choosing a password that has been exposed dozens, hundreds, thousands, or even millions of times strengthens their account security and helps to protect them from account takeover. * * * ✅ What It Can Do [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure-api-only#-what-it-can-do) ---------------------------------------------------------------------------------------------------------------- * Checks passwords as they are created (point-in-time check) when consumers set up an account, change their password, or have their password reset. * Checks each new password against SpyCloud’s entire database (billions of passwords recovered from criminal communities). * Identifies how many times a password has ever appeared in the SpyCloud database, allowing you to tailor your threshold for rejecting a password and avoid friction * Uses k-anonymity, meaning only the first 5 characters of a password hash are sent over the network. * Supports alignment with NIST password standards. * Does not check passwords that are already in use for new breach exposures > ❗ > > ### > > **Important:** The Password Exposure API checks passwords at one point in time: creation. If a user’s credentials appear in a breach later on in the account lifecycle, the Password Exposure API won’t check them. > > [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure-api-only#important-the-password-exposure-api-checks-passwords-at-one-point-in-time-creation-if-a-users-credentials-appear-in-a-breach-later-on-in-the-account-lifecycle-the-password-exposure-api-wont-check-them) * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure-api-only#%EF%B8%8F-how-it-works) ---------------------------------------------------------------------------------------------------------------------- To securely check password-only matches against the entire SpyCloud database, the Password Exposure API uses an approach called **k-anonymity**. Only the **first 5 characters** of each password hash are sent over the network – never the user’s plaintext password. * * * 🧭 When to Use It [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure-api-only#-when-to-use-it) ----------------------------------------------------------------------------------------------------------------- Customers typically query the Password Exposure API whenever a customer creates a new password, which includes **account creation**, **password resets**, and **password changes**. See the **“Implementation”** section for more detailed information. Updated 13 days ago * * * Ask AI --- # Choosing the Right CAP API ### **Stop consumer account takeovers before they start.** [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#stop-consumer-account-takeovers-before-they-start) Empower fraud and security teams with timely identity intelligence so you can detect **compromised users** and intervene with resets or step-up authentication **before** unauthorized access, fraud, or brand damage occurs. > 🎯 > > **What CAP does:** Operationalizes SpyCloud’s **recaptured identity data** from **breaches**, **malware**, and **phishing** to surface exposed credentials and support automated, low-friction controls at **registration** and **login**. * * * ✅ Outcomes at a glance [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#-outcomes-at-a-glance) ------------------------------------------------------------------------------------------------------------------------ * **Reduce ATO and fraud** (fewer successful logins with exposed credentials). * **Increase operational efficiency** with automated **password resets** or **step-up** for only the risky users. * **Preserve customer trust** while keeping friction low for legitimate users. * * * 🧩 API options (choose what fits your workflow) [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#-api-options-choose-what-fits-your-workflow) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### 1) User Exposure API [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#1-user-exposure-api) Identify **exact-match** identity exposures tied to a user (email/username/phone/IP). **Good for:** inline checks at **account creation** or **login**, background hygiene sweeps, malware/phish exposure checks. ### 2) Password Exposure API [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#2-password-exposure-api) Check whether a **password** has appeared in SpyCloud’s corpus (k-anonymity supported). **Good for:** NIST-aligned password policy, registration/login checks, background hygiene. ### 3) Consumer IDLink API [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#3-consumer-idlink-api) Reveal **holistic exposure signals** for a consumer by correlating identity artifacts across breach/malware/phish for deeper risk decisions. **Good for:** Background hygiene, high-value transactions, synthetic identity reviews. * * * 🔎 Where CAP fits in your app [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#-where-cap-fits-in-your-app) ------------------------------------------------------------------------------------------------------------------------------------- Account creation – block risky sign-ups Evaluate new registrations for known exposure and weak/reused passwords; prevent synthetic and recycled-credential abuse. Login – stop stuffing & replay Detect reused or previously exposed credentials; enforce forced reset or step-up authentication before granting access. * * * 🛠️ When to use which API [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#%EF%B8%8F-when-to-use-which-api) ------------------------------------------------------------------------------------------------------------------------------------- | Use Case | API | Match Type | Data Returned | Ideal For | Notes | | --- | --- | --- | --- | --- | --- | | **Inline password check (login/registration)** | **User Exposure** | Exact match on email/username/phone | Exposed credentials + PII metadata | Low-latency **inline** checks | Exact-match context. | | **Background password hygiene (batch)** | **User Exposure** | Periodic checks by identifier | Exposed credentials + PII metadata | Low-friction hygiene at scale | Exact-match context. | | **Deeper background hygiene (correlated)** | **Consumer IDLink** | Holistic identity correlation | Aggregated exposures (credentials + PII) | Comprehensive hygiene & risk | Higher latency; batch-friendly. | | **Transaction risk check (high value)** | **User Exposure** → **IDLink** | Exact → Holistic (as needed) | Exposed identity context | Inline verify; escalate to deeper check | Use IDLink for richer context. | | **Synthetic identity screening (registration)** | **IDLink** → **User Exposure** | Holistic → Exact (as needed) | Correlated exposure view | Thorough verification at signup | Use exact match to confirm. | > **Why ID correlation matters:** Turning fragmented, account-centric signals into a **risk-ranked, holistic identity** enables earlier, more accurate interventions and scalable automation. * * * 🚀 Getting started [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#-getting-started) --------------------------------------------------------------------------------------------------------------- 1. **Pick control points** – registration and login. 2. **Select API(s)** – start with **User Exposure** and/or **Password Exposure**; add **Consumer IDLink** for deeper correlation. 3. **Define policies** – drive **forced reset** or **step-up auth** based on **source** (breach/malware/phished), **severity**, and **credential risk**. 4. **Automate** – integrate via your preferred tools to reduce manual triage. 5. **Measure & tune** – ATO prevented, password resets, step-up success, and user friction. * * * 🧠 Why SpyCloud Consumer ATO Prevention? [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-cap-api#-why-spycloud-consumer-ato-prevention) ---------------------------------------------------------------------------------------------------------------------------------------------------------- * **Fresh, actionable data** from breaches, malware, and phishing – not stale surface collections. * **Identity correlation** to move beyond basic credential matching and inform smarter decisions. * **Automation-ready** responses with high-volume REST APIs and structured outputs. * **Password hygiene support** for policy enforcement at scale. Updated 13 days ago * * * Ask AI --- # Consumer IDLink API 🧭 Consumer IDLink API — Overview [](https://docs.spycloud.com/public-sc/docs/consumer-idlink-api#-consumer-idlink-api--overview) ===================================================================================================================================== **Correlate multiple identifiers to a single consumer exposure view.** Consumer IDLink API helps you understand a **holistic risk picture** by linking identity artifacts (e.g., email, phone, username, IP) across **breach**, **malware**, and **phished** sources—so your policies can make better decisions with fewer false positives. * * * 💡 Why Use It [](https://docs.spycloud.com/public-sc/docs/consumer-idlink-api#-why-use-it) ---------------------------------------------------------------------------------------------- * Go beyond single-identifier lookups to see the **full exposure footprint** of a consumer. * **Prioritize action** (reset, step-up, monitor) using correlated context like exposure **source**, **recency**, and **frequency**. * Improve **precision** and reduce **unnecessary friction** by making decisions on a more complete identity view. * * * ✅ What It Can Do [](https://docs.spycloud.com/public-sc/docs/consumer-idlink-api#-what-it-can-do) ----------------------------------------------------------------------------------------------------- * **Correlate identifiers** (email, username, phone, IP) to assemble a **unified exposure profile** per consumer. * Return **aggregated exposure signals** by **source** (breach/malware/phished), including counts and severity indicators. * Provide **reference keys** (e.g., `source_id`) that align to the **Breach Catalog** for downstream analysis and reporting. * Support **batch hygiene** and **on-demand** checks to fit real-time and offline workflows. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/consumer-idlink-api#%EF%B8%8F-how-it-works) ----------------------------------------------------------------------------------------------------------- Your application submits one or more **consumer identifiers** (e.g., email, username, phone, IP). Consumer IDLink API correlates these artifacts across SpyCloud’s datasets and returns an **aggregated exposure view** for that consumer. **Typical response elements (conceptual)** * **Identifiers evaluated** (echoed) * **Exposure summary**: counts by source (breach/malware/phished), severity indicators, recentness windows * **Source references**: list of `source_id` values that map to entries in the **Breach Catalog** * **Policy helpers**: fields intended to support routing (e.g., “recent high-severity exposure present: true/false”) > Note: If you use the **Breach Catalog**, you can enrich/report on results by joining on `source_id`. * * * 🧭 When to Use It [](https://docs.spycloud.com/public-sc/docs/consumer-idlink-api#-when-to-use-it) ------------------------------------------------------------------------------------------------------ * **Background hygiene sweeps** – Periodically evaluate your consumer base to find **high-risk identities** that single-identifier checks might miss. * **High-value transactions** – Run a **deeper risk check** before allowing sensitive actions (e.g., major purchases, profile changes). * **Synthetic identity screening** – Correlate fragmented artifacts to spot risky sign-ups with **inconsistent or overexposed** identities. * **Tiered policy decisions** – Use correlated context to decide **reset vs. step-up vs. monitor** with better precision. Updated 13 days ago * * * Ask AI --- # Consumer ATO Prevention **Consumer ATO Prevention** helps you spot compromised customers early and **block account takeover** by acting on identity evidence from the criminal underground — including **breached credentials**, identity exposures from **malware-infected devices**, and **successfully phished** logins. > 🎯 > > Give security & fraud teams the _earliest possible signal_ that a user is at risk, then **reset or step-up** before attackers get in. * * * 🚀 What does Consumer ATO Prevention do? [](https://docs.spycloud.com/public-sc/docs/consumer-ato-prevention#-what-does-consumer-ato-prevention-do) ------------------------------------------------------------------------------------------------------------------------------------------------------- * Continuously checks your consumers against SpyCloud’s **recaptured breach, malware, and phished** datasets to flag exposed identities. * Detects **credential reuse and replay** to prevent ATO without adding unnecessary friction. * Lets you **automate outcomes** via our flexible APIs and within your preferred tools and frameworks. * * * 🧩 Key capabilities [](https://docs.spycloud.com/public-sc/docs/consumer-ato-prevention#-key-capabilities) -------------------------------------------------------------------------------------------------------------- * **Early exposure detection** at **account creation & login** to stop credential-based ATO. * **Credential risk evaluation** (reused, exposed, or known-compromised passwords). * **Policy-driven actions** (forced reset, step-up authentication, re-verification) tuned to source & severity. * **Low-friction UX** by acting only on **high-confidence** events; reduce false positives & churn. * * * 🏦 Who benefits [](https://docs.spycloud.com/public-sc/docs/consumer-ato-prevention#-who-benefits) ------------------------------------------------------------------------------------------------------ * **Financial services** — reduce ATO & transaction fraud * **E-commerce & marketplaces** — protect revenue & loyalty balances * **Telecom & media** — safeguard high-value subscriptions * **Any B2C app** — strengthen identity security without excess friction * * * 🛠️ Getting started [](https://docs.spycloud.com/public-sc/docs/consumer-ato-prevention#%EF%B8%8F-getting-started) ---------------------------------------------------------------------------------------------------------------------- 1. **Choose control points:** account creation and login. 2. **Integrate APIs:** call **Consumer ATO Prevention** to evaluate user risk. 3. **Define policies:** by **source** (breach / malware / phished), **severity**, and **credential risk**. 4. **Automate responses:** force resets or require step-up auth. 5. **Measure & tune:** ATO prevented, password resets, step-up auth success, and user friction. * * * ✅ Outcomes you can expect [](https://docs.spycloud.com/public-sc/docs/consumer-ato-prevention#-outcomes-you-can-expect) --------------------------------------------------------------------------------------------------------------------------- * **Fewer takeovers** from password reuse and credential replay * **Lower operational load** through automation and high-fidelity alerts * **Protected brand trust** and improved customer retention ![](https://files.readme.io/46e75614bd4ef2df3242dcc9e073d86c8626f29f45d5a17ceb7d160b0b004938-Screenshot_2025-08-26_at_3.39.19_PM.png) Updated 13 days ago * * * Ask AI --- # User Exposure API ONLY 🕵️‍♂️ User Exposure API — Overview [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-only#%EF%B8%8F%EF%B8%8F-user-exposure-api--overview) ============================================================================================================================================================== Identify vulnerable accounts by checking for breach exposure tied to your consumers’ email addresses, IP addresses, phone numbers, or usernames. ![](https://files.readme.io/d7be7db97ad9957569c5a28b77a1be951bcdb2505b8879312396662bc08ab252-Screenshot_2025-08-26_at_10.04.55_PM.png) * * * 💡 Why to use it [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-only#-why-to-use-it) ----------------------------------------------------------------------------------------------------------- The User Exposure API helps you identify breach exposures tied to your consumers so you can **reset compromised passwords**, **protect vulnerable accounts**, and **prevent fraudulent activity**. * * * ✅ What It Can Do [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-only#-what-it-can-do) ------------------------------------------------------------------------------------------------------------ * Identify vulnerable accounts by checking for breach exposure tied to **email addresses, IP addresses, phone numbers, or usernames**. * Return **all breach records** that match the submitted identifier, enabling targeted remediation. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-only#%EF%B8%8F-how-it-works) ------------------------------------------------------------------------------------------------------------------ Your application submits an **identifier** to SpyCloud: an **email address**, **IP address**, **phone number**, or **username**. SpyCloud returns **all breach records** that match that identifier. * * * 🧭 When to use it [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-only#-when-to-use-it) ------------------------------------------------------------------------------------------------------------- Enterprises typically use the **User Exposure API** at two points: * **Login** — Check credentials in real time as users log into your application, in parallel with a **step-up authentication** procedure for high-risk actions. * **At Rest (Batch Mode)** — Check your entire database of credentials on a frequent basis to detect **new exposures**, whether or not your users have been active during that time. Updated 13 days ago * * * Ask AI --- # Password AND User Exposure APIs 🧩 CAP APIs & Deployment Options [](https://docs.spycloud.com/public-sc/docs/password-and-user-exposure-apis#-cap-apis--deployment-options) =============================================================================================================================================== To provide flexibility for your organization, SpyCloud offers **two high-volume, performant APIs** for **Consumer Account Takeover Prevention** that can be used **together or separately**. * * * 🔐 The APIs [](https://docs.spycloud.com/public-sc/docs/password-and-user-exposure-apis#-the-apis) ------------------------------------------------------------------------------------------------------ * **Password Exposure API** — Check **hashes of your consumers’ passwords** against **all passwords** in the SpyCloud database, **regardless of username**. * **User Exposure API** — Check the SpyCloud database for **breach exposure** tied to your consumers’ **email addresses, IP addresses, phone numbers, or usernames**. > ✅ > > ### > > **Complementary coverage:** The two APIs are complementary; they can be used in separate scenarios and offer different protections. **Using both APIs together provides the strongest protection against account takeover.** > > [](https://docs.spycloud.com/public-sc/docs/password-and-user-exposure-apis#complementary-coverage-the-two-apis-are-complementary-they-can-be-used-in-separate-scenarios-and-offer-different-protections-using-both-apis-together-provides-the-strongest-protection-against-account-takeover) * * * 🧭 Using Both APIs [](https://docs.spycloud.com/public-sc/docs/password-and-user-exposure-apis#-using-both-apis) -------------------------------------------------------------------------------------------------------------------- **Recommended for most enterprises** Using both APIs together, you can protect your consumers’ credentials **from the moment they create an account** throughout their **entire relationship** with your enterprise. **How “both” typically maps to your flows** * **At account creation / password change / reset:** Use **Password Exposure API** to block exposed, commonly used passwords at the point of creation. * **At login and in batch hygiene:** Use **User Exposure API** to identify users whose credentials have appeared in breaches and take protective action. Updated 13 days ago * * * Ask AI --- # Tips for Measuring Program Success 📊 Metrics & KPIs for Consumer ATO Prevention (CAP) [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-metrics--kpis-for-consumer-ato-prevention-cap) ====================================================================================================================================================================================== > Use this guide to define success, build dashboards, and report impact. Start with a short baseline, set targets, and iterate. * * * 🎯 What to measure [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-what-to-measure) ----------------------------------------------------------------------------------------------------------------------- | Category | KPI | Why it matters | | --- | --- | --- | | **Outcomes** | **ATO Incidents** ↓ | The core “bad thing” you’re trying to stop. | | | **ATO Prevented** ↑ | Proactive blocks/resets that stopped credential-based account abuse. | | **Efficiency** | **Time to Detect (TTD)** ↓ | Time from new exposure observed → user flagged. | | | **Time to Remediate (TTR)** ↓ | Time from user flagged → action completed (reset/step-up). | | **Coverage** | **Population Evaluated** ↑ | % of active users evaluated by CAP controls. | | | **Identifier Coverage** ↑ | % of users with matchable identifiers (email/phone/username/IP). | | **Quality** | **Policy Precision** ↑ | % of CAP actions on accounts with confirmed exposure. | | | **False Positive Rate** ↓ | % of CAP actions later reversed as “not risky.” | | **User Experience** | **Friction Rate** ↔︎ | % of logins/registrations impacted by CAP actions. | | | **Password Reset Completion** ↑ | % of forced resets completed within SLA (e.g., 24h). | * * * 🧪 Baseline, targets, and cadence [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-baseline-targets-and-cadence) --------------------------------------------------------------------------------------------------------------------------------------------------- * **Baseline:** 2–4 weeks **pre-enforcement** to record ATO incidents, fraud losses, and login/registration conversion. * **Targets (first 90 days):** * **ATO incidents:** ↓ 20–40% (credential-based) * **TTR:** ↓ 30–50% (from flag to reset/step-up) * **Friction rate:** ≤ 1–3% of total logins (tune to business tolerance) * **Cadence:** Weekly ops review; monthly KPI roll-up; quarterly ROI update. > Aim for **steady improvements**, not perfection on day one. Tighten thresholds as precision improves. * * * 🔢 Core definitions & formulas [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-core-definitions--formulas) ---------------------------------------------------------------------------------------------------------------------------------------------- > Adjust to your data model; keep formulas stable over time for trend integrity. **1) ATO Incidents (credential-based)** Number of confirmed account takeovers that used exposed/reused credentials during the period. **2) ATO Prevented** `Prevented = ForcedResets_PreAccess + High-Risk_Login_Blocks + Registration_Blocks` **3) Time to Detect (TTD)** `TTD (median) = time(user_flagged_by_CAP) − time(exposure_available)` **4) Time to Remediate (TTR)** `TTR (median) = time(action_completed) − time(user_flagged_by_CAP)` **5) Population Evaluated** `Evaluated % = distinct(users_evaluated_by_CAP) / distinct(active_users)` **6) Policy Precision** `Precision % = CAP_Actions_On_Exposed / Total_CAP_Actions` **7) False Positive Rate (FPR)** `FPR % = Reversed_CAP_Actions / Total_CAP_Actions` **8) Friction Rate** `Friction % = (Forced_Resets + Step-Up_Auth_Prompts) / Total_Logins` **9) Password Reset Completion** `Completion % = Resets_Completed_within_SLA / Resets_Triggered` * * * 🧱 Suggested events to log (for dashboards) [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-suggested-events-to-log-for-dashboards) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- Capture these events (or equivalents) to power KPIs: * `ExposureEvaluated` (user\_id, identifiers, exposure\_source: breach/malware/phished, exposure\_count, severity, ts) * `LoginEvaluated` (user\_id, credential\_risk, action\_applied, ts) * `RegistrationEvaluated` (user\_id/email, action\_applied, ts) * `ActionApplied` (type: forced\_reset | step\_up | registration\_block, reason, ts) * `ResetCompleted` (user\_id, ts) * `ATOConfirmed` (user\_id, ts, vector: credential) * `Conversion` (type: login\_success | registration\_complete, ts) > Keep identifiers consistent so you can join **SpyCloud results** with **app/fraud/IdP** logs. * * * 🗺️ Dashboard layout [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#%EF%B8%8F-dashboard-layout) ----------------------------------------------------------------------------------------------------------------------------------- **📈 Executive top line (always-on)** * **ATO incidents (credential-based)** – 13-week trend * **ATO prevented** – weekly count & cumulative * **TTR (median)** – by action (reset vs step-up) * **Friction rate** – % of logins impacted * **Reset completion** – % within SLA (24h, 72h) **🧰 Operations (daily)** * **New exposed users** – by source (breach/malware/phished) & severity * **Actions applied** – by policy route (reset/step-up/block) * **Open remediations** – aging buckets (0–24h, 24–72h, 3–7d) * **Precision & FPR** – weekly trend * **Population evaluated** – by user segment (region, product line, risk tier) **🧪 Policy tuning** * **Exposure count bands** (e.g., 1, 2–5, 6+) → action outcomes * **Credential risk score** → conversion/abandon comparisons * **A/B threshold tests** – effect on precision, FPR, friction * * * 🧭 Segmentation you’ll want [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-segmentation-youll-want) ---------------------------------------------------------------------------------------------------------------------------------------- * **Source:** breach vs malware vs phished * **Lifecycle:** new registration vs returning login * **Tier:** high-value accounts vs standard * **Region/geo & device class** * **Credential hygiene:** prior resets, repeat offenses > Segment reports to see **where to tighten** and **where to lighten** controls. * * * 🧪 Example KPI scorecard (monthly) [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-example-kpi-scorecard-monthly) ----------------------------------------------------------------------------------------------------------------------------------------------------- | KPI | This Month | Prev Month | Δ | Target | Status | | --- | --- | --- | --- | --- | --- | | ATO Incidents (cred) | 42 | 61 | **−31%** | −20% | ✅ | | ATO Prevented | 3,210 | 2,780 | **+15%** | +10% | ✅ | | TTR (median) | 3.6h | 6.1h | **−41%** | ≤ 4h | ✅ | | Precision | 92.4% | 88.7% | **+3.7pp** | ≥ 90% | ✅ | | FPR | 1.3% | 1.9% | **−0.6pp** | ≤ 2% | ✅ | | Friction | 1.8% | 1.7% | **+0.1pp** | ≤ 2% | ⚠️ | | Reset Completion (24h) | 74% | 69% | **+5pp** | ≥ 75% | ▢ | _pp = percentage points_ * * * 🧩 Translating SpyCloud results into actions [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-translating-spycloud-results-into-actions) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Map exposure severity/counts to actions (tune to your risk tolerance): | Condition | Suggested Action | | --- | --- | | High severity or multiple recent exposures | **Force password reset** immediately | | Medium severity, first-time exposure | **Step-up auth** + optional reset nudge | | Low severity or stale exposure | **Monitor**; nudge user to refresh password | | Repeat exposure within 30 days | **Mandatory reset** + education banner | > Start conservative; widen enforcement as precision stabilizes. * * * 🧮 Simple ROI sketch (optional) [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-simple-roi-sketch-optional) ----------------------------------------------------------------------------------------------------------------------------------------------- `ROI = (Avg Incident Cost × ATO Prevented) − (Ops Cost + Tooling Cost)` * **Avg Incident Cost**: fraud loss + recovery + support time * **Ops Cost**: time to handle resets/exceptions * **Tooling Cost**: incremental platform/infra spend > Report quarterly; socialize wins with Security, Fraud, and CX. * * * 🧑‍🔧 Implementation tips [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-implementation-tips) ---------------------------------------------------------------------------------------------------------------------------------- * **Fail-open async** checks at login; **sync** checks at registration where policy requires. * Track **attempt → success** for forced resets (this powers TTR and completion). * Log **policy route** and **reason** for every action to enable precision/FPR reporting. * Revisit **thresholds** monthly; keep a changelog for experiments. * * * 📅 Reporting cadence & owners [](https://docs.spycloud.com/public-sc/docs/tips-for-measuring-program-success#-reporting-cadence--owners) -------------------------------------------------------------------------------------------------------------------------------------------- * **Weekly ops**: CAP owner + Fraud + SRE/Platform * **Monthly KPI**: Security leadership + Product + Support * **Quarterly ROI**: Finance + Exec sponsor > Keep it boring and repeatable. The program wins by consistency. Updated 13 days ago * * * Ask AI --- # CAP Password Exposure API **SpyCloud** provided the ability to further reduce account take over fraud related to registered users. Criminals are able to access a customer account and leverage stored payment information. This type of fraud often presents itself as credit card fraud or chargeback fraud. ⚠️ **NOTE** Criminals can spend loyalty rewards resulting in customer relations issues as well as additional fraud losses required to replenish a customer's reward program. * * * 🛡️ Enhanced account security & NIST alignment [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure#%EF%B8%8F-enhanced-account-security--nist-alignment) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- By adding enhanced account security clients are able to adhere to NIST standards. With billions of assets circulating the criminal underground, and new data breaches and malware infections occurring daily, security teams are experiencing resource constraints and challenges around collecting data specific to their consumers, and then making it actionable to validate compromise at scale, while ensuring and maintaining account security. \*\*SpyCloud \*\*helps improve **operational efficiency** and _simplifies alignment with NIST password guidelines_ by enabling you to check your consumers’ passwords against the largest and most actionable database of stolen credentials in the world. By implementing **SpyCloud Password Exposure API** into existing workflows, you can easily detect and prevent weak, common, and compromised passwords from being used – dramatically reducing time and costs associated with monitoring and mitigating password-related risk * * * 🔍 What it does [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure#-what-it-does) ---------------------------------------------------------------------------------------------------- Using the Password Exposure API, you can screen your consumers’ passwords for weak, common, and compromised passwords by checking how many times (_if ever_) the password has appeared in the SpyCloud database, regardless of username. To securely check **password-only** matches against the entire SpyCloud database, the \*\*Password Exposure API \*\*uses an approach called _k-anonymity._ Only the first 5 characters of each password hash are sent over the network – _never the consumer’s plaintext password_. This method offers the benefit of identifying matches without exposing exact passwords to SpyCloud and also ensures that if the traffic were intercepted, it would be useless to an attacker. * * * ✅ Identify and avoid [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure#-identify-and-avoid) --------------------------------------------------------------------------------------------------------------- * “Passwords obtained from previous breach corpuses * “Dictionary words * “Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) * * * ⚙️ How k-anonymity works [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure#%EF%B8%8F-how-k-anonymity-works) ------------------------------------------------------------------------------------------------------------------------------- To securely check password-only matches against the entire SpyCloud database, the Password Exposure API uses an approach called k-anonymity. Only the first 5 characters of each password hash are sent over the network — never the consumer’s plaintext password. > 🏆 > > This method offers the benefit of identifying matches without exposing exact passwords to SpyCloud and also ensures that if the traffic were intercepted, it would be useless to an attacker. * * * 🧭 When & how resets are triggered [](https://docs.spycloud.com/public-sc/docs/cap-password-exposure#-when--how-resets-are-triggered) ----------------------------------------------------------------------------------------------------------------------------------------- Once a consumer’s password has been identified as compromised (typically in an account creation, login, or password reset workflows or via a batch check), businesses typically automate notifying the affected consumer and initiating a password reset. 💡**NOTE** Some companies opt to only force password resets after a specific number of appearances in the SpyCloud database; however, resetting all passwords with even a single exposure is still recommended as a best practice. Updated 13 days ago * * * Ask AI --- # The "Before You Get Started" Guide 🚀 Before You Get Started with Consumer ATO Prevention (CAP) [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-before-you-get-started-with-consumer-ato-prevention-cap) ======================================================================================================================================================================================================== SpyCloud’s **Consumer ATO Prevention (CAP)** helps you prevent consumer account takeover by detecting exposed credentials _before_ they’re abused. This guide covers planning, collaboration, integration patterns, and how to measure success. * * * 📝 Getting Started [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-getting-started) ---------------------------------------------------------------------------------------------------------------------- 🛠️ Planning Your Implementation * Gather requirements early. * Identify all teams that need to be involved. * Ensure devs are familiar with SpyCloud APIs (see Portal). * Verify access permissions for all stakeholders. * Build in time for testing and iteration. * * * 🤝 Preparing to Collaborate with Other Teams [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-preparing-to-collaborate-with-other-teams) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- #### 💡 Build a Business Case [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-build-a-business-case) * Outline the _opportunity cost of delay_: * Number of accounts taken over * Average fraud loss per incident (direct $ + wasted cycles/opportunity cost) * If data is hard to obtain, use representative cases to illustrate impact. #### ✨ Address Customer Experience [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-address-customer-experience) * Explain measures to **avoid friction** (asynchronous checks, fail-open at login). * Share attention-grabbing stats (e.g., “X% of customer passwords appear in SpyCloud data”). #### 📣 Keep Stakeholders Engaged [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-keep-stakeholders-engaged) * Report outcomes regularly: accounts protected, fraud averted, reduction in escalations. * Maintain alignment with product, CX, finance, and leadership. * * * 🔑 Implementation: Common Approaches [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-implementation-common-approaches) --------------------------------------------------------------------------------------------------------------------------------------------------------- Enterprises typically call SpyCloud APIs at the following points: ### 🔒 Password Creation [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-password-creation) * Call **Password Exposure API** on create / reset / change. * Use exposure counts to block weak/known-bad passwords. * Calibrate thresholds by risk: * **High-value (finance):** block if seen even once. * **High-friction-risk (ecom):** block only the most common. * Optionally cap failed attempts to reduce churn. ![](https://files.readme.io/23601847b90aa0cb7c1ef1b1041aac1d38466de34e8f496e1aecea0d4ea72f4d-Screenshot_2025-08-26_at_9.37.13_PM.png) ### ✅ Login [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-login) * Call **User Exposure API** asynchronously at login. * **Fail open** so errors don’t block legitimate users. * If exposed, flag the account and require step-up auth for risky actions: * Multi-factor authentication (MFA) * Email verification * Geolocation or other behind-the-scenes checks * Optionally force a password reset later to minimize login friction. ![](https://files.readme.io/2e2fc110fe3637b7deb81674e151cdd6014ec083ee2d4c5b9c18912da99401e2-Screenshot_2025-08-26_at_9.38.20_PM.png) ### 🔁 Password Reset [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-password-reset) * Check newly provided credentials during reset. * Prevent users from _resetting into_ compromised passwords. ### 📦 At Rest (Batch Mode) [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#-at-rest-batch-mode) * Run scheduled checks of your entire user base (nightly → monthly). * Detect exposures for **dormant or inactive** users. * Schedule during low-volume windows. ![](https://files.readme.io/7f07d3707a5c0234639a29974b65809a4df8c080ea4c4556cf7093cef3645f90-Screenshot_2025-08-26_at_9.39.38_PM.png) * * * 🛡️ Account Maintenance & Ongoing Protection [](https://docs.spycloud.com/public-sc/docs/the-before-your-get-started-guide#%EF%B8%8F-account-maintenance--ongoing-protection) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ⏱️ Continuous Exposure Monitoring Run scheduled checks (daily, weekly, or monthly) against SpyCloud’s dataset to identify newly compromised credentials associated with existing accounts. This ensures you’re not only reacting during login or reset events, but also proactively catching dormant accounts or infrequent users who may still pose a risk. 🧹 Credential Hygiene Enforcement * Establish policies that trigger remediation workflows when SpyCloud flags an exposure. For example, force password rotation, revoke active sessions, or apply step-up authentication until the user resets credentials. 📩 Silent Notifications & Guided Recovery * Instead of only enforcing disruptive resets, some organizations silently monitor and guide remediation: send tailored alerts, provide self-service recovery options, or encourage users to enable MFA if their credentials have been compromised. 💤 Inactive & Dormant Accounts * Use SpyCloud data to identify exposures tied to accounts that haven’t logged in for months (or years). Decide whether to disable, flag, or place those accounts into a limited state until the user re-engages securely. 🕵️ Fraud & Risk Engine Integration * Enrich broader fraud prevention or identity risk scoring systems with SpyCloud’s compromise signals, so exposed accounts can be flagged for higher scrutiny during future transactions or logins. Updated 13 days ago * * * Ask AI --- # CAP User Exposure API E-commerce and retail organizations manage millions of customer accounts tied to online storefronts, mobile shopping apps, loyalty programs, and subscription services. These accounts often contain valuable information –stored payment methods, saved shipping addresses, loyalty points, and purchase history – that, if compromised, can result in fraud, customer churn, and financial loss. SpyCloud empowers retailers and online merchants to stop account takeover (ATO) fraud targeting shoppers, rewards members, and customer service teams. When cybercriminals gain unauthorized access to customer accounts, they can exploit stored data to make fraudulent purchases, drain loyalty balances, or reroute deliveries –resulting in lost revenue and damaged brand trust. * * * 🚨 Why Account Takeover Is a Growing Threat for E-commerce & Retail [](https://docs.spycloud.com/public-sc/docs/user-exposure-api#-why-account-takeover-is-a-growing-threat-for-e-commerce--retail) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- As digital shopping becomes the norm, attackers increasingly target customer credentials to exploit account features and stored financial data. Key risk factors include: * **Password reuse:** Shoppers often reuse login credentials across multiple sites, making accounts vulnerable to large-scale credential stuffing attacks. * **Malware and phishing:** Customers and employees alike may be tricked by phishing emails, fake order confirmations, or infected coupon downloads – leaking their login credentials. **Fraudulent account actions:** Once attackers gain access, they may: * Make unauthorized purchases using stored cards * Modify shipping addresses to intercept deliveries * Redeem loyalty rewards or store credits * Lock out legitimate users by changing passwords or MFA settings > These threats lead to chargebacks, inventory loss, increased support costs, and erosion of customer trust. * * * 🛡️ Proactive Defense with SpyCloud [](https://docs.spycloud.com/public-sc/docs/user-exposure-api#%EF%B8%8F-proactive-defense-with-spycloud) ------------------------------------------------------------------------------------------------------------------------------------------------ SpyCloud helps e-commerce and retail brands identify exposed credentials and PII before they’re used for fraud. By continuously monitoring breach, malware, and phishing data, retailers can: * Detect vulnerable customer or employee accounts in real time * Prevent ATO-related fraud at checkout or login * Automate fraud response through enhanced authentication or password resets * Minimize damage to brand reputation and customer loyalty * * * 🔍 User Exposure API for E-commerce & Retail [](https://docs.spycloud.com/public-sc/docs/user-exposure-api#-user-exposure-api-for-e-commerce--retail) --------------------------------------------------------------------------------------------------------------------------------------------------------- The **User Exposure API** allows fraud, security, or IT teams to query SpyCloud’s breach and malware intelligence using identifiers commonly associated with customer accounts: * Email address * Phone number * Username * IP address With seamless integration, retailers can: * Prevent logins using compromised credentials seen in third-party breaches * Detect malware-infected devices leaking authentication and session data * Identify exposed PII (e.g., billing details, addresses) connected to retail fraud > ⭐ > > **SpyCloud** supports over 200+ data types, enabling organizations to assess user risk holistically and take targeted action to protect customers. * * * 🔧 How It Works [](https://docs.spycloud.com/public-sc/docs/user-exposure-api#-how-it-works) ------------------------------------------------------------------------------------------------ 1. Submit an account identifier (email, username, etc.) to SpyCloud’s API (SHA1 hash or plaintext). Data is securely transmitted via TLS. 2. SpyCloud returns exposure results—including data from malware logs, phishing kits, and credential breaches. 3. Your system evaluates the exposure: 1. Is the exposed password still in use? 2. Was the data tied to malware or phishing? 4. Take action based on threat level: 1. Enforce a password reset 2. Initiate step-up verification (e.g., OTP or email confirmation) 3. Flag the account for investigation or limit checkout functionality * * * 🎯 Key Benefits for E-commerce & Retail Companies [](https://docs.spycloud.com/public-sc/docs/user-exposure-api#-key-benefits-for-e-commerce--retail-companies) ------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Stop unauthorized purchases and reward redemptions * Reduce chargebacks and return fraud linked to account takeovers * Protect customer loyalty and satisfaction * Lower support costs tied to compromised accounts and disputes * Strengthen fraud detection workflows and identity trust models * * * ❗ Why It Matters [](https://docs.spycloud.com/public-sc/docs/user-exposure-api#-why-it-matters) --------------------------------------------------------------------------------------------------- Exposed login credentials, PII, and stored payment data are actively traded on the dark web and used by cybercriminals to target retail platforms. The consequences of unchecked ATO attacks include: * Financial loss through fraudulent orders * Loyalty program abuse and promo fraud * Operational disruption and negative press * Loss of customer confidence and lifetime value > 💪 > > Integrating SpyCloud’s credential intelligence into your customer protection stack is essential. It empowers you to take proactive measures – blocking bad actors and building long-term trust with your customers. Updated 13 days ago * * * Ask AI --- # CAP User Exposure API Banks, credit unions, fintechs, and insurers manage millions of customer accounts across digital banking portals, mobile apps, trading platforms, and claims systems. These accounts often contain highly sensitive data – personally identifiable information (PII), account numbers, payment instruments, and transaction histories – that, if compromised, can lead to fraud losses, regulatory exposure, and erosion of customer trust. SpyCloud empowers financial institutions to combat account takeover (ATO) fraud targeting retail and commercial users, advisors, and support staff. Cybercriminals who gain access can initiate fraudulent transfers, file fake claims, open new lines of credit, or social-engineer support – driving direct loss and downstream operational costs. * * * 🚨 Why Account Takeover Is a Growing Threat for Financial Services [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-5#-why-account-takeover-is-a-growing-threat-for-financial-services) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ As customers adopt digital-first banking and payments, account security becomes a frontline control. Common behaviors and attacker tradecraft increase credential-driven risk: * **Password reuse:** Consumers often reuse credentials across sites, enabling **credential stuffing** at scale. * **Malware & phishing:** Banking-themed lures and infostealer malware expose **logins and PII** that fuel ATO and application fraud. * **Fraudulent account actions:** Once inside, attackers may: * Initiate unauthorized transfers or card-not-present purchases * Change contact details to bypass alerts and lock out the rightful user * Abuse P2P rails, bill pay, or ACH to launder funds > 🚩 > > These incidents drive fraud write-offs, claims leakage, higher support load, and reputational damage. * * * 🛡️ Proactive Defense with SpyCloud [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-5#%EF%B8%8F-proactive-defense-with-spycloud) ------------------------------------------------------------------------------------------------------------------------------------------------------ SpyCloud helps financial institutions detect compromised credentials and sensitive user data **before** attackers exploit them. Using a continuously updated collection of **breach, malware, and phishing** data, teams can: * Identify **at-risk consumer or staff accounts** in real time * Block ATO attempts and **prevent funds movement abuse** * Strengthen authentication and fraud orchestration workflows * Reduce recovery costs, chargebacks, and call center escalations * * * 🧰 User Exposure API for Financial Services [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-5#-user-exposure-api-for-financial-services) -------------------------------------------------------------------------------------------------------------------------------------------------------------- The User Exposure API allows fraud, security, or IAM teams to query SpyCloud’s intelligence using identifiers commonly associated with financial accounts: * Email address * Phone number * Username * IP address With seamless integration, institutions can: * **Prevent logins** using credentials known to be exposed * Detect **malware-infected devices** leaking authentication data * Identify **exposed PII** tied to identity and application fraud * Correlate **200+ data types** beyond usernames/passwords to assess risk * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-5#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------- 1. **Submit an account identifier** (email, phone, etc.) to SpyCloud via API (SHA1 hash or plaintext). TLS encryption secures all traffic. 2. **Receive exposure results** matching that identifier from breach, malware, or phishing sources. 3. **Evaluate risk** in your fraud stack: * Is the exposed password **still in use**? * Is the data tied to **malware or phishing** activity? 4. **Take risk-based action**: * **Force a password reset** * **Trigger step-up authentication** (e.g., OTP, push) * **Flag or throttle** high-risk sessions; route to review * * * 🎯 Key Benefits for Financial Services [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-5#-key-benefits-for-financial-services) ---------------------------------------------------------------------------------------------------------------------------------------------------- * Reduce **ATO, funds transfer fraud, and claims abuse** * Lower **chargebacks** and operational recovery costs * Improve **precision** of authentication and fraud rules * Protect **advisor/staff** accounts from social engineering risk * Preserve **customer trust** and digital conversion rates * * * 📌 Why It Matters [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-5#-why-it-matters) ---------------------------------------------------------------------------------------------------------- Exposed credentials – obtained via breaches, phishing, or malware – remain a primary entry point for financial fraud. Consequences include: * Silent takeover of banking and card accounts * Unauthorized transfers and payments * Regulatory scrutiny and reputational harm > 👍 > > Integrating SpyCloud’s credential intelligence is essential to outpace credential-driven attacks – protecting customers, reducing losses, and maintaining confidence in your digital channels. Updated 13 days ago * * * Ask AI --- # Compromised Credit Card API In today’s financial landscape, banks and card-issuing institutions manage massive volumes of sensitive consumer data – including stored credit card numbers, transaction histories, and cardholder PII. These institutions are often the first line of defense against fraud, yet even cards issued by trusted brands are frequently targeted and exploited by cybercriminals. Financial institutions can reduce fraud losses and strengthen customer trust by proactively monitoring compromised credit cards – including card numbers, expiration dates, and CVVs that have been exposed in breaches or traded on dark web marketplaces. When this intelligence is integrated into fraud detection systems, it acts as an early warning signal – empowering institutions to take swift, informed action before fraud occurs. Issuers can directly monitor their portfolios by querying Bank Identification Numbers (BINs) to detect exposure early and intervene decisively. By identifying compromised cards in circulation, banks and financial institutions can: * Prevent unauthorized purchases and cash advances using stolen card data * Reduce chargebacks and false claims through proactive detection * Flag high-risk cardholder accounts for enhanced authentication or contact * Support investigations into organized fraud rings and synthetic identity operations * * * 🧠 SpyCloud’s Credit Card Intelligence for Financial Institutions [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-5#-spyclouds-credit-card-intelligence-for-financial-institutions) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud offers unparalleled visibility into recaptured credit card data – specifically cards that have already fallen into the hands of cybercriminals and are actively at risk of fraudulent use. With **SpyCloud’s Compromised Credit Card API**, risk, fraud, and compliance teams can: * Access exposed card records linked to their BIN ranges * Integrate alerts into transaction risk models, fraud scoring engines, and card management workflows * Block, verify, or flag transactions using compromised cards at critical points (authorization, online purchases, new device provisioning) By intervening early, banks preserve consumer confidence, reduce operational burden, and cut off fraud vectors before they lead to financial loss. * * * ⚙️ How the Credit Card BIN API Works [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-5#%EF%B8%8F-how-the-credit-card-bin-api-works) --------------------------------------------------------------------------------------------------------------------------------------------------------------- \*\*SpyCloud’s Compromised Credit Card API \*\*enables automated detection of exposed credit card data through a secure RESTful JSON API. Institutions query the endpoint using one or more 6-digit BINs (up to 10 per request) and receive: * SHA1-hashed credit card numbers * Exposure source metadata (e.g., malware, phishing, breach) * Timestamps of compromise * Contextual details to inform follow-up action **At a glance** | 🔎 Queries | 📤 Output | | --- | --- | | One or more 6-digit BINs (up to 10 per request). | SHA1-hashed credit card numbers; exposure source metadata (e.g., malware, phishing, breach); timestamps of compromise; contextual details to inform follow-up action. | * * * 🧪 Common Use Cases Include: [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-5#-common-use-cases-include) ------------------------------------------------------------------------------------------------------------------------------------- * Flagging cards at risk during transaction authorization or account access * Triggering card reissuance or additional identity verification for exposed accounts * Detecting large-scale exposure events tied to coordinated phishing or skimming campaigns * * * 🗃️ Data Sources [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-5#%EF%B8%8F-data-sources) ---------------------------------------------------------------------------------------------------------------------- SpyCloud researchers collect exposed card data from a broad network of criminal data sources, including: * Malware-infected consumer devices * Phishing kits designed to mimic online banking or card activation portals * Dark web forums, breach dumps, and closed fraud communities > 👍 > > This high-fidelity intelligence gives banks the ability to act decisively, based on validated risk indicators – not guesswork. * * * 📣 Why This Matters for Financial Institutions [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-5#-why-this-matters-for-financial-institutions) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Credit card fraud is an ever-evolving threat, and the costs are real: * Unauthorized purchases and ATM withdrawals made using exposed card data * Chargeback volumes that erode profit margins and processor relationships * Reputational harm and regulatory scrutiny when compromised cards are linked to major breaches * Operational strain on fraud, support, and card services teams When institutions proactively alert customers about compromised cards – even before fraud occurs – they create: * A stronger sense of protection and brand loyalty * Higher engagement with security recommendations * Fewer escalations tied to fraud claims and disputes * * * 🎯 Key Benefits for Banks & Card Issuers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-5#-key-benefits-for-banks--card-issuers) ------------------------------------------------------------------------------------------------------------------------------------------------------------- * Lower fraud losses and operational impact from exposed cards * Real-time risk mitigation before transactions are finalized * More effective fraud scoring based on verified exposure intelligence * Improved customer experience through proactive fraud prevention * Support for internal and external investigations of card fraud rings Updated 13 days ago * * * Ask AI --- # CAP User Exposure API Healthcare organizations manage vast numbers of patient and user accounts across electronic health record (EHR) systems, patient portals, telehealth platforms, and billing systems. These accounts often contain highly sensitive data—protected health information (PHI), insurance details, and payment methods –that, _if compromised_, can have severe consequences including **identity theft**, **financial fraud**, and **regulatory penalties**. SpyCloud empowers healthcare providers to combat account takeover (ATO) fraud targeting patients, providers, and administrative staff. Cybercriminals who gain unauthorized access to healthcare systems can submit fraudulent insurance claims, alter patient information, and misuse stored payment or medical data. The results include privacy breaches, financial losses, and a loss of trust in critical care systems. * * * 🚨 Why Account Takeover Is a Growing Threat for Healthcare [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-1#-why-account-takeover-is-a-growing-threat-for-healthcare) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- With the surge in digital health services, patient portals, and telemedicine, account security is now a front-line defense in protecting healthcare ecosystems. Risky behaviors – like password reuse and phishing susceptibility –amplify exposure to credential-based attacks: * **Password reuse:** Patients and staff often reuse credentials across multiple sites, making them vulnerable to credential stuffing. * **Malware and phishing:** Devices infected with malware or targeted by phishing attacks can expose login credentials and sensitive medical information. * **Fraudulent account actions:** Once an attacker gains access to a healthcare account, they may: * Modify patient data or insurance information. * Access and misuse stored PHI. * Submit false claims or prescriptions. * Lock out legitimate users, delaying or disrupting care. These incidents can jeopardize care delivery, violate HIPAA and data privacy regulations, and increase the administrative burden on providers. * * * 🛡️ Proactive Defense with SpyCloud [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-1#%EF%B8%8F-proactive-defense-with-spycloud) ------------------------------------------------------------------------------------------------------------------------------------------------------ SpyCloud enables healthcare organizations to identify compromised credentials and sensitive user data before bad actors exploit them. Leveraging our constantly updated breach, malware, and phishing repository, providers can: * Detect at-risk patient or staff accounts in real time. * Prevent ATO, fraudulent activity, and PHI exposure. * Enhance access control workflows across EHRs, billing systems, and portals. * Reduce the cost of remediation, patient communication, and compliance enforcement. * * * 🧰 User Exposure API for Healthcare Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-1#-user-exposure-api-for-healthcare-providers) ------------------------------------------------------------------------------------------------------------------------------------------------------------------ The **User Exposure API** allows healthcare IT teams to query SpyCloud’s threat intelligence database using patient or staff identifiers: * Email address * Phone number * Username * IP address With seamless integration, organizations can: * Prevent logins using known-exposed credentials. * Detect malware-infected devices leaking authentication data. * Identify exposed PII and health-related data points tied to identity fraud. > 📈 > > Over 200+ data types beyond just usernames and passwords can be uncovered, offering deep visibility into compromised user risk. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-1#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------- 1. Submit an account identifier (email, phone number, etc.) to SpyCloud via API (SHA1 hash or plaintext). TLS ensures encrypted transmission. 2. SpyCloud returns any matches from breach or malware sources containing exposed credentials or sensitive user data. 3. Your systems evaluate the exposure: * Does the password match one used in your system? * Was the data captured through malware or phishing? **Take action based on exposure risk:** * Enforce a password reset. * Trigger step-up verification (e.g., email, SMS, or phone call). * Flag account for investigation or alert the user. Keep attackers out, even if users recycle known-compromised passwords. * * * 🎯 Key Benefits for Healthcare Organizations [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-1#-key-benefits-for-healthcare-organizations) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- * Prevent unauthorized access to patient portals and EHR systems * Detect and block compromised user credentials tied to PHI * Reduce insurance and medical billing fraud * Ease support burden for account recovery and identity validation * Strengthen regulatory compliance and patient trust * * * 📌 Why It Matters [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-1#-why-it-matters) ---------------------------------------------------------------------------------------------------------- Exposed credentials and patient data – whether stolen via breaches or exfiltrated through malware – are actively traded and exploited by cybercriminals. For healthcare providers, the impact can include: * Undetected access to sensitive patient records * Fraudulent medical billing and prescriptions * Regulatory fines and reputational damage Integrating SpyCloud’s credential intelligence is essential to stay ahead of credential-driven threats. It equips healthcare organizations to act quickly and prevent exploitation – protecting patient safety, maintaining compliance, and ensuring continuity of care. Updated 13 days ago * * * Ask AI --- # CAP User Exposure API Internet Service Providers (ISPs) and Cable Operators manage a vast number of subscriber accounts connected to broadband, TV, phone, and bundled services. These accounts often store sensitive billing data, payment methods, device identifiers, and service preferences – all of which can be exploited if compromised. **SpyCloud** empowers ISPs and cable providers to combat account takeover (ATO) fraud targeting subscribers. Cybercriminals who gain unauthorized access to subscriber accounts can abuse stored payment credentials, alter service plans, or initiate fraudulent equipment orders. This activity results in financial losses, chargebacks, customer dissatisfaction, and escalated support costs. * * * 🚨 Why Account Takeover Is a Growing Threat for ISPs and Cable Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-3#-why-account-takeover-is-a-growing-threat-for-isps-and-cable-providers) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ As customers increasingly use online portals, mobile apps, and smart devices to manage their subscriptions, account security becomes a frontline concern. Common behaviors – like password reuse and poor credential hygiene– amplify exposure to attacks: * **Password reuse:** Customers often reuse login credentials across multiple services, increasing the risk of credential stuffing. * \*\*Malware and phishing: \*\*Infections and scams can silently capture subscriber login information and PII. * \*\*Fraudulent account actions: \*\*Attackers gaining access may: * Modify billing information or upgrade service plans. * Redeem promotional credits or loyalty points. * Place unauthorized orders for modems, routers, or pay-per-view content. * Lock legitimate users out by changing contact information. > 🚩 > > This leads to service abuse, identity theft, and unauthorized access to smart home ecosystems. * * * 🛡️ Proactive Defense with SpyCloud [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-3#%EF%B8%8F-proactive-defense-with-spycloud) ------------------------------------------------------------------------------------------------------------------------------------------------------ SpyCloud enables ISPs and cable providers to identify compromised credentials and subscriber data before fraud occurs. By leveraging our constantly updated repository of breach, malware, and phishing data, you can: * Detect vulnerable accounts in real time. * Prevent ATO, unauthorized orders, and fraud escalation. * Enhance support center verification and fraud workflows. * Reduce the need for costly account remediation and recovery. * * * 🧰 User Exposure API for ISPs & Cable Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-3#-user-exposure-api-for-isps--cable-providers) --------------------------------------------------------------------------------------------------------------------------------------------------------------------- The User Exposure API allows you to query SpyCloud’s threat intelligence database using common subscriber identifiers: * Email address * Phone number * Username * IP address With this integration, you can: * Prevent logins using exposed credentials. * Detect malware-infected subscriber devices and compromised authentication data. * Identify exposed PII and behavioral signals tied to identity fraud. * Over 200+ data types beyond just usernames and passwords can be returned, revealing deep insights into subscriber exposure. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-3#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------- Submit an account identifier (email, phone number, etc.) to SpyCloud via API (plaintext or SHA1 hash). TLS encryption protects all transmitted data. SpyCloud returns any matching records of exposed credentials or subscriber data. Your application or workflow evaluates the exposure: * Is the password a match? * Was it seen in malware logs or phishing attacks? **Take appropriate action:** | ✅ Action | 📌 Purpose | | --- | --- | | Force a password reset. | Remove known-compromised credentials from use. | | Enable step-up verification (e.g., SMS, email, or voice confirmation). | Add verification for risky attempts while preserving good-user access. | | Alert the customer or flag the account for review. | Route for follow-up and prevent further abuse. | * * * 🎯 Key Benefits for ISPs and Cable Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-3#-key-benefits-for-isps-and-cable-providers) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- * Prevention of unauthorized service changes and device orders * Detection of infected devices tied to subscriber logins * Reduced chargebacks and fraud loss from fake account activity * Lower support burden for account recovery * Stronger customer satisfaction and reduced churn * * * 📌 Why It Matters [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-3#-why-it-matters) ---------------------------------------------------------------------------------------------------------- Exposed passwords and subscriber data—harvested through breaches or malware—are not legacy threats. They’re actively weaponized by criminals seeking easy entry into subscriber accounts. For ISPs and cable providers, this means: * Unnoticed infiltration of customer accounts * Equipment and service abuse * Erosion of brand trust > 💯 > > Integrating SpyCloud’s credential intelligence into your customer security stack is essential. It empowers you to act before attackers do, minimizing the impact of fraud and strengthening subscriber safety. Updated 13 days ago * * * Ask AI --- # CAP User Exposure API Telecommunications providers manage vast volumes of consumer accounts tied to mobile plans, internet services, and digital communications. These accounts often store sensitive personal data, billing information, and linked payment methods that, if compromised, can result in _significant fraud and service disruption_. \*\*SpyCloud \*\*enables telecom providers to reduce account takeover (ATO) fraud impacting subscribers. Threat actors who compromise telecom user accounts can reroute phone numbers, order premium services, or exploit stored billing information for fraudulent purchases. This often manifests as unauthorized service usage, SIM swap attacks, or fraudulent handset orders – costing providers money and damaging customer trust. * * * 🚨 Why Account Takeover Is a Growing Threat for Telecom [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api#-why-account-takeover-is-a-growing-threat-for-telecom) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ As subscribers increasingly rely on online portals and mobile apps to manage their accounts, their login credentials become a prime target. Weak, reused, or stolen credentials lead to increased ATO risk – especially when: * Attackers **use exposed passwords** to take over user accounts. * Compromised accounts result in **unauthorized access** to services or PII (personally identifiable information). * **Fraudulent charges** and SIM swaps escalate, affecting both consumer safety and provider liability. * * * 🔐 Key Security Risks for Telecom Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api#-key-security-risks-for-telecom-providers) ------------------------------------------------------------------------------------------------------------------------------------------------------------ * **Password reuse:** Subscribers often use the same password across multiple services, making them vulnerable to credential stuffing. * **Credential-based fraud:** Once in control of an account, attackers may: * Access sensitive billing or identity details. * Order new devices, SIMs, or upgrade services. * Change account settings (e.g., email, phone number) to block legitimate user access. * **SIM swap fraud:** Criminals take over a phone number by transferring it to a new SIM, bypassing SMS-based 2FA and hijacking downstream services like banking or email. * * * 🛡️ Proactive Protection with SpyCloud [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api#%EF%B8%8F-proactive-protection-with-spycloud) ---------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud detects exposed subscriber credentials and identity elements—before attackers can act. We match logins to a continuously updated database of recaptured breach, malware, and phishing data, empowering telecom providers to: * Identify risky users in real time. * Automate password resets and elevate authentication steps. * Prevent account misuse, SIM swap fraud, and unauthorized service provisioning. * * * 🧰 User Exposure API for Telecom Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api#-user-exposure-api-for-telecom-providers) ---------------------------------------------------------------------------------------------------------------------------------------------------------- The User Exposure API lets you check SpyCloud’s breach and malware database using subscriber identifiers like: * Email address * Phone number * Username * IP address By integrating this API into customer portals, mobile apps, or fraud prevention workflows, telecom security teams can: * Block login attempts using exposed credentials. * Detect devices infected with malware leaking authentication data. * Protect up to 200+ non-credential data points that can lead to identity fraud. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api#%EF%B8%8F-how-it-works) ------------------------------------------------------------------------------------------------------------- 1. Your system submits an account identifier (email, phone number, etc.) to SpyCloud (hashed or plaintext). 2. SpyCloud returns matching exposure records, including compromised credentials and related PII. 3. You assess risk and take action: * Force a password change. * Require MFA or additional verification. * Block login or flag for investigation. 4. Keep attackers out, even if users recycle known-compromised passwords. **Actions you may take when exposure is detected** | ✅ Action | 📌 Purpose | | --- | --- | | Force a password change. | Remove known-compromised credentials from use. | | Require MFA or additional verification. | Add friction for risky attempts while preserving good-user access. | | Block login or flag for investigation. | Stop suspected abuse and route for follow-up. | * * * 🎯 Benefits for Telecom Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api#-benefits-for-telecom-providers) ---------------------------------------------------------------------------------------------------------------------------------------- * Reduced SIM swap and ATO fraud * Increased customer trust and retention * Proactive risk mitigation across web, mobile, and call center channels * Enhanced fraud workflows using real-time threat intelligence Updated 13 days ago * * * Ask AI --- # CAP User Exposure API Travel and hospitality brands manage millions of guest and member accounts across airline booking engines, hotel loyalty platforms, mobile apps, and online travel agencies (OTAs). These accounts often contain sensitive data –including stored payment methods, travel history, loyalty points, and passport or ID numbers. If compromised, they can lead to identity theft, financial loss, and brand damage. **SpyCloud** empowers travel and hospitality providers to combat account takeover (ATO) fraud targeting travelers, frequent flyer members, and customer service agents. Cybercriminals who gain access to travel-related accounts can exploit stored data to make fraudulent bookings, redeem loyalty rewards, or resell compromised accounts on dark web forums – damaging guest trust and inflating support costs. * * * 🚨 Why Account Takeover Is a Growing Threat for Travel & Hospitality [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-4#-why-account-takeover-is-a-growing-threat-for-travel--hospitality) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- As digital travel experiences become the norm—via mobile bookings, digital check-ins, and loyalty apps—account security is a critical piece of the customer experience. Common behaviors and evolving threats increase the likelihood of credential-based attacks: * **Password reuse:** Travelers and staff often reuse passwords across platforms, making accounts vulnerable to credential stuffing attacks. * **Phishing and malware:** Travel-themed scams (e.g., fake itineraries or boarding passes) are common vectors for stealing login credentials and personal data. * **Fraudulent account actions:** Once an attacker gains access to a guest account, they may: * Redeem loyalty points for gift cards or flights * Modify contact details to lock out the rightful owner * Access stored travel documents, preferences, or billing data * Book and resell fraudulent travel services > 🚩 > > These compromises lead to brand damage, chargebacks, increased call center demand, and lost loyalty. * * * 🛡️ Proactive Defense with SpyCloud [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-4#%EF%B8%8F-proactive-defense-with-spycloud) ------------------------------------------------------------------------------------------------------------------------------------------------------ SpyCloud helps travel and hospitality businesses detect compromised credentials and personal data before attackers exploit them. Using our continuously updated collection of breach, malware, and phishing data, providers can: * Identify vulnerable guest or employee accounts in real time * Block ATO attempts and prevent loyalty fraud or booking abuse * Integrate advanced identity protection into reservation, loyalty, and support systems * Reduce customer churn and high-cost account recovery processes * * * 🧰 User Exposure API for Travel & Hospitality Providers [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-4#-user-exposure-api-for-travel--hospitality-providers) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The User Exposure API allows security, fraud, or IT teams to query SpyCloud’s threat intelligence database using identifiers commonly associated with guest accounts: * Email address * Phone number * Username * IP address With seamless API integration, you can: * Prevent logins using credentials known to be compromised * Detect malware-infected guest devices or employee endpoints * Identify exposed PII (passport numbers, addresses, etc.) tied to potential fraud * Correlate over 200+ data types beyond usernames and passwords to assess risk and exposure severity * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-4#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------- 1. Submit an account identifier (email, phone number, etc.) to SpyCloud via the API using a SHA1 hash or plaintext. All data is securely encrypted with TLS. 2. SpyCloud returns exposure results matching that identifier, including password leaks and other sensitive information. 3. Your system evaluates risk, asking: * Is the password still in use? * Was it exposed in a phishing kit or malware log? 4. Take risk-based action, such as: * Forcing a password reset * Triggering multi-factor authentication * Flagging or locking the account for investigation * * * 🎯 Key Benefits for Travel & Hospitality Organizations [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-4#-key-benefits-for-travel--hospitality-organizations) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Prevent unauthorized access to traveler accounts and loyalty programs * Reduce fraud-related losses from stolen points and unauthorized bookings * Lower support costs tied to account lockouts and credential resets * Protect staff accounts that could be exploited for insider fraud or social engineering * Reinforce guest trust and loyalty with proactive security measures * * * 📌 Why It Matters [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-4#-why-it-matters) ---------------------------------------------------------------------------------------------------------- Exposed credentials – harvested via data breaches, phishing, or malware – remain a top entry point for fraud in the travel industry. The consequences include: * Silent takeover of high-value loyalty accounts * Reselling of fraudulently booked itineraries * Brand erosion from negative guest experiences * Costly recovery efforts and reputational harm Integrating SpyCloud’s credential intelligence is no longer optional. It’s essential for protecting the digital identity of your guests and staff – ensuring a secure and seamless travel experience from booking to checkout. Updated 13 days ago * * * Ask AI --- # Risks of Consumer Password Reuse Reusing passwords can be a major security risk that leads to **account compromise**. If a cybercriminal obtains a working password for one account, they can try it on other accounts that use the same password – granting access to **personal information**, **company data**, or **financial details** for fraud or further attacks. > 📍 > > **Recommended action:** If a cybercriminal has access to your credentials, **change the password immediately** for the affected account – and any other account using the same or similar password. * * * ⚠️ Why password reuse is dangerous [](https://docs.spycloud.com/public-sc/docs/risks-of-consumer-password-reuse#%EF%B8%8F-why-password-reuse-is-dangerous) -------------------------------------------------------------------------------------------------------------------------------------------------------------- * A single exposed password can unlock **multiple accounts**. * Attackers **test stolen credentials** across services to find easy wins. * Compromise can cascade to **privacy loss, financial theft, and brand damage**. * * * 🧪 The risk of consumers reusing passwords [](https://docs.spycloud.com/public-sc/docs/risks-of-consumer-password-reuse#-the-risk-of-consumers-reusing-passwords) --------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Easier to Fall Victim** Cybercriminals know password reuse is common and actively design tactics to exploit this weakness. **Credential Stuffing** Stolen username–password pairs are bought and sold on the dark web, then replayed at scale to gain unauthorized access. **Ransomware Attacks** Reused passwords can increase the number of accounts that get locked or impacted during a ransomware event. **Brute-Force Attacks** Attackers try many combinations until they find a match. _Long, complex, unique_ passwords dramatically reduce success rates. * * * 🎯 Targeted attacks (beyond passwords) [](https://docs.spycloud.com/public-sc/docs/risks-of-consumer-password-reuse#-targeted-attacks-beyond-passwords) ----------------------------------------------------------------------------------------------------------------------------------------------------------- * **Malware-derived data**: Infostealer malware provides criminals a rich dataset per victim—not just usernames and passwords, but also **URL details** that give a “map” of your environment for precise abuse. * **Phishing-as-a-Service**: Industrialized phishing campaigns collect exactly the data attackers want—often **login credentials** they can replay at real sites. * * * 🌒 Why full visibility matters [](https://docs.spycloud.com/public-sc/docs/risks-of-consumer-password-reuse#-why-full-visibility-matters) --------------------------------------------------------------------------------------------------------------------------------------------- With multiple ways for consumer data to be **exposed or exfiltrated** to the criminal underground, it’s critical for enterprises to maintain **full visibility into a user’s dark web profile** – including exposed credentials and related artifacts – so they can act before attackers do. * * * ✅ Quick takeaways [](https://docs.spycloud.com/public-sc/docs/risks-of-consumer-password-reuse#-quick-takeaways) -------------------------------------------------------------------------------------------------------------------- * Don’t reuse passwords – use **unique, long, and complex** ones for every account. * If credentials are exposed, **change them immediately** and review other accounts for reuse. * Monitor for exposures and **enforce resets or step-up authentication** when risk is detected. Updated 13 days ago * * * Ask AI --- # Introduction In today’s digital landscape, consumers entrust businesses with a growing volume of sensitive personal data—from financial information to login credentials and beyond. Unfortunately, this trust is under constant threat from cybercriminals leveraging stolen credentials and personal details to perpetrate account takeover (ATO) attacks. These attacks not only compromise user privacy and financial security but also erode brand reputation and customer loyalty. SpyCloud offers powerful solutions designed to proactively detect and disrupt ATO risks before they can impact consumers. By recapturing data directly from the criminal underground – such as **breached credentials**, **malware-infected session cookies**, and **compromised PII** – SpyCloud provides organizations with visibility into the compromised assets of their users. * * * ⚡Consumer product offering [](https://docs.spycloud.com/public-sc/docs/introduction-4#consumer-product-offering) -------------------------------------------------------------------------------------------------------------------- ### Consumer ATO Prevention Stop targeted and automated account takeover of your customers’ accounts. ### Session Identity Protection Get early warning of malware-compromised cookies to protect authenticated sessions. ### Compromised Credit Card API Remediate stolen payment card data before it’s monetized by bad actors. Criminals weaponize more than just passwords; they use stolen **credentials**, **session cookies**, and **PII** from breaches and malware to bypass defenses – even MFA. **SpyCloud** provides deep, proactive intelligence to detect and stop identity threats _before_ they lead to ATO, fraud, or churn. * * * ✅ What you can do with Consumer Risk Protection [](https://docs.spycloud.com/public-sc/docs/introduction-4#-what-you-can-do-with-consumer-risk-protection) -------------------------------------------------------------------------------------------------------------------------------------------------------------- * **Identify compromised user accounts in real time**, using data recovered from threat actor infrastructure. * **Automate protective actions** (forced password reset, step-up auth) before criminals can exploit stolen credentials. * **Reduce fraud and account abuse**, especially in high-risk verticals like banking, e-commerce, and telecom. * **Build customer trust** by demonstrating a proactive, data-driven approach to protecting digital identities. Whether you serve millions of consumers or operate in a high-stakes digital environment, SpyCloud’s ATO prevention platform keeps you a step ahead – **restoring trust in every interaction.** * * * 🚀 What it is? [](https://docs.spycloud.com/public-sc/docs/introduction-4#-what-it-is) ------------------------------------------------------------------------------------------ **Consumer Risk Protection** operationalizes SpyCloud’s identity intelligence from **breaches**, **malware-infected devices**, and **successful phish** across your consumer workflows – at **account creation**, **login**, and during **active sessions**. * Detect exposed consumers using breach and malware data to **prevent account takeover** and protect brand trust. * Use recaptured **malware-exfiltrated session data** (cookies, tokens, device IDs) to **spot hijackable sessions** and stop MFA-bypass. * * * 🧩 Key capabilities [](https://docs.spycloud.com/public-sc/docs/introduction-4#-key-capabilities) ----------------------------------------------------------------------------------------------------- * **Early exposure detection** – Check new and existing users against SpyCloud’s continuously updated corpus of **breach, malware, and phished** data. * **Session risk detection** – Identify **malware-exfiltrated cookies/tokens** that enable session hijacking and authentication sidestepping. * **Policy-driven controls** – Enforce **resets**, **step-up authentication**, re-verification, or **session revocation** based on risk. * **Low-friction experiences** – Act on high-confidence events without punishing low-risk users, reducing false positives and churn. * * * 🔎 Where it fits in your app [](https://docs.spycloud.com/public-sc/docs/introduction-4#-where-it-fits-in-your-app) ----------------------------------------------------------------------------------------------------------------------- **Account creation** – block risky sign-ups Check new registrations against exposed credentials/PII. Stop synthetic identities and recycled emails immediately. **Login** – stop credential-stuffing & replay Detect reused or previously exposed credentials; trigger resets or step-up auth before attackers gain access. **Active session** – prevent session hijacking Identify malware-exfiltrated cookies/tokens associated with your users; revoke at-risk sessions and re-authenticate. * * * 🏦 Who benefits [](https://docs.spycloud.com/public-sc/docs/introduction-4#-who-benefits) --------------------------------------------------------------------------------------------- * **Financial services** – curb ATO, account abuse, and transaction fraud * **E-commerce & marketplaces** – protect revenue and loyalty programs * **Telecom & media** – reduce takeover of high-value subscriptions * **Any B2C app** – strengthen identity defenses without excess friction > Fraud starts when a user’s identity is compromised – not at checkout. Shifting controls **upstream** cuts fraud without degrading UX. * * * 🛠️ Getting started [](https://docs.spycloud.com/public-sc/docs/introduction-4#%EF%B8%8F-getting-started) ------------------------------------------------------------------------------------------------------------- 1. **Pick your control points:** account creation, login, session management. 2. **Wire data:** call **Consumer ATO Prevention** and **Session Identity Protection** APIs to evaluate user risk. 3. **Automate outcomes:** enforce resets, step-up auth, session revocation, or case creation based on source/severity. 4. **Measure:** track ATO prevented, session revocations, and user friction to tune controls. Updated 13 days ago * * * Ask AI --- # Advanced | AD Object Collections ADG includes the ability to create sets of Active Directory **Users**, **Groups**, and **Organizational Units** called **Active Directory Object Collections**. Collections can be used to control: * **Accounts to include/exclude in a scan** * Example: _Scan Employees but Skip Contractors_ * Example: _Scan Employee and Faculty accounts, but Skip Student accounts_ * **Accounts to exclude from a remediation policy** * Example: _Scan Employees and Service Accounts, reset any Employee passwords, but skip Service Accounts_ * * * 🔧 Managing Collections [](https://docs.spycloud.com/public-sc/docs/advanced-ad-object-collections#-managing-collections) ----------------------------------------------------------------------------------------------------------------------------- Navigate to: **Advanced Settings → Collections** in the left navigation. From here, you can: * **Create a new collection** – click **Add** * **Upload a list of users** – supported in version 7.3+ * **Import from file** – emails or distinguished names, one per line * **Edit** an existing collection – click **Edit** * **Delete** a collection – click **Delete** (⚠️ cannot delete if it’s used elsewhere in the product) ![Collections Page](https://files.readme.io/85a20b24e25dff03c3addbfe0c54d638ca8762e212bd29e5d678c5ebc0e0cb54-image92.jpg) * * * 🆕 Creating a Collection [](https://docs.spycloud.com/public-sc/docs/advanced-ad-object-collections#-creating-a-collection) ------------------------------------------------------------------------------------------------------------------------------- When adding a new collection, you must: * Provide a **unique name** in _Active Directory Object Collection Name_ * Add at least **one AD user, group, or OU** (cannot save an empty collection) ![Collections Page](https://files.readme.io/7f4451b966657c45048181efba6d0b18d139193e5412287de9f4d712ec728768-image100.jpg) * * * 🔍 Searching & Adding Objects [](https://docs.spycloud.com/public-sc/docs/advanced-ad-object-collections#-searching--adding-objects) ---------------------------------------------------------------------------------------------------------------------------------------- Use the **Search Active Directory Objects** field to find users, groups, or OUs: * Enter a term (e.g., `svc`) * ADG will display up to the **first 1000 matches** * Select desired objects via checkboxes → click **Add to Collection** ![Collections Page](https://files.readme.io/41f623e5781b353c22b4a9cfb4f6d4354eb032b3fa8d31f7e86a13cbdbb7fa64-image29.jpg) * * * ➖ Removing Objects [](https://docs.spycloud.com/public-sc/docs/advanced-ad-object-collections#-removing-objects) -------------------------------------------------------------------------------------------------------------------- To remove items from a collection: * Select objects in the **Active Directory Object Collection** list * Click **Remove from Collection** * * * 💾 Saving Collections [](https://docs.spycloud.com/public-sc/docs/advanced-ad-object-collections#-saving-collections) ------------------------------------------------------------------------------------------------------------------------- Once you’ve created or edited your collection, click **Save** to finalize it. Updated 5 months ago * * * Ask AI --- # Advanced | Configuring Okta As an additional remediation action, ADG can send a **password reset to Okta** instead of performing it directly in AD. 💡**NOTE** This is useful if your organization uses Okta for identity management and wants password resets handled in Okta. * * * 🛠️ Accessing Okta Settings [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-okta#%EF%B8%8F-accessing-okta-settings) ---------------------------------------------------------------------------------------------------------------------------------------- Navigate to **Advanced Settings → Okta** in the left-hand navigation. From the **Okta Configurations List** page, you can: * View existing Okta configurations * Add a new configuration * Edit or delete an existing configuration ![Okta Configurations List](https://files.readme.io/b709eac64cb5b40820f7108901fcce837c96b71df12fc6fa403b7129ba4f8c81-image44.jpg) * * * ➕ Adding an Okta Configuration [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-okta#-adding-an-okta-configuration) --------------------------------------------------------------------------------------------------------------------------------------- 1. Click **Add** 2. Enter a **Configuration Name** * This name appears as “Match Actions” in Remediation Policies * Example: _Okta Password Reset (Dev)_ or _Okta Password Reset (Prod)_ 3. Enter your **Domain** (e.g., `https://example.okta.com` or `example.okta.com`) 4. Enter your **API Token** (generated in the Okta Admin Console) * * * 🔑 API Token Requirements [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-okta#-api-token-requirements) ---------------------------------------------------------------------------------------------------------------------------- * Generate an API Token in the **Okta Admin Console** * Token must have permissions to: * **View users and their details** * **Reset user passwords** 👉 For details on creating tokens and required permissions, see [Okta Documentation](https://developer.okta.com/docs/reference/api/tokens/) . * * * ✅ Using Okta in Remediation Policies [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-okta#-using-okta-in-remediation-policies) --------------------------------------------------------------------------------------------------------------------------------------------------- Once configured, your Okta setup(s) will be available as an **action option** in **Remediation Policies**. This allows ADG to reset passwords in Okta instead of directly in Active Directory. Updated 5 months ago * * * Ask AI --- # Communicating with Exposed Users > 🔑 > > **How to use this page** > > * Replace placeholders like **\[First Name\]**, **\[Your Company\]**, **CompanyName**, **\[URL\]**, **\[support link\]**, and dates before sending. > * Choose a **transparency level** that fits your support capacity and brand voice. * * * 🧭 Choosing Your Transparency Level [](https://docs.spycloud.com/public-sc/docs/communicating-with-exposed-users#-choosing-your-transparency-level) ------------------------------------------------------------------------------------------------------------------------------------------------------- Choosing a more transparent message arms your customers with the information they need to secure any other online accounts that might use the same password. Knowing more detail about their exposed account may lead them to choose a stronger password or take other security precautions. A message of this type may also include information about the potential risks of account takeover: * Exposure of personally identifiable information like addresses, credit card number and social security number * Takeover of other accounts that use the same or similar password At the same time, the transparency may raise additional questions that your support team may not be equipped to handle. For example: if you name the site or service that was breached, you may receive inquiries related to that site that your front lines may not be able to answer without creating additional training materials or standard responses. Choosing a less transparent message may cut down on user concerns, but leaves the consumer more vulnerable to account takeover across their other online accounts. In addition, an uninformed user may be more inclined to choose a variation of an already-exposed password to replace the previous one because they underestimate the seriousness of the exposure. Whichever level of transparency you choose, we do not recommend understating the risk. We have seen companies deploy notifications that suggest the encryption method for a set of breached passwords cannot be hacked, and that the company “does not believe” that users’ passwords were exposed. The purpose of your notification should be to prompt users to implement a more secure, previously-unused password or take other measures to protect their accounts from fraudulent actions or purchases. * * * ✉️ Communication Templates [](https://docs.spycloud.com/public-sc/docs/communicating-with-exposed-users#%EF%B8%8F-communication-templates) ---------------------------------------------------------------------------------------------------------------------------------------------- ### 🧺 Generic, Proactive Message (regardless of exposure type) [](https://docs.spycloud.com/public-sc/docs/communicating-with-exposed-users#-generic-proactive-message-regardless-of-exposure-type) **Generic Template** **Subject:** Notice Regarding Your Account Security Hi \[First Name\], As part of our commitment to keeping your account safe, we are asking customers to proactively update their CompanyName password. **Your next steps:** 1. Log into your account at \[URL\]. 2. Follow the prompt to reset your password. 3. Choose a strong, unique password that you don’t use elsewhere. For your protection, your current password will expire on \[Insert Date\]. After this date, you’ll be required to reset your password before accessing your account. If you need assistance, please visit \[support link\]. Thank you for taking this important step to help protect your account, The CompanyName Security Team * * * ### 🦠 Malware-Infected User [](https://docs.spycloud.com/public-sc/docs/communicating-with-exposed-users#-malware-infected-user) **▲ HIGH TRANSPARENCY** **Subject:** Reset Your CompanyName Password **or** Action Required: Secure Your Account Hi \[First Name\], One of our cybersecurity monitoring tools identified a malware infection on a device recently used to access your CompanyName account. As a result, it is likely that the login information for your CompanyName account might have been compromised. We strongly encourage you to reset your password to protect your CompanyName account. But first, we recommend installing antivirus protection to remove the malware, deleting browser and cookie history, running a scan to clean your machine, and then resetting your password on CompanyName.com. You can reset your password in three easy steps: 1. Go to CompanyName.com 2. Where you would normally click to sign in, click "Forgot Password?" 3. Create a new, strong password that is unique to your CompanyName account We also recommend that you enable two-factor authentication (where a code is sent to you as an additional verification step) to help ensure the safety of your online accounts. You can enable this for your CompanyName account under your Account Settings. It’s possible that the malware may have compromised your login credentials for other sites as well. You can follow the steps above for any other sites and services you use online and create a strong, unique password for each. We take your security and privacy very seriously, and will immediately reach out if we notice anything unusual in the future. Thank you, The CompanyName Security Team **▼ LOW TRANSPARENCY** **Subject:** Important Notice Regarding Your Account Security Hi \[First Name\], We’re reaching out to let you know that we’ve detected unusual activity related to your account. As a precaution, we recommend that you: 1. Reset your password immediately to ensure your account remains secure. 2. Avoid reusing passwords from other sites or services. 3. Review your recent account activity. Protecting your information is our top priority. Taking these steps now can help reduce the risk of account misuse. If you have questions or need help updating your password, visit \[support link\]. Thank you, The CompanyName Security Team * * * ### 🧷 Third-Party Breach-Exposed User [](https://docs.spycloud.com/public-sc/docs/communicating-with-exposed-users#-third-party-breach-exposed-user) **▲ HIGH TRANSPARENCY** **Subject:** Action Required: Secure Your Account Hi \[First Name\], We’ve identified that your email address and password were found in a data breach of a third-party service not affiliated with \[Your Company\]. Although this activity did not originate within our systems, we recommend you take the following steps to protect your account: * Reset your \[Your Company\] password by going to CompanyName.com and clicking Forgot Password? * Choose a strong, unique password that you haven’t used elsewhere. * Enable multi-factor authentication to add an extra layer of protection. * If you use the same password on other services, we strongly recommend updating those as well. Your security is important to us, and we’re committed to helping you take proactive steps to stay protected. If you need help, visit \[support link\]. Thank you, The CompanyName Security Team **▼ LOW TRANSPARENCY** **Subject:** Action Required: Reset Your Password Hi \[First Name\], We’ve updated our security policies and your password no longer meets our minimum requirements. Take the following steps to reset your password: 1. Reset your \[Your Company\] password by visiting CompanyName.com and clicking Forgot Password? 2. Ensure you are not reusing this password on any other accounts. 3. Enable multi-factor authentication (MFA) if it’s not already active. Your security is important to us, and we’re committed to helping you take proactive steps to stay protected. If you need help, visit \[support link\]. Thank you, The CompanyName Security Team * * * ### 🎣 Phished User [](https://docs.spycloud.com/public-sc/docs/communicating-with-exposed-users#-phished-user) **▲ HIGH TRANSPARENCY** **Subject:** Action Required: Secure Your Account Hi \[First Name\], As part of our continuous security monitoring, we’ve identified that your credentials were likely compromised in a phishing attack. This type of threat tricks users into revealing login information on fraudulent websites designed to look legitimate. While our systems remain secure, this incident increases the risk of unauthorized access to your account. To protect yourself, please take the following steps: * Reset your \[Your Company\] password by visiting CompanyName.com and clicking Forgot Password? * Ensure your new password is unique and not used anywhere else. * Enable multi-factor authentication (MFA) if it’s not already active. * Be cautious of suspicious emails and links, especially those requesting login information. We’re here to help. If you have questions or need assistance securing your account, please contact our support team. Thank you for acting quickly, The CompanyName Security Team **▼ LOW TRANSPARENCY** **Subject:** Important Security Recommendation for Your Account Hi \[First Name\], We’ve identified signs that your account credentials may have been exposed through a third-party incident. While we have no indication of unauthorized access at this time, we recommend taking precautionary steps to protect your account. Here’s what you should do: 1. Reset your \[Your Company\] password by visiting CompanyName.com and clicking Forgot Password? 2. Ensure your new password is unique and not used anywhere else. 3. Enable multi-factor authentication (MFA) if it’s not already active. These steps will help safeguard your account and personal information. If you have questions or need assistance securing your account, please contact our support team. Thank you for acting quickly to protect your account, The CompanyName Security Team Updated 13 days ago * * * Ask AI --- # Best Practices & Optimization **SpyCloud Compass** becomes even more powerful when your alerts, teams, and workflows are optimized to reduce noise and increase speed to action. This page shares filtering strategies, team-specific tips, and scalable automation guidance to help you get the most from **SpyCloud Compass**. * * * 🧼 Filter Smarter, Act Faster [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#-filter-smarter-act-faster) ------------------------------------------------------------------------------------------------------------------------------------- Use these filters and strategies to zero in on the most relevant alerts: | Filter or Strategy | Why It Helps | | --- | --- | | `severity ≥ 20` | Prioritizes cracked, recent, high-confidence alerts | | `domain_owner_match = true` | Limits view to your managed domains only | | `source_type = malware` | Focuses on actionable malware-derived data | | `password_type = cracked` | Highlights reuse and credential abuse potential | | `malware_family` filter | Investigate campaign-level risk | > Combine filters to create your own “High Risk View” in SpyCloud Compass. * * * ⚙️ Recommended Tagging System [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#%EF%B8%8F-recommended-tagging-system) ----------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud Compass tags help track alert status across teams. | Tag | Use Case | | --- | --- | | `triaged` | Reviewed, no action required | | `remediated` | Action taken, alert resolved | | `escalated` | Forwarded to SecOps, IAM, or Fraud team | | `vip_exposure` | Exposure tied to executive or privileged user | | `password_reuse` | Flag for repeat password issues | * * * 🧠 Optimization by Team [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#-optimization-by-team) -------------------------------------------------------------------------------------------------------------------------- 🔒 SOC / IR Teams * Triage alerts by severity + cracked password * Automate playbook via SOAR * Suppress low-risk, external alerts 🧠 CTI / Threat Teams * Use IDLink for selector pivoting * Track malware families and campaigns * Correlate targets by log ID and exposure pattern 💰 Fraud & Risk Teams * Watch for consumer credential exposure * Flag reused credentials before fraud occurs * Alert on trusted domain matches 🔐 SecOps / IAM * Enforce password rotation for cracked users * Use tags to trigger password reset flows * Pair Compass alerts with SSO and IdP telemetry 📋 GRC / Compliance * Use alert exports to document response * Track metrics on MTTR and remediation rate * Align exposures to incident response reporting * * * 📈 Metrics That Matter [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#-metrics-that-matter) ------------------------------------------------------------------------------------------------------------------------ Consider tracking the following to measure SpyCloud Compass success: | Metric | Description | | --- | --- | | Average time to remediate | Time from alert → action | | Alert volume over time | Helps identify trends & noise | | Top malware families | Track campaigns impacting your org | | Reused passwords across alerts | Indicates hygiene gaps or fraud patterns | | Tags applied per alert | Workflow health indicator | * * * 🤖 Scale with Automation [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#-scale-with-automation) ---------------------------------------------------------------------------------------------------------------------------- If you're seeing hundreds (or thousands) of alerts per week, automation becomes essential. ### Top Automation Hooks: [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#top-automation-hooks) * Send high-severity alerts to SOAR or EDR * Auto-generate tickets for `domain_owner_match = true` * Flag cracked passwords in IAM systems * Suppress known benign domains (e.g., SaaS login reuse) * * * 🧩 Schema References [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#-schema-references) -------------------------------------------------------------------------------------------------------------------- * [Alert Metadata Fields](https://docs.spycloud.com/schema/alerts) * [Automation Integration Guide](https://docs.spycloud.com/api/compass) * [Alert Score Logic](https://docs.spycloud.com/compass/understanding-alerts) * * * 🎯 Final Thought [](https://docs.spycloud.com/public-sc/docs/best-practices-optimization#-final-thought) ------------------------------------------------------------------------------------------------------------ **SpyCloud Compass** works best when it becomes **a signal amplifier**, not a noisy alert feed. By tuning filters, using tags, and automating repeatable actions, your team can move faster, stay focused, and prevent credential-based compromise before it starts. Updated 13 days ago * * * Ask AI --- # Responding & Remediating Once you’ve investigated an alert, **SpyCloud Compass** makes it easy to take next steps – whether you’re remediating manually or integrating alert flows into your SIEM/SOAR tools. This page outlines how to respond to alerts, escalate exposures, and automate key workflows based on risk level. * * * 🔁 Standard Remediation Workflow [](https://docs.spycloud.com/public-sc/docs/responding-remediating#-standard-remediation-workflow) --------------------------------------------------------------------------------------------------------------------------------------- 1. 🕵️ Investigate the alert using metadata and selector pivots 2. 📣 Notify the exposed user or responsible team (via ticket or email) 3. 🔐 Remediate with password resets, MFA enforcement, or device isolation 4. 🧾 Record the resolution in your ticketing system or internal tracker 5. ♻️ Reassess similar alerts by domain, log\_id, or password reuse > Your steps may vary slightly by source type, user role, or automation level. * * * 🔧 Suggested Playbooks [](https://docs.spycloud.com/public-sc/docs/responding-remediating#-suggested-playbooks) ------------------------------------------------------------------------------------------------------------------- | Scenario | Recommended Action | | --- | --- | | Malware alert + cracked password + corp email | Immediate remediation + device isolation | | Third-party exposure + external domain | Triage or monitor — no action required | | Reused password across multiple employees | Escalate to SecOps or IAM for rotation enforcement | | VIP exposure + phished credentials | Notify CISO or IR lead immediately | | Repeated alerts tied to same `log_id` | Investigate campaign-level exposure | * * * 🤖 Automation Recommendations [](https://docs.spycloud.com/public-sc/docs/responding-remediating#-automation-recommendations) --------------------------------------------------------------------------------------------------------------------------------- You can build automated response flows with Compass alert exports or API integrations. ### Suggested Automations [](https://docs.spycloud.com/public-sc/docs/responding-remediating#suggested-automations) * If `severity` ≥ 20 and `domain_owner_match` = true → create Jira ticket * If `source_type` = "malware" → isolate device via CrowdStrike API * If `password_plaintext` is reused → trigger IAM workflow for rotation * Send alert metadata to Splunk or Sentinel for enrichment and alert correlation * * * 📎 Example Ticket Payload (JSON) [](https://docs.spycloud.com/public-sc/docs/responding-remediating#-example-ticket-payload-json) ------------------------------------------------------------------------------------------------------------------------------------- JSON { "event_type": "compass_alert", "email": "[email protected]", "source_type": "malware", "severity": 25, "password_plaintext": "summer2023!", "malware_family": "Redline", "domain_owner_match": true, "log_id": "9ac0...123" } * * * 🔌 Integration Targets [](https://docs.spycloud.com/public-sc/docs/responding-remediating#-integration-targets) ------------------------------------------------------------------------------------------------------------------- Compass integrates with a wide range of platforms. Use alerts as automation triggers or context enrichments across your stack: #### 🔍 SIEM Send Compass alerts to: * Splunk * Microsoft Sentinel * IBM QRadar #### ⚙️ SOAR Trigger remediation playbooks via: * Cortex XSOAR * Tines * Swimlane #### 🛡️ EDR Use alert context for device isolation or tagging in: * Microsoft Defender for Endpoint * CrowdStrike Falcon #### 📝 ITSM / Ticketing Create auto-tickets in: * Jira * ServiceNow Updated 13 days ago * * * Ask AI --- # Investigating Alerts Once you’ve identified a high-risk alert, **SpyCloud Compass** makes it easy to investigate exposure details, evaluate risk, and determine next steps. This page outlines how to dig into alerts and uncover what really happened – without pivoting across multiple tools. * * * 🧭 Where to Start [](https://docs.spycloud.com/public-sc/docs/investigating-alerts#-where-to-start) ------------------------------------------------------------------------------------------------------- From the **Alerts dashboard** or the **Compromised Devices** view: * Click on the selector (email or hostname) in any alert row * You’ll be taken to the **Alert Details Panel**, which includes: * Exposed domains and application logins * Log ID and malware family (for malware sources) * * * 📄 Sample Alert Detail Panel [](https://docs.spycloud.com/public-sc/docs/investigating-alerts#-sample-alert-detail-panel) ----------------------------------------------------------------------------------------------------------------------------- ![Alert Detail Panel](https://files.readme.io/9ccda79c1a0285ebe9712d3b4fa9852ebd32ca86b0d4b9de4f64c996d7a0f42f-image10.png) This view helps analysts evaluate: * What kind of compromise this is (malware vs reused credentials vs phished data) * Whether the exposed identity is internal, external, or third-party * Whether the data is recent and credible * * * 🧠 Questions to Ask [](https://docs.spycloud.com/public-sc/docs/investigating-alerts#-questions-to-ask) ----------------------------------------------------------------------------------------------------------- | Investigation Prompt | Why It Matters | | --- | --- | | Was the password reused? | Indicates account compromise or reuse risk | | Is the domain owned by us? | Helps scope whether the alert is actionable | | Is this a known identity? | Confirm via HRIS or user lookup | | Has this user triggered past alerts? | Pattern detection and potential targeting | * * * 🔍 Pivoting on Selectors [](https://docs.spycloud.com/public-sc/docs/investigating-alerts#-pivoting-on-selectors) --------------------------------------------------------------------------------------------------------------------- Each Compass alert includes enriched metadata you can use to **pivot** into other records: | Selector Type | Use Case Example | | --- | --- | | `email_username` | Find reused credentials across providers | | `password_plaintext` | Search for shared password reuse in your org | | `infected_machine_id` | Link alerts from the same device | | `log_id` | Group multiple alerts from a single malware log | > For deeper investigation, copy the selector and run it in the **Investigations Module** or through the **IDLink API**. * * * 🔗 Using the Device Graph [](https://docs.spycloud.com/public-sc/docs/investigating-alerts#-using-the-device-graph) ----------------------------------------------------------------------------------------------------------------------- If the alert is malware-based, use the **Graph View** to map connections: * Click into the device alias * View all linked accounts, emails, domains, and passwords * Use this to identify lateral movement, reuse, or clustered exposure **👇GRAPH VIEW** ![Graph View](https://files.readme.io/747cc843e88a948c9bcd893c97ab4bc147cb95b3a4a043643748134ce0da9cb0-image12.png) * * * 💡 Tip: Investigate in Tiers [](https://docs.spycloud.com/public-sc/docs/investigating-alerts#-tip-investigate-in-tiers) ---------------------------------------------------------------------------------------------------------------------------- Some alerts need immediate action. Others can wait. Here's a triage strategy: | Priority | Action | | --- | --- | | 🔴 High (Severity 25 + domain match + Malware Source) | Escalate and remediate immediately | | 🟠 Medium (Severity 20 + internal domain + plaintext password) | Review for risk and context | | 🟢 Low (Severity < 10 or external domain) | Monitor, tag, or suppress if appropriate | * * * 📎 Quick Links [](https://docs.spycloud.com/public-sc/docs/investigating-alerts#-quick-links) ------------------------------------------------------------------------------------------------- * [Responding & Remediating in Compass](https://docs.spycloud.com/compass/remediation) * [Best Practices for Filtering & Automation](https://docs.spycloud.com/compass/best-practices) * [Understanding Alert Metadata Fields](https://docs.spycloud.com/schema/alerts) Updated 13 days ago * * * Ask AI --- # Password Exposure API SpyCloud’s Password Exposure API lets you **safely check** whether a password has appeared in past exposures using **k-anonymity**, so you can enforce NIST-aligned policies **without** sending full passwords or full hashes. * * * 🚨 The Challenge [](https://docs.spycloud.com/public-sc/docs/nist-password-api#-the-challenge) -------------------------------------------------------------------------------------------------- Breaches, **infostealer-infected devices**, and **credential phishing** continuously leak passwords. NIST 800-63B recommends checking new and reset passwords against **known-compromised** lists—yet many organizations avoid it over **privacy**, **compliance**, or **security** concerns. * * * ✅ What This API Helps You Do [](https://docs.spycloud.com/public-sc/docs/nist-password-api#-what-this-api-helps-you-do) --------------------------------------------------------------------------------------------------------------------------- * **Block risky passwords**: Detect if proposed passwords (or their hashes) were **seen exposed before** and reject per policy. * **Meet compliance**: Enforce NIST 800-63B guidance using **k-anonymity** so **no full password/hash** leaves your environment. * **Scale securely**: Integrate a **simple REST** check into signup, reset, and rotation flows with minimal latency. > 📝 > > #### > > **Privacy by design:** You only send a **5-character hash prefix**. SpyCloud returns potential matches so you can evaluate locally—your **full hash never leaves** your system. > > [](https://docs.spycloud.com/public-sc/docs/nist-password-api#privacy-by-design-you-only-send-a-5-character-hash-prefix-spycloud-returns-potential-matches-so-you-can-evaluate-locallyyour-full-hash-never-leaves-your-system) * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/nist-password-api#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------- 1. **Hash the password** — Compute one of the supported hash types (**SHA-1, SHA-256, SHA-512, or NTLM**). 2. **Send the prefix** — Submit the **first 5 hex characters** of the hash with a `type` parameter. 3. **Evaluate locally** — Compare returned **candidate suffixes** (and metadata) against your **full hash** to decide whether to **allow/deny** the password. * * * 🧰 Request & Response [](https://docs.spycloud.com/public-sc/docs/nist-password-api#-request--response) ----------------------------------------------------------------------------------------------------------- **Requests** | Parameter | Purpose | | --- | --- | | `hash_prefix` (5 hex) | First **5 characters** of the password hash. | | `type` | One of: `sha1`, `sha256`, `sha512`, `ntlm`. | **Example** `GET /nist-password-v2/check/hashes/edb9b?type=sha1` (Example: password `_sprinkles_` → SHA-1 `edb9b4a7ec13377a368ba4e88bb9e121c99ed425`) **Responses** Returned as **RESTful JSON** with candidate matches for that prefix. | Field (selected) | What you get | | --- | --- | | `hash_suffix` | Remaining hex **suffix** of the hash (to join with prefix). | | `exposure_count` | Count of times this hash appeared in SpyCloud data. | | `last_seen` | Approximate most recent observation timestamp (UTC ISO-8601). | | `sources` | High-level exposure sources (e.g., breach/malware/phish). | > You compare `hash_prefix + hash_suffix` against your locally computed full hash. If it matches and policy dictates, **reject** or **step-up**. * * * 🧪 Common Uses [](https://docs.spycloud.com/public-sc/docs/nist-password-api#-common-uses) ---------------------------------------------------------------------------------------------- ### Account creation Reject **known-compromised** passwords at signup. ### Password reset Prevent reuse of **exposed** passwords during recovery flows. ### Periodic rotation Enforce policies aligned to **NIST 800-63B** without handling cleartext. * * * 🗃️ Data Sources [](https://docs.spycloud.com/public-sc/docs/nist-password-api#%EF%B8%8F-data-sources) ---------------------------------------------------------------------------------------------------------- SpyCloud aggregates password exposures from **malware-infected devices**, **phishing sites**, and **breaches**, standardizing them for **privacy-preserving** checks via k-anonymity. * * * 📈 Outcomes You Can Target [](https://docs.spycloud.com/public-sc/docs/nist-password-api#-outcomes-you-can-target) ---------------------------------------------------------------------------------------------------------------------- * **Reduce account takeover (ATO)** by eliminating **known-weak** passwords at the gate. * **Improve compliance posture** while maintaining **user privacy**. * **Lower support & fraud costs** by catching risky choices **pre-incident**. * * * 🔍 Selected API Field Reference [](https://docs.spycloud.com/public-sc/docs/nist-password-api#-selected-api-field-reference) -------------------------------------------------------------------------------------------------------------------------------- | Field | Example | Description | | --- | --- | --- | | `hash_prefix` | `edb9b` | First 5 hex chars of the password hash you submit. | | `type` | `sha1` | Hash algorithm used (`sha1`, `sha256`, `sha512`, `ntlm`). | | `hash_suffix` | `4a7ec13377a368ba4e88bb9e121c99ed425` | Suffix you compare locally with your full hash. | | `exposure_count` | `17` | Number of times this hash was observed. | | `last_seen` | `2023-01-01T00:00:00Z` | Most recent observation timestamp (UTC). | | `sources` | `["breach","malware"]` | High-level exposure sources for context. | * * * 📎 Integration Notes [](https://docs.spycloud.com/public-sc/docs/nist-password-api#-integration-notes) ---------------------------------------------------------------------------------------------------------- * **Delivery:** RESTful API with JSON output. * **Privacy:** Only a **5-char prefix** is transmitted; full matching occurs **on your side**. * **Hashing:** Supports **SHA-1**, **SHA-256**, **SHA-512**, **NTLM**. * **Docs:** See API Guidelines for **auth, config, and error handling**; and the **API Reference** for exact schemas and examples. Updated 13 days ago * * * Ask AI --- # Understanding Your Portal The SpyCloud Portal is your command center for **managing watchlists, reviewing exposures, exporting data, and configuring notifications**. This guide covers everything you need to know to get started and stay productive. * * * 🛠️ Requirements [](https://docs.spycloud.com/public-sc/docs/portal-overview#%EF%B8%8F-requirements) -------------------------------------------------------------------------------------------------------- We recommend accessing the Portal on the latest versions of: * Chrome * Firefox Keeping your browser current ensures best performance and compatibility. * * * 📖 Portal Overview [](https://docs.spycloud.com/public-sc/docs/portal-overview#-portal-overview) ---------------------------------------------------------------------------------------------------- The Portal lets you: * Manage your **Watchlist assets** (domains, emails, IPs) * Review and action **Recent Records** * Export exposure data for deeper analysis * Configure **teams**, **API keys**, and **notifications** * * * 📂 Exporting Data [](https://docs.spycloud.com/public-sc/docs/portal-overview#-exporting-data) -------------------------------------------------------------------------------------------------- You can export breach data to CSV files for deeper analysis. 1. Select the records or use “Export All” 2. The system generates large exports in the background 3. You’ll receive an email when the file is ready (available for 6 hours) > ⚠️ > > ### > > If you don’t see the “Export All” option, contact your Customer Success Manager to enable it. > > [](https://docs.spycloud.com/public-sc/docs/portal-overview#if-you-dont-see-the-export-all-option-contact-your-customer-success-manager-to-enable-it) ![](https://files.readme.io/ca45e7791327e07bda4e26b175dc69d9df3f148145f4be58ef9721343d551689-image3.png) * * * 📋 Your Watchlist [](https://docs.spycloud.com/public-sc/docs/portal-overview#-your-watchlist) -------------------------------------------------------------------------------------------------- The **Watchlist** is where you register the identifiers SpyCloud will monitor: * 🌐 Domains * 📧 Email addresses * 🖥️ IP addresses ![](https://files.readme.io/3469b12f36f617a1dbe48093d8abba6a3569ada653646fd86d60ddfa14f27ffb-image4.png) _Image: Example of Watchlist identifiers in the Portal_ > Best practice: Include your corporate domains, executive emails, and key IP ranges. Subdomains are automatically covered if the parent domain is monitored. * * * 🕵️ Recent Records [](https://docs.spycloud.com/public-sc/docs/portal-overview#%EF%B8%8F-recent-records) ------------------------------------------------------------------------------------------------------------ Each time SpyCloud ingests data matching your Watchlist, **new exposures** appear in the **Recent Records tab**. ![](https://files.readme.io/ad84667235e15a271e838913c8f4c147e03601970931c8521020b80dd2022409-image1.png) _Image: Recent Records list_ ### Actions you can take [](https://docs.spycloud.com/public-sc/docs/portal-overview#actions-you-can-take) * 🔎 Open and inspect exposure details * 📂 Export for further analysis * ✅ Close records once addressed ![](https://files.readme.io/dce0a6b7e0a01bf6c8ccdf6adc7b313c2a96904d62defff5fc6ada98f69f3969-image2.png) _Image: Bulk selection and removal of Recent Records_ * * * ⚖️ Breach Severity [](https://docs.spycloud.com/public-sc/docs/portal-overview#%EF%B8%8F-breach-severity) ------------------------------------------------------------------------------------------------------------- SpyCloud categorizes breach records into four severity levels: * **2 – Email Only** 📨 — email-only lists with no passwords * **5 – Informational** ℹ️ — no password or only non-crackable hashes * **20 – High** 🔐 — email + plaintext password * **25/26 – Critical** 🚨 — malware-exfiltrated data (cookies, plaintext credentials, botnet logs) > 🎯 > > ### > > Prioritize **Critical** and **High** severity exposures for fastest remediation. > > [](https://docs.spycloud.com/public-sc/docs/portal-overview#prioritize-critical-and-high-severity-exposures-for-fastest-remediation) 💡**Severity Scores & Source Types** For more info on severity scores and source types, read more about our data [here](https://spycloud-external.readme.io/public-sc/update/docs/severity-score-source-types-metadata#/) . * * * 📢 Notification Preferences [](https://docs.spycloud.com/public-sc/docs/portal-overview#-notification-preferences) ---------------------------------------------------------------------------------------------------------------------- Admins can configure **notifications** under the Admin menu. ![](https://files.readme.io/0770dcc3d04daad1a35f3c5e4a15f8867d48ed8314cfaf6575302aa741b55c28-image5.png) _Image: Notifications settings in the Portal_ ### Weekly ingest email [](https://docs.spycloud.com/public-sc/docs/portal-overview#weekly-ingest-email) * Receive a weekly summary of new exposures * Helps you stay informed without logging in daily ### Webhook notifications [](https://docs.spycloud.com/public-sc/docs/portal-overview#webhook-notifications) * Real-time HTTP POSTs to your systems when new data arrives * Enables automation for faster response * Avoids manual polling > ✅ > > ### > > Remove users from Notification Preferences if they no longer need alerts. > > [](https://docs.spycloud.com/public-sc/docs/portal-overview#remove-users-from-notification-preferences-if-they-no-longer-need-alerts) * * * ✅ Summary [](https://docs.spycloud.com/public-sc/docs/portal-overview#-summary) =================================================================================== Your SpyCloud Portal provides everything you need to: * Verify and manage identifiers * Review **Recent Records** * Understand **Breach Severity** * Export actionable data * Stay on top of exposures via **notifications & webhooks** Updated 13 days ago * * * Ask AI --- # Advanced | Extended Attributes ADG can add up to **four additional attributes** from your Active Directory to include in your **scan results** and **CSV reports**. * * * 🔧 Configuring Extended Attributes [](https://docs.spycloud.com/public-sc/docs/advanced-extended-attributes#-configuring-extended-attributes) ------------------------------------------------------------------------------------------------------------------------------------------------- To configure: 1. Navigate to **Advanced Settings → Extended Attributes** in the left-hand navigation. 2. Enter up to **four attribute names**, one per line. * Attribute names must use the **Ldap-Display-Name** value. * Reference: [Microsoft AD Schema Attributes](https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all) . > ⚠️ > > ### > > Ensure that you use the correct Ldap-Display-Name. Invalid names will not be included in scan results. > > [](https://docs.spycloud.com/public-sc/docs/advanced-extended-attributes#ensure-that-you-use-the-correct-ldap-display-name-invalid-names-will-not-be-included-in-scan-results) ![](https://files.readme.io/caaaae80e251082bd189f32ae9e76f593e07e0613ecbad95878f3af3e9ef9520-image98.jpg) * * * 📊 Results in Reports [](https://docs.spycloud.com/public-sc/docs/advanced-extended-attributes#-results-in-reports) ----------------------------------------------------------------------------------------------------------------------- * When displayed in **Match Results** and in **CSV exports**, ADG will use the **CN (Common Name)** of the attribute if one exists. * In reports, these appear as **column headers** for clarity. ![](https://files.readme.io/7a4fc3cd797fdba0f0f0abc43709fbda0014930a235b350e0db5dc1da5014063-image50.jpg) Updated 5 months ago * * * Ask AI --- # Compass Malware Remediation 🧭 Getting Started with Compass [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#-getting-started-with-compass) ========================================================================================================================================== Welcome to **SpyCloud Compass**, your command center for exposure alerting, prioritization, and identity remediation. This guide will help you understand what Compass is, why it exists, and how to start using it effectively. * * * 🔍 What Is Compass? [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#-what-is-compass) ----------------------------------------------------------------------------------------------------------------- Compass is a SaaS module that surfaces **exposure alerts** from SpyCloud’s darknet and malware data, scoring and prioritizing each alert based on severity and context. It helps your team: * Detect exposed employee or contractor credentials * Prioritize alerts based on real identity risk * Take fast, effective remediation actions * Collaborate across SOC, fraud, and identity teams > Unlike traditional breach alerting tools, Compass enriches alerts with **malware context, cracked passwords, risk scoring, and suggested next steps.** * * * ✅ Who Should Use Compass? [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#-who-should-use-compass) ------------------------------------------------------------------------------------------------------------------------------ Compass is built for a wide range of teams — each with different goals but a shared need for **identity exposure visibility**: ### 🔒 SOC Analysts Prioritize alerts by severity. Reduce noise. Remediate fast. ### 🛡️ Security Engineering Integrate alerts into your SIEM/SOAR and trigger automated workflows. ### 🧠 CTI & Threat Researchers Correlate identity exposure with threat actor behaviors and campaign activity. ### 💰 Fraud & Risk Teams Protect users exposed via malware or password reuse before abuse occurs. * * * 🗺️ How Compass Fits In [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#%EF%B8%8F-how-compass-fits-in) ---------------------------------------------------------------------------------------------------------------------------------- Compass is one layer of SpyCloud’s **Enterprise Protection Suite**, focused on **exposure detection and response**. It works alongside: * **ATO Prevention** – stops exposed credentials from being used to compromise accounts * **IDLink API** – enriches identity graphs across malware, breach, and behavioral data * **Investigations** – powers deeper forensic work from selectors * * * 🛫 First-Time Setup Checklist [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#-first-time-setup-checklist) -------------------------------------------------------------------------------------------------------------------------------------- Here’s what to do if you’re logging into Compass for the first time: 1. ✅ Ensure you have access at [compass.spycloud.com](https://compass.spycloud.com/) 2. ✅ Check that your account has the appropriate seat/license assigned 3. ✅ Navigate to the Alerts tab to view prioritized exposure events 4. ✅ Use filters to focus by severity, domain, or source type 5. ✅ Start triaging alerts (e.g., investigate, mark resolved, escalate) 6. ✅ Explore automation or SIEM integration options with your team * * * 📊 What You’ll See Inside [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#-what-youll-see-inside) ----------------------------------------------------------------------------------------------------------------------------- Compass is organized around **alert views**: * A dashboard of high-risk identity exposures * Severity scores (5–25) based on context, origin, and exploitability * Filtering by domain, email, source type, malware family, password type * Ability to mark alerts as resolved, under investigation, or escalated * * * 💡 Why Use Compass? [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#-why-use-compass) ----------------------------------------------------------------------------------------------------------------- ⚡**Fast Signal. Low Noise.** Compass is built to surface only the **alerts that matter most** — and give you the context to respond confidently. It’s not about drowning you in exposures. It’s about helping you act before attackers do. * * * 🧠 Ready to Go Deeper? [](https://docs.spycloud.com/public-sc/docs/compass-malware-remediation#-ready-to-go-deeper) ----------------------------------------------------------------------------------------------------------------------- Next steps: * 📖 Read [Understanding Alerts & Risk Scoring](https://docs.spycloud.com/compass/understanding-alerts) * 🔍 Learn how to [Investigate Alerts in Compass](https://docs.spycloud.com/compass/investigating-alerts) * 🛠️ Explore [Remediation Workflows & Automation](https://docs.spycloud.com/compass/remediation) * 💡 Review [Compass Best Practices & Optimization](https://docs.spycloud.com/compass/best-practices) * * * Updated 13 days ago * * * Ask AI --- # Employee ATO Prevention SpyCloud’s **Employee ATO Prevention (EAP)** helps organizations stop account takeover (ATO) before it happens by **detecting compromised employee credentials early** and automating remediation — shutting down criminal entry points and reducing risk. * * * ✅ Benefits at a Glance [](https://docs.spycloud.com/public-sc/docs/employee-ato-prevention#-benefits-at-a-glance) --------------------------------------------------------------------------------------------------------------------- **⏱️ Decreased Exposure Window** Reset exposed employee credentials early in the attack lifecycle to block criminal entry points. **🔍 Continuous Credential Monitoring** Gain unmatched visibility into the world’s largest, continuously updated repository of breached, malware-exfiltrated, and phished data. **⚙️ Automated Remediation** Reduce security team workload with automated remediation in existing workflows. **🎯 Prioritize Critical Threats** Focus on the most urgent risks with advanced filtering to quickly resolve what matters most. * * * 🛠️ Key Capabilities [](https://docs.spycloud.com/public-sc/docs/employee-ato-prevention#%EF%B8%8F-key-capabilities) ------------------------------------------------------------------------------------------------------------------------ ### 🕵️ Credential Monitoring Watchlist domains, IPs, and emails against SpyCloud’s massive recaptured darknet dataset. ### ⏰ Real-Time Alerts Get immediate notifications when new employee exposures are detected. ### 🔁 Password Reuse Detection Identify employees reusing exposed credentials and highlight repeat offenders. ### 📊 Executive Reporting Generate on-demand or monthly high-level reports on exposures and ATOs prevented. ### 📂 Data Export Export CSVs for deeper analysis or to build custom reports for specific metrics. ### 🔐 Secure SSO Portal Access a user-friendly dashboard with detailed exposure data and org-level analytics. ### ⚙️ Admin Control Add or remove domains, emails, and IP addresses for tailored protection. ### 🌐 Domain-Specific Monitoring Zero in on critical areas of concern with domain-level exposure insights. ### 🔗 Flexible Integrations Send SpyCloud data into SIEMs, SOARs, IdPs, and TIPs for seamless remediation workflows. * * * 🔍 Why It Matters [](https://docs.spycloud.com/public-sc/docs/employee-ato-prevention#-why-it-matters) ---------------------------------------------------------------------------------------------------------- SpyCloud ingests and analyzes **25B+ pieces of stolen identity data every month**, delivering exposure data within **minutes of discovery**. > By shifting to a **holistic identity-first approach**, organizations reduce ATO risk _before attackers can exploit exposed credentials_. * * * Updated 13 days ago * * * Ask AI --- # Session Identity Protection SpyCloud Session Identity Protection**identifies malware-exfiltrated authentication cookies** tied to your applications and alerts you so you can **invalidate compromised sessions** and **lock criminals out**—even when they try to bypass passwords, passkeys, or MFA. * * * 🚨 The Challenge [](https://docs.spycloud.com/public-sc/docs/session-identity-protection#-the-challenge) ------------------------------------------------------------------------------------------------------------ Modern infostealer malware is prolific and evasive – often executing and auto-deleting before AV tools detect it. Criminals prize **session cookies** because they enable **session hijacking** that **bypasses all forms of authentication**. As long as the cookie remains valid, an attacker can impersonate a trusted device and walk into the account. * * * ✅ What Session Identity Protection Helps You Do [](https://docs.spycloud.com/public-sc/docs/session-identity-protection#-what-session-identity-protection-helps-you-do) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | Outcome | What it means in practice | | --- | --- | | **Stop targeted ATO** | Invalidate compromised sessions so stolen cookies become worthless. | | **Prevent authentication bypass** | Identify valid cookies criminals could replay to emulate a consumer’s session and bypass security controls. | | **Identify infected consumers** | Pinpoint malware-infected users to protect high-value accounts and notify them with guidance. | * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/session-identity-protection#%EF%B8%8F-how-it-works) ------------------------------------------------------------------------------------------------------------------- ![](https://files.readme.io/1752718b8012a7469bbc769ddd6acf853ffa58c8ba622b31b252076a25d05b2d-Screenshot_2025-08-26_at_11.58.23_PM.png) 1. **Query the API** for your target application domain. **Query options include:** `Cookie Domain (required)`, `Cookie Name`, `Cookie Expiration Date`, `Source ID`, `SpyCloud Publish Date`. 2. **Receive results** with the data you need to identify vulnerable accounts, including: `Source ID`, `Cookie Domain`, `Cookie Name`, `Cookie Value`, `Cookie Expiration`, `SpyCloud Publish Date`, `Infected Machine ID`, `IP Addresses`, `User Hostname`, `User System Registered Owner`. 3. **Intervene** to protect accounts: **invalidate compromised cookies** and/or **flag accounts** tied to known-infected devices for increased scrutiny. > 👍 > > #### > > **Why this works:** SpyCloud continuously **recovers malware logs from the criminal underground**, parses cookies relevant to **your** apps, enriches them for identification, and delivers alerts **via a high-volume REST API**—shrinking the exposure window. > > [](https://docs.spycloud.com/public-sc/docs/session-identity-protection#why-this-works-spycloud-continuously-recovers-malware-logs-from-the-criminal-underground-parses-cookies-relevant-to-your-apps-enriches-them-for-identification-and-delivers-alerts-via-a-high-volume-rest-apishrinking-the-exposure-window) * * * 🧭 Recommended Response Patterns [](https://docs.spycloud.com/public-sc/docs/session-identity-protection#-recommended-response-patterns) -------------------------------------------------------------------------------------------------------------------------------------------- * **Immediate session kill:** Invalidate any cookie returned by the API that matches your domains. * **Risk-based friction:** Step-up auth (MFA, re-verify email/phone) on subsequent high-risk actions from affected accounts. * **Infection follow-up:** Notify consumers associated with **Infected Machine ID/IP/Hostname** to remediate malware. * * * 🧰 Request & Response At-a-Glance [](https://docs.spycloud.com/public-sc/docs/session-identity-protection#-request--response-at-a-glance) --------------------------------------------------------------------------------------------------------------------------------------------- **Request filters** _(combine as needed)_ | Filter | Notes | | --- | --- | | Cookie Domain | **Required**; target your app’s cookie domains. | | Cookie Name | Narrow to specific auth cookies. | | Cookie Expiration Date | Focus on still-valid sessions. | | Source ID / Publish Date | Trace back to specific collections/time windows. | **Response fields** _(used to locate & protect accounts)_ | Field | Use | | --- | --- | | Cookie Domain / Name / Value | Match and invalidate sessions on your side. | | Cookie Expiration | Prioritize still-active sessions. | | Infected Machine ID / IP / Hostname / Registered Owner | Correlate to a user profile; trigger outreach or extra scrutiny. | | Source ID / Publish Date | Audit lineage; analyze campaigns over time. | * * * 🧪 Example Playbook [](https://docs.spycloud.com/public-sc/docs/session-identity-protection#-example-playbook) ------------------------------------------------------------------------------------------------------------------ 1. **Poll or query** the API for your cookie domains. 2. **Join results** to customer accounts using cookie metadata & account telemetry. 3. **Expire sessions** matching returned cookies; **step-up** on next login. 4. **Case-manage** repeat infections using machine identifiers to reduce reinfection risk. Updated 13 days ago * * * Ask AI --- # Understanding Alerts & Severity 🖥️ Step 1: View Infected Device List [](https://docs.spycloud.com/public-sc/docs/understanding-alerts-risk-scoring#%EF%B8%8F-step-1-view-infected-device-list) ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Start by reviewing the **Compromised Devices** dashboard. * Devices are sortable by alias, email, IP, and source type. * Click the hostname to investigate further and launch the **Device Graph**. **👇 INFECTED DEVICE LIST** ![Infected Devices List](https://files.readme.io/63beabf5015f27914b4fe55b938e61219bd470ada9c478fa9a07fa38b75f5ecc-image4.png) You can view the detail panel for a specific device \*\*👇DEVICE DETAIL \*\* ![Device Detail Panel](https://files.readme.io/abf04e80a580e03020918000dd6271301d2ad117f8780f8c3521b1998840f740-image10.png) * * * 👤 Step 2: Correlate Employee Status [](https://docs.spycloud.com/public-sc/docs/understanding-alerts-risk-scoring#-step-2-correlate-employee-status) --------------------------------------------------------------------------------------------------------------------------------------------------------- Cross-check exposed identities (e.g., `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) `) against internal HRIS or directory data. Compass alerts show: * Domains involved (internal vs third-party) * Selector types (email, IP, password, app login) * Historical matches and risk scoring * * * 🧠 Compass Alert Severity [](https://docs.spycloud.com/public-sc/docs/understanding-alerts-risk-scoring#-compass-alert-severity) ------------------------------------------------------------------------------------------------------------------------------------ Each alert is assigned a severity from **5 (low)** to **25 (high)**, based on: * Source type (malware > phish > breach > combolist) * Password status (cracked, reused, plaintext) * Domain match (does it match your monitored assets?) * Recency and exposure depth | **Severity** | **Meaning** | | --- | --- | | 2 | Email only - typically from a breach or phishing target list | | 5 | Informational - could contain sensitive data, but no plaintext password | | 20 | Credential with plaintext password, could contain sensitive data. | | 25 | Malware log with credentials, infected machine info, and/or behavioral signals | | 26 | Session cookie data taken from a device infected by malware | * * * 🧩 Step 3: Explore the Device Graph [](https://docs.spycloud.com/public-sc/docs/understanding-alerts-risk-scoring#-step-3-explore-the-device-graph) ------------------------------------------------------------------------------------------------------------------------------------------------------- Open the **interactive graph** to explore connections: * Click any node (email, login, device, domain) * Pivot across selectors and linked accounts * Review compromised assets and exposure type **👇DEVICE GRAPH** ![Device Graph](https://files.readme.io/fe8ac5a87e60f55f7b340c0a59b6342882edf8a94db9579921b70aa690d0b488-image12.png) * * * 💻 Step 4: Review Exposed Applications [](https://docs.spycloud.com/public-sc/docs/understanding-alerts-risk-scoring#-step-4-review-exposed-applications) ------------------------------------------------------------------------------------------------------------------------------------------------------------- * Compass surfaces all logins to **enterprise applications** from the infected device. * Easily identify high-risk app access. * Add any new subdomains (e.g., internal tools) to your monitoring list. **👇COMPROMISED APPLICATION VIEW** ![Compromised Applications View](https://files.readme.io/b4ed125447e179e68626110f7935e1fcd7e6b60449e7843d77ef012117aace8a-image11.png) * * * 🔧 Step 5: Recommended Remediation Actions [](https://docs.spycloud.com/public-sc/docs/understanding-alerts-risk-scoring#-step-5-recommended-remediation-actions) --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Based on alert score, metadata, and device context, follow these steps: 1. **🛑 Notify and isolate the user/device** via EDR, MDM, or helpdesk. 2. **🔐 Rotate passwords** for exposed logins or domains. 3. **🧾 Review access logs** in your IdP, SIEM, or app telemetry. 4. **💻 Reimage** the device or perform targeted cleanup. 5. **🌀 Repeat** for any linked app accounts. **👇POST-INFECTION RESPONSE STEPS** ![Post-Infection Response Steps](https://files.readme.io/152c57092e1c46b16d8f549fc1a9806537598fad6331b30eefd51514efb998dc-image6.png) * * * 🧠 Tip: Start with What You Can Automate [](https://docs.spycloud.com/public-sc/docs/understanding-alerts-risk-scoring#-tip-start-with-what-you-can-automate) ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Compass risk scoring and metadata are ideal for: * Feeding SOAR playbooks * Prioritizing human triage * Auto-generating IT tickets based on severity Check out [Responding & Remediation](https://docs.spycloud.com/compass/remediation) for automation examples and integrations. Updated 13 days ago * * * Ask AI --- # FAQs **SpyCloud Employee ATO Prevention** is designed to help organizations detect and respond to employee credential exposures before they can be exploited for account takeover (ATO), ransomware, or other forms of identity-based attacks. The FAQs below address the most common questions about setup, data protection, alerting, and remediation – so you can get started quickly and confidently. Whether you're a security analyst, IT admin, or compliance stakeholder, this resource is here to help you make the most of your SpyCloud solution. ❓ Enterprise Protection FAQs [](https://docs.spycloud.com/public-sc/docs/faqs#-enterprise-protection-faqs) ============================================================================================================== 🚀 How do I get started? To get the most out of the system: * Add all appropriate domains and subdomains owned by your company to the Watchlist. * Add personal email addresses of key employees and executives to the **Personal Email Watchlist**. A verification email will be sent to the owner before monitoring begins. * Add your contact info under **Notification Preferences** to receive real-time automated alerts. * Add IP address ranges used by your organization. Once this is complete, SpyCloud will alert you when your assets are found — no need to log in to gain value. 🔒 Why should I trust SpyCloud with my personal data? SpyCloud is staffed by vetted security professionals with backgrounds in Fortune 500 companies, the U.S. Department of Defense, and threat intelligence fields. Here's how your data is protected: * All shared information is treated as confidential (TLP:RED). * All data, including watchlist items, is encrypted. * Multiple operational security controls (not publicly disclosed) protect your information. 🧬 What’s different about SpyCloud? SpyCloud focuses exclusively on uncovering and acting on cybercrime-related breaches — no software install required. * Monitor domains, personal emails, and more without agent installation. * Specialized in dark web and private forum collection. * Results are enriched, timely, and immediately actionable. 🔍 How do you monitor for my assets? SpyCloud uses human intelligence collection techniques to access stolen credentials and data from underground forums. Analysts validate and ingest records into a central database. Assets are then matched to your watchlist, and alerts are generated automatically when matches are found. 📦 What types of information can SpyCloud find? We detect: * Credentials from internal & external systems (keyloggers, personal use on work devices) * Compromised corporate credentials * IPs, cookies, passwords, and session tokens * Backdoors or infrastructure exposure * Intellectual property in underground markets * Cloud service credentials (Dropbox, Google, etc.) * Personally identifiable information (PII) We monitor both personal and corporate addresses for deep visibility. 📊 How is severity determined? Severity is calculated based on source, exploitability, and password context: * **26**: Session cookie from malware-infected device * **25**: Credential or financial data from malware * **20**: Plaintext password not from malware * **5**: Hashed passwords or sensitive data without a password * **2**: Email/username only (no password or risk context) 📅 How often should I expect to receive an alert? SpyCloud ingests hundreds of breach sources monthly — sometimes exceeding 1 billion new artifacts. * Large orgs may receive several alerts monthly. * Small businesses may receive new alerts every few months. 🛠️ How do I act on the information you share? SpyCloud provides remediation steps in the alert view. General advice includes: * Change the compromised password anywhere it’s used. * Inform affected users and stakeholders immediately. * Enable two-factor authentication. * Implement a password manager for hygiene. Questions? Use the Support button in the portal. 🌐 How are domains handled in the watchlist? When you add a domain (e.g., `acmeinc.com`), we monitor **all matching addresses**, like `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` or `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` — no need to add each one individually. ✅ How do I verify a domain after adding it? Domain ownership must be verified to see breach details. * After adding a domain, click **Actions > Verify**. * Choose from 5 verification methods. * If you can’t use automated methods, click **Support** to request manual verification. 📈 Can I upgrade later to add more domains or emails? Yes! You can upgrade at any time. Contact the SpyCloud team via the Support button, and we’ll help expand your scope. 👥 Can I monitor customer credential reuse? Yes — many organizations monitor customer credentials to prevent fraud and identity theft. Contact `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` for details about our Consumer ATO Provention API and pricing. 🔐 What’s the difference between a Private vs Public breach? * **Private**: Found in criminal forums not accessible to the public — often more urgent. * **Public**: Freely available leaks from Pastebin, public forums, or P2P networks. If we find data in private sources first, it retains its private label, even if it later becomes public. 📆 What dates are used in breach timelines? We track: * Breach date (when the incident occurred) * Acquisition date (when we obtained the data) * Public disclosure date (if known) **Timelines show**: * Acquisition date for private breaches * Public date for public breaches 📧 What are 'personal' emails in the watchlist? Personal emails are typically **non-corporate** (e.g., Gmail, Yahoo) and should be added to the **Personal Email Watchlist** — especially for executives. No need to add work emails here — they’re already monitored through your Domain Watchlist. ⚠️ Should I add my corporate email to both watchlists? If your domain is monitored (e.g., `example.com`), adding `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` to the personal watchlist may result in **duplicate notifications**. However, if you don’t control the full domain, this can be a good way to monitor personal corporate exposure. 👮 Do you work with law enforcement, ISACs, or CERTs? Yes. When we discover criminal indicators that fall outside customer scope, we coordinate with: * Law enforcement * National CERTs * Industry ISACs * Other intelligence sharing partners Customer data is prioritized and delivered immediately. Non-customer alerts follow best-effort outreach. 📱 What 2FA apps are supported? SpyCloud supports common two-factor authentication apps including: * Google Authenticator * Microsoft Authenticator * Duo Mobile * Authy Updated 13 days ago * * * Ask AI --- # Active Directory Guardian 🛡️ Introduction to Active Directory Guardian (ADG) [](https://docs.spycloud.com/public-sc/docs/active-directory-guardian#%EF%B8%8F-introduction-to-active-directory-guardian-adg) ====================================================================================================================================================================================== Active Directory Guardian (ADG) leverages SpyCloud’s API to protect your corporate Windows domain from Account Takeover (ATO) attacks. The software can be run either manually or on a schedule and checks for exposed credentials that may adversely affect your organization's security posture. * * * 🧩 How It Works [](https://docs.spycloud.com/public-sc/docs/active-directory-guardian#-how-it-works) -------------------------------------------------------------------------------------------------------- **Here is how it works:** ![](https://files.readme.io/b95b182bdfe2d29a21e2fccee9652db897707e4b4522794accc6f0a2cde67cb8-image4.png) * * * 🆕 What’s New in ADG 7.3.0 [](https://docs.spycloud.com/public-sc/docs/active-directory-guardian#-whats-new-in-adg-730) --------------------------------------------------------------------------------------------------------------------------- * ✅ Added the ability to run **Automatic Scans** that run continuously every 5 minutes. * ✅ Added a new screen for configuring **Automatic Scanning**. * ✅ Added the ability to **import distinguished names lists** to Active Directory Object Collections. * * * Updated 5 months ago * * * Ask AI --- # Advanced | Configuring Banned Passwords List To configure the **Banned Password List**, navigate to: **Advanced Settings → Banned Passwords** in the left-hand navigation. From the **Banned Password List** page, you can: * View the current banned password list * Add banned passwords * Import or export a list * Clear the entire list ![Banned Password List Overview](https://files.readme.io/469006249c8e841f9156c3bfc8b0c3855998cd7a9364bccb2e8aa76c00400102-image47.jpg) * * * ➕ Adding Banned Passwords [](https://docs.spycloud.com/public-sc/docs/avanced-configuring-banned-passwords-list#-adding-banned-passwords) --------------------------------------------------------------------------------------------------------------------------------------------- | **Action** | **How to Do It** | | --- | --- | | **Add a single password** | Enter the password in the text field → click **Add Banned Password** | | **Add a list of passwords** | Click **Add List from File** → select your file from the system (one password per line, duplicates removed automatically) | * * * 📤 Exporting & Clearing [](https://docs.spycloud.com/public-sc/docs/avanced-configuring-banned-passwords-list#-exporting--clearing) --------------------------------------------------------------------------------------------------------------------------------------- You can also: * **Export the list** → select **Export List** * **Clear the list** → select **Clear List** to remove all entries * * * 🔎 Notes [](https://docs.spycloud.com/public-sc/docs/avanced-configuring-banned-passwords-list#-notes) ---------------------------------------------------------------------------------------------------------- * Leading/trailing spaces are automatically removed. * Duplicate entries are ignored when importing. * File import format: **one password per line**. Updated 5 months ago * * * Ask AI --- # Account Settings This guide walks you through the most common **account settings** in the SpyCloud Portal: **Language Preferences**, **SSO**, **Two-Factor Authentication (2FA)**, and **Roles & Permissions**. * * * 🌍 Your Language Preference [](https://docs.spycloud.com/public-sc/docs/account-settings#-your-language-preference) ----------------------------------------------------------------------------------------------------------------------- Choose the language you’re most comfortable with for a better Portal experience. * Open **Account Settings** in the Portal. * Locate **Language** and select your preferred option. * Save your changes — the Portal will reflect your new language settings. > 💡 > > ### > > If you work across regions, we recommend setting a **team-wide default** and documenting it internally so everyone sees consistent labels and menus. > > [](https://docs.spycloud.com/public-sc/docs/account-settings#if-you-work-across-regions-we-recommend-setting-a-team-wide-default-and-documenting-it-internally-so-everyone-sees-consistent-labels-and-menus) * * * 🔐 Single Sign-On (SSO) [](https://docs.spycloud.com/public-sc/docs/account-settings#-single-sign-on-sso) ------------------------------------------------------------------------------------------------------------- Use SSO to streamline and secure authentication for your team. * Make sure your identity provider (IdP) is configured for the SpyCloud application. * Assign the application to the users or groups who need access. * Users with company-domain emails will be directed through SSO at sign-in. **Tips** * If a user can’t access via SSO, verify **group membership** and **app assignment** in your IdP. * For VIPs or contractors, consider whether SSO is required or whether an exception process exists in your org. * * * 🧭 Two-Factor Authentication (2FA) [](https://docs.spycloud.com/public-sc/docs/account-settings#-two-factor-authentication-2fa) ----------------------------------------------------------------------------------------------------------------------------------- Add an extra layer of security with an authenticator app (recommended). ### Enable 2FA [](https://docs.spycloud.com/public-sc/docs/account-settings#enable-2fa) 1. Go to **Account Settings**. 2. Select **Enable Two-Factor Authentication**. ![2FA setup in the Portal](https://files.readme.io/470dd642b7c140c9949e907d8e290c4f93a8b1971fbbfe0f56b1ce10c63f7717-image1.png) 3. If you don’t have an authenticator app installed yet, use the links provided in the Portal to download one. 4. **Scan** the QR code with your authenticator app. 5. **Enter** the one-time code displayed in your app to complete setup. ### Troubleshooting [](https://docs.spycloud.com/public-sc/docs/account-settings#troubleshooting) * Update your authenticator app. * Remove the SpyCloud entry in your app and **rescan** the QR code. * Carefully **retype** the one-time code (avoid formatting spaces or autocorrect). * **Clear your browser cache** and try again. > ✅ > > ### > > We recommend enforcing 2FA for users with elevated privileges (Admins/Owners). > > [](https://docs.spycloud.com/public-sc/docs/account-settings#we-recommend-enforcing-2fa-for-users-with-elevated-privileges-adminsowners) * * * 🧑‍💼 Roles & Permissions [](https://docs.spycloud.com/public-sc/docs/account-settings#-roles--permissions) --------------------------------------------------------------------------------------------------------------- Set the right level of access for each team member. ### Administrator Role [](https://docs.spycloud.com/public-sc/docs/account-settings#administrator-role) * Manages **subscription** information * Sets **notification preferences** * Handles **team management** (adding/deleting users) ### User Role [](https://docs.spycloud.com/public-sc/docs/account-settings#user-role) * Accesses the **dashboard** * **Views** breached data * Performs **data exports** > 🔒 > > ### > > Apply the **principle of least privilege**: only give admin rights to those who truly need them. > > [](https://docs.spycloud.com/public-sc/docs/account-settings#apply-the-principle-of-least-privilege-only-give-admin-rights-to-those-who-truly-need-them) * * * ✅ Summary [](https://docs.spycloud.com/public-sc/docs/account-settings#-summary) ==================================================================================== * **Language** — set a comfortable default for the whole team. * **SSO** — assign the SpyCloud app in your IdP for seamless sign-in. * **2FA** — enable and enforce for stronger protection. * **Roles** — grant Administrator only as needed. Updated 13 days ago * * * Ask AI --- # Configuring a Group with 'Least Privilege' 1. Open **Active Directory Users and Computers** and create a new Group. ![](https://files.readme.io/9c3880b82fdaaa7849b696dd25a4ed33014cde76438631846f23a002fc14cb6a-image15.jpg) 2. Name the new group something meaningful (e.g. “SpyCloud ADG Least Privilege”). ![](https://files.readme.io/3f80997130fd7f08f66b8f88a87b9357146fc6dfbc3ab5982429a8914f309b86-image6.jpg) 3. Right-click on the domain container and select **Delegate Control.** ![](https://files.readme.io/f50a33e6a46832dc037250237ea90bc81f54afd02cfd03782e6a75675c722d09-image17.jpg) 4. Click **Next** in the **Delegation of Control Wizard.** ![](https://files.readme.io/f6b52f387680c584149cd5886bec2f3a66428d6aad58ec5483498096f0b38d1f-image69.jpg) 5. Put your new group name in the **Enter the object names to select** field (type in a portion of the group name and click **Check Names** to get a list of groups that match). Once your group is present, click **OK** ![](https://files.readme.io/e006924bab92bed4f3b042d8197227f347d35e12c47227e26099dd942c59270e-image87.jpg) 6. Click \*\*Next \*\*in the following window. ![](https://files.readme.io/727d22ab3153d38b7ce4896d8ae786e2829be6d6291dce0ff0590f2a2766d4fc-image77.jpg) 7. In the **Tasks to Delegate** window, leave **Delegate the following common tasks** select and check the box next to **Reset user passwords and force password change at next logon.** ![](https://files.readme.io/4d8682128329adfad5fd9373bc3dc9a58c3f94d84211dc8bbe2d81679748f7c3-image45.jpg) 8. Click **Next **and then complete this task delegation by clicking on** Finish**. ![](https://files.readme.io/7108e1d055bbc2bb6f67d2f1c05410d24752cab97b90ee6832ea28875477bacd-image14.jpg) 9. Repeat Steps 3 through 6. In the **Tasks to Delegate** window, select **Create a custom task to delegate.** ![](https://files.readme.io/fef4776be2b7414220b9e2fd433ba88e5507f37d21adcbf33f7f194a36c09392-image1.jpg) 10. In the **Active Directory Object Type** window, select\*\* Only the following objects in the folder\*\* and then check the box next to **User objects **and click** Next.** ![](https://files.readme.io/cf118c1d490cc98b22fa797885d6d885c8b791bc838aa68419b0a04e7c645a5b-image18.jpg) 11. In the **Permissions** window, unselect \*\*General \*\*and select **Property-specific**. Under **Permissions**, select \*\*Read lockoutTime \*\*and **Write lockoutTime**. ![](https://files.readme.io/9125e93369698267ced2658f79719c48c45104b7d013afd0ec378a6853f8f15b-image62.jpg) ...and **Read pwdLastSet** and **Write pwdLastSet**. ![](https://files.readme.io/b4852cd7fcfc339761454b628ec6ccb517af05e727b9297c04924592fcf6df0f-image75.jpg) ...and \*\*Read userAccountControl \*\*and **Write userAccountControl**. Then click **Next**. ![](https://files.readme.io/cebc5f5746699ca4219e0cb6748e6618ad3a1b61f0238a4b24218031f809b961-image58.jpg) 12. Complete this task delegation by clicking on **Finish**. ![](https://files.readme.io/b4f5f4004d8c330bf1932b474c97da5768b423a56f6f0d2601956907e9f3ed0b-image14.jpg) 13. Repeat Steps 3 through 6. Repeat Step 9. In the **Active Directory Object Type** window, select **This folder, existing objects in this folder, and creation of new objects in this folder** and click **Next**. ![](https://files.readme.io/dcccf8e578cf6ecec291f712075af430835dbdd41e131567def5c7ed140b9489-image97.jpg) 14. With **General** selected, check the boxes next to **Replicating Directory Changes**. ![](https://files.readme.io/3a3b03bdf5cce50daab4563d42227754caffa1b881512c8cbf2afc45a71dd207-image37.jpg) ...and **Replicating Directory Changes All** then click **Next**. ![](https://files.readme.io/6d8f17841958ee32d9e2d60735f56a074f71cf63832e7d0c69b925b1c910f4ea-image65.jpg) 15. Complete this task delegation by clicking on **Finish.** ![](https://files.readme.io/77f2c67a568ed0111c880957cce01a94da88f2bfc95d548d610bbe3638da7f26-image14.jpg) Your new group is now configured with a ‘least privilege’ configuration for running SpyCloud Active Directory Guardian. Create a new user to be used as your SpyCloud ADG service account and ensure it is added as a Member in your new group so that the delegate controls are properly applied for running the service. > If you have questions – open a Support Ticket via the SpyCloud portal or reach out to [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#285b5d5858475a5c685b58514b44475d4c064b4745) > . Updated 5 months ago * * * Ask AI --- # Remediating Users from the Scan Results Since version **7.0**, ADG has supported applying remediations directly to matches. You can select one, many, or all matches and apply a specific Remediation Policy to just those selected results. > ⚠️ > > ### > > To use this feature, you must have previously configured Remediation Policies (see _Configuring Remediations_). > > [](https://docs.spycloud.com/public-sc/docs/remediating-users-from-the-scan-results#to-use-this-feature-you-must-have-previously-configured-remediation-policies-see-configuring-remediations) * * * 🔧 Applying a Remediation Policy [](https://docs.spycloud.com/public-sc/docs/remediating-users-from-the-scan-results#-applying-a-remediation-policy) -------------------------------------------------------------------------------------------------------------------------------------------------------- Steps to apply remediation: 1. **Search** or **filter** the list of matches. 2. **Select** one or more entries you want to remediate. 3. **Choose** the desired remediation policy. 4. **Click** **Apply Remediation Policy**. ![Apply Remediation Screen](https://files.readme.io/074fc000ee52275bc238a649e2fd79f96ab6ffde16284404f93241d09c05e878-image23.jpg) * * * 📑 Options Summary [](https://docs.spycloud.com/public-sc/docs/remediating-users-from-the-scan-results#-options-summary) ---------------------------------------------------------------------------------------------------------------------------- | **Option** | **Description** | | --- | --- | | **Search/Filter** | Narrow the list of results to specific accounts or match types. | | **Select Matches** | Highlight one, multiple, or all match results. | | **Choose Policy** | Pick a remediation policy from those configured. | | **Apply** | Executes the remediation action(s) against the selected matches. | > 💡 > > _Tip: Start by applying remediation to a**small subset** of results first. This allows you to validate that the configured policy performs as expected before rolling it out more broadly._ Updated 5 months ago * * * Ask AI --- # Advanced | Configuring Remediations ADG supports the creation of **Remediation Policies** that can be applied during scans. Remediation Policies determine: * ✅ Which **actions** ADG will take when a password match is found * ✅ Which **email notifications** ADG will send for matches * ✅ Which **users** are excluded from those actions/notifications * ✅ Which optional **emails** are sent to excluded users * * * 🔧 Managing Remediation Policies [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#-managing-remediation-policies) -------------------------------------------------------------------------------------------------------------------------------------------------- Navigate to: **Advanced Settings → Remediations** From here, you can: * **Create** a new Remediation Policy * **Edit** an existing policy * **Delete** a policy (⚠️ cannot delete if it’s in use by a scheduled scan) > 💡 > > ### > > You can also create/edit Remediation Policies directly from **Manual Scan** or **Scheduled Scan** configuration pages. > > [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#you-can-also-createedit-remediation-policies-directly-from-manual-scan-or-scheduled-scan-configuration-pages) ![Remediations List](https://files.readme.io/2d9d8305ba8a24a964736e55c0bf1b240607d7b6631b4a5f9cf5ae0b903f217c-image51.jpg) * * * ➕ Creating a Remediation Policy [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#-creating-a-remediation-policy) ------------------------------------------------------------------------------------------------------------------------------------------------- 1. Click **Add** 2. Enter a **unique name** in _Remediation Policy Name_ * Best practice: Use descriptive names like * _Force Password Reset and Send User Outreach Email_ * _Disable Account – No Notification_ * * * ### ⚡ Match Actions [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#-match-actions) Choose which **actions** to perform if a password match occurs: * Disable User * Force Password Reset * Okta Password Reset (requires Okta setup under [Configuring Okta](https://spycloud-external.readme.io/public-sc/docs/advanced-configuring-okta) ) ![Match Actions](https://files.readme.io/e9ca9cb9a527de779d847ae6212ef5b37c4ada98c9d76b7dd354f94325b01f23-image7.jpg) * * * ### ✉️ Email Notifications for Matches [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#%EF%B8%8F-email-notifications-for-matches) * Choose one or more **User-type Email Templates** * These will be sent to affected AD users when their accounts match * * * ### 🚫 Exclusions [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#-exclusions) * Select **zero or more AD Object Collections** to exclude from remediation * Example: Exclude **Service Accounts** or **Executive Accounts** 👉 See [Active Directory Object Collections](https://spycloud-external.readme.io/public-sc/update/docs/advanced-ad-object-collections#/) for more details. * * * ### ✉️ Email Notifications for Exclusions [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#%EF%B8%8F-email-notifications-for-exclusions) For excluded users, you may also configure **emails to notify them** using one or more templates. This lets you track excluded accounts without taking remediation actions. * * * 💾 Saving the Policy [](https://docs.spycloud.com/public-sc/docs/advanced-configuring-remediations#-saving-the-policy) -------------------------------------------------------------------------------------------------------------------------- Once defined, click **Save**. Your policy will then be available when running either: * **Manual Scans** * **Scheduled Scans** Updated 5 months ago * * * Ask AI --- # CSV Reports When a scan completes, ADG generates: * A **Scan Report** * An optional **Shared Password Report** (if that scan option was selected) These reports can be emailed to administrators and are also written to the file system. * * * ✉️ Email Delivery [](https://docs.spycloud.com/public-sc/docs/csv-reports#%EF%B8%8F-email-delivery) ------------------------------------------------------------------------------------------------------- * Both reports can be **attached to Scan Completion Emails**. * They are delivered in **CSV format**. * * * 📑 Scan Report Field Definitions [](https://docs.spycloud.com/public-sc/docs/csv-reports#-scan-report-field-definitions) ---------------------------------------------------------------------------------------------------------------------------- | **Field** | **Description** | | --- | --- | | **startDate** | Scan start date (format: YYYY-MM-DD HH:MM:SS). | | **runType** | Indicates whether the scan was Manual or Scheduled. | | **sAMAccountName** | The user’s `sAMAccountName` attribute. | | **userPrincipalName** | The user’s UPN. | | **displayName** | The user’s display name. | | **emailAddress** | The user’s primary email address (`mail` attribute). | | **status** | The type of match detected (Exact, Banned, Fuzzy, IDLink, etc.). | | **action** | The remediation action applied. | | **actionStatus** | The status of the remediation action. | | **spyCloudEntrySourceSite** | Breach site where the record originated. | | **spyCloudEntrySourceDesc** | Description of the breach source. | | **exposureCount** | For Password-Only matches: how many times the password appeared in SpyCloud’s dataset. | | **exclusion** | Indicates if the account matched but was excluded from remediation. | | **exclusionDetails** | The collection or condition that caused the exclusion. | > 🔎 > > ### > > Note: If extended AD attributes are configured, they will also be included in the Scan Report CSV. > > [](https://docs.spycloud.com/public-sc/docs/csv-reports#note-if-extended-ad-attributes-are-configured-they-will-also-be-included-in-the-scan-report-csv) * * * 📑 Shared Password Report Field Definitions [](https://docs.spycloud.com/public-sc/docs/csv-reports#-shared-password-report-field-definitions) -------------------------------------------------------------------------------------------------------------------------------------------------- | **Field** | **Description** | | --- | --- | | **sAMAccountNames** | Comma-separated list of accounts sharing the same password. | | **count** | Number of accounts using that shared password. | * * * 📁 Report Folder for Automation [](https://docs.spycloud.com/public-sc/docs/csv-reports#-report-folder-for-automation) -------------------------------------------------------------------------------------------------------------------------- CSV reports are saved locally in: C:\\ProgramData\\SpyCloud\\AD Guardian\\7\\Reports * Filenames are timestamped for traceability. * Naming conventions: * `Scan Report_YYYYMMDD_.csv` * `Shared Password Report_YYYYMMDD_.csv` > ⚠️ > > You will not see a Shared Password Report if that option was not selected during the scan. * * * 🔗 Integration & Automation [](https://docs.spycloud.com/public-sc/docs/csv-reports#-integration--automation) ----------------------------------------------------------------------------------------------------------------- These CSV files are ideal for automation pipelines. They can be ingested by: * **SIEM tools** (e.g., Splunk, Sentinel) * **Log analytics platforms** * **SOAR workflows** Once ingested, you can: * Open support tickets automatically * Generate incidents * Launch playbooks to remediate matches Updated 5 months ago * * * Ask AI --- # CAP User Exposure API State and local government agencies – including departments, municipalities, and public education institutions –manage extensive volumes of user accounts across citizen-facing portals, employee systems, student services, and administrative platforms. These accounts often hold highly sensitive data, such as personally identifiable information (PII), financial aid details, government credentials, and payroll information. > If compromised, these accounts can lead to identity theft, fraud, service disruption, and regulatory exposure. \*\*SpyCloud \*\*enables public sector organizations to prevent account takeover (ATO) fraud that targets civil servants, educators, students, and government employees. Cybercriminals who gain unauthorized access can manipulate data, redirect payments, or launch attacks that compromise critical public systems and trust in digital government services. * * * 🚨 Why Account Takeover Is a Growing Threat for SLED [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-2#-why-account-takeover-is-a-growing-threat-for-sled) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- As public services increasingly shift online and school systems rely more heavily on digital infrastructure, account security has become an essential line of defense. Credential-based attacks are growing due to the following challenges: * **Password reuse:** Constituents, employees, and students often reuse passwords across systems, increasing exposure to credential stuffing. * **Malware and phishing:** Devices infected through phishing emails or fake service notifications can leak login credentials and personal data. * **Fraudulent account actions:** Once attackers gain access to government or education accounts, they may: * Alter student or staff records * Redirect tax refunds, benefit payments, or payroll deposits * Access sensitive records related to education, housing, public health, or benefits * Lock out legitimate users, halting essential services or disrupting academic operations > 🚩 > > These incidents can result in service interruptions, loss of public trust, and increased compliance and legal liabilities. * * * 🛡️ Proactive Defense with SpyCloud [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-2#%EF%B8%8F-proactive-defense-with-spycloud) ------------------------------------------------------------------------------------------------------------------------------------------------------ SpyCloud empowers government agencies and education institutions to identify compromised credentials and exposed data before bad actors exploit them. By leveraging a continuously updated repository of breach, malware, and phishing data, public sector entities can: * Detect vulnerable user accounts in real time—whether belonging to employees, students, or citizens * Prevent fraud, system abuse, and account lockouts * Strengthen IAM (Identity and Access Management) policies and authentication workflows * Minimize the impact of data leaks, breaches, and service disruption * * * 🧰 User Exposure API for Government & Education [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-2#-user-exposure-api-for-government--education) --------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud’s User Exposure API allows IT and security teams to query our threat intelligence database using common identifiers such as: * Email address * Phone number * Username * IP adress With seamless integration into existing systems, agencies and institutions can: * Block logins using known-exposed credentials found in criminal sources * Detect malware-infected endpoints – from student laptops to administrative workstations * Identify PII exposure and associated risks across more than 200+ data types > 🔍 > > This intelligence gives public organizations real-time visibility into user risk before compromise leads to a larger incident. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-2#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------- 1. Submit a user identifier (email, phone number, etc.) via SpyCloud API (plaintext or SHA1 hash). TLS encryption ensures secure data transmission. 2. SpyCloud returns exposure records from our breach, malware, and phishing collection. 3. Your systems evaluate the exposure: * Is the password still active within your environment? * Was the data tied to malware or phishing campaigns? 4. Take action based on risk level: * Force a password reset * Trigger step-up verification (e.g., multi-factor authentication) * Flag the account for investigation or temporarily disable access * * * 🎯 Key Benefits for SLED [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-2#-key-benefits-for-sled) ------------------------------------------------------------------------------------------------------------------------ * Prevent unauthorized access to internal systems, student portals, and public services * Detect compromised accounts tied to payroll, citizen records, or educational data * Minimize fraud risk involving public funds or academic credential manipulation * Reduce help desk load for account lockouts and identity recovery * Support compliance with data privacy regulations like FERPA, CJIS, or state-specific mandates * * * 📌 Why It Matters [](https://docs.spycloud.com/public-sc/docs/cap-user-exposure-api-2#-why-it-matters) ---------------------------------------------------------------------------------------------------------- Exposed credentials and user data – whether from breaches or malware – are actively used by cybercriminals to infiltrate public institutions. For government agencies and schools, the risks include: * Unauthorized changes to sensitive data or services * Loss of funding or delays in critical programs * Public backlash and reputational harm * Regulatory penalties due to improper access controls Integrating SpyCloud’s credential intelligence gives public sector organizations the ability to act quickly – preventing fraud, protecting citizen data, and ensuring continuity of service delivery. Updated 13 days ago * * * Ask AI --- # Compromised Credit Card API In today’s connected landscape, ISP and cable providers manage extensive volumes of sensitive customer data – including stored credit cards for monthly service billing, device purchases, and bundled media subscriptions. Many providers also partner with banks to issue co-branded credit cards, giving subscribers rewards and discounts on services. These cards, however, are not immune to cybercriminal activity. ISP and cable providers can _reduce fraud losses_ and **increase customer trust** by monitoring compromised credit cards – including card numbers, expiration dates, and CVVs exposed via breaches or dark web markets. When this data is integrated into fraud detection systems, it serves as a proactive risk signal – allowing companies to act before fraud occurs. \*\*Providers can directly monitor their co-branded cards \*\*via BINs (Bank Identification Numbers) to detect exposure early and intervene before damage is done. By identifying compromised cards in circulation, ISP and cable providers can: * Prevent fraudulent purchases of modems, routers, streaming devices, and other hardware. * Reduce chargebacks from unauthorized service activations or premium content purchases. * Flag accounts at risk based on exposed payment credentials. * Support investigations into coordinated fraud attacks that target subscription and equipment fraud. * * * 📡 SpyCloud’s Credit Card Intelligence for ISPs & Cable Providers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-3#-spyclouds-credit-card-intelligence-for-isps--cable-providers) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud provides unique visibility into recaptured credit card data – specifically cards being actively trafficked by cybercriminals and highly likely to be used for fraud. With **SpyCloud’s Compromised Credit Card API**, risk and fraud teams can: * Access exposed card records linked to their co-branded card BINs. * Integrate exposure alerts into billing systems and fraud scoring engines. * Block, verify, or flag transactions tied to compromised cards at critical stages (signup, upgrade, auto-pay). > 💫 > > By stopping fraud tied to compromised cards, ISPs and cable providers protect both their revenue streams and subscriber relationships. * * * ⚙️ How the Credit Card BIN API Works [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-3#%EF%B8%8F-how-the-credit-card-bin-api-works) --------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud’s Compromised Credit Card API enables automated detection of exposed credit cards via a RESTful JSON API. Organizations query the endpoint with one or more 6-digit BINs (up to 10 per request) and receive: * SHA1-hashed card numbers * Exposure source metadata (e.g., breach, phishing, malware) * Timestamps of compromise * Other relevant contextual data **Common use cases include:** * Flagging at-risk cards during billing setup or checkout flows. * Requiring verification or re-issuance of co-branded cards used in recent fraud attempts. * Monitoring for bulk exposures that could indicate card program abuse or a targeted phishing campaign. * * * 🗃️ Data Sources [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-3#%EF%B8%8F-data-sources) ---------------------------------------------------------------------------------------------------------------------- SpyCloud researchers continuously ingest compromised card data from: * Malware-infected devices (including subscriber phones, infected support agents' machines, or POS terminals). * Phishing kits targeting ISP or cable-branded payment pages. * Data breaches impacting telecom or third-party billing/fulfillment vendors. This proactive threat intelligence gives fraud teams the chance to act before damage is done – stopping fraudulent charges, device losses, and support escalation. * * * 📣 Why This Matters for ISP & Cable Providers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-3#-why-this-matters-for-isp--cable-providers) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- Credit card fraud in this sector has tangible and escalating consequences: * Device fraud and inventory loss from fake orders or upgrades. * Revenue disruption from chargebacks and delayed payments. * Reputational risk with banking partners or card networks. * Higher support costs from account lockouts and payment disputes. When customers are proactively alerted that their co-branded card has been compromised – even without active fraud – they feel: * Protected and prioritized * More loyal to their service provider * Motivated to update their payment methods quickly and securely * * * 🎯 Key Benefits for ISP & Cable Providers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-3#-key-benefits-for-isp--cable-providers) --------------------------------------------------------------------------------------------------------------------------------------------------------------- * Reduce fraud losses and chargebacks linked to card misuse * Block exposed cards in real time before service is delivered * Improve fraud models with verified card exposure intelligence * Enable proactive customer outreach around card replacement and protection * Support investigations into account takeovers and fraud rings targeting ISP credit products Updated 13 days ago * * * Ask AI --- # Launching UI After Installation Once installed, ADG can be launched in the following ways: * **Double-click the installer** * **Open a browser** and go to: `http://localhost:8081` _(If installed on a different port, update the URL accordingly)_ * * * 🔒 Security Considerations [](https://docs.spycloud.com/public-sc/docs/launching-ui-after-installation#-security-considerations) ------------------------------------------------------------------------------------------------------------------------------------ * The ADG **user interface is not remotely accessible** via a browser. * For remote access: * Use **RDP** (Remote Desktop Protocol) to connect to the ADG workstation. * Access ADG as if you were physically at the machine. * The interface is available to any user with **local administrative privileges** on the ADG workstation. * * * ⚠️ Troubleshooting: UI Not Visible [](https://docs.spycloud.com/public-sc/docs/launching-ui-after-installation#%EF%B8%8F-troubleshooting-ui-not-visible) ------------------------------------------------------------------------------------------------------------------------------------------------------------ If you cannot see the ADG UI: 1. Verify that the ADG **service is running**. 2. Open the **Services application** in Windows: * Search for `Services` in the Windows search bar. 3. Confirm that the service is active. | **Service Name** | **Description** | | --- | --- | | SpyCloud AD Guardian 7 | The Windows service powering ADG UI | ![ADG Service Running in Windows Services](https://files.readme.io/d0edb231749aa33a1397dbafc747324b2414f4382681f8a4663ac513bfb2e3f9-image96.jpg) Updated 5 months ago * * * Ask AI --- # Advanced | Email Templates In order for ADG to configure and send emails, **SMTP must be configured**. (See [Configuring SMTP](https://spycloud-external.readme.io/public-sc/docs/settings#%EF%B8%8F-smtp) for instructions.) ADG provides **four default templates** out-of-the-box: * Default Scan Completed Email Template * Default Scan Failed Email Template * Default Password Exposed Email Template * Default Password Reset Email Template Users can use these defaults or create unlimited custom templates. * * * 🗂️ Email Template Types [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#%EF%B8%8F-email-template-types) --------------------------------------------------------------------------------------------------------------------------------- | **Type** | **Description** | | --- | --- | | **System** | Sent for system-level activities, e.g., scan completion or failure | | **User** | Sent in response to matches tied to an AD user (formerly called “User Outreach” emails) | > ⚠️ > > **Note:** The **Template Type** acts as a filter in the UI. If a template doesn’t appear in configuration, confirm it was created with the correct type. * * * ⚙️ Configuring Email Templates [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#%EF%B8%8F-configuring-email-templates) ---------------------------------------------------------------------------------------------------------------------------------------------- Navigate to **Advanced Settings → Email Templates** to see all available templates. * **Edit / Delete** → click next to the template (cannot delete if in use by a remediation policy) * **Create new** → click **Add** ![Create Template](https://files.readme.io/4d5049511bd56a98302227d3228421b7a92e2c9379aaa6e3a2b3faad14d45f84-image52.jpg) ### Steps to Create a New Template [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#steps-to-create-a-new-template) 1. Enter a **unique name** in _Template Name_ 2. Select a **Template Type** (System or User) 3. Define **To**, **Reply To**, and **Sender Name** fields * Supported tags: * `{{smtp_config_default_recipients}}` * `{{smtp_config_default_reply_to}}` * `{{smtp_config_default_sender_name}}` * Multiple recipients allowed (one per line) 4. Enter a **Subject Line** (supports tags for personalization) * Example: `Scan completed for domain: {{ad_domain}}. {{ad_total_accounts_scanned}} accounts scanned.` 5. Choose an **Email Format** (see below) ![Create Template](https://files.readme.io/adacf4250440e5ce85a8ce15a0132e1fefe9c4e1069ca0eca8d7134f89e89b21-image33.jpg) * * * 🎨 Email Format Options [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#-email-format-options) ----------------------------------------------------------------------------------------------------------------------- ### 🖼️ Default Template [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#%EF%B8%8F-default-template) * Compose the message body directly in ADG * Add an optional header logo (SpyCloud logo used if none selected) * Supports tagging ![Default Template](https://files.readme.io/7e412630e489102d9804f6239a0ebf3a36f179e46139495f49e2f95622a3630a-image10.jpg) * * * ### ✍️ Plain Text Message [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#%EF%B8%8F-plain-text-message) * Send as plain text (non-HTML) * Message body supports tagging ![Plain Text Template](https://files.readme.io/c84237201edfd1af84e12f396c1114e75b4c7878e8cc9e5f93a7801f19a68e4a-image66.jpg) * * * ### 💻 Custom HTML Template [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#-custom-html-template) * Upload an HTML file or create/edit HTML in ADG * Supports tagging * Saved templates undergo **security sanitization** to strip unsafe tags (see below) ![Custom HTML Template](https://files.readme.io/df3f1e6ab1ffea0b61270ed73f77eb29918b8e19035981173cb11cd27096e0b7-image90.jpg) * * * 🧪 Testing & Saving [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#-testing--saving) -------------------------------------------------------------------------------------------------------------- * **Send Test Email** → saves and sends the template to a test address * **Save** → stores template without sending * * * 🏷️ Email Personalization Tags [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#%EF%B8%8F-email-personalization-tags) --------------------------------------------------------------------------------------------------------------------------------------------- Tags can be used in: Subject Line, Message, HTML Template, To, Reply To, and Sender Name. ### System Email Tags [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#system-email-tags) | **Tag** | **Meaning** | | --- | --- | | `{{hostname}}` | Hostname where scan was run | | `{{ad_domain}}` | Local AD Domain scanned | | `{{total_breach_records}}` | Total breach records from Watchlist | | `{{ad_total_accounts_scanned}}` | Count of Local AD accounts scanned | | `{{ad_total_password_matches}}` | Count of Local AD password matches | | `{{ad_exact_matches}}` | Count of exact matches | | `{{ad_banned_matches}}` | Count of banned password matches | | `{{ad_fuzzy_matches}}` | Count of fuzzy matches | | `{{ad_idlink_matches}}` | Count of IDLink matches | | `{{ad_nist_matches}}` | Count of NIST Global matches | | `{{ad_password_reset}}` | Count of password resets performed | | `{{failure_message}}` | Failure message if scan fails | | `{{scan_settings}}` | Shorthand of scan settings chosen | | `{{smtp_config_default_recipients}}` | Value from “Default To” in SMTP config | | `{{smtp_config_default_reply_to}}` | Value from “Default Reply To” | | `{{smtp_config_default_sender_name}}` | Value from “Default Sender Name” | * * * ### User Email Tags [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#user-email-tags) | **Tag** | **Meaning** | | --- | --- | | `{{hostname}}` | Hostname where ADG is running | | `{{ad_domain}}` | Local AD Domain scanned | | `{{account}}` | SAM Account Name | | `{{email}}` | User’s Mail attribute | | `{{upn}}` | User Principal Name | | `{{display_name}}` | Display Name attribute | | `{{computed_email}}` | Mail if exists, else UPN | | `{{manager_email}}` | Manager’s Mail attribute | | `{{manager_upn}}` | Manager’s UPN | | `{{manager_display_name}}` | Manager’s Display Name | | `{{manager_computed_email}}` | Manager’s mail if exists, else UPN | | `{{match_type}}` | Type of password match | | `{{breach_id}}` | Source ID of breach | | `{{breach_description}}` | Description of breach | | `{{breach_source}}` | Breach source | | `{{exposure_count}}` | Exposure count (NIST matches) | | `{{smtp_config_default_recipients}}` | Value from SMTP config Default To | | `{{smtp_config_default_reply_to}}` | Value from Default Reply To | | `{{smtp_config_default_sender_name}}` | Value from Default Sender Name | * * * 🔒 Custom HTML Sanitization [](https://docs.spycloud.com/public-sc/docs/advanced-email-templates#-custom-html-sanitization) ------------------------------------------------------------------------------------------------------------------------------- When saving an HTML template, ADG strips unsafe HTML. **Allowed tags include:** `a, abbr, acronym, address, area, article, aside, b, blockquote, body, br, button, caption, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, div, dl, dt, em, fieldset, figcaption, figure, footer, form, h1–h6, header, hr, html, i, img, input, ins, kbd, label, li, main, mark, menu, meter, nav, ol, option, output, p, pre, progress, q, s, samp, section, select, small, span, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, time, tr, u, ul, var, wbr` **Allowed attributes include:** `abbr, accept, align, alt, autocomplete, bgcolor, border, checked, cite, class, colspan, contenteditable, dir, disabled, draggable, for, headers, height, href, id, lang, list, maxlength, media, method, name, placeholder, rel, required, rows, selected, size, span, src, style, tabindex, target, title, type, value, width` * * * Updated 5 months ago * * * Ask AI --- # Configuring ADG ⚙️ Configuring Active Directory Guardian [](https://docs.spycloud.com/public-sc/docs/configuration#%EF%B8%8F-configuring-active-directory-guardian) ======================================================================================================================================================= With Active Directory Guardian (ADG) 7.3, users can export and import their configuration via a config file. To configure ADG 7.3 for the first time, follow the steps below. * * * 🔑 Step 1: Enter Your SpyCloud API Key [](https://docs.spycloud.com/public-sc/docs/configuration#-step-1-enter-your-spycloud-api-key) ----------------------------------------------------------------------------------------------------------------------------------------- For steps on how to obtain your API key, reach out to your CSM. ![Enter API Key Screen](https://files.readme.io/5ee414ea1823111ea27480efdbaf19868b97c56a188aa43cd59eb26c342babd9-image83.jpg) * * * 📊 Step 2: Opt Out of Reporting Statistics (Optional) [](https://docs.spycloud.com/public-sc/docs/configuration#-step-2-opt-out-of-reporting-statistics-optional) --------------------------------------------------------------------------------------------------------------------------------------------------------------------- You may opt out of sending reporting statistics to the SpyCloud Portal. > ⚠️ > > ### > > If you opt out, you will not be able to monitor ADG host and scan details from the SpyCloud Portal. > > [](https://docs.spycloud.com/public-sc/docs/configuration#if-you-opt-out-you-will-not-be-able-to-monitor-adg-host-and-scan-details-from-the-spycloud-portal) Click **Next** to continue. ![Opt-Out Screen](https://files.readme.io/5ee414ea1823111ea27480efdbaf19868b97c56a188aa43cd59eb26c342babd9-image83.jpg) * * * 🏢 Step 3: Configure Local Active Directory Scan [](https://docs.spycloud.com/public-sc/docs/configuration#-step-3-configure-local-active-directory-scan) ------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Select **Setup Local Active Directory**. 2. Add the domain name manually or use **Get My Domain**. * The detected domain depends on the membership of the server/workstation running ADG. 3. Click **Next**. ![Local AD Setup](https://files.readme.io/bfe826e06aeb02fcc36394fe7046a1c65bb2c1cd4039d7f450081047a5a73805-image2.jpg) * * * 🔄 Step 4: Enable Automatic Scanning (Optional) [](https://docs.spycloud.com/public-sc/docs/configuration#-step-4-enable-automatic-scanning-optional) --------------------------------------------------------------------------------------------------------------------------------------------------------- Choose whether to enable **Automatic Scanning** (every 5 minutes). * Helps monitor for newly exposed credentials in near real time * Detected accounts can be handled via **Remediation Policies** ![Automatic Scanning Setup](https://files.readme.io/62b6cd37079bec405b11d7b0f7d874c5e64b9b695f69d2ca0ad5f4360ff6457e-image12.jpg) * * * 🕒 Step 5: Select Scan Type [](https://docs.spycloud.com/public-sc/docs/configuration#-step-5-select-scan-type) ------------------------------------------------------------------------------------------------------------------- * **Save and Configure Automatic Scan** → Runs quick scans every 5 minutes * **Save and Run Manual Scan** → Runs a deeper, comprehensive scan > 📘 > > 💡 _Recommendation_: Use **Automatic Scans** for real-time monitoring and schedule **Full Scans** daily for deeper analytics. ![Save & Scan Options](https://files.readme.io/fea4cfda015cc6e6343bf2c46175ffa84b30ffac64789fd7ef28843ec685effb-image31.jpg) * * * 🔧 Step 6: Create Remediation Policy [](https://docs.spycloud.com/public-sc/docs/configuration#-step-6-create-remediation-policy) ------------------------------------------------------------------------------------------------------------------------------------- If you enable **Automatic Scanning** for the first time, you must click **Create Remediation Policy** on the next screen. ![Remediation Policy Setup](https://files.readme.io/f738cb553eb559f1ff1788a67c12739207cfd6ba57575c5114c27bf4c9bef17d-image5.jpg) * * * 📧 Step 7: Configure Email Notifications [](https://docs.spycloud.com/public-sc/docs/configuration#-step-7-configure-email-notifications) --------------------------------------------------------------------------------------------------------------------------------------------- Add: * **Scan Failure Email** (notifies immediately on failure, throttled to 1/hr) * **Scan Completion Email** For details, see \[[Configuring SMTP Email](https://spycloud-external.readme.io/public-sc/docs/settings#%EF%B8%8F-smtp)\ \]. ![ Email Settings](https://files.readme.io/da63ba3edbfca2882fb2c9b68aea62d301140e86ebab81024d9232b8fb9da549-image27.jpg) * * * 🔄 Exporting & Importing Configuration [](https://docs.spycloud.com/public-sc/docs/configuration#-exporting--importing-configuration) ========================================================================================================================================= ADG 7.3 allows exporting/importing non-sensitive portions of configuration: * Useful for replicating installations or troubleshooting. 1. Navigate to **Advanced Settings → Import/Export**. ![](https://files.readme.io/915ce374abe8c5f50bc640b7f803b792f62e8e2f7eb54c6afbd6898d1e6ee08a-image68.png) 2. Export creates a JSON file: `ADG Config 7.3.0.0.txt`. > ⚠️ > > Do not modify this file — modified files cannot be imported. ![](https://files.readme.io/d7c4a44f3f7430f96f7fec5459a7f865f2b354601927270a56df58587a3f9d02-image70.png) Import the config file to replicate settings. * A green banner confirms success.![](https://docs.spycloud.com/public-sc/docs/images/adg-config-import-export.png) ![](https://files.readme.io/3003889f37d19fec152b03091d94d7cad7d2a7ae4ee5304cf3fd4f82b50fa98e-image56.png) ![](https://docs.spycloud.com/public-sc/docs/images/adg-config-import.png) * * * Updated 5 months ago * * * Ask AI --- # Installation ✅ Installation Checklist [](https://docs.spycloud.com/public-sc/docs/installation#-installation-checklist) ============================================================================================================== Below is a checklist of items that are recommended to have available prior to installation of Active Directory Guardian: 🧾 Required Information [](https://docs.spycloud.com/public-sc/docs/installation#-required-information) ----------------------------------------------------------------------------------------------------------- * API Key * Service Account Username and Password * Or a gMSA Service Account with appropriate permissions * (See: _[Configuring a Group with 'Least Privilege'](https://spycloud-external.readme.io/public-sc/docs/configuring-a-group-with-least-privelege) for ADG_) ### Optional [](https://docs.spycloud.com/public-sc/docs/installation#optional) * SMTP Server Settings (for configuring email notifications) * HTTP Proxy Settings (if required for accessing the SpyCloud API) * * * 🔑 Obtaining Your SpyCloud API Key [](https://docs.spycloud.com/public-sc/docs/installation#-obtaining-your-spycloud-api-key) --------------------------------------------------------------------------------------------------------------------------------- Before proceeding with configuring Active Directory Guardian (ADG), you will need to obtain your SpyCloud API Key. To do this, follow the instructions below. 1. Log in to the SpyCloud portal at [https://portal.spycloud.com](https://portal.spycloud.com/) . 2. Click your email address in the top right corner of the page and select **API Keys**. ![](https://files.readme.io/dc14de2749a03c5fea8d3536910c99040641da5dd7869d92c2ce1b03d305981e-image95.jpg) 3. Find the key labeled **AD Guardian**, click the green eye icon to reveal the key, and copy it. * If you don’t see an ADG API key, please open a support ticket via the portal. ![](https://files.readme.io/22adcc38b6f6b392f86929114a5ba8a0ba2e66dc0425754c209dd5df780f1b75-image9.jpg) * * * 👤 Service Account Details [](https://docs.spycloud.com/public-sc/docs/installation#-service-account-details) ----------------------------------------------------------------------------------------------------------------- During installation, you will be asked to provide: * A domain account username and password for the ADG service * This account needs administrative permissions (see: _[Least Privilege](https://spycloud-external.readme.io/public-sc/docs/configuring-a-group-with-least-privelege) _ section) You may optionally select **Use Group Managed Service Account (gMSA)** — this option does not require a password. ### Optional Configuration During Install: [](https://docs.spycloud.com/public-sc/docs/installation#optional-configuration-during-install) * **Service Port**: You can set a custom port (between `5001` and `49151`) * **Destination Directory**: Change install path from the default if needed * * * 📦 Installing Active Directory Guardian [](https://docs.spycloud.com/public-sc/docs/installation#-installing-active-directory-guardian) ------------------------------------------------------------------------------------------------------------------------------------------- ### 🔽 Downloading ADG from the Customer Portal [](https://docs.spycloud.com/public-sc/docs/installation#-downloading-adg-from-the-customer-portal) 1. The ADG installer is located in the **SpyCloud Portal > Software Downloads** section. * Don’t have portal access? Ask your SpyCloud admin to create an account or download the installer for you. 2. Click **Download** to save the installer to your local machine. * * * ### 🛠 Running the Installer [](https://docs.spycloud.com/public-sc/docs/installation#-running-the-installer) 3. Double-click the downloaded installer file. ![](https://files.readme.io/aedae79c0229c489a35cc1dc06f0c05fe46d29c1b80f47c1ef04c864ad3f8e60-image26.jpg) 4. Click **Next** to proceed or **Quit** to cancel. ![](https://files.readme.io/943f70228556c290caccf5b5ef19331ebe842fca15f15dbbbace64d39028e2ed-image3.jpg) 5. Read the license agreement. Click: * **Back** to return * **Accept** to continue * **Quit** to cancel![](https://docs.spycloud.com/public-sc/docs/images/image5.png) ![](https://files.readme.io/dc27cc63cfd8fb68077c57a5060102d747df332414e4d4e05bfc1686d8a59d86-image38.jpg) 6. Enter your: * **Service Account Username** (`DOMAIN\USER`) * **Password** (unless using gMSA) * Then click **Install** ![](https://files.readme.io/0442bec63bff6cad5c37a3cbcd4b5b91d501a8a0a42bf3f754777a98c7074079-image11.jpg) The installer will complete the service setup locally. 7. After clicking **Finish**, the service will start automatically, and a shortcut will be placed on your desktop. ![](https://files.readme.io/4967c90dc47b421b34cda753b1258b1491e825348dbcfb89824efa3d35dde366-image19.jpg) * * * 🌐 First Launch & Configuration [](https://docs.spycloud.com/public-sc/docs/installation#-first-launch--configuration) -------------------------------------------------------------------------------------------------------------------------- After installation completes: * Your default browser will open a new tab/window * You’ll be redirected to begin configuring Active Directory Guardian ![](https://files.readme.io/d5b3739e6648a40828b59da3c9198e267f16778ed6e5d4fc1e26381345e036a7-image91.jpg) Updated 5 months ago * * * Ask AI --- # LDAPS Configuration Configure LDAPS for Active Directory Guardian (ADG) [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#configure-ldaps-for-active-directory-guardian-adg) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The **latest version** of ADG eliminates LDAP protocol fallback. Admins must explicitly select **LDAPS-only (secure)** or **LDAP-only** at install or in settings. If the chosen mode does not allow a valid connection, scans and installs will not run until corrected. Clear error messages guide admins in enforcing encrypted directory connections and reducing misconfiguration risk. * * * Key functionality [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#key-functionality) ------------------------------------------------------------------------------------------------------- * **No fallback:** ADG will not downgrade from LDAPS to LDAP or vice versa. * **Explicit mode selection:** Choose LDAPS-only (secure) or LDAP-only at install or in Settings. * **Validation built-in:** If ADG cannot connect in the selected mode, scans and installs cannot proceed until the connection is valid. > **Default behavior:** If you make no changes, ADG continues operating in **LDAP-only (port 389)**. * * * Modes at a glance [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#modes-at-a-glance) ------------------------------------------------------------------------------------------------------- | Mode | Encryption | Port | Fallback | | --- | --- | --- | --- | | **LDAPS-only** | Yes | 636 | None | | **LDAP-only** | No | 389 | None | > **Known limitation:** If **LDAPS-only** is enforced but your domain controllers don’t accept secure connections, ADG will **fail to connect** (by design). * * * Enable LDAPS [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#enable-ldaps) --------------------------------------------------------------------------------------------- ### Option A — During Install [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#option-a--during-install) 1. Run the installer from the **latest version** of ADG. 2. When prompted for directory connection, select **Enforce LDAPS (secure channel only)**. 3. Complete the installer. ADG validates LDAPS connectivity before continuing. 4. You'll have to paste in your domain when setting up when you choose this option due to security limitations. ### Option B — Post-Install (Settings) [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#option-b--post-install-settings) 1. In ADG, go to **Settings → Essentials → LDAP**. 2. Select **LDAPS-only (secure)**. 3. **Save** to trigger a connectivity check. **Permissions:** The ADG service account requirements **do not change** for LDAPS. Use the same account you use for LDAP. * * * Error messages you may see [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#error-messages-you-may-see) ------------------------------------------------------------------------------------------------------------------------- **Install-time failure** Installation Error: The account you provided to run SpyCloud Active Directory Guardian does not have permission to replicate data from Active Directory or is unable to connect using the selected LDAP connection mode. **Post-install save failure (toast)** The local Active Directory domain doesn’t appear to be accessible in LDAPS mode. Please review certificate trust, firewall rules, or domain controller configuration. * * * Troubleshooting [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#troubleshooting) --------------------------------------------------------------------------------------------------- Certificate trust Ensure DCs present a valid Server Authentication cert trusted by the ADG host. Firewall/ports Verify TCP **636** is open between ADG and your DCs. Target DCs If you restrict DCs by name/IP, confirm those hosts accept LDAPS. Account & rights Confirm the ADG service account can connect/bind and replicate as required. TLS inspection Disable middleboxes that break TLS to DCs. * * * How to get the update [](https://docs.spycloud.com/public-sc/docs/ldap-configuration#how-to-get-the-update) --------------------------------------------------------------------------------------------------------------- Download the installer and documentation for the **latest version** from the **SpyCloud Enterprise Portal → Software Downloads**. Updated 4 months ago * * * Ask AI --- # Logging SpyCloud Active Directory Guardian (ADG) generates several logs to assist with general operation and debugging purposes. * * * 🛠️ Installation Log [](https://docs.spycloud.com/public-sc/docs/logging#%EF%B8%8F-installation-log) -------------------------------------------------------------------------------------------------------- * Created during installation * Path: C:\\ProgramData\\SpyCloud\\AD Guardian\\7\\Logs\\installer.log.txt 📝 **NOTE** This file can be used to troubleshoot installation issues and should be shared with SpyCloud support if you are reporting such issues. * * * 📖 General Log [](https://docs.spycloud.com/public-sc/docs/logging#-general-log) ------------------------------------------------------------------------------------ The **General Log** provides a history of ADG activity. Events recorded include: * Scan report could not be saved to database * Scan completion/failure email could not be sent * User email notification failed * User matched but groups could not be loaded (excluded from remediation) * Scan report CSV could not be saved to disk * Password reset failed * User disable failed * Okta password reset failed * Scan canceled * Scan completed * Scan failed * User could not be scanned (e.g., AD load error or API failure like NIST) * Scan started * Telemetry could not be sent to SpyCloud ![](https://files.readme.io/0a0ce077b93420a22edce90a9f3e0985a78afcbf3f68807b1be1b5ffbe364670-image28.jpg) * * * 👤 User Actions Log [](https://docs.spycloud.com/public-sc/docs/logging#-user-actions-log) ---------------------------------------------------------------------------------------------- Captures any **user-related activity** during remediation: * Actions at the conclusion of a scan * Actions applied manually from the **Scan Results** page ![](https://files.readme.io/a7e0941517d7a3a144d1dfcb2a6d88dfdf9b132890f109ce4c15574317d5f56c-image8.jpg) * * * 🐞 Debug & Extended Logging [](https://docs.spycloud.com/public-sc/docs/logging#-debug--extended-logging) ------------------------------------------------------------------------------------------------------------- * Logs stored at: C:\\ProgramData\\SpyCloud\\AD Guardian\\7\\Logs * Format: `debug.YYYYMMDD.txt` * `YYYY` = year * `MM` = month * `DD` = day * Multiple runs per day append to the same file ### 🔧 Extended Logging [](https://docs.spycloud.com/public-sc/docs/logging#-extended-logging) If you encounter difficulties, you may be asked to enable **Extended Logging**. * Enable via a checkbox under **Advanced Settings** in **Manual Scan** and **Scheduled Scan** configuration screens. * Captures more granular details of ADG operations. * * * 📋 Extended Logging Messages [](https://docs.spycloud.com/public-sc/docs/logging#-extended-logging-messages) ---------------------------------------------------------------------------------------------------------------- Extended logging captures: * When a user is scanned and whether they matched * Scan completion/failure email could not be sent (missing required variables like `To`) * Scan completion/failure email sent, but optional variables (e.g., `Reply To`) could not be substituted * User email sent successfully * User email failed (missing required fields like `To`) * User email sent but optional fields (like `Reply To`) could not be substituted * User password reset attempted Updated 5 months ago * * * Ask AI --- # Compromised Credit Card API In today’s healthcare ecosystem, providers manage extensive volumes of sensitive patient and administrative data – including stored credit cards used for copays, recurring medical billing, pharmacy payments, and telehealth services. Many healthcare systems also partner with financial institutions to issue co-branded credit cards, offering rewards, financing options, or health spending incentives. These cards, however, are not immune to cybercriminal misuse. Healthcare providers can reduce fraud losses and enhance patient trust by actively monitoring compromised credit cards – including card numbers, expiration dates, and CVVs exposed via data breaches or dark web marketplaces. When this intelligence is integrated into fraud detection systems and revenue cycle operations, it serves as a proactive risk signal, enabling healthcare organizations to act before fraud is realized. Providers can monitor their co-branded credit cards via Bank Identification Numbers (BINs) to detect exposure early and mitigate potential abuse. By identifying compromised cards in circulation, healthcare organizations can: * Prevent fraudulent payments for services, prescriptions, or medical devices. * Reduce chargebacks tied to unauthorized transactions or identity misuse. * Flag patient accounts at risk based on compromised payment credentials. * Support investigations into coordinated fraud schemes targeting healthcare billing systems. * * * 🧠 SpyCloud’s Credit Card Intelligence for Healthcare [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-2#-spyclouds-credit-card-intelligence-for-healthcare) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud provides unmatched visibility into recaptured credit card data – specifically cards being actively distributed among cybercriminal networks and highly likely to be used for fraud. Using **SpyCloud’s Compromised Credit Card API**, healthcare billing and fraud teams can: * Access exposed card records linked to their co-branded BINs. * Feed exposure intelligence into payment processing, billing, and fraud prevention workflows. * Block, verify, or flag transactions involving exposed cards before they lead to fraud. > 🔒 > > By disrupting card-based fraud attempts, healthcare providers safeguard patient payment data and maintain integrity in financial operations. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-2#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------------- The SpyCloud Compromised Credit Card API enables automated detection of compromised credit cards through a RESTful JSON interface. Healthcare organizations can query the API using one or more 6-digit BINs (up to 10 per request) and receive: * SHA1-hashed credit card numbers * Source metadata (e.g., breach, malware, phishing exposure) * Timestamps of compromise * Additional contextual data **At a glance** | 🔎 Queries | 📤 Output | | --- | --- | | One or more 6-digit BINs (up to 10 per request) | SHA1-hashed credit card numbers; source metadata (e.g., breach, malware, phishing exposure); timestamps of compromise; additional contextual data | * * * 🧪 Example Use Cases [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-2#-example-use-cases) ---------------------------------------------------------------------------------------------------------------------- * Flagging compromised cards during **new patient onboarding or online payment**. * **Verifying payment method risk** before submitting claims or recurring charges. * Monitoring large-scale exposures to identify fraud trends or card abuse affecting your **co-branded card program.** * * * 🗃️ Data Sources [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-2#%EF%B8%8F-data-sources) ---------------------------------------------------------------------------------------------------------------------- SpyCloud researchers aggregate compromised card data from: * Malware-infected devices (including patient phones or staff workstations). * Phishing sites targeting healthcare payment portals. * Breaches involving healthcare, pharmacy, or third-party billing vendors. This intelligence allows healthcare fraud teams to act quickly and decisively, protecting both the organization and its patients from downstream financial harm. * * * 📣 Why This Matters for Healthcare Providers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-2#-why-this-matters-for-healthcare-providers) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- Credit card fraud in healthcare has serious implications: * Misuse of co-branded cards to pay for unauthorized services or prescriptions. * Revenue disruption due to chargebacks and billing disputes. * Reputational harm with banking partners, card networks, or regulators. * Strained support resources managing payment issues and patient communications. When patients are proactively notified that their stored or co-branded card has been compromised – even if no fraud has occurred – they feel: * Protected and respected by their provider * Motivated to update their payment method securely * More loyal to a healthcare brand that puts patient security first * * * 🎯 Key Benefits for Healthcare Providers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-2#-key-benefits-for-healthcare-providers) -------------------------------------------------------------------------------------------------------------------------------------------------------------- ### #1 Reduce chargebacks and financial losses tied to fraudulent card usage ### #2 Block high-risk transactions in real time before billing is processed ### #3 Enhance fraud models using verified card exposure intelligence ### #4 Support compliance and care coordination through secure payment infrastructure ### #5 Enable targeted outreach to patients with at-risk co-branded cards. ### #6 Link identifiers and artifacts (emails, phones, IPs) to threat actor infrastructure. Updated 13 days ago * * * Ask AI --- # Compromised Credit Card API In today’s digital world, telecom providers handle a vast amount of sensitive subscriber data – including stored payment methods for postpaid plans, device financing, and digital content purchases. Many providers also partner with banks to issue co-branded credit cards, giving subscribers rewards and discounts on services. These cards, however, are Telecom operators can reduce fraud losses and increase customer trust by monitoring compromised credit cards – **including card numbers, expiration dates, and CVVs exposed via breaches or dark web markets.** When this data is integrated into fraud detection systems, it serves as a proactive risk signal—allowing companies to act before fraud occurs. By identifying and monitoring credit cards already in the hands of cybercriminals, telecom companies can: * Prevent fraudulent purchases (e.g., devices, SIM cards, premium services). * Reduce chargebacks and unauthorized payments. * Preemptively flag high-risk accounts tied to compromised payment data. * Support broader investigations into organized fraud rings targeting telecom services. * * * 📡 SpyCloud’s Credit Card Intelligence for Telecom [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-1#-spyclouds-credit-card-intelligence-for-telecom) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud provides deep visibility into recaptured credit card information – cards that are actively circulating among cybercriminals and carry a high risk of misuse. This API enables telecom risk and fraud teams to: * Access exposed card data linked to specific BINs (Bank Identification Numbers). * Integrate threat intelligence into fraud prevention workflows. * Cancel or require verification for transactions involving exposed cards. By preventing fraudulent transactions tied to compromised cards, telecom providers can protect their revenue and preserve subscriber trust. * * * 🧪 How It Works [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-1#-how-it-works) ------------------------------------------------------------------------------------------------------------ The **SpyCloud Compromised Credit Card API** supports automated detection of exposed credit cards through a REST API. Queries are made by submitting one or multiple 6-digit BINs (up to 10 per request) to retrieve all associated credit card records for a specified timeframe. **Output includes:** SHA1-hashed card numbers, exposure sources, timestamps, and metadata. > **Use case:** Automatically flag high-risk cards at point-of-sale or during recurring billing validation. Consider reissuing a new card. **At a glance** | 🔎 Queries | 📤 Output | | --- | --- | | Queries are made by submitting one or multiple 6-digit BINs (up to 10 per request) to retrieve all associated credit card records for a specified timeframe. | SHA1-hashed card numbers, exposure sources, timestamps, and metadata. | * * * 🗃️ Data Sources [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-1#%EF%B8%8F-data-sources) ---------------------------------------------------------------------------------------------------------------------- SpyCloud researchers collect exposed card data from: * Malware-infected devices (e.g., subscriber mobile phones, payment terminals) * Phishing kits and fake telecom bill payment pages * Data breaches targeting telecom or adjacent industries This proactive threat intelligence equips telecom fraud teams with the tools to intervene before charges post or hardware is shipped fraudulently. * * * 📣 Why This Matters for Telecom Providers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-1#-why-this-matters-for-telecom-providers) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- Credit card fraud in telecom can result in: * Device losses from fraudulent handset or accessory purchases. * Revenue loss from reversed service charges. * Strained relationships with payment processors. * Higher support costs tied to account remediation. When telecom customers are proactively notified that their stored card is at risk—even if no fraud has yet occurred—they feel: * Protected and valued by their provider * Empowered to update their payment details securely * More loyal to a brand that puts their financial safety first * * * 🎯 Key Benefits for Telecom [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-1#-key-benefits-for-telecom) ------------------------------------------------------------------------------------------------------------------------------------ * Reduce chargebacks and revenue leakage * Block high-risk transactions before fulfillment * Strengthen anti-fraud analytics by correlating card exposure to account behavior * Enhance customer care with proactive communication about card security * Support law enforcement or internal investigations into fraud rings Updated 13 days ago * * * Ask AI --- # Scan in Progress While the scan is running, ADG displays a **progress bar** to indicate real-time scan progress. Depending on the environment and configuration, a scan may take **minutes to hours**. The duration depends on the following factors: ⏱️ Factors Affecting Scan Duration [](https://docs.spycloud.com/public-sc/docs/scan-in-progress#%EF%B8%8F-factors-affecting-scan-duration) ---------------------------------------------------------------------------------------------------------------------------------------------- * Number of exposed corporate credentials for your organization * Number of Active Directory accounts being scanned * Scan options chosen * **Check Banned Password List** * **Number of Banned Passwords** * **Check for Fuzzy Matches** * **Check Against All Known Compromised Passwords** * **Audit Shared Passwords** * Speed of connection and response times for **Active Directory** * Speed of connection and response times for the **SpyCloud API** ![](https://files.readme.io/927e50ce18fb8cf7bd922a3a74609d88371b42ec0790b713f837418525417e70-image60.jpg) ![](https://docs.spycloud.com/public-sc/docs/images/adg-scan-progress.png)_Progress bar showing scan status during execution_ Updated 5 months ago * * * Ask AI --- # Configuring Scan Options ### SpyCloud Breach Records [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#spycloud-breach-records) * Select which breach records to scan against: **All Records**, **Last 6 months**, **Last 3 months**, **Last month**, **Last week**, **Last day** > Recommended: **All Records** (best for detecting password reuse). ![Breach Records Screen](https://files.readme.io/8377447020636f3c08ea41e84c3937b38d56e77195e20b8bb27f8921d344fcd1-image20.png) * * * ### Local Active Directory Scan [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#local-active-directory-scan) Options: * **Scan Local Active Directory** * **Skip Disabled Accounts** * **Skip Accounts with Expired Passwords** (useful for new hires not yet active) ![Local AD Scan Options](https://files.readme.io/2fba4fb5faac82df995853c1e0ab3578c49efc1072c5946e45e5b6fc1122c594-image16.jpg) 📝 **ADVANCED** Additionally, you can click Advanced and be presented with options for including and/or excluding collections of users. These collections can be configured under Settings → Collections. For more on this, see [Active Directory Object Collection](https://spycloud-external.readme.io/public-sc/docs/advanced-ad-object-collections) . * * * ### Match Type [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#match-type) The next screen of the scan configuration determines what scan types will be performed, along with advanced settings for notifications, reporting, and logging. ![Match Type Screen](https://files.readme.io/a7053ff8f50417773016390c9f824afa899009a989d1addcbcfce0e247637dd0-image24.png) ADG supports multiple **match types**. * The **Exact Matches** scan type is always enabled by default. * Additional match types can be enabled depending on your organization’s needs. If multiple match types are selected, ADG will evaluate each account **top to bottom**. > 👉 > > For example: if an **Exact Match** is detected, later scan types will not be executed for that account. #### 🧩 Available Match Types [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-available-match-types) | **Match Type** | **Description** | | --- | --- | | **Exact Matches** _(Always On)_ | Compares an AD user’s current password against known exposed passwords in SpyCloud breach data. Uses identifiers such as `sAMAccountName`, `UPN`, `mail`, `proxyAddresses`, and `targetAddresses`. | | **Check Banned Password List** | Compares passwords against a configurable banned list. The default list includes common weak passwords, and admins can add custom entries. | | **Check for Fuzzy Matches** | Detects variations of exposed or banned passwords (e.g., slight modifications like `Password1!` → `Password2!`). Helps catch near-reuse that may bypass uniqueness policies but remain exploitable. | | **Check Against All Known Compromised Passwords** | Compares each user’s AD password against SpyCloud’s **entire dataset** of known compromised credentials, regardless of associated identity. | | **Check Against IDLink Matches** | Uses SpyCloud’s proprietary **IDLink identity analytics** to detect reuse between work credentials and personal/external exposures tied to the same employee. | #### 🧠 Why Match Types Matter [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-why-match-types-matter) Different match types provide varying depth of coverage: * **Exact Matches** → Quickest detection of confirmed credential reuse * **Banned Password List** → Enforces internal password hygiene policies * **Fuzzy Matches** → Finds “creative” but weak variations employees often use * **All Known Compromised Passwords** → Ensures no employee password has appeared anywhere in SpyCloud’s recaptured data * **IDLink Matches** → Identifies when personal account compromises create corporate risk * * * ### 🔒 Exact Matches (Always On) [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-exact-matches-always-on) The **Exact Matches** option is always enabled in ADG. This scan type checks for matches between a user’s current AD password and any of the exposed passwords found in SpyCloud’s enterprise breach data for that user. ADG leverages the following account attributes when identifying breach records: | **Attribute** | **Description** | | --- | --- | | **sAMAccountName** | Windows logon name (legacy username) | | **UPN** | User Principal Name (typically email format) | | **mail** | Primary email address associated with the user | | **proxyAddresses** | Alternate or secondary email addresses | | **targetAddresses** | Targeted or forwarded email addresses | > 💡 > > _Because Exact Match runs first, if an exposed password is identified here, other scan types (like fuzzy or banned password checks) will not be attempted for that user account._ * * * ### 🚫 Check Banned Password List [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-check-banned-password-list) The **Check Banned Password List** option allows ADG to compare an AD user’s password against a configurable list of banned passwords. * On a default installation, this list includes common weak passwords. * Administrators can edit or expand the list to include custom banned passwords. * The list can be managed in the ADG console by navigating to **Banned Passwords** in the left-hand navigation. | **Feature** | **Description** | | --- | --- | | **Purpose** | Detects weak or common passwords in use by AD accounts. | | **Default List** | Pre-populated with widely used insecure passwords. | | **Customization** | Admins can add their own entries to enforce org-specific policies. | | **Management** | Edit/view list under **Settings → Banned Passwords**. | > 💡 > > _Tip: Keep your banned password list updated to reflect both common global weak passwords and your organization’s known risky patterns (e.g., company name + year)._ * * * ### 🔎 Check for Fuzzy Matches [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-check-for-fuzzy-matches) The **Check for Fuzzy Matches** option checks for similarities between a user’s AD password and: * Variations of their previously exposed passwords * Variations of banned password list entries (if that option is enabled) This check helps identify users who reuse the same or very similar password with only slight changes. While these variations may pass uniqueness policy tests, they remain highly exploitable by attackers using common password mutation techniques. #### 📑 Details [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-details) | **Feature** | **Description** | | --- | --- | | **Purpose** | Detects weak password reuse patterns across slight variations. | | **Examples** | `Password1!` → `Password2!` or `Summer2023!` → `Summer2024!` | | **Works With** | Variations of both exposed credentials **and** banned password list entries. | | **Benefit** | Flags users who try to “game” uniqueness rules but still use unsafe passwords. | > 💡 > > _Fuzzy matching is critical because attackers often run brute-force attempts with simple password mutations, making these accounts more vulnerable if not detected._ ![](https://files.readme.io/853167012865271fde9ad132c8339bdd606aa761965ceac125dca8724960912c-image49.png) * * * ### 🌍 Check Against All Known Compromised Passwords [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-check-against-all-known-compromised-passwords) The **Check Against All Known Compromised Passwords** option compares each AD user’s password against SpyCloud’s **entire dataset** of recaptured credentials. * Ensures detection of password exposure **even if the password has no direct link to that user’s corporate identity**. * Provides the broadest safety net across billions of exposed credentials. #### 📑 Details [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-details-1) | **Feature** | **Description** | | --- | --- | | **Scope** | SpyCloud’s full corpus of compromised passwords. | | **Purpose** | Identifies risky passwords even if they have not been linked to your users specifically. | | **Benefit** | Prevents employees from using a password that has ever been exposed, regardless of source or context. | > 💡 > > _This is a more resource-intensive scan but provides maximum assurance that no compromised password is in use across your AD environment._ ![](https://files.readme.io/ba4448c4ea7f1ce91a1bc953a8018057813ec2b7813c2cbdb89696e9c094c7dc-image94.png) * * * ### 🔗 Check Against IDLink Matches [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-check-against-idlink-matches) The **Check Against IDLink Matches** option leverages SpyCloud’s proprietary **IDLink™ identity analytics** to identify cross-identity password reuse. * Detects when an AD user’s password matches one exposed in a personal or external account breach. * Highlights risky behavior where employees reuse personal passwords for corporate accounts. #### 📑 Details [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-details-2) | **Feature** | **Description** | | --- | --- | | **Scope** | Passwords tied to the employee across **personal and corporate exposures**. | | **Purpose** | Uncovers risk when staff reuse credentials across different accounts or domains. | | **Benefit** | Enables remediation even when compromised credentials originated outside of the work environment. | > 💡 > > _IDLink helps connect the dots between an employee’s personal and professional identities, making it possible to stop attacks stemming from password reuse across ecosystems._ ![](https://files.readme.io/daaf06ddaaa4a375dacd5ab7a26f6b0ea68e581e0016543c02eb25176cde84a3-image30.png) * * * ### 📝 Audit Type [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-audit-type) ADG 7.3 currently supports one audit option during scans: **Check for Shared Passwords**. More audit options will be available in future releases. The **Check for Shared Passwords** option allows ADG to identify Active Directory accounts that are using the **same password**. ![Audit Type Screen](https://files.readme.io/8cdff5338e716e96d1fb544353b77871b6396f48b3bd4aa105b8e6e3bd9aa32a-image36.png) #### 📑 Details [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#-details-3) | **Feature** | **Description** | | --- | --- | | **Purpose** | Detects AD accounts that share identical passwords across users. | | **Benefit** | Highlights risky practices such as shared service accounts or employees reusing a common password. | | **Use Case** | Helps enforce account hygiene and separation of duties by flagging password reuse in your domain. | > 💡 > > _Password sharing significantly increases the risk of account takeover, since compromise of one account can expose multiple accounts at once._ * * * ### 🛠️ Remediation Options [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#%EF%B8%8F-remediation-options) Once you’ve determined which scan types to run, you can decide what remediation actions ADG should apply when matches are detected. * The **default option** is **No Remediation**. * This is recommended for your **first scan**, so you can review results before enforcing actions. ![Remediation Options Screen](https://files.readme.io/475de75dbf45b0a3a915f004656a14b5472feb9ffa9521a28d152438eeafb8ef-image42.jpg) For configuring remediation policies, you can: * Select **Create Remediation Policy** to define new actions * Or choose **Edit Remediation Policy** to adjust existing ones For more details, see \[[Configuring Remediations](https://spycloud-external.readme.io/public-sc/docs/advanced-configuring-remediations)\ \]. ![Create/Edit Policy Screen](https://files.readme.io/ff3863398551c6693986169c0548a83591091a0a98922563a0a6efcd8c74d3e3-image59.png) #### Options Summary [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#options-summary) | **Option** | **Description** | | --- | --- | | **No Remediation** _(default)_ | Runs scans but does not enforce actions. Recommended for initial testing. | | **Create Policy** | Define remediation steps to take when matches occur. | | **Edit Policy** | Adjust or refine existing remediation policies. | > 💡 > > _Tip: Run your first few scans with**No Remediation** to validate results, then configure policies for automated remediation once you are confident in your setup._ * * * ### ⚙️ Advanced Scan Settings [](https://docs.spycloud.com/public-sc/docs/configuring-scan-options#%EF%B8%8F-advanced-scan-settings) To choose the email template used for scan failures, select an email template next to **Scan Failure Email**. To choose an email template used for scan completion, select an email template next to **Scan Completion Email**. There are default templates available to use or you can create and customize your own templates. You will not be able to select emails here unless you have configured your SMTP settings here: \[[Configuring SMTP](https://spycloud-external.readme.io/public-sc/docs/settings#%EF%B8%8F-smtp)\ \]. > For information on creating your own email templates, see \[[Email Templates](https://spycloud-external.readme.io/public-sc/docs/advanced-email-templates)\ > \]. ![Advanced Scan Settings Screen](https://files.readme.io/a3d3f557ffefb143ea3e7bfbf42ebae87cc310ed142ee5130837032d0f5a5c37-image80.jpg) If you choose to configure a **Scan Completion Email**, you can then also decide if you want a CSV report of the scan and optional shared password report attached to the completion email by checking **Attach CSV Report to Scan Completion Email**. Additionally, if you’d like the CSV to only contain password matches, select **Skip Email Only Matches in CSV Report.** Turning on **Extended Logging** will cause more details to be written to the debug log file to aid in diagnosing problems. Generally, this should only be used when debugging or if SpyCloud support asks you to do so. (See Debug and Extended Logging for more information). Once you have finished setting up your scan options, you can run the scan by clicking **Run Scan.** Updated 5 months ago * * * Ask AI --- # Requirements This page outlines the software, hardware, permissions, and network configurations required to run Active Directory Guardian (ADG) 7.3 in your environment. * * * 💻 Platform & Browser Compatibility [](https://docs.spycloud.com/public-sc/docs/requirements#-platform--browser-compatibility) ---------------------------------------------------------------------------------------------------------------------------------- | **Component** | **Requirement** | | --- | --- | | **Supported OS** | Windows 10 (workstation)
Windows Server 2012 and later | | **Browser** | ✅ Google Chrome (v89+)
✅ Microsoft Edge (v91+)
❌ Internet Explorer is _not supported_ | | **.NET Framework** | 4.8 or higher (required) | * * * 👤 Required Permissions [](https://docs.spycloud.com/public-sc/docs/requirements#-required-permissions) ----------------------------------------------------------------------------------------------------------- | Permission Type | Details | | --- | --- | | **Local (for install)** | • Install software
• Configure Windows service
• `Log on as a service` permission | | **Active Directory** | • Reset user passwords
• Force password change at next login
• Read/write: `lockoutTime`, `pwdLastSet`, `userAccountControl`
• Replicating Directory Changes
• Replicating Directory Changes All | > Best practice: Assign these permissions to a group via **Delegate Control**, then assign your service account to that group. > ⚠️ > > _Note: If group policy overrides group permissions, grant them directly to the service account._ * * * 🧮 Hardware Specifications [](https://docs.spycloud.com/public-sc/docs/requirements#-hardware-specifications) ----------------------------------------------------------------------------------------------------------------- | **Component** | **Minimum Spec** | **Notes** | | --- | --- | --- | | **Memory** | 8 GB RAM | More is better for large banned password lists or fuzzy scans | | **Storage** | 20 GB | For logs and hash cache | | **CPU** | 2 GHz+ (multi-core) | More cores = faster scanning. ADG uses one thread per core | > 🧠 > > If access to the domain controller or SpyCloud API is **slow**, ADG will limit to one CPU core for processing. **Definition of “Slow”:** When fetching one account from the DC takes longer than scanning it locally. * * * 🌐 Network Access & Ports [](https://docs.spycloud.com/public-sc/docs/requirements#-network-access--ports) -------------------------------------------------------------------------------------------------------------- ADG communicates with internal infrastructure and external APIs using specific ports. The following sections outline the necessary access requirements. ### 🔄 Internet Connectivity [](https://docs.spycloud.com/public-sc/docs/requirements#-internet-connectivity) 🌐**External API Communication** * Port **443 (HTTPS)** is required for outbound access to the SpyCloud API * Make sure `*.spycloud.com` is reachable from the ADG host * * * ### 🖥️ Active Directory Communication [](https://docs.spycloud.com/public-sc/docs/requirements#%EF%B8%8F-active-directory-communication) 🧩**Local AD Connectivity** ADG requires internal network access to your domain controllers on the following ports: * Port **389**: LDAP * Port **135**: MS-DRSR (Active Directory replication) * * * ### 🧱 Proxy Environments [](https://docs.spycloud.com/public-sc/docs/requirements#-proxy-environments) If your environment uses a proxy for outbound traffic: * Open your proxy's specific port for outbound HTTPS * Allow access to `*.spycloud.com` * Ensure DNS resolution is available for external domains * * * ### ✉️ SMTP Configuration (If Using Email Alerts) [](https://docs.spycloud.com/public-sc/docs/requirements#%EF%B8%8F-smtp-configuration-if-using-email-alerts) | Use Case | Common Ports | | --- | --- | | SMTP outbound | `25`, `465`, `587`, `2525` | | Admin Notes | Check with your SMTP administrator to confirm which port is used | 👇**ACTIVE DIRECTORY GUARDIAN** ![](https://files.readme.io/9d37621a3e743418dae182c151d97a28dba1ef773977a485031e2932274e969e-image85.png) Updated 5 months ago * * * Ask AI --- # Scheduling a Scan Once you are satisfied with your scan settings, you can configure a scheduled scan to run at a set time on a recurring schedule. You can create a schedule in two ways: * Click **Schedules** in the navigation menu and select **Add** * Or click **Schedule Scan** from the Dashboard * * * ⚙️ Configuration Options [](https://docs.spycloud.com/public-sc/docs/scheduling-a-scan#%EF%B8%8F-configuration-options) --------------------------------------------------------------------------------------------------------------------------- When creating a schedule: | **Field** | **Description** | | --- | --- | | **Schedule Name** | Enter a descriptive name for the schedule. | | **Run Frequency** | Select how often the scan should run. | | **Run Time** | Set the time of day the scan should run. (Shown for daily/weekly/monthly schedules.) | | **Day of the Week** | Appears if you choose a **weekly** schedule. | | **Day of the Month** | Appears if you choose a **monthly** schedule. | > All remaining settings are identical to those for a manual scan. > Once configured, click **Save**. * * * 📋 Managing Scheduled Scans [](https://docs.spycloud.com/public-sc/docs/scheduling-a-scan#-managing-scheduled-scans) ------------------------------------------------------------------------------------------------------------------------ To view or manage scheduled tasks: 1. Click **Schedules** in the left-hand navigation, or select **View Schedules** from the Dashboard. 2. From here, you can: * **Enable / Disable** a scheduled task * **Edit** the configuration * **Delete** a schedule * **Add multiple scheduled tasks** to run different scans at different times You can also create new scheduled tasks by clicking **Add**. ![Scheduling Screen](https://files.readme.io/4b50e11a282f8c1da864c3c440460ec2a3ea84fb6bd37b27eade6817c4331301-image32.jpg) Updated 5 months ago * * * Ask AI --- # Upgrading Active Directory Guardian Since **Version 7.3**, upgrades are only supported for users already running **7.X**. * If you are running **7.0+**, you can upgrade directly. * If you are running **6.6 or earlier**, ADG 7.3 will install **side-by-side** with your existing version. * * * 💻 Upgrading to Version 7.3 Using the Installer [](https://docs.spycloud.com/public-sc/docs/upgrading-active-directory-guardian#-upgrading-to-version-73-using-the-installer) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### 1\. Downloading ADG [](https://docs.spycloud.com/public-sc/docs/upgrading-active-directory-guardian#1-downloading-adg) * Log in to your **SpyCloud Customer Portal** → _Software Downloads_ * Find the latest **ADG installer** (with version + release date) * If you do not have portal access, contact a SpyCloud Administrator ![](https://files.readme.io/d9f732b631f0e171d87bfd8fa0d1ca160fc6c13438a2f16036c21834504cf2ae-image3.jpg) * * * ### 2\. Running the Installer [](https://docs.spycloud.com/public-sc/docs/upgrading-active-directory-guardian#2-running-the-installer) 1. Double-click the **7.3 installer executable** 2. Click **Next** to continue 3. If an existing **7.X** version is detected, you’ll be prompted to: * **Upgrade** the existing version * Or **Uninstall** the product 4. Select **Upgrade the existing version** → click **Next** ![](https://files.readme.io/9d2f7f85d3de0032c0970abc0f1cb69ec247e4bc201c880e0a046ac6d7381e70-image73.jpg) 5. Accept the **EULA** ![](https://files.readme.io/b36bdd5f78916c1723f0647a551d17b87f91da5c1b20adee90e93f059b779b4e-image38.jpg) 6. Click **Upgrade** to complete the process ![](https://files.readme.io/aa8c00729dd7915bd4e303c7db576e164cb2c46c045382b960241da3429d35f4-image39.jpg) 7. When finished, click **Finish** ![](https://files.readme.io/1c1a5ae59e2ebd5136eae1b7b6ade450417a5283c3085d9e3b41bef6fc5a0edf-image13.jpg) * * * ### 3\. Verifying Upgrade [](https://docs.spycloud.com/public-sc/docs/upgrading-active-directory-guardian#3-verifying-upgrade) After upgrading, confirm by opening the ADG interface: 👉 `https://localhost:8081` (or the port you installed on) * * * 💻 Upgrading to Version 7.3 Using the CLI [](https://docs.spycloud.com/public-sc/docs/upgrading-active-directory-guardian#-upgrading-to-version-73-using-the-cli) --------------------------------------------------------------------------------------------------------------------------------------------------------------------- To upgrade from the command line you will need to run the installer executable from the command line with the upgrade option like this: ![](https://files.readme.io/c02c2d56035e7787e61f4e588e1defa3b41214c5cad99f6e3ed232fed1c75bf6-image93.png) When the upgrade is completed, you should see a message like this: ![](https://files.readme.io/505e9b8992e341ce37383074f866ffc40f9e702c126ea3ba601df87f9f19fb56-image48.jpg) ### Exit Codes [](https://docs.spycloud.com/public-sc/docs/upgrading-active-directory-guardian#exit-codes) After the upgrade is complete, the exit code for the process will be stored in the errorlevel variable in the environment 0 - The CLI command executed successfully 2 - The CLI command encountered an error and could not execute successfully To see this value, you can echo it using the following command: ![](https://files.readme.io/100957ceaa209d5e2bd5bca1f7865df06718d2562a7f8b3f7a406b0118cf84be-image82.jpg) * * * 💻 Upgrading from Versions Before 7.0 [](https://docs.spycloud.com/public-sc/docs/upgrading-active-directory-guardian#-upgrading-from-versions-before-70) ------------------------------------------------------------------------------------------------------------------------------------------------------------- Upgrading from a version 6.6 or earlier is **not** supported. If you are installing from version 6.6 or prior, you will install version 7.3 side by side with your existing installation. Once you have ADG 7.3 running to your liking, you can uninstall your previous version. Updated 5 months ago * * * Ask AI --- # Uninstalling ADG Using the Installer 🖱️ Uninstalling via Installer [](https://docs.spycloud.com/public-sc/docs/uninstalling-adg-using-the-installer#%EF%B8%8F-uninstalling-via-installer) --------------------------------------------------------------------------------------------------------------------------------------------------------- 1. **Double-click the AD Guardian installer**. > ⚠️ > > If you’ve misplaced the installer, there is one located in your install folder here: C:\\ProgramData\\SpyCloud\\AD Guardian\\7\\Installer.exe 2. After launching, click **Next**. ![Next Screen](https://files.readme.io/a09ce0abeabbc46f002c413d30fe078afd87bd2ad4547d22760956dde544e965-image3.jpg) 3. On the next screen, click **Uninstall**. ![Uninstall Screen](https://files.readme.io/7c026c20becb977886b675b9f15033bb564233dadc10c9d2988445dde501dc83-image25.jpg) Once the uninstall operation finishes, SpyCloud AD Guardian will be removed from the system. * * * 💻 Uninstalling via CLI [](https://docs.spycloud.com/public-sc/docs/uninstalling-adg-using-the-installer#-uninstalling-via-cli) ----------------------------------------------------------------------------------------------------------------------------------- To uninstall from the command line you will need to run the installer executable from the command line with the upgrade option like this: ![](https://files.readme.io/2cc3910e7667e0c0279dfc0574ce3df952a1726bbcec7443ee0596a487ea23b8-image21.png) When the upgrade is completed, you should see a message like this: ![](https://files.readme.io/71342b4bdd5a97d261bd97417b3882e3a6e17365e4fd4839cb10d70dbac0a987-image46.png) ### Exit Codes [](https://docs.spycloud.com/public-sc/docs/uninstalling-adg-using-the-installer#exit-codes) After the uninstall is complete, the exit code for the process will be stored in the errorlevel variable in the environment 0 - The CLI command executed successfully 2 - The CLI command encountered an error and could not execute successfully To see this value, you can echo it using the following command: ![](https://files.readme.io/62ce078a78602871a28cc645233e7eae929085bebc27dc5e3ea6e2746aaf9f9d-image84.jpg) Updated 5 months ago * * * Ask AI --- # Entra ID Guardian SpyCloud’s **Entra ID Guardian** scans credentials within Entra ID against billions of recaptured darknet assets, enabling automated remediation like password resets and account disables to keep your corporate identity secure. * * * Benefits at a Glance [](https://docs.spycloud.com/public-sc/docs/entra-id-guardian#benefits-at-a-glance) ------------------------------------------------------------------------------------------------------------ 🛡️ ### Stay Ahead of Criminals Proactively monitor Entra ID for exposed employee credentials. 🔐 ### Lock Out Bad Actors Protect assets by resetting or disabling accounts linked to breaches, malware, or phishing. 🧠 ### Reduce Your Team’s Workload Automate detection and remediation of exposed passwords. * * * How It Works [](https://docs.spycloud.com/public-sc/docs/entra-id-guardian#how-it-works) -------------------------------------------------------------------------------------------- > Entra ID Guardian is deployed via an **ARM template** in Azure as a container. It integrates with your directory and SMTP environment to continuously scan accounts for password exposures. 1. **Collect** – SpyCloud gathers breach and malware records. 2. **Enrich & Analyze** – Credentials are matched against Entra ID accounts. 3. **Automate** – Enqueue actions like password resets, logging, and email notifications. ![](https://files.readme.io/7b2b153f850df572fd7937a95034a582a74e8f893a484e81c975e6ab8fc8a942-ENTRA_ID-reference_architecture.png) * * * At a Glance: Functional Overview [](https://docs.spycloud.com/public-sc/docs/entra-id-guardian#at-a-glance-functional-overview) ----------------------------------------------------------------------------------------------------------------------------------- | Feature | Description | | --- | --- | | Deployment Method | ARM template – deploys as Azure Container Instance (ACI), no VM required | | Scanning Scope | Full credential checks for active Entra ID accounts (exact-match only) | | Remediation Options | Password reset, log match details, email notifications (user/admin), delayed reset option | | Reporting Dashboard | Scan stats by period: accounts scanned, passwords checked/matched, resets, emails sent | * * * Example Use Case: Corporate Exposures [](https://docs.spycloud.com/public-sc/docs/entra-id-guardian#example-use-case-corporate-exposures) --------------------------------------------------------------------------------------------------------------------------------------------- Entra ID Guardian integrates into Azure environments via ARM deploying an ACI. It scans active employees for credential reuse or exposure, triggering automated remediation workflows as needed. * * * Why It Matters [](https://docs.spycloud.com/public-sc/docs/entra-id-guardian#why-it-matters) ------------------------------------------------------------------------------------------------ > SpyCloud Entra ID Guardian delivers **automated credential hygiene and robust ATO protection** — driving faster detection and remediation in your cloud identity stack while lightening the load on security teams. Updated 5 months ago * * * Ask AI --- # Settings The Settings section in ADG lets you configure **Automatic Scanning**, **Essentials**, **Proxy**, **Reporting**, and **SMTP**. * * * ⚡ Automatic Scanning [](https://docs.spycloud.com/public-sc/docs/settings#-automatic-scanning) -------------------------------------------------------------------------------------------------- Automatic Scanning allows you to check SpyCloud’s database as frequently as every 5 minutes. This ensures you are able to act on critical employee exposures as soon as SpyCloud finds them. * Runs in the background on a **5-minute interval**, plus the time the previous scan took to complete. * Replicates only the **affected AD objects**, making scans fast (seconds or minutes vs. hours). * Does not use the advanced analytics of a full scan (e.g., fuzzy matching, IDLink). **Behavior:** * If no new exposures are found → the cycle restarts after 5 minutes. * If new exposures are found → the scan completes, then the next starts 5 minutes later. **Notifications:** * Emails are sent **only if** an active match is found or a scan fails. * Scans are added to the dashboard **only if new data** is found. > 💡 > > **Recommendation:** Use Automatic Scans for near real-time monitoring, and schedule **Full Scans daily** for richer analytics. **Where to Configure:** * From the **Automatic Scan module** on the dashboard, or * From **Settings → Automatic Scanning** in the left navigation On the Automatic Scanning page, you can enable/disable scans, set a remediation policy (or create one), and configure notification emails. 👉 For steps on **creating a remediation policy**, [click here](https://spycloud-external.readme.io/public-sc/docs/advanced-configuring-remediations) . 👉 For steps on **configuring SMTP email**, [click here](https://spycloud-external.readme.io/public-sc/docs/advanced-email-templates) . > ⚠️ > > On repeated failures: one failure email is sent immediately, then no more than **once per hour**. ![Automatic Scanning](https://files.readme.io/727e8ca63ae34c72eb87d974d5a32f3bb4f147d430b788a971d2a0813ef8d310-image5.jpg) * * * 🧰 Essentials Settings [](https://docs.spycloud.com/public-sc/docs/settings#-essentials-settings) ----------------------------------------------------------------------------------------------------- Go to **Settings → Essentials** to update: * **SpyCloud API Key** configuration * **Local Active Directory** configuration Use this section when credentials or AD connection details change. ![Essentials Settings](https://files.readme.io/e85a3429069b8f1f7346abae8ba1467237a872ec293d0e12f62b87e106460006-image20.png) * * * 🌐 Proxy [](https://docs.spycloud.com/public-sc/docs/settings#-proxy) ------------------------------------------------------------------------- If your environment requires HTTP(S) traffic to go through a proxy: 1. Navigate to **Settings → Proxy** 2. Enter: * **Host** (must include `http://` or `https://`) * **Port** 3. Click **Save** ![Proxy Settings](https://files.readme.io/263cbcd99cc7632db5f58315382a633fa57bac2ed97c079a49334ad0ee276597-image40.jpg) * * * 📈 Reporting [](https://docs.spycloud.com/public-sc/docs/settings#-reporting) --------------------------------------------------------------------------------- ADG can report high level scan statistics and diagnostic data back to your **SpyCloud Enterprise Portal**. This data provides greater insight into exposure risk, helps with debugging, and informs optimization of future ADG releases. Navigate to **Settings → Reporting**. ### Data Collected per Scan [](https://docs.spycloud.com/public-sc/docs/settings#data-collected-per-scan) | **Category** | **Details** | | --- | --- | | **Matches** | Active AD user matches; password matches by type (Exact, Fuzzy, Banned, NIST Global) | | **Resolutions** | Resolved matches grouped by type (Exact, Fuzzy, Banned, NIST Global) | | **Scan Metadata** | Start/end time, scan options, diagnostic data | | **Domain Controller** | Domain, name, OS version | | **ADG Host** | ADG version, uptime, log file size, DB size, memory consumption | | **Host System** | Hostname, OS version, CPU cores, machine ID | **Opting Out:** * Reporting is **enabled by default**. * To disable: check **Opt out of reporting ADG scan statistics**. * Contact support via the SpyCloud portal to delete historical data if needed. ![Reporting Settings](https://files.readme.io/0f65c96af2cf2768dac9d6d45d35c6c3785b06b039e59ec5427b005487895966-image35.jpg) * * * ✉️ SMTP [](https://docs.spycloud.com/public-sc/docs/settings#%EF%B8%8F-smtp) -------------------------------------------------------------------------------- ADG has the ability to send emails in certain situations. In order to send emails, ADG needs to be configured to talk to an SMTP server. Navigate to **Settings → SMTP**. ### SMTP Server [](https://docs.spycloud.com/public-sc/docs/settings#smtp-server) * **Host**: FQDN of the SMTP server * **Port**: 25, 465, 587, or 2525 * **Security**: TLS on a Dedicated Port or StartTLS After Connection * **Sender Email Address**: configure a default sender, then **Save** **Authentication** * Enter **Username** and **Password** if required * Leave blank for **anonymous SMTP** **Testing & Reset** * Send a **Test Email** to confirm operation * **Delete Configuration and Credentials** to clear all fields ![SMTP Server Settings](https://files.readme.io/5e79e97dcba8f9a4d9af5eb5351979b0b8e1ec39d17442ca14c883f9d533fe81-image88.png) ![](https://files.readme.io/98f1952a3952c9de2d99a0dbf18d62f6af2e69dedf26554490337fb3bdc526e5-image63.png) ### Email Template Defaults [](https://docs.spycloud.com/public-sc/docs/settings#email-template-defaults) Set defaults for templates: * **Default To** * **Default Reply To** * **Default Sender Name** > Multiple values can be added line by line. Updated 5 months ago * * * Ask AI --- # Compromised Credit Card API In today’s digital-first travel economy, hospitality and travel brands manage high volumes of sensitive guest data – including stored credit cards for bookings, upgrades, in-app purchases, and loyalty redemptions. Many providers also partner with banks to issue co-branded credit cards, offering rewards such as free nights, airline miles, and elite status. These cards, however, are frequent targets for cybercriminals. Travel and hospitality companies can reduce fraud losses and increase guest trust by monitoring compromised credit cards – including card numbers, expiration dates, and CVVs exposed through data breaches or sold on dark web marketplaces. When integrated into fraud prevention systems, this intelligence acts as an early risk signal, allowing your organization to act before fraudulent transactions occur. Providers can monitor their co-branded cards directly by BINs (Bank Identification Numbers) to identify exposures early and take preventative action. By identifying compromised cards circulating in the wild, travel and hospitality companies can: * Prevent fraudulent bookings, upgrades, or add-on purchases using stolen credentials * Reduce chargebacks associated with unauthorized travel services or loyalty redemptions * Flag at-risk loyalty or guest accounts tied to compromised payment methods * Support investigations into fraud rings abusing travel benefits and card programs * * * 🧠 SpyCloud’s Credit Card Intelligence for Travel & Hospitality [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-4#-spyclouds-credit-card-intelligence-for-travel--hospitality) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud delivers unmatched visibility into recaptured credit card data – specifically cards actively circulating among cybercriminals and likely to be used in fraudulent transactions. With the SpyCloud Compromised Credit Card API, travel and loyalty fraud teams can: * Access records of exposed credit cards linked to their co-branded BINs * Integrate card exposure intelligence into reservation, loyalty, and fraud detection systems * Block, verify, or flag transactions tied to compromised cards at booking, check-in, or checkout > 💫 > > By stopping fraud tied to compromised cards, travel brands preserve guest trust and protect revenue across digital and physical touchpoints. * * * ⚙️ How the Credit Card BIN API Works [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-4#%EF%B8%8F-how-the-credit-card-bin-api-works) --------------------------------------------------------------------------------------------------------------------------------------------------------------- The SpyCloud Compromised Credit Card API enables automated, real-time detection of exposed credit cards through a RESTful JSON API. Your team can query the endpoint with one or more 6-digit BINs (up to 10 per request) and receive: * SHA1-hashed card numbers * Source metadata (e.g., phishing kits, malware logs, or breach dumps) * Timestamps of compromise * Additional contextual indicators **At a glance** | 🔎 Queries | 📤 Output | | --- | --- | | Your team can query the endpoint with one or more 6-digit BINs (up to 10 per request). | SHA1-hashed card numbers; source metadata (e.g., phishing kits, malware logs, or breach dumps); timestamps of compromise; additional contextual indicators. | * * * 🧪 Common Use Cases [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-4#-common-use-cases) -------------------------------------------------------------------------------------------------------------------- * Flagging exposed cards during checkout, online booking, or payment method updates * Triggering re-verification or reissuance of co-branded travel cards tied to risky accounts * Monitoring for large-scale exposures indicative of program abuse or targeted phishing campaigns * * * 🗃️ Data Sources [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-4#%EF%B8%8F-data-sources) ---------------------------------------------------------------------------------------------------------------------- SpyCloud aggregates compromised card data from: * Malware-infected devices, such as guest phones, kiosks, or hotel POS systems * Phishing kits impersonating airline, hotel, or OTA payment pages * Data breaches targeting travel providers, partners, or third-party payment processors This proactive threat intelligence enables your fraud and security teams to respond before damage is done, stopping fraudulent charges, loyalty theft, and operational disruption. * * * 📣 Why This Matters for Travel & Hospitality Providers [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-4#-why-this-matters-for-travel--hospitality-providers) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Credit card fraud in travel leads to real-world impacts: * Fraudulent bookings using stolen cards result in lost room nights, no-show inventory waste, or service abuse * Chargebacks from unrecognized charges drive up operational costs and payment network risk * Reputational damage with issuing banks or loyalty members can erode brand trust * Increased support costs tied to account lockouts, refunds, and fraud response When guests are proactively notified that their co-branded card is at risk – even if fraud hasn't occurred – they feel: * Protected and prioritized * More loyal to a brand that values their financial safety * Encouraged to update their payment method proactively * * * 🎯 Key Benefits for Travel & Hospitality Companies [](https://docs.spycloud.com/public-sc/docs/compromised-credit-card-api-4#-key-benefits-for-travel--hospitality-companies) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Reduce fraud and chargebacks linked to stolen card usage * Stop unauthorized transactions tied to loyalty or booking systems * Improve fraud detection models using verified card exposure intelligence * Enhance guest communications around card security and replacement * Support investigations into fraud campaigns targeting your card programs Updated 13 days ago * * * Ask AI --- # Identity Guardians Identity Guardians are SpyCloud’s way of making **compromised password detection and remediation frictionless** for enterprises. Instead of relying on manual checks and guesswork, Identity Guardians **automate the process of testing exposed credentials against your user directories** — protecting against both password reuse and cycling. * * * 🔍 Why Identity Guardians? [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-why-identity-guardians) ---------------------------------------------------------------------------------------------------------------------- Most organizations today rely on directories like: * **Active Directory (AD)** – Microsoft’s on-premises directory * **Entra ID** (formerly Azure AD) – Microsoft’s cloud-based directory * **Okta** – Cloud identity provider (can leverage AD or run standalone) Traditionally, security teams had to: 1. Log in to a portal, 2. Pull records with exposed passwords, 3. Manually check those passwords against directory accounts. ✅ This works for small-scale exposure. ❌ But it doesn’t scale, misses older credentials, and burns analyst hours. * * * ⚡ What Identity Guardians Do [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-what-identity-guardians-do) ---------------------------------------------------------------------------------------------------------------------------- Identity Guardians close this gap by continuously and automatically: * Checking **all credentials** (fresh and historical) against live directories * Running **specialized checks** (ADG only) like: * NIST compliance * IDLink-powered matches * Banned password lists * Fuzzy variations * Shared password detection The result: **better coverage, less manual toil, faster remediation.** * * * 🧰 The Identity Guardians Lineup [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-the-identity-guardians-lineup) ----------------------------------------------------------------------------------------------------------------------------------- 🛡️ ### ACTIVE DIRECTORY GUARDIAN Automates credential resets or disable high-risk accounts – acting on malware exposures in as little as 5 minutes from discovery. ADG offers the most flexible scanning and remediation options. 🛡️ ### ENTRA ID GUARDIAN Extend automated credential protection to Microsoft’s cloud-based directory services. Runs natively in Azure. Perfect for cloud-first orgs, supports continuous scanning & password reset automation. 🛡️ ### OKTA WORKFORCE GUARDIAN Integrates with Okta Workforce Identity to enforce password hygiene and prevent account compromise. Ideal if you run Okta Directory or LDAP. * * * 💡 Key Benefits [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-key-benefits) ------------------------------------------------------------------------------------------------- **SpyCloud Identity Guardians** empower Identity and Access Management (IAM) teams to prevent identity threats by acting on breach, malware, and phishing credential exposures before criminals can. Instead of relying on outdated password policies or manual resets, Identity Guardians deliver continuous monitoring and automated remediation of verified credential exposures – aligned with NIST 800-63B and Zero Trust principles. * Continuous defense against account takeover * Coverage across **on-prem, cloud, and hybrid** setups * Automated remediation (reset, disable, notify) * Proven customer results: * 90% reduction in employee ATO cases (Global Airline) * 1,000+ analyst hours saved (EBSCO Industries) * 3,400 employees notified of password reuse in 3 months (Top Travel Company) * * * 🧭 Choosing the Right Identity Guardian [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-choosing-the-right-identity-guardian) ------------------------------------------------------------------------------------------------------------------------------------------------- With multiple Identity Guardians available, the right fit depends on **your directory setup**. Use this guide to match your environment to the right Identity Guardian. * * * ### 🗂️ Identity Guardian Decision Matrix [](https://docs.spycloud.com/public-sc/docs/identity-guardians#%EF%B8%8F-identity-guardian-decision-matrix) | **Environment** | **Recommended Guardian(s)** | **Why?** | | --- | --- | --- | | **AD Only** | ADG | Simplest use case. Full feature set (Exact, Fuzzy, IDLink, NIST, Shared). | | **AD + Entra ID (Hybrid) – All Accounts Synced** | ADG | Passwords replicate between AD & Entra, so ADG gives max control. | | **AD + Entra ID (Hybrid) – Some Cloud Only Accounts** | ADG + Entra ID Guardian | ADG covers synced users; Entra covers cloud-only users. | | **Entra ID Only** | Entra ID Guardian | Cloud-native, continuous scanning in Azure. | | **Okta with AD as Directory** | ADG + Okta Reset Option | Passwords live in AD; ADG scans them. Use Okta reset for smooth user experience. | | **Okta with Okta Directory/LDAP** | Okta Workforce Guardian | Simplest Okta-native use case. | * * * ### 🌐 Hybrid Environments: Best Practices [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-hybrid-environments-best-practices) Hybrid is the new normal — and our Identity Guardians play well together. * **AD + Entra ID** * Use **ADG** for its broader scan types (fuzzy, banned, NIST, shared). * Add **Entra ID Guardian** if you have **cloud-only accounts**. * Bonus: Entra ID Guardian replaces legacy “Azure scanning” in ADG (v7.3). * **AD + Okta** * Passwords still sit in AD → scan with **ADG**. * For remediation, leverage **Okta password reset integration**. * **Multi-cloud directory mix** * Deploy the right Identity Guardian in each directory. * Centralize reporting for visibility across environments. * * * ### ✅ Pro Tips [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-pro-tips) * Run scans **daily** (or continuously where supported). * Use **as many password check types as possible** (fuzzy, IDLink, banned). * Push for **automated remediation** at least for exact matches. * Right-size quota and scope for your environment. * For ADG, enable **Shared Password Audit** for maximum insight. * * * ### 🚀 Bottom Line [](https://docs.spycloud.com/public-sc/docs/identity-guardians#-bottom-line) No matter your mix of **on-prem, cloud, or hybrid**, there’s a Identity Guardian to match. The key is to **deploy where your passwords live**, then automate remediation to shut down ATO risk _before attackers get a chance_. Updated 5 months ago * * * Ask AI --- # Viewing the Scan Report Once the scan is finished, a new entry will appear in the **Recent Scans** list on the Dashboard, along with summary tiles at the top of the screen. The Dashboard displays the **100 most recent scans**. ![Dashboard Recent Scans](https://files.readme.io/a0a3db9af94cb0cd9dd3d58eef7d8b11802e7b93c258978024c43a55f9987c9b-image22.png) * * * 📈 Dashboard Summary Tiles [](https://docs.spycloud.com/public-sc/docs/viewing-the-scan-report#-dashboard-summary-tiles) ---------------------------------------------------------------------------------------------------------------------------- | **Tile** | **Description** | | --- | --- | | **Exposed Corporate Credentials** | Total number of exposed passwords for your organization, based on watchlist identifiers configured in the SpyCloud Customer Portal. | | **Account Matches** | Number of matches for active AD users. Matches are based on attributes: `mail`, `sAMAccountName`, `userPrincipalName`, `proxyAddress`, `targetAddress`. | | **Password Matches** | Number of password matches for active AD users, based on scan settings. | > 🔎 > > ### > > Note: Running subsequent scans against the same directory with different scan types may change match counts. > > [](https://docs.spycloud.com/public-sc/docs/viewing-the-scan-report#note-running-subsequent-scans-against-the-same-directory-with-different-scan-types-may-change-match-counts) * * * 📑 Detailed Reports [](https://docs.spycloud.com/public-sc/docs/viewing-the-scan-report#-detailed-reports) -------------------------------------------------------------------------------------------------------------- Click a scan line in the **Recent Scans log** to view a **Detailed Report**. ![Detailed Report Screen](https://files.readme.io/d75a859a73feed604576dffc3452eba002037c895ff8cb21003d0867bc157a27-image71.jpg) ### Report Contents [](https://docs.spycloud.com/public-sc/docs/viewing-the-scan-report#report-contents) * **Scan Statistics** at the top (e.g., total AD accounts scanned, errors) * ⚠️ Some errors are expected when reading accounts from AD. * Review the **General Log** if errors seem excessive. * **Results Tabs** at the bottom: * **Match Results** → Shows exact, banned, fuzzy, all compromised, and IDLink matches * **Audit Results** → Shows shared password matches * * * 🔍 Match Results [](https://docs.spycloud.com/public-sc/docs/viewing-the-scan-report#-match-results) -------------------------------------------------------------------------------------------------------- Match Results show detected password matches with options to **Search**, **Filter**, and **Export to CSV**. ### Status Types [](https://docs.spycloud.com/public-sc/docs/viewing-the-scan-report#status-types) | **Status** | **Description** | | --- | --- | | **Email + Exact Password** | Current AD password matched exactly to an exposed password. _(Most severe type of match)_ | | **Email + Banned Password** | Current AD password was found in the Banned Password list. | | **Email + Fuzzy Password** | Current AD password matched a fuzzy variation of an exposed password. | | **Email + Fuzzy Banned Password** | Current AD password matched a fuzzy variation of a banned password. | | **Email + IDLink Password** | Current AD password matched one associated with the employee in SpyCloud’s IDLink analytics. | | **Password-Only** | No account match, but the password exists in SpyCloud’s dataset. Includes **Exposure Count** (number of times the password appeared). | ![ Match Results Screen](https://files.readme.io/18bc6e9fbc055f0647ce6379c3ab0060502faf7ace72cb4677f359351062255b-image72.jpg) * * * 📋 Audit Results [](https://docs.spycloud.com/public-sc/docs/viewing-the-scan-report#-audit-results) -------------------------------------------------------------------------------------------------------- Audit Results show **shared password findings**: | **Column** | **Description** | | --- | --- | | **sAMAccountNames** | List of accounts that share the same password. | | **Count** | Number of accounts using the same password. | Additional capabilities: * **Search**, **sort**, and **export** results to CSV. * Apply predefined remediation policies directly to audit results. ![Audit Results Screen](https://files.readme.io/a4d4a0016fdf6fab8b78f9a8b1def8db22a92b7f9876b5520e5eb8c3019cfc13-image81.png) Updated 5 months ago * * * Ask AI --- # Okta Workforce Guardian SpyCloud’s **Okta Workforce Guardian** integrates with Okta to automatically detect when employee credentials are exposed in breaches, malware infections, or phishing attacks – and take action before criminals can. * * * ✨ Benefits at a Glance [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-benefits-at-a-glance) --------------------------------------------------------------------------------------------------------------------- 🌀 ### Continuous Protection Validate Okta credentials against SpyCloud’s recaptured malware, phishing, and breached data – updated in near-real-time. ⚙️ ### Automated Remediation Enforce password resets, revoke sessions, or disable high-risk accounts automatically – minimizing manual effort and response time. ⏱️ ### Reduced Dwell Time Terminate active sessions to stop attackers mid-access and eliminate persistent compromise. 🎛️ ### Policy-Driven Flexibility Customize remediation by exposure severity – from user notifications to full account disablement. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------- > Okta Workforce Guardian continuously checks active employee accounts against nearly 1 trillion recaptured darknet assets in SpyCloud's repository. 1. **Detect** – SpyCloud continuously checks Okta Workforce user credentials against our recaptured darknet dataset. 2. **Enrich & Analyze** – When an exposure is detected and matches your domain, SpyCloud returns enriched identity data to Okta Workflows. 3. **Automate** – Depending on policy configuration, Okta Workforce Guardian can: 1. Notify the exposed user or security team 2. Enforce password resets 3. Revoke active session cookies 4. Disable the user account 5. Change user groups 6. Trigger downstream workflows (SIEM, SOAR, ITSM) ![](https://files.readme.io/0bdd71cb0625d3e3de1ab2d1196f5252f93a0a5f171f47e956a0e320822df7b7-okta-guardian-reference_architecture.png) * * * 🔍 What Gets Checked? [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-what-gets-checked) ----------------------------------------------------------------------------------------------------------------- | **Exposure Source** | **Action Taken** | | --- | --- | | Breach-stolen credentials | Automated password reset | | Malware-infected devices | User re-authentication | | Successful phishing attempts | Disable or restrict account | | Credential reuse detection | Notify user and assign group | * * * 📂 Example Scenarios [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-example-scenarios) ---------------------------------------------------------------------------------------------------------------- ### 🧠 Compromised Password from Third-Party Breaches [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-compromised-password-from-third-party-breaches) > **Detection:** Employee’s Okta username and password appear in a new third-party breach. > **Automated Actions:** > > 🔒 Force password reset > > 🚪 Terminate active sessions > > 👥 Reassign user to “Elevated MFA Required” group until remediation verified ### 💻 Infostealer Malware Infection [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-infostealer-malware-infection) > **Detection:** SpyCloud identifies credentials and cookies exfiltrated from an employee’s infected laptop. > **Automated Actions:** > > 🔐 Revoke active session tokens > > 🧱 Flag the device for isolation > > ⛔ Disable user account until endpoint cleanup is confirmed ### 🎣 Phishing Compromise [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-phishing-compromise) > **Detection:** A phishing kit captures a valid corporate login, which SpyCloud ingests and publishes within hours of detection. > **Automated Actions:** > > 🚫 Disable user temporarily > > 🔁 Revoke sessions > > 🔑 Trigger forced MFA re-enrollment flow upon reactivation ### 🔁 Password Reuse Across Personal Accounts [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-password-reuse-across-personal-accounts) > **Detection:** SpyCloud detects a reused password between a corporate account and a personal account compromised in a breach. > **Automated Actions:** > > 🔄 Force password reset > > 📧 Send user awareness notification discouraging credential reuse ### 🚨 Suspicious Recurrent Exposure [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-suspicious-recurrent-exposure) > **Detection:** A user has **3+ exposures within 90 days**. > **Automated Actions:** > > ⚠️ Move user to “High-Risk Identity” group > > 🧩 Require step-up authentication for all logins > > 🗓️ Flag account for HR + Security awareness training * * * 📊 Visibility & Reporting [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-visibility--reporting) ------------------------------------------------------------------------------------------------------------------------- Okta Workforce Guardian provides insight into identity **exposure trends** and **remediation performance**. | 📈 Metric | Description | | --- | --- | | 🧑‍💻 Exposed Corporate Credentials | Count of unique, exposed corporate credentials | | 🪪 Account Matches | Number of corporate identities matched to SpyCloud data | | 🔑 Password Matches | Reused or compromised passwords detected | | 🧹 Remediation Actions Applied | Actions automatically triggered via Okta workflows | * * * ⚙️ Technical Requirements [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#%EF%B8%8F-technical-requirements) ----------------------------------------------------------------------------------------------------------------------------------- | Requirement | Description | | --- | --- | | 🧱 **Okta Workforce Environment** | With Workflow Admin or higher privileges | | 🔑 **SpyCloud API Key** | Enterprise Protection API access + connectivity | | 🧩 **Workflow Templates** | 25 modular customizable Okta Workflow templates | | 🛰️ **Optional Integrations** | Connect to SIEM/SOAR tools via webhooks | | 🧍‍♂️ **Least-Privilege Ready** | No Super Admin required | * * * 🚀 Getting Started [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#-getting-started) ------------------------------------------------------------------------------------------------------------ 1. **Enable** the SpyCloud Enterprise Protection API for your organization. 2. **Install** the Okta Workforce Guardian templates from the SpyCloud Workflow Library. 3. **Configure** remediation actions based on exposure severity and policy. 4. **Monitor** results within your Okta Workflow logs and dashboards. * * * Why It Matters [](https://docs.spycloud.com/public-sc/docs/okta-workforce-guardian#why-it-matters) ------------------------------------------------------------------------------------------------------ > SpyCloud Okta Workforce Guardian ensures **faster detection, automated remediation, and reduced risk of ATO (Account Takeover)** – keeping your workforce safe without adding burden to your security team. Updated 3 months ago * * * Ask AI --- # Compromised Applications ![](https://files.readme.io/3d256f0835fe15ccc932248bfde1e14c0dec943b40b3a1e0a480648ee5ee89e7-Screenshot_2026-01-13_at_12.47.30_PM.png) View the Top 10 internal and external applications by infected devices Understanding Compromised Applications [](https://docs.spycloud.com/public-sc/docs/compromised-applications#understanding-compromised-applications) ======================================================================================================================================================= The **Top Compromised Applications** view highlights business applications exposed on **malware-infected vendor devices**. This component helps you understand **which applications attackers may already have access to** and which exposures present the greatest downstream risk. Applications are ranked by the **number of infected devices**, making it easier to prioritize investigation and remediation. * * * What this shows [](https://docs.spycloud.com/public-sc/docs/compromised-applications#what-this-shows) --------------------------------------------------------------------------------------------------------- Top Compromised Applications summarizes **applications observed in malware data** that are associated with a company. Key characteristics: * Based exclusively on **malware records** * Ranked by **unique infected devices** * Includes both **internal** and **external** applications * Designed to surface **unauthorized access**, not configuration weaknesses * * * How it works [](https://docs.spycloud.com/public-sc/docs/compromised-applications#how-it-works) --------------------------------------------------------------------------------------------------- SpyCloud associate records to a company using the **record’s domain**, which is derived from an email address. **Top Compromised Applications** adds an important enhancement. ### Standard association [](https://docs.spycloud.com/public-sc/docs/compromised-applications#standard-association) * Records are associated when the record’s **domain** matches one of the company’s monitored domains. ### Special case: domainless malware records [](https://docs.spycloud.com/public-sc/docs/compromised-applications#special-case-domainless-malware-records) * Some malware records do **not** contain a domain. * Supply Chain Threat Protection can still associate these records **indirectly** if: * The domainless malware record shares an **`infected_machine_id`** with another record **with a domain** that belongs to the company This allows SpyCloud to capture application exposure that would otherwise be missed. > This is especially important for malware data, where application URLs are often captured without a clear company domain. * * * Understanding the view [](https://docs.spycloud.com/public-sc/docs/compromised-applications#understanding-the-view) ----------------------------------------------------------------------------------------------------------------------- The Top Compromised Applications component includes several key metrics to help interpret exposure. ### Summary fields [](https://docs.spycloud.com/public-sc/docs/compromised-applications#summary-fields) | Field | Definition | | --- | --- | | **Total** | Total number of records associated with the company’s domain or subdomain. Includes malware records directly associated with the company and those indirectly associated via `infected_machine_id`. | * * * Internal applications [](https://docs.spycloud.com/public-sc/docs/compromised-applications#internal-applications) --------------------------------------------------------------------------------------------------------------------- Internal applications are applications **owned or operated by the company**. **How they are identified:** * The application’s **subdomain + registrable domain** match the company’s domains **Example:** * `console.spycloud.com` is an internal application for `spycloud.com` **What is shown:** * Top **10 internal applications** * Sorted by **number of infected devices** * * * External applications [](https://docs.spycloud.com/public-sc/docs/compromised-applications#external-applications) --------------------------------------------------------------------------------------------------------------------- External applications are **third-party applications** used by the company’s workforce. **How they are identified:** * The application’s **subdomain** matches the second-level domain of one of the company’s domains **Example:** * `spycloud.example.com` is external for `spycloud.com` **What is shown:** * Top **10 external applications** * Sorted by **number of infected devices** * * * Application entries [](https://docs.spycloud.com/public-sc/docs/compromised-applications#application-entries) ----------------------------------------------------------------------------------------------------------------- Each listed application includes: | Field | Definition | | --- | --- | | **Target URL** | The application URL captured by malware on infected devices. | | **Infected Devices** | Total number of **unique `infected_machine_id` values** associated with that application. | * * * How to use this data [](https://docs.spycloud.com/public-sc/docs/compromised-applications#how-to-use-this-data) ------------------------------------------------------------------------------------------------------------------- * **Prioritize investigations** on applications with the highest infected-device counts * **Assess business impact** by identifying apps tied to sensitive data or privileged access * **Engage vendors** with concrete evidence of exposed applications * **Track changes over time** to validate remediation and reduced exposure Updated 13 days ago * * * Ask AI --- # Tips for Strong Passwords 🔑 Stronger Passwords, Stronger Security [](https://docs.spycloud.com/public-sc/docs/tips-for-strong-passwords#-stronger-passwords-stronger-security) ========================================================================================================================================================= We recognize the challenge of managing passwords and the global impact of weak and stolen passwords, which contribute to **over 80% of data breaches**. At SpyCloud, we are dedicated to tackling this issue and ensuring stronger account protection. Here are our **top 5 recommendations** for creating stronger passwords and enhancing overall account security: * * * 1\. Opt for Complex, 16+ Character Passwords or Passphrases [](https://docs.spycloud.com/public-sc/docs/tips-for-strong-passwords#1-opt-for-complex-16-character-passwords-or-passphrases) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Despite repeated advice, many users still rely on guessable passwords. Common examples like `123456`, `password`, or `qwerty` appear **millions of times** in breach data. ✅ Choose complex passwords of **16+ random letters, numbers, and symbols**. 💡 Even with advanced cracking tools, these would take centuries to break. > 🔒 > > Let’s take responsibility for our account security by creating stronger, unique credentials. * * * 2\. Maintain Unique Passwords Across Accounts [](https://docs.spycloud.com/public-sc/docs/tips-for-strong-passwords#2-maintain-unique-passwords-across-accounts) -------------------------------------------------------------------------------------------------------------------------------------------------------------------- Password reuse is one of the **biggest drivers of account takeover**. Cybercriminals exploit reused credentials with automated **credential stuffing** tools. ✅ Use a **password manager** to generate and store unique logins. ❌ Avoid reusing even small variations of the same password. * * * 3\. Keep Business and Personal Logins Separate [](https://docs.spycloud.com/public-sc/docs/tips-for-strong-passwords#3-keep-business-and-personal-logins-separate) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- More than **76% of Fortune 1000 employees** reuse passwords across personal and work accounts. This creates a serious risk: 👀 If your personal account is compromised, your **work accounts could also be exposed**. ✅ Always use **distinct, unrelated passwords** for business and personal logins. * * * 4\. Utilize Multi-Factor Authentication (MFA) [](https://docs.spycloud.com/public-sc/docs/tips-for-strong-passwords#4-utilize-multi-factor-authentication-mfa) ------------------------------------------------------------------------------------------------------------------------------------------------------------------ MFA adds an **extra layer of protection** by combining: * Something you know (password) * Something you are (biometrics) * Something you have (smartphone token) > ⚠️ > > While attackers can bypass MFA in some cases, it still **stops the majority of opportunistic attacks**. Enable MFA wherever possible. * * * 5\. Follow NIST Guidelines [](https://docs.spycloud.com/public-sc/docs/tips-for-strong-passwords#5-follow-nist-guidelines) ------------------------------------------------------------------------------------------------------------------------------ The **National Institute of Standards and Technology (NIST)** offers widely adopted guidance on password security. Key points: ❌ Prohibit use of **previously breached passwords**, no matter their complexity. ✅ Use **third-party services** to augment directory services like Microsoft Active Directory. 🟢 As an individual, enable **proactive breach monitoring** (SpyCloud will notify you if your credentials are found in the criminal underground). * * * 🧠 Final Thoughts [](https://docs.spycloud.com/public-sc/docs/tips-for-strong-passwords#-final-thoughts) ============================================================================================================ Frequent breaches make **password reuse a top security threat**. ✅ Password managers ✅ Continuous monitoring for exposed credentials ✅ Ongoing user education …are all critical to establishing a strong security culture. > 👍 > > These practices are **first steps toward a robust password framework** for both individuals and organizations. Updated 5 months ago * * * Ask AI --- # Introduction 🛡️ Enterprise Protection [](https://docs.spycloud.com/public-sc/docs/introduction-2#%EF%B8%8F-enterprise-protection) ========================================================================================================================= Every user connected to your business – employees, contractors, third parties – can be an entry point for cybercriminals. SpyCloud Enterprise Protection gives you **automated identity threat protection** that moves you beyond passive intel: to detect exposed identities fast and trigger remediation across your existing stack (IdP, SIEM, SOAR, EDR, ticketing). 🛡️ Continuously detects employee/contractor identity exposures from breaches, malware, and successful phishes 🔐 Remediates high-risk users (e.g., reset credentials, revoke sessions, re-auth, disable) within minutes of discovery 🧠 Operationalizes detections via Enterprise Protection APIs and native integrations * * * 💡 The Identity Gap [](https://docs.spycloud.com/public-sc/docs/introduction-2#-the-identity-gap) ----------------------------------------------------------------------------------------------------- Traditional endpoint + perimeter tools miss identity-specific indicators (e.g., passwords, cookies, tokens siphoned by infostealers). > Recent analysis shows **~66% of malware infections occur on devices that already had endpoint security installed**—which means identity artifacts can still be exposed and abused. 🎯 **Enterprise Protection** gives you the missing layer: _post-infection, identity-centric evidence_ to stop ATO, session hijacking, lateral movement, and ransomware precursors. * **Shrink exposure window** — find and fix exposed identities _before_ they’re used in attacks. * **Automate the boring** — route events to SIEM/SOAR/IdP and apply policy-driven remediation. * **Cut analyst toil** — prioritize by reliable, identity-centric risk signals (plaintext creds, cookies, tokens). * * * 🧩 What’s included [](https://docs.spycloud.com/public-sc/docs/introduction-2#-whats-included) -------------------------------------------------------------------------------------------------- * **Continuous monitoring** of your workforce & third parties for exposed credentials/artifacts (breach, malware, phish). * **APIs & integrations** to enrich alerts and drive consistent remediation in your tools. * **Actionable dashboard** for visibility into exposures, trends, and time-to-remediate. * * * 🔗 Where it integrates (starter map) [](https://docs.spycloud.com/public-sc/docs/introduction-2#-where-it-integrates-starter-map) ------------------------------------------------------------------------------------------------------------------------------------- | Stack Area | What you get | Examples | | --- | --- | --- | | **Identity Providers (IdP/IAM)** | Automate resets, re-auth, disable, group changes | Azure AD/Entra, Okta (via APIs/flows) :contentReference\[oaicite:10\]{index=10} | | **Endpoint & EDR** | Post-infection signals to find compromised users/apps | Use SpyCloud data to close gaps EDR missed :contentReference\[oaicite:11\]{index=11} | | **SIEM** | Enrich events, correlate identity exposures, create incidents | Microsoft Sentinel solution content available :contentReference\[oaicite:12\]{index=12} | | **SOAR** | Run playbooks for identity-driven IR | Reset creds, revoke sessions, notify users :contentReference\[oaicite:13\]{index=13} | > Tip: Start by plumbing **SIEM + IdP**. Add SOAR after you’ve proven the workflow. * * * 🧭 How the workflow feels (expandable) [](https://docs.spycloud.com/public-sc/docs/introduction-2#-how-the-workflow-feels-expandable) ----------------------------------------------------------------------------------------------------------------------------------------- **1) Detect** — new exposure arrives SpyCloud ingests breach, malware, and phish data; matches to your identities; flags high-risk records (e.g., plaintext credentials, session cookies). **2) Decide** — enrich & prioritize Forward to SIEM/SOAR with context (source, severity, artifact type), correlate with local telemetry, and pick the action path. **3) Act** — remediate policy-driven Reset password, force re-auth, revoke sessions/tokens, disable account, notify user—via IdP/SOAR integrations. **4) Prove** — measure & report Use the Enterprise Protection dashboard to track time-to-remediate, volume of exposures, and trends over time. * * * 🏁 Get started [](https://docs.spycloud.com/public-sc/docs/introduction-2#-get-started) ------------------------------------------------------------------------------------------- 1. **Identify** your primary identity systems (IdP) and telemetry sink (SIEM). 2. **Connect** Enterprise Protection APIs; enable the Microsoft Sentinel content if applicable. 3. **Automate** resets & revocations for high-confidence events; notify users for lower-risk finds. 4. **Measure** time-to-remediate and drive it down using the dashboard. Updated 5 months ago * * * Ask AI --- # Supply Chain Fundamentals ![](https://files.readme.io/c9ee9d7bd0c08a33d04f7e13e986f2cc8ef63061a00128c79b5fd8929c718dd2-Screenshot_2026-01-13_at_11.56.50_AM.png) Recent Identity Exposure Events: See specific malware families, breach sources, and phishing campaigns with number of impacted employees Understanding the data [](https://docs.spycloud.com/public-sc/docs/how-supply-chain-data-works#understanding-the-data) -------------------------------------------------------------------------------------------------------------------------- ### How records are associated with a company [](https://docs.spycloud.com/public-sc/docs/how-supply-chain-data-works#how-records-are-associated-with-a-company) A record is associated with a company using the record’s **`domain`** attribute. Any record whose `domain` matches one of the company’s **monitored domains** is associated with that company. #### Domain derivation (email → domain) [](https://docs.spycloud.com/public-sc/docs/how-supply-chain-data-works#domain-derivation-email--domain) Frequently, the domain is derived from the **email address domain** on the record. **Example** `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` has an email domain of `sub.domain.com` and can be associated with companies that own `domain.com`. #### Special case: domainless malware + `infected_machine_id` [](https://docs.spycloud.com/public-sc/docs/how-supply-chain-data-works#special-case-domainless-malware--infected_machine_id) **Top Compromised Applications** can also associate some **domainless malware** records to a company indirectly: if a domainless record shares an **`infected_machine_id`** with a record that _does_ have a domain, it may be counted for that company (details below). * * * ![](https://files.readme.io/151e968369bcaa8dd1d9126220107dc66349f86152f4c3e6ec35ecf9954f7b33-Screenshot_2026-01-13_at_11.58.24_AM.png) ### How date ranges work in Supply Chain [](https://docs.spycloud.com/public-sc/docs/how-supply-chain-data-works#how-date-ranges-work-in-supply-chain) The company view includes a **global date range filter**. These ranges contain the most recent days **with complete data (no gaps)** and apply as a filter to many Supply Chain components. | Supported date range | Definition | | --- | --- | | **Last 7 Days** | 7 most recent days with complete data | | **Last 30 Days** | 30 most recent days with complete data | | **Last 3 Months** | 90 most recent days with complete data | | **Last 6 Months** | 180 most recent days with complete data | | **Last 12 Months** | 365 most recent days with complete data | | **All Time** | All days with complete data | Updated 13 days ago * * * Ask AI --- # Supply Chain Threat Protection ![](https://files.readme.io/fda80d7c9a7ac6d1196dc192e5e1d465bf7890c4c3b10d8df3502e9766c45421-FORGEMAX.pdf.png) Monitor identity exposure across your supply-chain in one view, and drill in to analyze malware, phishing, breach, and credential exposure trends over time to reveal where identity threats are increasing, and why. Overview [](https://docs.spycloud.com/public-sc/docs/supply-chain-threat-protection#overview) ------------------------------------------------------------------------------------------------- SpyCloud Supply Chain Threat Protection expands identity threat protection across your extended workforce – vendors, contractors, and partners. Instead of relying on surface indicators and static scores, it provides timely access to verified identity threats derived from recaptured breach, malware, phished, and combolist data, enabling teams to act on evidence. The solution continuously analyzes vendor exposure through an **Identity Threat Index** that quantifies risk using recency, volume, credibility, and severity so you can prioritize response, engage vendors with proof, and reduce downstream risk. Benefits at a glance [](https://docs.spycloud.com/public-sc/docs/supply-chain-threat-protection#benefits-at-a-glance) ------------------------------------------------------------------------------------------------------------------------- Expose Active Threats Detect identity exposures from malware, phish, and breaches tied to your suppliers – evidence criminals can use right now. Protect the Extended Perimeter Apply continuous exposure monitoring to your supply chain, just like you do for your internal workforce and endpoints. Replace Guesswork with Evidence Understand source type and frequency of compromise across vendors, with current and historical context. Catch Incidents Before They Cascade See exposures early – when identity data first appears in criminal markets – to prevent unauthorized access and follow-on attacks. Turn Vendors into Partners Collaborate using hard evidence to drive stronger security practices and smarter risk decisions across your ecosystem. * * * How it works [](https://docs.spycloud.com/public-sc/docs/supply-chain-threat-protection#how-it-works) --------------------------------------------------------------------------------------------------------- 1. **Add vendors and start monitoring** Add up to 1,000 vendors by domain and subdomain. SpyCloud recaptures and enriches data continuously, calculating a dynamic Identity Threat Index for each vendor. 2. **Detect exposures as they surface** See current index scores and the latest exposures by source type, with 12-month exposure trends. 3. **Understand what’s driving the risk** Review exposure events, numbers of affected employees, and consult the Source Catalog for data source details. 4. **Track vendor security over time** Measure improvements or degradation based on exposure frequency, recency, and severity. 5. **Investigate exposures that matter**\* Initiate investigations on vendor assets (domain, machine ID, subdomain) directly from the SpyCloud console to assess potential business impact. _Requires [SpyCloud Investigations license](https://docs.spycloud.com/public-sc/docs/investigations-console) ._ * * * Key capabilities [](https://docs.spycloud.com/public-sc/docs/supply-chain-threat-protection#key-capabilities) ----------------------------------------------------------------------------------------------------------------- ### Flexible Vendor List Management Add, remove, or adjust monitored vendors on-demand to match changing business needs. ### Threat Index Insights Identity Threat Index across four data signals, broken down by source type to track posture changes. ### Recent Exposure Visibility Continuous view of the latest breaches, malware infections, phishing campaigns, and combolists affecting suppliers. ### Detailed Source Information Drill into data sources to identify trends and severity of threats per vendor. ### Credential Hygiene Analysis See prevalence of shared passwords across third-party employees to prioritize outreach. ### Exposed Applications Identify internal and third-party applications exposed on malware-infected supplier devices. Updated 13 days ago * * * Ask AI --- # Threat Index Summaries ![](https://files.readme.io/48cf2c74c3ab33a1179a3d31e50e8d54648e6da92dc945129caa9434e00ea231-Screenshot_2026-01-13_at_12.12.52_PM.png) Detect identity exposures from malware infections, phishing campaigns, and data breaches tied to your suppliers Understanding the Summaries [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#understanding-the-summaries) =============================================================================================================================== Once you understand what the **Threat Index Values** are measuring, the next step is learning how to read the **summary rollups** that explain \_what is driving the values. Summaries provide a structured way to understand: * How employees within a company are being exposed * Which threat types are contributing most to vendor risk * Whether vendor exposure is improving or worsening over time * * * Threat Index Summaries (and how to read them) [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#threat-index-summaries-and-how-to-read-them) ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Exposure summaries provide a **synthesized view of identity exposure** across all sources for a given vendor or supplier. They roll up individual exposure events into **index values and summaries** so you can quickly assess: * Overall identity security posture * Dominant exposure types * Recent activity vs. historical exposure * * * Exposure Source breakdown [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#exposure-source-breakdown) --------------------------------------------------------------------------------------------------------------------------- Summaries are organized by **exposure source type** – showing where a company may be falling short or excelling. Each summary is a 0-100 value, with visual trend indicator if the value changed significantly vs. the previous day. Summary Rollups (what’s driving the score) [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#summary-rollups-whats-driving-the-score) ---------------------------------------------------------------------------------------------------------------------------------------------------------- Supply Chain includes **summary rollups** for each exposure type: * Malware * Breaches * Combolists * Phishes These cards complement the indices by answering: * _What changed?_ * _Why did the score move?_ * _How broad is the exposure?_ * * * Malware Index summary [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#malware-index-summary) ------------------------------------------------------------------------------------------------------------------- | Field | Definition | | --- | --- | | **Index** | 0–100 threat level for the latest completed date of data, based on malware records. | | **Source Total** | Total number of malware sources associated with the company. | | **Most Recent Infection** | Date of the most recent malware record containing an `infected_machine_id`. | | **Infected Devices** | Total number of unique `infected_machine_id` values among malware records. | | **Infected Employees** | Total number of unique email values among malware records. | | **Compromised Applications** | See **Top Compromised Applications** for applications exposed on infected devices. | * * * Breach Index summary [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#breach-index-summary) ----------------------------------------------------------------------------------------------------------------- | Field | Definition | | --- | --- | | **Index** | 0–100 threat level for the latest completed date of data, based on breach records. | | **Source Total** | Total number of breach sources associated with the company. | | **Most Recent Exposure** | Date of the most recent breach record. | | **Exposed Records** | Total breach record count. | | **Exposed Employees** | Total number of unique email values among breach records. | | **Plaintext Passwords** | Total number of breach records containing a plaintext password. | * * * Combolist Index summary [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#combolist-index-summary) ----------------------------------------------------------------------------------------------------------------------- | Field | Definition | | --- | --- | | **Index** | 0–100 threat level for the latest completed date of data, based on combolist records. | | **Source Total** | Total number of combolist sources associated with the company. | | **Most Recent Exposure** | Date of the most recent combolist record. | | **Exposed Records** | Total combolist record count. | | **Exposed Employees** | Total number of unique email values among combolist records. | | **Plaintext Passwords** | Total number of combolist records containing a plaintext password. | * * * Phish Index summary [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#phish-index-summary) --------------------------------------------------------------------------------------------------------------- | Field | Definition | | --- | --- | | **Index** | 0–100 threat level for the latest completed date of data, based on phish records. | | **Source Total** | Total number of phish sources associated with the company. | | **Most Recent Exposure** | Date of the most recent phish record. | | **Phishing Records** | Total phish record count. | | **Phished Employees** | Total number of unique email values among phish records. | | **Plaintext Passwords** | Total number of phish records containing a plaintext password. | * * * How to use this data effectively [](https://docs.spycloud.com/public-sc/docs/how-to-read-scorecards#how-to-use-this-data-effectively) ----------------------------------------------------------------------------------------------------------------------------------------- * **Start with the Identity Threat Index** to assess overall risk * **Review individual indices** to identify which exposure type is driving the score * **Use summary cards** to understand scope, recency, and severity * **Track trends over time** to measure vendor improvement or degradation * **Pair scorecards with investigations** to assess real business impact and required action Updated 13 days ago * * * Ask AI --- # Identity Threat Index ![](https://files.readme.io/6efde9d77a7eddf5c83f5b563f5a6f816ba3414832a53583ff1a4d6a2870e326-Screenshot_2026-01-13_at_12.02.57_PM.png) At-a-glance Identity Threat Index helps you instantly identify which vendors pose the greatest risk to your organization based on a composite of darknet data signals Identity threat index decoded [](https://docs.spycloud.com/public-sc/docs/understanding-identity-threat-index-values#identity-threat-index-decoded) ------------------------------------------------------------------------------------------------------------------------------------------------------- These signals are weighted by volume, source credibility, recency, and severity – helping you prioritize threats with meaningful context. View current risk at a glance, or segment by exposure type and timeframe to track whether a third party’s security hygiene is improving or degrading over time “How is this company protecting its employees and the company assets?” * The **index values reflect that company’s exposure**, not their customers’. * Example: if a monitored company is named in a public breach but **no employee credentials were exposed**, the Threat Index may **not** change. **Identity Threat Index (overall)** 0–100 score summarizing overall identity exposure for the latest completed date. Malware Index Exposure from infostealer-infected devices (credentials, session cookies/tokens, app data). Breach Index Exposure from confirmed third-party breaches affecting the company’s identities. Phish Index Exposure from credentials and identity data harvested via successful phishing. Combolist Index Exposure from recycled credentials (e.g., ULP lists) seen in criminal markets. * Where shown, a **trend indicator** reflects a significant change vs. the **previous day**. ### How exposure age affects Threat Index values [](https://docs.spycloud.com/public-sc/docs/understanding-identity-threat-index-values#how-exposure-age-affects-threat-index-values) Threat Index values are designed to reflect **meaningful, actionable exposure**, not every historical event equally. While indices evaluate threat activity across the full history of a company’s domains, each exposure type has a practical **effective lifespan**. As exposure ages, its influence on the Threat Index **decays over time**. This is based on a simplifying assumption: **the value of an exposed asset decreases with age**. For example: * A laptop infected with malware today presents immediate risk * That same device is likely to be re-imaged, replaced, or decommissioned over time * As a result, very old malware exposures should not materially influence current threat interpretation Because of this, older exposure activity contributes **less weight** than recent, credible exposure when calculating index values. #### Beginning of time [](https://docs.spycloud.com/public-sc/docs/understanding-identity-threat-index-values#beginning-of-time) For each company or domain, the **“beginning of time”** is defined as the first SpyCloud publish date that includes that domain. Exposure history and decay calculations are evaluated from this point forward. This approach ensures Threat Index values emphasize **current risk signals** while still preserving historical context for trend analysis. ### Using time windows to evaluate improvement [](https://docs.spycloud.com/public-sc/docs/understanding-identity-threat-index-values#using-time-windows-to-evaluate-improvement) To understand whether a company is getting better, focus on **frequency** of events and compare recent windows: ### 12M vs. 30D rate Check if exposure event frequency is trending down in the most recent month. ### QoQ comparison Use quarterly rollups to align with vendor business reviews and SLAs. ### Severity mix Track whether high-severity sources (e.g., malware) are becoming less common. About mixed timeframes The Overview can present mixed timeframes (e.g., index values based on full history while other metrics respect the selected date range). This is expected—indices summarize long-term exposure, while detail widgets can be scoped to a chosen window. Updated 13 days ago * * * Ask AI --- # How It Works & Set Up **SpyCloud VIP Guardian** helps you extend your employee account takeover prevention strategy to key executives' personal accounts, without invading their privacy. Empower your executives to lock criminals out of vulnerable accounts by giving them visibility of their own breach exposure with SpyCloud. * * * ⚙️ How It Works [](https://docs.spycloud.com/public-sc/docs/how-it-works-set-up#%EF%B8%8F-how-it-works) ----------------------------------------------------------------------------------------------------------- 1. Easily deploy to your executives with privileged access with one link that’s unique to your organization. 2. To control access to the service and prevent abuse, employees must register using an email address from a verified domain in your watchlist (ex, [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#49233a24203d210930263c3b2a262439282730672a2624) ). 3. After creating an account, each user can verify and monitor up to 10 personal email addresses for breach exposures. 4. Executives can view their exposure data within the portal and will receive an email alert when one of their email addresses appears in a new data breach. 5. Track how many executives register for the service within your enterprise portal. > Note: For privacy, executives’ personal information (email addresses, passwords, PII, etc) will not be accessible by your organization. ![](https://files.readme.io/86c0c27bc42aeabed6f6aa5fa25ac0a1268ced22a638e975c52e494d2b268ad9-Screenshot_2025-08-25_at_3.07.50_PM.png) * * * 🛠️ Setting Up VIP Guardian [](https://docs.spycloud.com/public-sc/docs/how-it-works-set-up#%EF%B8%8F-setting-up-vip-guardian) ---------------------------------------------------------------------------------------------------------------------------------- To get started with VIP Guardian, you must have this enabled for your account & have administrator access. > Unsure if you have this set up? Reach out to Support. 1. Head into your VIP Guardian Tab by navigating the left-hand Menu ![](https://files.readme.io/e1d6fad10b1d430d10325722f4eb4aa219571e9dba4df059eefd836e2b370920-Screenshot_2025-08-25_at_3.10.09_PM.png) 2. You will see a link that is unique to your Organization, this is your invite link. You can share this with any emails that have been added to your Enroll Whitelist. 3. Adding an email to your Whitelist: > ⚠️ > > It is important to note that the invite link will only work if these emails have been added to your Enroll Whitelist as a security measure. Select 'Add Email' to expand your enroll list. ![](https://files.readme.io/21fcad0607b04be62cfd119fb9b96989608874384a69caf7cc5d0e1108a26626-Screenshot_2025-08-25_at_3.11.58_PM.png) Once you've entered the email address, ensure you save these changes by selecting 'Update Whitelist'. > Made a mistake? just select actions, delete to remove the email from your Organization. 4. Once you've configured your Enroll list, your link will be enabled & your VIP's can register ![](https://files.readme.io/c595b3d681dc06e0db34971dcf92f37c74284fb2a31ce0a8f9655c4be474cfe4-Screenshot_2025-08-25_at_3.12.04_PM.png) 5. To manage your invitations – you can view whether your invites are pending, or accepted in your VIP Enrollment Tab. From here, you can update, delete and manage your invites. ![](https://files.readme.io/848821e618d3d65196945ed5f7ceb4b7682781a1e8bafcc9961a3a765eeb163f-Screenshot_2025-08-25_at_3.12.09_PM.png) * * * 👀 What My VIPs See? [](https://docs.spycloud.com/public-sc/docs/how-it-works-set-up#-what-my-vips-see) ----------------------------------------------------------------------------------------------------------- 1. Once they accept their invitation, they are prompted to set a password ![](https://files.readme.io/a6d5745a0b30bdee28f346e9e94124338116c6fad2d559e610b29a1a78468687-Screenshot_2025-08-25_at_3.12.16_PM.png) 2. They will be able to view their breach dashboard for their sign-up email 3. Your VIPs can add their email addresses to monitor & remediate their exposures Updated 5 months ago * * * Ask AI --- # VIP Guardian **SpyCloud VIP Guardian** extends your holistic identity threat protection to include VIPs’ personal accounts for an added layer of protection, without invading their privacy. Give executives and VIPs access to their exposure data and empower them to remediate compromises and prevent targeted identity-based attacks. SpyCloud VIP Guardian is managed in the same SpyCloud Enterprise Protection portal – streamlining security resources and maximizing your organization’s security posture. 💪 Key Benefits [](https://docs.spycloud.com/public-sc/docs/vip-guardian#-key-benefits) ------------------------------------------------------------------------------------------- Prevent Security Incidents Identify and secure exposed personal credentials that could serve as entry points for targeted cyberattacks Enhance Cybersecurity Awareness Provide visibility of personal security posture for VIPs to educate them about identity risks and the importance of strong password security Improve Password Hygiene Guide VIPs how to create and manage strong passwords and eliminate weak or reused passwords from their personal accounts * * * 🌟 Key Capabilities [](https://docs.spycloud.com/public-sc/docs/vip-guardian#-key-capabilities) --------------------------------------------------------------------------------------------------- ### EXPOSURE ALERTS Give VIPs visibility and control of their digital identities when their credentials are exposed in the darknet. ### EXTENDED PROTECTION Extend personal account protection with up to 10 personal email addresses for holistic identity protection for different accounts or family members. ### PRIVACY-FIRST MONITORING Protect VIPs without sacrificing their privacy, where individual logins and exposure alerts are visible only to them, not to employers. ### SECURE SSO PORTAL Access a user-facing portal to view recent exposure activity for monitored accounts. ### DEDICATED CUSTOMER SUPPORT Rely on expert support from specialized teams to help VIPs understand exposures and take the right steps to protect their identities. ### VIP REPORTING Track personal account exposures over time with reports and analytics to identify areas where additional security measures may be needed. > 📄 > > Note: For privacy, VIPs’ personal information (email addresses, passwords, PII, etc) will not be accessible by your organization Updated 5 months ago * * * Ask AI --- # VIP Guardian and SSO If your organization has **Single Sign-On (SSO)** enabled, the workflow for **VIP Guardian** may differ from the standard flow. Since SSO is applied org-wide, this authentication method will also be applied to **VIP Guardian invites** if the invited users have email addresses associated with your organization’s domain. * * * 🧭 Options for Managing Invitations & Users [](https://docs.spycloud.com/public-sc/docs/vip-guardian-and-sso#-options-for-managing-invitations--users) ---------------------------------------------------------------------------------------------------------------------------------------------------------- ### Option 1: Use Organization Email (SSO) [](https://docs.spycloud.com/public-sc/docs/vip-guardian-and-sso#option-1-use-organization-email-sso) For users with email addresses under your organization’s domain (e.g., `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) `), VIP Guardian will automatically enforce SSO. * Ensure the **SpyCloud application** is assigned to them in your SSO provider. * Users will be prompted to authenticate using SSO. * Once assigned, they can seamlessly proceed with the SSO flow. ### Option 2: Use Personal Email [](https://docs.spycloud.com/public-sc/docs/vip-guardian-and-sso#option-2-use-personal-email) If you’d prefer to bypass SSO, users can sign in with a personal email (e.g., Gmail, Outlook). * Add **one personal account per user** during enrollment. * After signing in, users can **add additional emails** themselves. * Be sure to include the personal email in the **enrollment section** before sending the invite link. * * * 🙋 Need Help? [](https://docs.spycloud.com/public-sc/docs/vip-guardian-and-sso#-need-help) ---------------------------------------------------------------------------------------------- If you have any questions or need assistance, please reach out to our **Support Team** using the support form in the SpyCloud Portal or you can email [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#72010702021d00063201020b111e1d07165c111d1f) . Updated 5 months ago * * * Ask AI --- # Crowdstrike Falcon EDR 🛡️ Enterprise Protection for CrowdStrike Falcon (EDR) [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#%EF%B8%8F-enterprise-protection-for-crowdstrike-falcon-edr) ========================================================================================================================================================================================= Malware-infected devices are a launchpad for identity-based threats: **[plaintext credentials, cookies, and tokens](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** can be siphoned from endpoints and abused for ATO, session hijacking, and lateral movement. **SpyCloud + CrowdStrike Falcon** delivers the post-infection identity evidence your SOC needs to find compromised users and **remediate fast** – even when malware **bypasses EDR** or lands on **unmanaged devices**. **Integration page:** [https://spycloud.com/products/integrations/crowdstrike-falcon/](https://spycloud.com/products/integrations/crowdstrike-falcon/) ⚠️ **Requirement** SpyCloud Compass license is required to use this integration with Crowdstrike Falcon EDR. * * * 🚀 What you get [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#-what-you-get) ----------------------------------------------------------------------------------------------------- * **Post-infection visibility**: See **compromised endpoints** and the **identity artifacts** criminals can exploit (credentials, cookies/tokens). * **Detect bypass & blind spots**: Identify **infostealer malware** that evaded EDR or infected **unmanaged devices** outside corporate control. * **Automated containment**: **Isolate** compromised endpoints and block ransomware entry points via Crowdstrike Falcon policies. * **Operational workflows**: Route alerts and cases to **Slack, Jira, email**, or your IR tooling for repeatable remediation. > 💡 > > ### > > Bottom line: reduce **MTTD/MTTR** by acting on reliable identity evidence – not just process or network heuristics. > > [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#bottom-line-reduce-mttdmttr-by-acting-on-reliable-identity-evidence--not-just-process-or-network-heuristics) * * * 🧭 Quick start [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#-quick-start) --------------------------------------------------------------------------------------------------- 1. **Connect SpyCloud** post-infection identity data to Crowdstrike Falcon (via your established ingest/automation method). 2. **Validate detections** by listing compromised endpoints and matched identity artifacts (hostnames, usernames, IPs, timestamps). 3. **Create policies/playbooks** to quarantine endpoints, revoke sessions, and reset exposed credentials. 4. **Automate notifications** (Slack/Jira/email) and ticketing to keep owners and responders aligned. * * * 🔎 Investigate & act on real evidence [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#-investigate--act-on-real-evidence) ------------------------------------------------------------------------------------------------------------------------------------------------ Focus on the **identity signals** that matter most: * **Plaintext or previously exposed credentials** tied to the infected host/user * **Malware-sourced session artifacts**: cookies/tokens enabling account abuse * **Indicators of reuse/variations** attackers can easily guess Use Crowdstrike Falcon to: * 🔍 **Locate impacted endpoints/users** and pivot into host telemetry * 🧩 **Correlate** SpyCloud identity evidence with detections, process trees, and network activity * 🧯 **Contain quickly**: isolate endpoints, expire tokens, reset passwords, and enforce re-auth * * * 🛠️ How it works [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#%EF%B8%8F-how-it-works) --------------------------------------------------------------------------------------------------------------- **1) Detect** – identify malware-infected devices & exposed identities SpyCloud surfaces evidence from malware-infected devices (infostealer logs). This includes plaintext credentials and session artifacts that criminals actively resell and reuse. **2) Enrich** – tie identity artifacts to endpoints/users Match credentials, cookies, and tokens to your users and Falcon-managed hosts to understand blast radius and prioritize. **3) Contain** – isolate & block Use Falcon policies to isolate compromised endpoints and block further data exfiltration or lateral movement. **4) Remediate** – reset & revoke Reset exposed passwords, revoke sessions/tokens, and force re-authentication. Notify users and owners via Slack/Jira/email. ![](https://files.readme.io/cca167b6e64020cbf2787c65fe0f6641f607973ca326a180f537319a073b7482-image2.png) * * * 📊 Validation & reporting [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#-validation--reporting) ------------------------------------------------------------------------------------------------------------------------ * Confirm **compromised endpoint lists** and **identity matches** are populating as expected * Track **containment time**, **reset/revoke counts**, and **endpoint quarantine rate** * Trend **infection sources** and **identity artifact types** (password vs. cookie/token) > Tip: Pair Crowdstrike Falcon’s response telemetry with SpyCloud’s identity evidence for clear “before/after” reporting. * * * 🔗 Resources [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#-resources) ----------------------------------------------------------------------------------------------- * Integration page: [https://spycloud.com/products/integrations/crowdstrike-falcon/](https://spycloud.com/products/integrations/crowdstrike-falcon/) * Demo video: [https://spycloud.com/products/integrations/crowdstrike-falcon/?wvideo=ta2xioxzov](https://spycloud.com/products/integrations/crowdstrike-falcon/?wvideo=ta2xioxzov) * * * ✅ Expected outcomes [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#-expected-outcomes) -------------------------------------------------------------------------------------------------------------- * **Faster containment** of malware-infected devices and identity abuse * **Fewer blind spots** (catch infections that **bypass EDR** or occur on **unmanaged** hosts) * **Reduced exposure window** for workforce identities; measurable **MTTD/MTTR** improvements 📸 Image placement map (exact slots) * * * ▶️ Demo [](https://docs.spycloud.com/public-sc/docs/crowdstrike-falcon-edr#%EF%B8%8F-demo) ---------------------------------------------------------------------------------------------- Updated 12 days ago * * * Ask AI --- # Introduction 🏁 SpyCloud Integrations [](https://docs.spycloud.com/public-sc/docs/introduction-3#-spycloud-integrations) =============================================================================================================== SpyCloud operationalizes **recaptured darknet exposure [data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** – including identities from **breaches**, **malware-infected devices**, and **successful phishing** – across the tools you already run. > You can either: > > 1. **Send SpyCloud data** directly to the tool of your choice > 2. Use **_[SpyCloud Connect](https://spycloud-external.readme.io/public-sc/docs/spycloud-connect#/) > _**, our **hosted automation service** we build, maintain, and support for you. * * * 🚀 What integrations enable [](https://docs.spycloud.com/public-sc/docs/introduction-3#-what-integrations-enable) --------------------------------------------------------------------------------------------------------------------- * **Faster detection & response** – Shrink the exposure window with high-fidelity, identity-centric signals. * **Consistent playbooks** – Reset credentials, revoke sessions/tokens, force re-auth, disable accounts. * **Less toil** – Triage by **[source](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** (breach / malware / phished), **[severity](https://spycloud-external.readme.io/public-sc/docs/severity-score-source-types-metadata#/) **, and **artifact type** (passwords, cookies, tokens). * **Proof** – Dashboards & exports to track time-to-respond and remediation throughput. * * * 🧩 Popular integration categories [](https://docs.spycloud.com/public-sc/docs/introduction-3#-popular-integration-categories) --------------------------------------------------------------------------------------------------------------------------------- ### SIEM Ingest, search, trend, and alert on SpyCloud exposures. * Elastic Security * Splunk * Microsoft Sentinel ### SOAR Automate resets, revocations, notifications, and casework. * Tines * Palo Alto Cortex XSOAR ### EDR / EPP Contain compromised endpoints and accelerate IR. * CrowdStrike Falcon * Microsoft Defender for Endpoint ### Identity / IAM Automate identity remediation in your directory. * Okta Workforce Guardian * Entra ID Guardian ### ITSM & Chat Notify users/owners and track remediation. * Jira (ITSM) * Slack * Email ### Data & Analytics Warehouse or lakehouse your identity telemetry. * Snowflake * Databricks * BigQuery ### APIs & Webhooks Push or pull exposure data into any stack. * Enterprise Protection APIs * Webhooks * CSV / bulk export ### Hosted Automation We build, run, and support the workflow for you. * SpyCloud Connect * Managed playbooks ### Everything Else Don’t see your tool? We integrate there too. * Request an integration through your CSM or by contacting [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#dcafa9acacb3aea89cafaca5bfb0b3a9b8f2bfb3b1) > ✳️ > > ### > > If a tool isn’t listed, we can still integrate. Your can **send SpyCloud data** into your stack or let **SpyCloud Connect** handle hosted automation for you. > > [](https://docs.spycloud.com/public-sc/docs/introduction-3#if-a-tool-isnt-listed-we-can-still-integrate-your-can-send-spycloud-data-into-your-stack-or-let-spycloud-connect-handle-hosted-automation-for-you) * * * 🛠️ Two ways to integrate [](https://docs.spycloud.com/public-sc/docs/introduction-3#%EF%B8%8F-two-ways-to-integrate) ------------------------------------------------------------------------------------------------------------------------- ### 1) Bring-your-own tools [](https://docs.spycloud.com/public-sc/docs/introduction-3#1-bring-your-own-tools) * **Ingest & enrich** SpyCloud **breach / malware / phished** exposures in your SIEM/EDR/SOAR. * **Detect** high-risk events (plaintext creds, malware-sourced cookies/tokens, phished accounts). * **Automate** policy-driven actions: reset passwords, revoke sessions/tokens, force re-auth, disable accounts, notify users. ### 2) SpyCloud Connect (hosted automation) [](https://docs.spycloud.com/public-sc/docs/introduction-3#2-spycloud-connect-hosted-automation) * We **build**, **maintain**, and **support** the automation for you. * **Source-aware** logic (breach vs malware vs phished), **severity gating**, notifications, and reporting included. * You keep control of approvals and outcomes; we handle the plumbing and ops. * * * **Want to brainstorm what an integration would look like with your platform? [Become a SpyCloud Alliance Partner](https://spycloud.com/become-a-partner/) ** * * * 🔎 How the data flows [](https://docs.spycloud.com/public-sc/docs/introduction-3#-how-the-data-flows) --------------------------------------------------------------------------------------------------------- **1) Detect** — identity exposures appear SpyCloud continuously recaptures data from **breaches**, **malware-infected devices** (infostealer logs), and **phished credentials**, then matches it to your identities. **2) Decide** — triage by source, severity, artifact Prioritize by _source_ (breach/malware/phished), _severity_ (Critical/High), and _artifact type_ (plaintext passwords, cookies, tokens). **3) Act** — remediate automatically Reset credentials, revoke sessions/tokens, force re-auth, disable accounts, and notify users/owners via your SOAR/IdP/ITSM. **4) Prove** — measure & report Dashboards and exports show exposure trends, time-to-respond, and remediation throughput. * * * 🧭 Getting started [](https://docs.spycloud.com/public-sc/docs/introduction-3#-getting-started) --------------------------------------------------------------------------------------------------- 1. **Pick your path:** BYO tools **or** **SpyCloud Connect** (hosted). 2. **Wire data:** use **APIs/Webhooks/Exports** or an **off-the-shelf connector**. 3. **Enable detections:** focus on **plaintext creds**, **malware-sourced cookies/tokens**, **phished accounts**. 4. **Automate actions:** resets, revocations, re-auth, disable, notifications. 5. **Measure:** track MTTR, exposure counts, and completion rates. * * * 🔐 Security & compliance (quick view) [](https://docs.spycloud.com/public-sc/docs/introduction-3#-security--compliance-quick-view) -------------------------------------------------------------------------------------------------------------------------------------- * **Credential handling:** API keys and secrets are encrypted at rest. * **Data minimization:** tune payloads to limit sensitive fields. * **Auditable workflows:** ticketing & exports support IR and compliance reporting. Updated 12 days ago * * * Ask AI --- # Elastic SIEM 🧩 Enterprise Protection for Elastic SIEM [](https://docs.spycloud.com/public-sc/docs/elastic-siem#-enterprise-protection-for-elastic-siem) =============================================================================================================================================== Leverage SpyCloud’s **recaptured darknet [data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** — including exposures from **breaches, malware-infected devices, and successful phishing** — inside **[Elastic Security](https://www.elastic.co/) ** to accelerate detection and remediation of identity-based threats (exposed credentials, infected sessions, risky users). **Integration page:** [https://spycloud.com/products/integrations/elastic-siem/](https://spycloud.com/products/integrations/elastic-siem/) * * * 🚀 What you get (at a glance) [](https://docs.spycloud.com/public-sc/docs/elastic-siem#-what-you-get-at-a-glance) --------------------------------------------------------------------------------------------------------------------- * **Direct ingest** of SpyCloud **breach, malware, and phished** exposure data into **Elastic Security** * **Comprehensive identity exposure visibility** for improved detection & response across all three sources * **Elastic-native alerting & analysis** — respond to SpyCloud records and **push to your [SOAR](https://spycloud-external.readme.io/public-sc/docs/tines-soar#/) ** * **Out-of-the-box dashboards** — confirm ingestion and visualize exposure trends from breach, malware, and phished datasets > 💡 > > ### > > Result: better signal on the _who_ (identity) and the _what_ (credentials, cookies, tokens) drawn from **breach + malware + phished** sources — with faster, automated response paths. > > [](https://docs.spycloud.com/public-sc/docs/elastic-siem#result-better-signal-on-the-who-identity-and-the-what-credentials-cookies-tokens-drawn-from-breach--malware--phished-sources--with-faster-automated-response-paths) * * * 🛠️ How it works [](https://docs.spycloud.com/public-sc/docs/elastic-siem#%EF%B8%8F-how-it-works) ----------------------------------------------------------------------------------------------------- **1) Ingest** — scheduled import of SpyCloud exposure records SpyCloud’s Enterprise Protection for Elastic performs a scheduled ingest of exposure records derived from **breaches**, **malware infections** (infostealer logs), and **phished credentials** into Elastic. Once ingested, you can analyze records, create alerts, and route events for automation (e.g., to SOAR). **2) Analyze** — search & correlate in Elastic Use Elastic queries and visualizations to investigate exposure details, correlate identity artifacts with your telemetry, and identify high-risk users or systems — whether the evidence originated from a **breach**, **malware**, or a **phish**. **3) Alert** — Elastic detections for new/high-risk exposures Configure detections for fresh exposures, **compromised credentials**, **infected sessions** (malware-sourced cookies/tokens), or **phished accounts**. Alerts can drive timely ticketing and IR workflows. **4) Automate** — handoff to SOAR playbooks Push actionable SpyCloud events from Elastic to your SOAR for automated response (e.g., reset credentials, revoke sessions, force re-auth, disable accounts, notify users) — regardless of whether the originating evidence was from a **breach**, **malware**, or a **phish**. * * * 📊 Dashboards & visuals [](https://docs.spycloud.com/public-sc/docs/elastic-siem#-dashboards--visuals) ---------------------------------------------------------------------------------------------------------- Use the packaged dashboard(s) to confirm that data is flowing and to monitor **exposure trends** by source (**breach**, **malware**, **phished**) and by severity over time. Customize visualizations as needed. ![](https://files.readme.io/e88b2b16220399bab14d74515765c7c6e76c39b61bfd76b11c12dfbfb8e72d20-image2.png) * * * 🧭 Get started [](https://docs.spycloud.com/public-sc/docs/elastic-siem#-get-started) ----------------------------------------------------------------------------------------- 1. Visit the **Elastic SIEM integration page** for setup & resources: [https://spycloud.com/products/integrations/elastic-siem/](https://spycloud.com/products/integrations/elastic-siem/) 2. Connect ingest to bring **SpyCloud Enterprise Protection exposure data** (**breach, malware, phished**) into Elastic. 3. Enable or create **detections** for new exposures and high-risk artifacts from any source. 4. Wire **SOAR** handoffs for policy-driven remediation (resets, revocations, notifications). 5. Validate flow using the **dashboard**, then iterate on queries/visuals. > 🎥 > > ### > > Optional: **Watch the Elastic integration demo** > > [](https://docs.spycloud.com/public-sc/docs/elastic-siem#optional-watch-the-elastic-integration-demo) > > [https://spycloud.com/products/integrations/elastic-siem/?wvideo=dnk5u1w6g6](https://spycloud.com/products/integrations/elastic-siem/?wvideo=dnk5u1w6g6) * * * ✅ Outcome [](https://docs.spycloud.com/public-sc/docs/elastic-siem#-outcome) -------------------------------------------------------------------------------- * **Higher-fidelity detection** of identity-based threats from **breach, malware, and phished** exposures inside Elastic * **Faster, automated response** via SOAR handoff (resets, revocations, re-auth, disable) * **Measurable reduction** in exposure window for your workforce identities Updated 12 days ago * * * Ask AI --- # Microsoft Defender for Endpoint 🛡️ Enterprise Protection for Microsoft Defender for Endpoint [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#%EF%B8%8F-enterprise-protection-for-microsoft-defender-for-endpoint) ========================================================================================================================================================================================================= Use SpyCloud’s **post-infection identity evidence** to surface compromised endpoints and the **credentials, cookies, and tokens** criminals can abuse – then **contain and remediate** quickly in Microsoft Defender for Endpoint. **Integrations page**: [https://spycloud.com/products/integrations/microsoft-defender/](https://spycloud.com/products/integrations/microsoft-defender/) > 🔎 > > ### > > **Why this matters:** SpyCloud Labs found **66%** of infostealer-infected devices already had endpoint security installed at compromise – identity artifacts still leaked and can be abused. > > [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#why-this-matters-spycloud-labs-found-66-of-infostealer-infected-devices-already-had-endpoint-security-installed-at-compromise--identity-artifacts-still-leaked-and-can-be-abused) * * * 🚀 Benefits at a glance [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#-benefits-at-a-glance) --------------------------------------------------------------------------------------------------------------------- * **⏱️ Accelerate Response** – Reduce **MTTD/MTTR** by acting earlier in the attack lifecycle. * **🧪 Enhance Detection** – Catch **infostealer malware** that bypasses EDR, including infections on **unmanaged** devices. * **🧯 Prevent Lateral Movement** – **Isolate** compromised endpoints to block ransomware entry points. * * * 🧭 How it works [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#-how-it-works) ----------------------------------------------------------------------------------------------------- **1) Detect** – post-infection identity evidence SpyCloud continuously detects newly recaptured identity records stolen by _infostealer malware_ (e.g., plaintext creds, cookies/tokens) and identifies impacted users/devices. **2) Decide** – policy-driven response Choose actions that fit your playbooks: alert only, or immediately isolate devices, reset/revoke, and notify users/owners. **3) Act** – contain & remediate in MDE Trigger **endpoint isolation**, **live response**, or **script execution** for rapid cleanup and credential/session hygiene. **4) Prove** – measure outcomes Use daily reports and exports to show exposure volume, time-to-contain, and remediation throughput. ![](https://files.readme.io/84fa92838a452c302430d0e4a4b238e3349cb9ec6316be98d44b9c1958bcb87f-Screenshot_2025-08-25_at_9.40.37_PM.png) * * * 🧰 Key capabilities [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#-key-capabilities) ------------------------------------------------------------------------------------------------------------- * **📬 Daily reports** – Lists compromised endpoints + identity data (hostnames, usernames, IPs, infection timestamps). * **🔔 Flexible alerting** – Route alerts to **Slack**, **Jira**, or **email** to fit existing workflows. * **🛡️ Customizable containment** – Automate isolation or require manual review – **your rules**. * **⚙️ Simple setup** – UI-driven configuration with Defender-compatible options. * **🕒 Custom time range** – Search the **last 24 hours** or expand the timeframe as needed. * **💻 Live script execution** – Remotely trigger scripts on Defender-managed devices to accelerate IR. * * * 🛠️ Technical requirements [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#%EF%B8%8F-technical-requirements) ----------------------------------------------------------------------------------------------------------------------------------- * **Microsoft Defender for Endpoint P2** * **API permissions (MDE):** * `Machine.Read.All` – read device information * `Machine.Isolate` – remote endpoint isolation * `Machine.LiveResponse` – live response session actions * `Machine.LiveResponse.Read` – read live response results * **MDE features enabled:** * Device Read Access * Device Isolation * Live Response Actions * Live Response Result Retrieval * **SpyCloud Compass license** + **SpyCloud Enterprise API key** * * * 🧯 Containment & remediation (in practice) [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#-containment--remediation-in-practice) -------------------------------------------------------------------------------------------------------------------------------------------------------- * **Contain**: isolate compromised endpoints from internal resources while keeping Defender cloud access for remediation. * **Remediate**: reset exposed passwords, revoke sessions/tokens, and force re-auth for affected users. * **Notify**: inform users/owners; ticket for auditability. * * * ✅ Expected outcomes [](https://docs.spycloud.com/public-sc/docs/microsoft-defender-edr#-expected-outcomes) -------------------------------------------------------------------------------------------------------------- * **Higher-fidelity detections** of identity-based threats from **infostealer** infections * **Faster containment** and **reduced exposure window** for workforce identities * **Operational proof** of improved time-to-response via reports/exports Updated 12 days ago * * * Ask AI --- # Integration Guide 🛡️ CrowdStrike Falcon (EDR) — Integration Guide [](https://docs.spycloud.com/public-sc/docs/integration-guide#%EF%B8%8F-crowdstrike-falcon-edr--integration-guide) ======================================================================================================================================================================= Use SpyCloud’s post-infection identity evidence to identify **malware-infected devices** and the **credentials/cookies/tokens** attackers can exploit. Pair with **Crowdstrike Falcon** to **isolate endpoints**, **reset/revoke** risky artifacts, and **reduce MTTR**. * * * ✅ Requirements [](https://docs.spycloud.com/public-sc/docs/integration-guide#-requirements) ----------------------------------------------------------------------------------------------- **Licensing & Keys** * **SpyCloud Enterprise Protection** license + **API key** * Request via Support in your SpyCloud Portal, then retrieve at `portal.spycloud.com/api`. * **CrowdStrike Falcon** with **Prevent** (or higher). * Create an **API Client** in Falcon Console → **Support** → **API Clients and Keys**. * Store **Client ID/Secret** securely (the secret is shown **once**). **Minimum Crowdstrike Falcon Scopes** | Permission | Why it’s needed | | --- | --- | | Read: Devices | Read device metadata for correlation | | Read: Device Queries | Search/filter devices by attributes | | **Write: Devices (Host Isolation)** | **Contain/Release** endpoints during response | | Device Control | Execute device actions as required | | Real-Time Response | Optional: memory dump / forensic collection | > 🔒 > > ### > > Apply **least privilege** and review scopes on a regular cadence. > > [](https://docs.spycloud.com/public-sc/docs/integration-guide#apply-least-privilege-and-review-scopes-on-a-regular-cadence) * * * 🔍 Matching Criteria (SpyCloud ↔ Crowdstrike Falcon) [](https://docs.spycloud.com/public-sc/docs/integration-guide#-matching-criteria-spycloud--crowdstrike-falcon) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud correlates Crowdstrike Falcon device/user context to SpyCloud identity/device context using these pairs: | Falcon | SpyCloud | | | --- | --- | --- | | `mac_address` | `mac_address` | | | `serial_number` | `serial_number` | | | `device_id` | `device_id` | `device_name` | | `hostname` | `hostname` | `user_hostname` | | `device_name` | `device_name` | `device_id` | * If **`last_login_user`** indicates an updated **`device_id`**, the new ID is checked. **Confidence** may be marked **low** until corroborated. * * * 📣 Notifications [](https://docs.spycloud.com/public-sc/docs/integration-guide#-notifications) -------------------------------------------------------------------------------------------------- * Email alerts fire when **new matches** are detected. * Sender: **`[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) `** (display name **“SpyCloud Connect”**). * Each alert includes a **CSV attachment** with match details. * * * ⏱️ Search Date Range [](https://docs.spycloud.com/public-sc/docs/integration-guide#%EF%B8%8F-search-date-range) ------------------------------------------------------------------------------------------------------------------- * Default search window: **last 24 hours** of malware/log data tied to managed devices. * You can **expand** the window in the integration settings as needed. * * * 🧰 Optional: Real-Time Response (RTR) [](https://docs.spycloud.com/public-sc/docs/integration-guide#-optional-real-time-response-rtr) ----------------------------------------------------------------------------------------------------------------------------------------- * Initiate a **remote memory dump** from Falcon by providing **Device ID** and a **valid file path** on the endpoint. * You’ll receive an **email** when the dump completes. > ⚠️ > > ### > > Ensure RTR permissions/policies allow the operation and target path. > > [](https://docs.spycloud.com/public-sc/docs/integration-guide#ensure-rtr-permissionspolicies-allow-the-operation-and-target-path) * * * 🚀 Setup [](https://docs.spycloud.com/public-sc/docs/integration-guide#-setup) ---------------------------------------------------------------------------------- 1. **Accept the invitation** * You’ll receive an email from SpyCloud with a **unique code** and **registration link**. * Complete account registration. 2. **Configure Crowdstrike Falcon access** * Provide **Client ID**, **Client Secret**, and **API URL** in the SpyCloud configuration. * Set initial **automation options** (you can tune later). 3. **Verify & operate** * Open the dashboard to **review matches**, **configure actions**, and **manage users/alerts**. * * * 🧭 How It Works [](https://docs.spycloud.com/public-sc/docs/integration-guide#-how-it-works) ------------------------------------------------------------------------------------------------ ### Manual review (24-hour spotlight) [](https://docs.spycloud.com/public-sc/docs/integration-guide#manual-review-24-hour-spotlight) Use the integration view to review **new malware-sourced records** (last 24 hours) matched to your endpoints/users: * Download a **combined report** (SpyCloud + Crowdstrike Falcon fields) * Pull **user/device details** for investigation * **Contain** suspect endpoints (see _Endpoint Containment_ below) * Optionally **perform memory dump** (RTR) ### CSV export (what you’ll typically see) [](https://docs.spycloud.com/public-sc/docs/integration-guide#csv-export-what-youll-typically-see) Common fields (exact columns may vary): * From Falcon: `hostname`, `os_version`, `external_ip`, `mac_address`, `last_seen`, `device_id`, `username` * From SpyCloud/Compass: `log_id`, `infected_machine_id`, `infected_path`, `infected_time`, `user_sys_domain`, `user_hostname`, `user_os` > 💡 > > ### > > Use these to tie **identity artifacts** (passwords, cookies, tokens) to a **specific endpoint/user** and owner. > > [](https://docs.spycloud.com/public-sc/docs/integration-guide#use-these-to-tie-identity-artifacts-passwords-cookies-tokens-to-a-specific-endpointuser-and-owner) * * * 🧯 Endpoint Containment [](https://docs.spycloud.com/public-sc/docs/integration-guide#-endpoint-containment) ---------------------------------------------------------------------------------------------------------------- ### What containment does (Crowdstrike Falcon): [](https://docs.spycloud.com/public-sc/docs/integration-guide#what-containment-does-crowdstrike-falcon) * The device is **isolated** from internal resources to stop spread and data exfil. * It remains connected to **CrowdStrike cloud** for monitoring/remediation. * After remediation, **release** the device from containment (use the corresponding release action for the same API family). ### Automation (recommended) [](https://docs.spycloud.com/public-sc/docs/integration-guide#automation-recommended) * Enable **policy-driven isolation** when SpyCloud flags a **Critical/High** identity artifact (e.g., plaintext password, malware-sourced cookies/tokens). * Email or route a **summary** (e.g., to Slack/Jira) with the case link. ### Manual path (alternative) [](https://docs.spycloud.com/public-sc/docs/integration-guide#manual-path-alternative) * Analysts can **manually isolate** endpoints using the same API call, then track outcome/status in your case/ticket. * * * 🔐 Security Details [](https://docs.spycloud.com/public-sc/docs/integration-guide#-security-details) -------------------------------------------------------------------------------------------------------- * **API credentials** are **encrypted at rest** (AES) and stored in hardened systems. * **Configurable data visibility**: restrict or mask specific fields in event payloads to align with policy. * **Compliance posture**: aligned to SOC 2 Type II and ISO/IEC 27001:2022 domains (security, availability, processing integrity, confidentiality). > ✅ > > Keep credentials rotated and scoped minimally; restrict payload fields to the minimum required for your IR workflow. * * * 🙋 Support [](https://docs.spycloud.com/public-sc/docs/integration-guide#-support) -------------------------------------------------------------------------------------- * Sign in to the **SpyCloud Portal** and use the **Support widget** for configuration help, scope adjustments, and best-practice guidance. * Include: environment (dev/prod), account ID, and a sample event/time window to speed triage. Updated 12 days ago * * * Ask AI --- # Microsoft Sentinel SIEM 🧩 Enterprise Protection for Microsoft Sentinel [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#-enterprise-protection-for-microsoft-sentinel) ====================================================================================================================================================================== Bring SpyCloud’s **recaptured darknet exposure [data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** – from **breaches**, **malware-infected devices**, and **successful phishing** – into **[Microsoft Sentinel](https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-sentinel) ** to speed detection, investigation, and response for identity-based threats (ATO precursors, session hijacking, risky users). **Integration page:** [https://spycloud.com/products/integrations/microsoft-sentinel/](https://spycloud.com/products/integrations/microsoft-sentinel/) * * * 🚀 What you get (at a glance) [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#-what-you-get-at-a-glance) -------------------------------------------------------------------------------------------------------------------------------- * **Direct ingest** of SpyCloud **breach / malware / phished** exposure data into **Microsoft Sentinel** * **Decrease MTTR** with normalized, enriched identity evidence you can search, visualize, and alert on * **Create high-priority incidents** automatically for new exposure events tied to your workforce * **Investigate at scale**: query, pivot, and trend identity exposures across your environment > 💡 > > ### > > Result: clearer signal on _who_ (the exposed user) and _what_ (credentials, cookies, tokens), from **breach + malware + phished** sources – and faster, automated response. > > [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#result-clearer-signal-on-who-the-exposed-user-and-what-credentials-cookies-tokens-from-breach--malware--phished-sources--and-faster-automated-response) * * * 🧭 Quick start [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#-quick-start) ---------------------------------------------------------------------------------------------------- 1. **Connect SpyCloud data** to Microsoft Sentinel (data connector / ingest). 2. **Validate ingestion** with a workbook or basic queries (see _[Dashboards & visuals](https://spycloud-external.readme.io/public-sc/docs/microsoft-sentinel-siem#/-dashboards--visuals) _). 3. **Create analytics rules** for new/high-risk exposures (plaintext credentials, infected sessions, phished accounts). 4. **Automate handoffs** via Logic Apps/Playbooks (reset creds, revoke sessions, force re-auth, notify users). 5. **Track trends** and MTTR with dashboards/KPIs. ![](https://files.readme.io/1c366ee2d761dab2d1fc474b7251191a53f39428e340e300030b44ddfb86bb22-image1.png) * * * 🔎 Investigate & act on real evidence [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#-investigate--act-on-real-evidence) ------------------------------------------------------------------------------------------------------------------------------------------------- Spend time on **actionable alerts** by focusing on the highest-risk signals: * **Plaintext or previously exposed credentials** (and reuse/variations) * **Malware-sourced artifacts** (cookies, tokens) that enable session hijacking * **Phished accounts** requiring immediate reset or re-auth Use Microsoft Sentinel to: * 🔍 **Query SpyCloud exposures** across time windows and identities * 🧩 **Correlate** identity evidence with local telemetry (IdP, EDR, VPN, SaaS) * 📝 **Auto-create incidents** for new breach/malware/phished records tied to your users * 🔁 **Trigger playbooks** to remediate: reset credentials, revoke sessions, disable accounts, notify users/admins * * * 🛠️ How it works (expand) [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#%EF%B8%8F-how-it-works-expand) -------------------------------------------------------------------------------------------------------------------------------- **1) Ingest** — bring SpyCloud exposure data into Sentinel Scheduled ingest of exposure records sourced from **breaches**, **malware infections** (infostealer logs), and **phished credentials** into Microsoft Sentinel. **2) Search & Correlate** — make identity signals operational Run KQL searches to tie SpyCloud identity evidence (credentials, cookies/tokens) to your hosts, SaaS apps, and users; identify high-risk accounts quickly. **3) Detect** — analytics rules for high-impact events Create analytics rules for fresh exposures, plaintext credentials, malware-sourced sessions, and phished accounts. Prioritize by severity and artifact type. **4) Automate** — playbooks & response Use Logic Apps/Playbooks to reset credentials, revoke sessions, force re-auth, disable accounts, and notify end-users/admins from Sentinel incidents. ![](https://files.readme.io/0a9ae8968b21a79c575cd992195240a6097d3225a67c971e9527882b898f4af7-image2.png) * * * 📊 Dashboards & visuals [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#-dashboards--visuals) --------------------------------------------------------------------------------------------------------------------- * Confirm **data ingestion** is healthy (counts by source: **breach**, **malware**, **phished**) * Track **exposure trends** over time; highlight Critical/High * Monitor **remediation throughput** and mean time to response > Tip: Start with a simple “New Exposures by Source & Severity” chart; add “Top Exposed Users” and “Artifacts by Type” (passwords vs. cookies/tokens). * * * ✅ Expected outcomes [](https://docs.spycloud.com/public-sc/docs/microsoft-sentinel-siem#-expected-outcomes) --------------------------------------------------------------------------------------------------------------- * **Higher-fidelity detections** for identity-based threats from **breach / malware / phished** datasets * **Faster, automated response** via playbooks (resets, revocations, re-auth, disable) * **Reduced exposure window** with measurable improvements in MTTR * * * Updated 12 days ago * * * Ask AI --- # Palo Alto Cortex XSOAR 🤖 Enterprise Protection for Cortex XSOAR [](https://docs.spycloud.com/public-sc/docs/palo-alto-cortex-xsoar#-enterprise-protection-for-cortex-xsoar) ========================================================================================================================================================= Use SpyCloud’s **recaptured darknet exposure [data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** – from **breaches**, **malware-infected devices**, and **successful phishing** – to **automate incident response** in **Cortex XSOAR**. Generate and triage incidents, enrich with SpyCloud evidence, and run policy-driven playbooks to reset credentials, revoke sessions, notify users, and more. **[Integration page](https://spycloud.com/products/integrations/cortex-xsoar/) ** **[Cortex XSOAR Marketplace listing](https://cortex.marketplace.pan.dev/marketplace/details/SpyCloudEnterpriseProtection/) ** **[Demo](https://spycloud.com/products/integrations/cortex-xsoar/?wvideo=0f40etzxjj) ** ![](https://files.readme.io/209af0e29301fda8fb097ffb65d57d5d2e15b7d9382e959a4ba176bb6395c3e9-image1.png) * * * 🚀 What you get (at a glance) [](https://docs.spycloud.com/public-sc/docs/palo-alto-cortex-xsoar#-what-you-get-at-a-glance) ------------------------------------------------------------------------------------------------------------------------------- * **Ingest & act on identity exposures** from **breach, malware, and phished** sources * **Pre-built playbooks** to standardize triage and remediation * **High-priority incidents** created automatically for fresh exposure matches * **Enrichment on demand**: call SpyCloud APIs directly from XSOAR tasks to pull context > 💡 > > ### > > Result: **lower MTTR** and repeatable response based on _reliable identity evidence_ (plaintext creds, cookies/tokens), not just heuristics. > > [](https://docs.spycloud.com/public-sc/docs/palo-alto-cortex-xsoar#result-lower-mttr-and-repeatable-response-based-on-reliable-identity-evidence-plaintext-creds-cookiestokens-not-just-heuristics) * * * 🧭 Quick start [](https://docs.spycloud.com/public-sc/docs/palo-alto-cortex-xsoar#-quick-start) --------------------------------------------------------------------------------------------------- 1. **Install** the SpyCloud Enterprise Protection integration from **Cortex Marketplace**. 2. **Configure** your [SpyCloud API](https://spycloud-external.readme.io/public-sc/docs/api-guidelines#/) key (with access to breach, malware, and phished datasets). 3. **Import or clone** the **starter playbooks** and set inputs (severity thresholds, notification channels). 4. **Test** with a sample exposure record to validate incident creation + enrichment. 5. **Go live** and monitor incident volume, response times, and completion rates. ![](https://files.readme.io/c1936ee13dc8d64592371cd46305d1eb363db9d40bf1a104c1c4418d6c291cf5-image3.png) * * * 🧱 Playbooks & tasks (customize as needed) [](https://docs.spycloud.com/public-sc/docs/palo-alto-cortex-xsoar#-playbooks--tasks-customize-as-needed) -------------------------------------------------------------------------------------------------------------------------------------------------------- * **Source-aware triage** — branch logic for **breach** vs **malware** vs **phished** * **Artifact-aware actions** — different steps for **plaintext credentials** vs **cookies/tokens** * **Remediate** — reset credentials, revoke sessions, force re-auth, disable accounts * **Notify & document** — Slack/email to users & owners, attach evidence, close with disposition * **Escalate** — queue edge cases to a human (e.g., executives, privileged accounts, repeat offenders) ![](https://files.readme.io/9c89bf68024999f279390714b01692e7ec313f55139bf6e9e5e8ca06e65feccb-image5.png) * * * 🛠️ How it works (expand) [](https://docs.spycloud.com/public-sc/docs/palo-alto-cortex-xsoar#%EF%B8%8F-how-it-works-expand) ------------------------------------------------------------------------------------------------------------------------------- **1) Ingest** — create incidents from SpyCloud exposure data Scheduled jobs pull SpyCloud exposure records from **breach**, **malware** (infostealer logs), and **phished** sources. New matches raise incidents with context (user, artifact type, severity, timestamps). **2) Enrich** — pull more context via SpyCloud API Tasks call SpyCloud API to fetch additional evidence (e.g., previous exposures, password reuse indicators, cookie/token presence) and attach it to the incident. **3) Decide** — route by source, severity, role Playbook branches on _source_ (breach/malware/phished), _severity_ (Critical/High), and _user role_ (VIP/admin) to choose the appropriate actions and notifications. **4) Act** — automate the fix Reset passwords, revoke sessions/tokens, enforce re-auth, disable accounts, and notify affected users/owners. ![](https://files.readme.io/b05212269c83cdfcaa6e226bd9b9acf957930692596feb6eeed1856ae2834156-image2.png) * * * 📊 Validation & reporting [](https://docs.spycloud.com/public-sc/docs/palo-alto-cortex-xsoar#-validation--reporting) ------------------------------------------------------------------------------------------------------------------------ * Confirm **incident creation** for new **breach / malware / phished** matches * Track **time-to-first-action** and overall **MTTR** * Monitor **automation success** (resets, revocations, notifications) * Trend **exposures by source** and **artifact type** (passwords vs cookies/tokens) > Tip: Add a final task to **tag** incidents with source & artifact type for easy reporting. Updated 12 days ago * * * Ask AI --- # Splunk SIEM 🧩 Enterprise Protection for Splunk (SIEM) [](https://docs.spycloud.com/public-sc/docs/splunk-siem#-enterprise-protection-for-splunk-siem) ============================================================================================================================================== Bring SpyCloud’s **recaptured darknet exposure [data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** – from **breaches**, **malware-infected devices**, and **successful phishing** – into **[Splunk](https://www.splunk.com/) ** to accelerate investigation and response for ATO, session hijacking, and ransomware precursors. **Integration page:** [https://spycloud.com/products/integrations/splunk/](https://spycloud.com/products/integrations/splunk/) * * * 🚀 What you get (at a glance) [](https://docs.spycloud.com/public-sc/docs/splunk-siem#-what-you-get-at-a-glance) -------------------------------------------------------------------------------------------------------------------- * **Direct ingest** of SpyCloud **breach / malware / phished** exposure data into **Splunk** * **End-to-end visibility** from identity exposure to actions in your IR workflow * **Actionable alerts** that prioritize **high-severity signals** (e.g., plaintext credentials, malware-sourced cookies/tokens) * **Ticketing & automation handoff** from Splunk to your [SOAR](https://spycloud-external.readme.io/public-sc/docs/tines-soar#/) / ITSM for rapid remediation > 💡 > > ### > > Outcome: better signal on the _who_ (identity) and the _what_ (credentials, cookies, tokens) – with faster, measurable time-to-response. > > [](https://docs.spycloud.com/public-sc/docs/splunk-siem#outcome-better-signal-on-the-who-identity-and-the-what-credentials-cookies-tokens--with-faster-measurable-time-to-response) * * * 🧭 Quick start [](https://docs.spycloud.com/public-sc/docs/splunk-siem#-quick-start) ---------------------------------------------------------------------------------------- 1. **Install / configure** the SpyCloud integration in Splunk. 2. **Connect** your [SpyCloud API](https://spycloud-external.readme.io/public-sc/docs/api-guidelines#/) key to begin ingesting **breach / malware / phished** exposures. 3. **Search & visualize** exposure events; validate ingestion with dashboards. 4. **Create detections** for fresh exposures and high-risk artifacts. 5. **Automate**: trigger SOAR/ITSM flows (reset credentials, revoke sessions, notify users). ![](https://files.readme.io/438803a588023ea1774aeaffe11d889a3582321a3f8eeadeb0cd94929aea252a-image3.png) * * * 🔎 Investigate & act on real evidence [](https://docs.spycloud.com/public-sc/docs/splunk-siem#-investigate--act-on-real-evidence) ------------------------------------------------------------------------------------------------------------------------------------- Spend time on **actionable alerts** by focusing on the highest-risk signals: * Plaintext or previously exposed **credentials** (reuse/variations) * **Malware-sourced artifacts** (cookies, tokens) that enable session hijacking * **Phished accounts** that require immediate resets or re-auth Use Splunk to: * 🔍 **Query SpyCloud exposures** for your domains/time windows * 🧩 **Correlate** with internal telemetry (IdP, EDR, VPN, proxy, HRIS) * 📝 **Auto-generate tickets** for breached/malware/phished records * 🔁 **Reset** fuzzy/variation matches that attackers can easily guess * * * 🛠️ How it works (expand) [](https://docs.spycloud.com/public-sc/docs/splunk-siem#%EF%B8%8F-how-it-works-expand) -------------------------------------------------------------------------------------------------------------------- **1) Ingest** – scheduled import into Splunk Bring SpyCloud exposure records from **breaches**, **malware infections** (infostealer logs), and **phished credentials** into Splunk on a cadence that fits your ops. **2) Search & Correlate** – make identity signals operational Build searches and saved queries that tie SpyCloud identity evidence to your environment (hosts, users, SaaS apps) to isolate high-risk users quickly. **3) Detect** – create detections for high-impact events Trigger alerts for new exposures, plaintext credentials, malware-sourced sessions, and phished accounts. Prioritize by severity and artifact type. **4) Automate** – handoff to SOAR / ITSM From Splunk, push incidents to your SOAR or ITSM to reset credentials, revoke sessions, force re-auth, disable accounts, and notify end-users/admins. ![](https://files.readme.io/6fe7dc685e30e28fb7207c5bf16116387db8104dafea23b75ed0951b081a9e04-image1.png) * * * 📊 Dashboards & validation [](https://docs.spycloud.com/public-sc/docs/splunk-siem#-dashboards--validation) --------------------------------------------------------------------------------------------------------------- Use the provided visuals (or build your own) to: * Confirm **data ingestion** is healthy * Track **exposure trends** over time * Monitor **high-priority threats** and remediation throughput ![](https://files.readme.io/6bc26d786d594f376d1498cbd85d716fee67a25c8c34481b1c54abe481d57831-image2.png) * * * ✅ Results you can expect [](https://docs.spycloud.com/public-sc/docs/splunk-siem#-results-you-can-expect) ------------------------------------------------------------------------------------------------------------- * **Higher-fidelity detections** for identity-based threats sourced from **breach / malware / phished** data * **Faster, automated response** via SOAR/ITSM handoff (resets, revocations, re-auth, disable) * **Reduced exposure window** and clearer evidence paths for IR and compliance Updated 12 days ago * * * Ask AI --- # SpyCloud Connect 🤝 SpyCloud Connect — Hosted Automation [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#-spycloud-connect--hosted-automation) ============================================================================================================================================== Security teams want automation **and** trustworthy data. With **[SpyCloud Connect](https://spycloud.com/products/spycloud-connect/) **, you don’t have to choose: we build **hosted custom workflows** that integrate SpyCloud products with the tools you already use – enabling rapid remediation and scalable automation of compromised identities across your tech stack. > **TL;DR:** Tell us the workflow and destinations, and we’ll **build it, maintain it, and support it** for you. * * * ✅ Benefits at a glance [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#-benefits-at-a-glance) -------------------------------------------------------------------------------------------------------------- * **Custom Workflows** – Define your logic for ingesting and remediating identity exposures. * **Development-free** – SpyCloud sets up native connectors and builds the workflows for you. * **Zero Maintenance** – We maintain & support your workflows so your team can focus on priorities. * **Any Data, Anywhere** – Automate in the tools you already use; scale operations confidently. > SpyCloud can integrate with **any tool** – whether you prefer to **send [SpyCloud data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) > ** into your stack directly, or use **SpyCloud Connect** as a **hosted automation service** we build, maintain, and support for you. * * * 🔧 How it works [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#-how-it-works) ----------------------------------------------------------------------------------------------- SpyCloud Connect pulls data from **[SpyCloud Enterprise Protection](https://spycloud-external.readme.io/public-sc/docs/introduction-2#/) ** via API, applies any required transformations, and delivers it to your destinations via **custom connectors** (e.g., SIEM, ticketing, IAM, EDR/XDR). **1) You choose** – desired workflows & destinations Pick your tools and logic (SIEM, SOAR, TIP, EDR/XDR, IdP/IAM, ticketing, etc.). **2) We build** – low-code custom connectors SpyCloud engineers implement ingestion, transforms, and routing for your use cases. **3) We maintain** – zero-maintenance operations Workflows are supported and kept current as _our data lake and ingestion grow in real time_. **4) You run** – in your tools, on your terms Operate and measure outcomes in your own stack; we handle the plumbing. > You can integrate **any combination** of preferred tools (SIEMs, SOARs, TIPs, EDR/XDR, Identity Providers, Ticketing, etc.) ![](https://files.readme.io/58a393d6856aa53f156a716032fd6ad9c82eafa0b3a1772c7332540d89b5ea8f-spycloud-connect-hero-2025-spycloud-960x1024.webp) * * * 📦 What’s included (the service) [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#-whats-included-the-service) ------------------------------------------------------------------------------------------------------------------------------ * **Build + Support + Maintenance** for your **custom workflow(s)** across teams. * The base SKU includes **one custom workflow** with **up to three integration destinations**. * **Downstream data customization** to: * Enforce **least-privilege** (limit sensitive fields). * **Add descriptive elements** to enrich returns. * **Dynamic updates** as SpyCloud’s data lake and ingestion grow — your workflows stay current. ### Additional customization / edits [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#additional-customization--edits) * Need more? We can add **specific transforms** in our **low-code** environment. * If you **change vendors** later, we’ll **swap the destination at no additional cost**. * * * ⏱️ Delivery cycle [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#%EF%B8%8F-delivery-cycle) ------------------------------------------------------------------------------------------------------------ * **SLA:** up to **90 days** for delivery of a custom automation workflow. * **Typical deployments:** **2–4 weeks**, often aligned with onboarding. * * * 🧠 Compatible products & data sources [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#-compatible-products--data-sources) ------------------------------------------------------------------------------------------------------------------------------------------ * Built to operationalize SpyCloud’s identity evidence from **breaches**, **malware-infected devices**, and **successful phishes** across your stack. * Common pairings include **[Compass (Malware Exposure Remediation)](https://spycloud-external.readme.io/public-sc/docs/compass-malware-remediation#/) ** and **[Employee ATO Prevention](https://spycloud-external.readme.io/public-sc/docs/employee-ato-prevention#/) **. * * * 📚 Customer-favorite workflows [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#-customer-favorite-workflows) ----------------------------------------------------------------------------------------------------------------------------- ![](https://files.readme.io/91145c2569ac577a1fe179bbddc0758546ef561058e9a6f8ec492c0fe0edd1e4-Screenshot_2025-08-25_at_10.06.15_PM.png) > These are examples; Connect will implement **your** workflow, not force you into ours. * * * 🧭 Getting started [](https://docs.spycloud.com/public-sc/docs/spycloud-connect#-getting-started) ----------------------------------------------------------------------------------------------------- 1. **Define** goals, destinations, and policy logic (who/what/when). 2. **Approve** data transformations & least-privilege field sets. 3. **Implement** (SpyCloud builds), **UAT**, then **go live**. 4. **Measure** time-to-respond and remediation throughput; iterate. > Contact your CSM to scope a SpyCloud Connect service engagement for your desired workflows. Updated 12 days ago * * * Ask AI --- # Tines SOAR 🤖 Enterprise Protection + Tines [](https://docs.spycloud.com/public-sc/docs/tines-soar#-enterprise-protection--tines) ========================================================================================================================== Use SpyCloud’s **recaptured darknet exposure [data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) ** – from **breaches**, **malware-infected devices**, and **successful phishing** – to **automate response** with **[Tines](https://www.tines.com/) **. Generate cases, triage by source/severity, and run policy-driven playbooks to reset credentials, revoke sessions, notify users, and more. **Integrations page:** [https://spycloud.com/products/integrations/tines/](https://spycloud.com/products/integrations/tines/) ![](https://files.readme.io/8c2ca0a6076aabeb7249c7a33ab65ef6d0541511fddbfabfa1c0fa976925595b-image3.png) * * * 🚀 What you get (at a glance) [](https://docs.spycloud.com/public-sc/docs/tines-soar#-what-you-get-at-a-glance) ------------------------------------------------------------------------------------------------------------------- * **Ingest SpyCloud exposure records** (breach, malware, phished) into **Tines** * **Pre-built, customizable templates** to jump-start automation * **Granular triage** by source/severity to focus on the highest-risk users first * **Case management**: auto-generate new cases when matching exposure records are detected * **Proactive notifications** (e.g., Slack/email) for high-impact events > 💡 > > ### > > Outcome: Shorter exposure windows and repeatable, low-friction response – straight from Tines. > > [](https://docs.spycloud.com/public-sc/docs/tines-soar#outcome-shorter-exposure-windows-and-repeatable-low-friction-response--straight-from-tines) * * * 🧭 Quick start [](https://docs.spycloud.com/public-sc/docs/tines-soar#-quick-start) --------------------------------------------------------------------------------------- 1. **Choose a SpyCloud template** in Tines to start your Story 2. **Add your [SpyCloud API](https://spycloud-external.readme.io/public-sc/docs/api-guidelines#/) key** to begin ingesting exposure data 3. **Automatically ingest** exposures (breach, malware, phished) tied to employee identities and route to cases/notifications ![](https://files.readme.io/795cc327788ee2f37dd8d5b9566b1e3230f506af56dd286a5931d7301820e9a6-image4.png) * * * 🧱 Templates & Stories [](https://docs.spycloud.com/public-sc/docs/tines-soar#-templates--stories) ------------------------------------------------------------------------------------------------------ Kick off with **SpyCloud starter templates** in Tines and extend as needed: * Create **separate paths** per source (breach vs. malware vs. phished) * Enrich with local context (IdP, HRIS, EDR, IAM) * Branch by **[severity](https://spycloud-external.readme.io/public-sc/docs/severity-score-source-types-metadata#/) ** and **artifact type** (plaintext credentials, cookies/tokens, etc.) ![](https://files.readme.io/944683a2333d2fcc728b880bec13e8219433ba31a2582dc1d5cccde420a340ba-image1.png) * * * 🔧 Common use cases [](https://docs.spycloud.com/public-sc/docs/tines-soar#-common-use-cases) ------------------------------------------------------------------------------------------------- * **Tailored response** – Remediate exposed **employee** or **customer** credentials with the specific steps your policy requires * **Granular triage** – Segment **SpyCloud notifications** by _breach_, _malware_, and _phished_ sources; prioritize **Critical/High** first * **Case management** – Detect new SpyCloud exposure records and **auto-create cases** in Tines (only if not already present) * **Proactive notification** – Alert users (Slack/email) when a new exposure is surfaced for their identity * * * 🛠️ How it works (expand to see steps) [](https://docs.spycloud.com/public-sc/docs/tines-soar#%EF%B8%8F-how-it-works-expand-to-see-steps) --------------------------------------------------------------------------------------------------------------------------------------------- **1) Ingest** – bring SpyCloud exposure data into Tines Use the SpyCloud templates to pull exposure records sourced from **breaches**, **malware infections** (infostealer logs), and **phished credentials** into Tines. **2) Triage** – sort by source & severity Route by _exposure source_ (breach/malware/phished), _severity_ (e.g., Critical/High), and _artifact type_ (plaintext password, cookies, tokens) to determine next actions. **3) Act** – run playbooks Automate remediations: reset credentials, revoke sessions, force re-auth, disable accounts, and notify end-users or admins. **4) Prove** – document & measure Create/update cases, track outcomes, and export metrics that show time-to-response and volume of exposures remediated. * * * 📚 Resources [](https://docs.spycloud.com/public-sc/docs/tines-soar#-resources) ----------------------------------------------------------------------------------- * **SpyCloud Enterprise Protection APIs** – use for flexible ingestion & enrichment * **Tines Story Library** – browse/import automation templates [here](https://www.tines.com/library/stories/1189377/?name=process-spycloud-breach-data-and-generate-a-case-in-tines&redirected-from=%2Flibrary%2Ftools%2Fspycloud%2F) * **Contact SpyCloud** – to enable additional datasets or discuss policy/IR playbooks > 🔗 > > ### > > Want to do more with Tines + SpyCloud? See all stories [here](https://www.tines.com/library/tools/spycloud/) > > [](https://docs.spycloud.com/public-sc/docs/tines-soar#want-to-do-more-with-tines--spycloud-see-all-stories-here) * * * ✅ Summary [](https://docs.spycloud.com/public-sc/docs/tines-soar#-summary) ------------------------------------------------------------------------------ * One integration to **ingest & act on breach/malware/phished exposures** * **Templates** to move fast; **Stories** to customize deeply * **Automated, measurable** remediation that shrinks your identity exposure window Updated 12 days ago * * * Ask AI --- # Analyst Credits & Training 💡 What Are Analyst Credits? [](https://docs.spycloud.com/public-sc/docs/analyst-credits#-what-are-analyst-credits) ----------------------------------------------------------------------------------------------------------------------- SpyCloud Analyst Credits give you access to our expert analysts to perform in-depth investigations and research on your behalf. * 🔢 Sold in bundles of **25 credits** * ⏳ Valid for **1 year** from purchase * ⚖️ Minimum of **1 credit per request** * 🧮 **Does not consume** SpyCloud query count * 🕒 Available **Monday–Friday, 8:00 AM – 6:00 PM CT** * * * 🛠️ How It Works [](https://docs.spycloud.com/public-sc/docs/analyst-credits#%EF%B8%8F-how-it-works) -------------------------------------------------------------------------------------------------------- | Step | Timeline | | --- | --- | | RFA Received | Submitted via portal or email | | Acknowledgement | Within 1 business hour | | Analyst Assigned | Within 1 business day | | Results Delivered | Secure delivery upon completion | 📬 Submit your RFA by emailing: **[\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#91f0fff0fde8e2e5bce2e4e1e1fee3e5d1e2e1e8f2fdfee4f5bff2fefc) ** * * * 🧾 What’s Included [](https://docs.spycloud.com/public-sc/docs/analyst-credits#-whats-included) --------------------------------------------------------------------------------------------------- SpyCloud Analysts can support: * 🔍 Formal analysis based on indicators * 👥 Peer review of your team’s findings * 🧠 Custom training and briefings * 🕵️ Identity correlation, credential reuse, malware victim profiling * * * 🎯 Common Selectors [](https://docs.spycloud.com/public-sc/docs/analyst-credits#-common-selectors) ------------------------------------------------------------------------------------------------------ Your RFA can include: * Emails, phone numbers, domains * Hashed or plaintext passwords * Malware-infected machine IDs * SSNs or IDs (hashed) * Social media handles ➕ 200+ additional supported selectors * * * 💳 Credit Usage Guidelines [](https://docs.spycloud.com/public-sc/docs/analyst-credits#-credit-usage-guidelines) -------------------------------------------------------------------------------------------------------------------- * 🔹 **Minimum**: 1 credit per request * ⏱️ If >1 hour of work is required, you’ll receive an estimate before work begins * 📌 Credits are consumed **in full** (no partial credits) * * * 🧠 Analyst Services Examples [](https://docs.spycloud.com/public-sc/docs/analyst-credits#-analyst-services-examples) ------------------------------------------------------------------------------------------------------------------------ | Activity | Description | Est. Credits | | --- | --- | --- | | Email or Password Initial Analysis | Simple attribute pull for ≤50 indicators | 1 | | Identity Correlation / Actor Attribution | Identify all accounts linked to email or phone | 3 | | Actor Profiling | Build a full actor profile from indicators | 7 | | Infected Device & User Identification | Map users to known botnet or malware infections | 5 | | Credential Stuffing Origin Analysis | Tie stuffing attack samples to original breach or infected host | 4 | | Public App Exposure to Malware/Botnets | Identify infected users with access to your apps | 2 | | Malicious Campaign Analysis | Profile of criminal campaign + supporting indicators | 10 | | Actor Infrastructure Analysis | Identify infrastructure referenced in actor artifacts | 5 | | Insider Risk (from Work Email) | Build user exposure profile from work email | 4 | | Insider Risk (from Reused Password) | Actor correlation from a reused password | 4 | | Large Data Pull | Request generating 5K–10K queries | 10 | > 📌 > > ### > > For non-standard requests, we’ll provide a quote before proceeding. > > [](https://docs.spycloud.com/public-sc/docs/analyst-credits#for-non-standard-requests-well-provide-a-quote-before-proceeding) * * * 🎓 Analyst Training Course [](https://docs.spycloud.com/public-sc/docs/analyst-credits#-analyst-training-course) -------------------------------------------------------------------------------------------------------------------- ### Course: **Cybercrime Investigations with SpyCloud** [](https://docs.spycloud.com/public-sc/docs/analyst-credits#course-cybercrime-investigations-with-spycloud) Hands-on, in-person training designed to help your team operationalize SpyCloud data and workflows. #### Topics: [](https://docs.spycloud.com/public-sc/docs/analyst-credits#topics) * Overview of open research + SpyCloud data * Understanding recaptured data & actor behavior * Using Maltego transforms + Jupyter notebooks * Attribution & campaign correlation * Reporting + communicating findings * Q&A + advanced techniques #### Format: [](https://docs.spycloud.com/public-sc/docs/analyst-credits#format) * 🎓 Led by experienced SpyCloud Analysts * 🏫 Held onsite at SpyCloud HQ * 🛠️ Hands-on exercises with SpyCloud tools * ⏳ 2.5-day course, includes lunch + snacks * 💻 Access to Maltego + Jupyter included * 🔐 Available to Investigations customers only * * * 📬 Need Help or Want to Register? [](https://docs.spycloud.com/public-sc/docs/analyst-credits#-need-help-or-want-to-register) --------------------------------------------------------------------------------------------------------------------------------- Contact your SpyCloud Customer Success Manager or email 📧 **[\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#a4c5cac5c8ddd7d089d7d1d4d4cbd6d0e4d7d4ddc7c8cbd1c08ac7cbc9) ** to: * Purchase Analyst Credits * Submit an RFA * Request training availability Updated 6 months ago * * * Ask AI --- # IDLink API 🧨 The Problem [](https://docs.spycloud.com/public-sc/docs/idlink-api#-the-problem) --------------------------------------------------------------------------------------- Analysts often rely on OSINT and surface-level data that **lacks full visibility into a user's identity** — whether that user is a legitimate employee, customer, or criminal actor. This creates blind spots, delayed decisions, and manual investigative churn. Without access to darknet-sourced identity correlation, teams face: * Fragmented selectors and disconnected exposures * Missed attribution opportunities * Extended MTTD/MTTR for identity threats * * * 🚀 IDLink API Overview [](https://docs.spycloud.com/public-sc/docs/idlink-api#-idlink-api-overview) ------------------------------------------------------------------------------------------------------- **SpyCloud's IDLink API** automates the pivoting process — linking emails, usernames, passwords, phone numbers, and more — to build a **holistic identity view** of your subject. > IDLink reduces manual investigation time by aggregating related identity records and **eliminating dead ends and out-of-scope assets**. * * * ⚡ Benefits at a Glance [](https://docs.spycloud.com/public-sc/docs/idlink-api#-benefits-at-a-glance) -------------------------------------------------------------------------------------------------------- ### Automated Identity Correlation Automatically link matching records across multiple selectors to return deep identity coverage from a single query. ### Remove Noise Filters out low-confidence or irrelevant records that waste analyst time. ### Remove Dead Ends Uncover hidden relationships from a single query — no manual pivoting required. * * * 🧠 Understand the Scope of an Identity — Faster [](https://docs.spycloud.com/public-sc/docs/idlink-api#-understand-the-scope-of-an-identity--faster) -------------------------------------------------------------------------------------------------------------------------------------------------------- **IDLink API** returns a full digital footprint for a queried identity (email, username, or phone), including: * Recaptured and linked selectors (social handles, backups, passwords) * Pivotable relationships (up to 4 layers deep) * Filtered, relevance-scored output > All of this happens without returning disjointed or out-of-scope data. * * * 🔄 How IDLink API Works [](https://docs.spycloud.com/public-sc/docs/idlink-api#-how-idlink-api-works) --------------------------------------------------------------------------------------------------------- 1. **Submit a selector** – email, username, or phone number 2. **Specify pivot depth** – IDLink pivots up to 4 layers deep on linked selectors 3. **Receive enriched identity graph** – Only relevant, high-confidence records are returned * * * 📊 Typical Uplift vs Exact Match Queries (as shown on PDF page 2) [](https://docs.spycloud.com/public-sc/docs/idlink-api#-typical-uplift-vs-exact-match-queries-as-shown-on-pdf-page-2) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * **8x more identity records** * **2x more malware records** * **14x more cracked passwords** * **5x more email addresses** > These enhancements reduce blind spots and dramatically expand investigative value. * * * 🔐 Key Capabilities [](https://docs.spycloud.com/public-sc/docs/idlink-api#-key-capabilities) ------------------------------------------------------------------------------------------------- 🧬 Multi-Layered Identity Correlation Link extended identity data points (email, usernames, passwords, phone numbers, social, etc.) to reveal hidden relationships and construct a holistic identity. 🔁 Automated Pivoting Eliminate manual pivot work by automatically connecting matching records across selectors. 📈 Relevance Scoring Returns only high-confidence matches relevant to the subject — reducing false positives and noise. 🔍 Data Enrichment Appends raw data with additional context to support advanced investigations and identity risk profiling. Updated 6 months ago * * * Ask AI --- # Choosing the Right Deployment SpyCloud Investigations helps security and fraud teams uncover identity-based risks using rich, recaptured data from the criminal underground. Whether you’re responding to alerts, investigating threats, or enriching internal data, there’s a deployment method that fits your needs. This guide will help you choose the right way to access SpyCloud Investigations — from quick, manual research to automated, large-scale integrations. Investigations Offerings [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#investigations-offerings) -------------------------------------------------------------------------------------------------------------------------------- * **[Investigations Module](https://spycloud-external.readme.io/public-sc/docs/investigations-console#/) ** * Available in **Pro**, **Core**, and **Lite** editions depending on features and functionality that align to your outcomes. * **[Investigations API](https://spycloud-external.readme.io/public-sc/update/docs/investigations-api#/) ** * **[IDLink API](https://spycloud-external.readme.io/public-sc/update/docs/idlink-api#/) ** * * * Overview of Each Offering [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#overview-of-each-offering) ---------------------------------------------------------------------------------------------------------------------------------- | Offering | Access Type | Query Style | Ideal For | | --- | --- | --- | --- | | Investigations Module | SaaS-based console | Manual via UI | Analysts and quick lookups | | Investigations API | REST-based API | Query-based (JSON) | Automated SIEM/SOAR enrichment | | IDLink API | JSON Graph-spec API | Correlation queries | High-volume identity risk correlation | * * * 🎯 Use Case Match-Up [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#-use-case-match-up) ---------------------------------------------------------------------------------------------------------------------- | **Use Case** | **Recommended Option** | | --- | --- | | Manually investigate an identity | Investigations Module | | Enrich SIEM/SOAR alerts automatically | Investigations API | | Investigate exposure from malware-infected devices | Investigations Module | | Correlate personal and corporate identities | IDLink API | | Review vendor/contractor/employee exposure | IDLink API or Investigations Module | | Upload a list of identities for quick review | Investigations Module | * * * 👥 Who's Using What? [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#-whos-using-what) -------------------------------------------------------------------------------------------------------------------- | **Team** | **Best Fit Deployment** | | --- | --- | | SOC / IR | Investigations Module or Investigations API | | Threat Intelligence | Investigations API or IDLink API | | Security Engineering | Investigations API | | Fraud / Risk | IDLink API | | MSSPs | Investigations Module (analysts) + API (integrations) | * * * 📊 Volume-Based Guidance [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#-volume-based-guidance) ------------------------------------------------------------------------------------------------------------------------------ | **Investigation Volume** | **Recommended Option** | | --- | --- | | Low (manual, <100 queries/week) | Investigations Module | | Medium (~10K queries/week) | Investigations API | | High (10K+ lookups, correlations) | Investigations API or IDLink API | * * * 🔌 Integration Style [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#-integration-style) ---------------------------------------------------------------------------------------------------------------------- | **How You Want to Use It** | **Best Option** | | --- | --- | | No integration — just need quick results | Investigations Module | | Feed exposure data into your SIEM (e.g. Splunk) | Investigations API | | Automate response in SOAR | Investigations API | | Score risk for employees/vendors/customers | IDLink API | | Enrich identities from a CSV — no coding | Investigations Module | * * * 💬 Need Other Options? [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#-need-other-options) ------------------------------------------------------------------------------------------------------------------------- * [**Analyst Credits**](https://spycloud-external.readme.io/public-sc/docs/analyst-credits#/) – Request expert support for targeted investigations * **[Training Classes](https://spycloud-external.readme.io/public-sc/docs/analyst-credits#/-analyst-training-course) ** – Instructor-led courses for operationalizing SpyCloud data * * * 🙋 Need Help Choosing? [](https://docs.spycloud.com/public-sc/docs/choosing-the-right-deployment#-need-help-choosing) ------------------------------------------------------------------------------------------------------------------------- Not sure which deployment is right for your team? We’re here to help. Contact your SpyCloud representative to walk through your: * Use cases * Data volume * Integration preferences * Team structure & find the best fit for your organization. Updated 6 months ago * * * Ask AI --- # FAQs **SpyCloud Investigations** offers powerful tools to uncover identity-related threats through recaptured breach, malware, and underground data. Whether you’re pivoting across datasets or deep-diving into credential exposure, this FAQ answers common questions from analysts, engineers, and security teams using SpyCloud Investigations. * * * SpyCloud Investigations FAQ [](https://docs.spycloud.com/public-sc/docs/faqs-1#spycloud-investigations-faq) --------------------------------------------------------------------------------------------------------------- ❓ What does Severity stand for? Severity is an internal risk scoring metric that reflects the likelihood and potential impact of abuse tied to a record or identity. It factors in breach source, credential type, password reuse, and links to high-risk actors. 📤 How do I export data? In the Investigations module, the entire Investigations dataset can be downloaded via the detailed results page or the graph page. For a customized dataset to download, find the "Export" button in your detailed results view. You can export selected results or entire query sets as CSV or JSON depending on your needs. 📦 Is there a way to run a batch search? Yes, using the API there are several ways to run a batch search. 🦠 How can I identify who is sending the malware? While SpyCloud does not offer real-time attribution of malware operators, you can analyze: * Infostealer logs for clues like operator infrastructure (hostnames, IPs, file hashes). This requires analyst credits to access. * Repeated patterns in campaign metadata. Use ID Link and third-party tools (e.g., VirusTotal, IPQualityScore) to further enrich your findings. 📉 How do I keep my query count down? Use CSV uploads for bulk searches and filter selectors beforehand to reduce noise. You’ll be charged based on your plan and selected features—using targeted selectors helps optimize value. The API offers the ability to batch certain selectors like email. 🍪 Will cookie data appear in Investigations or notebooks? No. Cookie data is accessible through a separate API and is not included in standard Investigations queries through the Investigations module or notebook. If needed, contact your customer success manager for access to session-level or cookie-based data. Cookie session data can also be queried through analyst credits. 🔍 Can I query a license plate, name, or address? Not directly through the Investigations module or API. However, Analyst Credits can be used to support complex lookups involving real-world identity markers, including license plates, names, and addresses, where possible. 📑 Can I get a report from the Investigations module? Yes. You can generate a custom AI Insight Report, offering a narrative summary of findings. 📊 Can I see an ordered list of queries and counts like in Jupyter Notebooks? Not in the Investigations module. For more detailed query logging and history, use the API or Jupyter Notebook environment, where full tracking of executed queries and response counts is available. 🌐 Can I query OSINT tools like IPQualityScore from within the graph? Not directly within the Investigations module. However, you can copy selectors (e.g., IP addresses, domains) and enrich them externally. For automated enrichment, integrate OSINT tools through API or notebook workflows. 💾 Can I create saved investigations in the Investigations module? No. The Investigations module does not currently support saved investigations. 🔗 Can I share investigations with other users? While full collaborative workflows are not supported in the Investigations module, exported reports and datasets (CSV, JSON) can be shared manually with other analysts. Collaboration is best handled through shared tools like notebooks, case management platforms, or secured internal systems. 📁 Can I bulk search asset types in the Investigations module? This type of searching is not supported in the Investigations module. This type of search is supported through the API using a capable integration or through the Jupyter Notebook environment. Updated 6 months ago * * * Ask AI --- # Understanding Data Sources Data Sources Powering SpyCloud Investigations [](https://docs.spycloud.com/public-sc/docs/understanding-data-sources#data-sources-powering-spycloud-investigations) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud’s Investigations solutions are powered by a rich, diverse set of underground and open-source intelligence, enabling deep visibility into cybercriminal activity. Our proprietary collection methods surface compromised data types that extend far beyond traditional breach corpuses – offering investigators the critical context needed to link identities, map threat actor infrastructure, and uncover the full extent of exposure. * * * 📦 Data Sources at a Glance [](https://docs.spycloud.com/public-sc/docs/understanding-data-sources#-data-sources-at-a-glance) --------------------------------------------------------------------------------------------------------------------------------- ### 🔓 Data Breaches A breach occurs when an organization’s user data – like usernames, emails, and passwords – is exposed or stolen, often through vulnerabilities or hacking incidents. This data is later found in public or underground databases. ### 🪫 Infostealers Infostealer malware, like RedLine, infects individual computers and secretly captures sensitive information such as saved passwords, cookies, and autofill data. Unlike breaches which come from a centralized hack, infostealers operate on infected endpoints and steal data directly from unsuspecting victims. Often, victim computers are infected through malicious downloads, such a game cheat or file falsely represented as a software patch. ### 🎣 Phishing Phishing attacks trick users into giving up credentials or personal information by masquerading as trustworthy sources through fake emails or websites. Phished data often leads to credential exposure and unauthorized access. ### 📑 Combolists Combolists are large collections of username and password pairs gathered from multiple breaches and leaks, often consolidated into lists used for credential stuffing and automated account takeover attempts. ### 🧪 Password Cracking SpyCloud internally cracks passwords from breached or stolen data with the assumption that if SpyCloud can crack them, attackers likely can as well. These cracked passwords reveal plaintext credentials, enabling the linkage of accounts across breaches, infostealer infections, phishing incidents, and combolists – uncovering broader exposure and threat patterns. 💡**MORE ON DATA SOURCES** Want to learn more about our data? [Explore our data](https://spycloud-external.readme.io/public-sc/docs/data-types-sources#/) . Updated 6 months ago * * * Ask AI --- # Selector Best Practices SpyCloud Investigations is a flexible, analyst-driven solution. This guide outlines how to effectively use selectors to accelerate workflows, uncover hidden links, and avoid false assumptions when querying SpyCloud’s breach, infostealer, phishing, and combolist datasets. 🔒 Privacy-Protected Selectors These selectors are SHA-1 hashed before ingestion. You may submit them in plaintext — SpyCloud will hash them automatically. * Bank account number * Credit card number * Social Security Number (SSN) * Passport number * National ID * Driver’s license number 👤 Identity Selector Best Practices ### **Email** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#email) Use full email addresses (e.g., `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) `) for targeted identity investigations. ### **Email Username** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#email-username) Search just the portion before `@` (e.g., `jane.doe`) to find reuse across domains. ### **Username** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#username) Run usernames across multiple selectors to detect reuse. > Common usernames may return a large, noisy set. ### **Social Handle** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#social-handle) Uncover cross-platform reuse of handles (e.g., Telegram, Instagram, LinkedIn). ### **Phone Number** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#phone-number) Try multiple formats — with/without country codes. Also test as a password or username. ### **Name** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#name) Use naming patterns (e.g., `jdoe`, `john.doe`) to build likely selectors. For ambiguous identities, request an analyst investigation. 🧠 Investigative Techniques – Moniker Reuse Strategy ### Reused monikers (e.g., `cyberwolf88`) often appear across: [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#reused-monikers-eg-cyberwolf88-often-appear-across) * Email usernames * Forum usernames * Social handles This strategy helps link personas across breach, malware, and surface-level activity. 🌐 Domain Selector Types ### **Domain** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#domain) Query a root domain to see all related activity (users, infections, infrastructure). ### **Email Domain** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#email-domain) Returns only email addresses ending in the domain. ### **Target Domain** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#target-domain) Logs showing users or infected devices interacting with the domain. 🖥️ Infrastructure Selector Types ### **IP Address** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#ip-address) Submit individual IPs or CIDR blocks to explore campaign infrastructure. ### **Infected Machine ID** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#infected-machine-id) Pivot to accounts, passwords, and logs tied to a single infected system. ### **Log ID** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#log-id) SpyCloud-generated log identifier — track recurrence or clusters. 📅 Date Filter Best Practices ### **Date Behavior** [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#date-behavior) All timestamps reflect **SpyCloud’s publish date**, not the original compromise date. **Best Practice**: Use date filters to: * Focus on new intelligence * Correlate with threat reporting or breach timelines * * * Summary [](https://docs.spycloud.com/public-sc/docs/selector-best-practices#summary) ---------------------------------------------------------------------------------------- SpyCloud Investigations gives analysts powerful, flexible tools — and selectors are at the heart of it. To get the most value: * Understand which selectors are hashed * Think like your adversary: humans reuse data across platforms * Use pivots across selector types to uncover connections Need help refining a strategy or resolving ambiguous data? Use [Analyst Credits](https://spycloud-external.readme.io/public-sc/docs/analyst-credits#/) for expert-guided investigations. Updated 6 months ago * * * Ask AI --- # Use Cases **SpyCloud Investigations** is designed to empower a broad range of teams – from security operations to fraud, compliance, and beyond – with access to actionable identity intelligence. The use cases below illustrate how organizations are leveraging **Investigations** to uncover threats, enhance decision-making, and protect their environments from identity-centric risks. While these examples reflect common and emerging applications across industries, they’re just the beginning. The solution's flexibility enables deeper, custom analysis tailored to your workflows, your risks, and your mission. ### 💳 Fraud Detection & Prevention **Need:** Adversaries use stolen credentials and synthetic identities to commit account takeover, payment fraud, or application fraud. **SpyCloud Benefit:** Detects compromised or fake user data early to prevent fraud at login, sign-up, or transaction. **Target Audience:** Fraud, Trust & Safety **Note:** High-priority for financial and e-commerce platforms. ### 🧾 Know Your Customer (KYC) Verification **Need:** Financial institutions must verify customer identity and risk at onboarding and throughout the customer lifecycle. **SpyCloud Benefit:** Enriches identity validation workflows with breach data to detect anomalies, impersonation, and synthetic IDs. **Target Audience:** Fraud, Compliance, Risk **Note:** Supports regulatory compliance and onboarding checks. ### 🧠 Attribution **Need:** Security teams need to unmask actors behind attacks or infrastructure. **SpyCloud Benefit:** Links exposed credentials, usernames, and emails to uncover true identities and behavioral patterns. **Target Audience:** CTI, Security Operations **Note:** Dramatically increase the speed of attribution across different analyst skill levels. ### 🔒 Trust & Safety **Need:** Enterprises must protect their platforms from bots, fake accounts, abuse, and fraud. **SpyCloud Benefit:** Flags bad actors by detecting reused credentials, behavioral indicators, and shared device fingerprints. **Target Audience:** Trust & Safety, Platform Security **Note:** Ideal fit for social, dating, gig, and gaming platforms. ### 🌍 Fraudulent Remote Workforce / Contractor Vetting **Need:** Fraudsters pose as remote IT workers using fake identities, often from sanctioned regions. **SpyCloud Benefit:** Validates worker identities and detects fraud rings using shared credentials, devices, or locations. **Target Audience:** HR, Vendor Risk, Security **Note:** Ideal fit for remote hiring, compliance, and offboarding. ### 🔗 Supply Chain Exposure Monitoring **Need:** Vendors and partners often have privileged access but may be less secure than the enterprise itself. **SpyCloud Benefit:** Identifies exposed credentials or infrastructure tied to third-party providers, enabling proactive partner risk assessments. **Target Audience:** Vendor Risk, CTI, GRC **Note:** Useful in audits, risk scorecards, or onboarding new vendors. ### 🧑‍💼 Internal Threat / Compromised Employee Investigation **Need:** Employees may unknowingly become compromised, reuse credentials, or be targeted by malware. **SpyCloud Benefit:** Enables analysts to investigate suspicious employee behavior or exposure, flagging credentials reused across personal and work accounts. **Target Audience:** Security Operations, HR, Insider Threat **Note:** Valuable for sensitive roles or high-risk departments. (e.g., finance, executives) ### 🏢 Detect Front Companies **Need:** Threat actors use legitimate-looking companies to obfuscate illicit financial flows or cyber operations. **SpyCloud Benefit:** Reveals domain relationships and shared infrastructure used by adversary-controlled companies. **Target Audience:** CTI, AML, Legal **Note:** Ideal fit for nation-state tracking and AML teams. ### 🚫 Sanctions Evasion Monitoring **Need:** Malicious actors attempt to bypass trade or access restrictions using new identities and front companies. **SpyCloud Benefit:** Detects infrastructure, credentials, and personas that connect back to sanctioned groups or countries. **Target Audience:** CTI, Risk, Legal **Note:** Best when used alongside export compliance tools. ### 🧱 Credential Stuffing Source & Protection **Need:** Stolen credentials are used in automated attacks on user accounts. **SpyCloud Benefit:** Detects if your users’ credentials are exposed, identifies likely attack sources, and blocks attack infrastructure. **Target Audience:** Security, Fraud **Note:** Enhances WAF, login protection, and fraud defense. ### 🛰️ Indicator of Compromise (IOC) Collection & Threat Intel Enrichment **Need:** CTI teams need high-fidelity, fresh IOCs for detection, hunting, and intelligence sharing. **SpyCloud Benefit:** Provides breach-derived indicators (emails, IPs, device fingerprints, etc.) for faster investigation. **Target Audience:** CTI **Note:** Integrates with SIEMs and threat intelligence platforms. ### 🧬 Actor Ecosystem & Tooling Discovery **Need:** Actors often operate in groups, share tools, and reuse credentials across campaigns. **SpyCloud Benefit:** Maps relationships between personas, malware infrastructure, and behavior patterns to reveal ecosystems. **Target Audience:** CTI, DFIR **Note:** Supports long-term adversary tracking. ### 🧪 Synthetic Identity Detection **Need:** Fraudsters create fake identities using pieces of real and fabricated information. **SpyCloud Benefit:** Flags inconsistencies and detects reused or recycled identity attributes across breaches. **Target Audience:** Fraud, Risk **Note:** Ideal fit for onboarding, credit fraud, and AML. ### 🔁 Account Reclamation & Recovery **Need:** Users often lose access to accounts hijacked via credential theft. **SpyCloud Benefit:** Helps support teams verify legitimate users by matching historic breach credentials to claimed identity. **Target Audience:** Support, Fraud **Note:** Ideal fit for low-friction identity resolution at helpdesk. ### 📋 Compliance Exposure Investigations **Need:** Breach exposure of regulated data or systems can trigger compliance violations. **SpyCloud Benefit:** Helps identify credential and identity exposures relevant to PCI-DSS, HIPAA, SOX, or FFIEC, aiding investigations and audit reporting. **Target Audience:** GRC, Legal, Risk **Note:** Useful during breach response, risk register updates, or compliance attestations. ### 🧷 Forensic Device Examination **Need:** SpyCloud’s recaptured identity data is rich with credentials, like plaintext passwords, and other assets for login and accessing sensitive networks. **SpyCloud Benefit:** With legal authority, SpyCloud can provide intelligence used to assist forensic examiners with accessing locked devices. **Target Audience:** Organizations with legal authorization **Note:** Useful to access locked devices for forensic examinations. Updated 6 months ago * * * Ask AI --- # Understanding Searching 🧭 Overview [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-overview) ============================================================================================== **SpyCloud Investigations** lets you surface every appearance of an asset across our data lake and pivot seamlessly into deeper analysis. This guide explains how to launch a search, move between Search, Investigate, and Current Investigation, and interpret the result views. * * * 🗂️ Navigation [](https://docs.spycloud.com/public-sc/docs/understanding-searching#%EF%B8%8F-navigation) ------------------------------------------------------------------------------------------------------------ When you first enter Investigations the left nav shows Search. After you run a query the label changes to Investigate and a new item, Current Investigation, appears directly above it. * Search – visible until the first query is submitted. * Investigate – replaces _Search_ and remains available so you can open additional searches at any time. * Current Investigation – automatically selected after each search; stores every tab and filter for that session. **👇NAVIGATION PANEL** ![Navigation Panel](https://files.readme.io/e2bf33e3f5aec8354c16c917c0064df173b1bbe4f47a16ac6bd4a27067c4699e-image1.png) * * * 🧪 Search Modes [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-search-modes) ------------------------------------------------------------------------------------------------------ ### 🧠 IDLink (Core and Pro Licenses Only) [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-idlink-core-and-pro-licenses-only) * Accepts e‑mail, phone, and username inputs. * Lets you broaden or narrow matching by changing _record depth_. * A header banner displays X of Y records added via IDLink. ### 🔬 Standard (Investigate) [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-standard-investigate) * Supports 15+ asset types, including non‑identity assets such as domains. * Additional scope controls: Source ID picker, Record Date, and Severity selector. * * * 🔎 Searching [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-searching) ------------------------------------------------------------------------------------------------ _Prerequisite: you must be assigned an Investigations Lite or Pro seat._ * Choose to search with IDLink to enable holistic visibility including social identity data or start with the standard Investigate tab. * Choose an asset type (e‑mail, domain, phone, username, etc.). * Enter the asset value you want to investigate. * Optionally adjust record depth (IDLink only), date range, severity, or specify a source. * Click Search. **👇 SEARCH PANEL** ![Search Panel](https://files.readme.io/5ebe745308f04a4302aa3f8859e3afaecb9464a4940a65c3b6b3ac57f7290b48-image3.png) * * * ### 🧬 What happens behind the scenes [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-what-happens-behind-the-scenes) * The asset is matched against _records_ — cleaned, de‑duplicated collections derived from breaches, malware logs, and other sources. * Related records are stitched into an investigation so you can see every leaked identity data point in one place. * When IDLink is enabled, additional social data and indirect matches are appended, and the UI flags how many records came from IDLink. * * * 📋 Working with Results [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-working-with-results) ---------------------------------------------------------------------------------------------------------------------- Results appear in Current Investigation with two tabs: | Tab | Description | | --- | --- | | Results | Tables that break down returned assets, show top sub‑domains, list physical addresses, and provide a searchable detail view you can filter and export to CSV. | | Overview | Dashboards that surface commonly cited metrics: most represented assets, source distribution, and record timeline. | **👇RESULTS & OVERVIEW** ![](https://files.readme.io/01c7402cb5c65cee7938ff4a59a2e59ca67383a07391fc931c45c06c77d436aa-image4.png) * * * ### 🔁 Pivoting [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-pivoting) * Select from assets in the _Assets by Record Count_ table to pivot, adding that asset to your query and expanding scope. * Click submit pivot to confirm the pivot you want to add. * Pivot wait times vary by asset count. **👇PIVOT WORKFLOW** ![Pivot Workflow](https://files.readme.io/a9d294c519611411dda7b0646b64baa6eabe0a783e3844a9084fdba9974fab60-image4.png) * * * ### 📊 Detailed Results [](https://docs.spycloud.com/public-sc/docs/understanding-searching#-detailed-results) * Search by data type or specific source * Use the Filter drawer to combine >50 data attributes and exposure types * Export table to CSV. Filters applied in the UI are respected in the export. **👇DETAILED FILTERED RESULTS** ![](https://files.readme.io/e291d155cced644ce2a64ae41066bc5022c59a73d6f7151e6fabb98f87b5df72-image5.png) Updated 6 months ago * * * Ask AI --- # RBAC 🧭 Overview [](https://docs.spycloud.com/public-sc/docs/rbac#-overview) =========================================================================== In SpyCloud’s console, access to user, organization, and license settings is controlled through two built-in roles you can assign to each member of your security team: * **Admin** – intended for Sec-Tool administrators and SOC leads who need to create enterprise users, reset passwords, assign Investigation (INV) seats, and view or update organization configuration. * **Operator** – designed for Tier 1 & 3 analysts who need to investigate data but should not change users, organizations, or licensing. Assigning the appropriate role ensures that every action – from adding an enterprise operator to pausing a user account – is allowed only for the people who need it. The permissions matrix below details exactly what each role can and cannot do. Behind the scenes, every check is enforced by SpyCloud’s fine-grained authorization (FGA) engine, so least-privilege access is applied consistently across the UI and API. > This article lists the SpyCloud roles and their capabilities. For step-by-step instructions on granting a role, see **Assigning and Updating Roles**. * * * 🔧 Assigning and Updating Roles [](https://docs.spycloud.com/public-sc/docs/rbac#-assigning-and-updating-roles) ------------------------------------------------------------------------------------------------------------------- **Prerequisite:** _Must be an Admin_ ### Assign roles while adding new users to your organization [](https://docs.spycloud.com/public-sc/docs/rbac#assign-roles-while-adding-new-users-to-your-organization) From the role dropdown, simply select your role, and it will take effect once you “Add User.” **👇ADD ROLE ON USER CREATION** ![Add Role on User Creation](https://files.readme.io/bc0dfdf53322937e698827672d9136890787974401d443fc32f48ed83f605b3c-image4.png) * * * ### Update roles for existing users from your organization [](https://docs.spycloud.com/public-sc/docs/rbac#update-roles-for-existing-users-from-your-organization) From the users table under Configuration, click the options button on the right-hand side and then select **Edit**. **👇USER OPTIONS MENU** ![User Options Menu](https://files.readme.io/fdd581f1d30a5868fa3c582b646c1731eab198c96f55afaaf514037ff33a9b68-image1.png) From the role dropdown, simply select your role and it will take effect once you “Save Changes.” **👇UPDATE ROLE IN EDIT SECTION** ![Update Role in Edit Screen](https://files.readme.io/f7d86e16b3507b243f944d043f454d3d3c7c6c2b2a99c0904038880ef9ab4d6d-image2.png) Updated 13 days ago * * * Ask AI --- # Introduction SpyCloud Investigations: Deep Visibility Into Identity-Based Threats [](https://docs.spycloud.com/public-sc/docs/introduction-1#spycloud-investigations-deep-visibility-into-identity-based-threats) ======================================================================================================================================================================================================== SpyCloud Investigations provides security analysts and investigation teams with direct access to rich, actionable intelligence from SpyCloud’s vast data collection of breached credentials, infostealer logs, phishing campaigns, cracked passwords, and combolists. Unlike automated detection tools, the Investigations enables in-depth, analyst-driven exploration of complex identity threats. The data is historical, not live – captured from past breaches and malware infections – providing context and holistic attribution that can reveal long-term exposure and patterns of abuse. ### Additional Investigations Support [](https://docs.spycloud.com/public-sc/docs/introduction-1#additional-investigations-support) #### 🔍 Analyst Credits When investigations require deeper expertise or additional support, organizations can leverage Analyst Credits to engage SpyCloud’s expert investigation team for custom research, enrichment, or guidance. [Learn more →](https://spycloud-external.readme.io/public-sc/docs/analyst-credits#/) #### 🔧 Investigations Training For teams looking to build in-house capabilities and design workflows tailored to their environment, Investigations Training is available to accelerate onboarding and help analysts develop repeatable, effective approaches to identity-centric threat investigations. [Learn more →](https://spycloud-external.readme.io/public-sc/docs/analyst-credits#/) * * * Core Benefits of SpyCloud Investigations [](https://docs.spycloud.com/public-sc/docs/introduction-1#core-benefits-of-spycloud-investigations) ------------------------------------------------------------------------------------------------------------------------------------------------- SpyCloud Investigations is designed for analysts who need direct access to raw, correlated data to support their workflows. It provides comprehensive visibility into breach and malware-exfiltrated data, tools for uncovering relationships between identities and infrastructure, and flexible options for integrating that intelligence into existing systems. Whether you're pivoting across data points, mapping threat actor behavior, or triaging indicators, Investigations is built to support hands-on analysis – augmenting manual investigation with context, historical insight, and automation where it helps, not where it gets in the way. IDLink Analytics Powered by IDLink™ analytics, SpyCloud Investigations automatically connects the dots across exposed assets to build holistic digital identities. Analysts can explore these relationships in an interactive graph and pivot across exposures correlated to their environment and supply chain. AI Insights SpyCloud's Investigations Module now features embedded AI Insights – built on decades of SpyCloud's investigative tradecraft and methodologies – to detect insider threats, surface hidden connections, and close investigative gaps, faster than ever. Analyst-Driven Workflows with Automation Support Empowers security analysts who need detailed, hands-on insights. It simplifies complex cases by providing clear, actionable intelligence – helping analysts investigate faster and more efficiently, often reducing research time from days to hours with smart automation assisting, but not replacing, human judgment. Comprehensive Data Access Query and retrieve detailed breach, infostealer, phishing, and combolist data tied to emails, usernames, phone numbers, and IPs, providing a 360° view of exposure. Entity and Infrastructure Linkage Uncover relationships between identities, compromised credentials, malware infrastructure, and threat actor personas to support attribution and ecosystem mapping. Historical Context and Enrichment Access historical breach timelines and contextual metadata to understand how and when exposures occurred and evolved. Time Saving Investigation Efficiency Reduce manual research time from days to hours through intuitive search, AI-generated leads, and pre- correlated intelligence – accelerating the investigation process. Focused Investigation Support Empower SOCs, CTI teams, fraud analysts, trust & safety teams, and DFIR professionals to pivot from detection to deep-dive investigation, correlating data points and validating hypotheses. Flexible API Integration Integrate investigation workflows into existing analyst tools, case management systems, and custom dashboards for seamless operationalization. * * * Why SpyCloud Investigations? [](https://docs.spycloud.com/public-sc/docs/introduction-1#why-spycloud-investigations) ------------------------------------------------------------------------------------------------------------------------ SpyCloud Investigations bridges the gap between automated alerting and hands-on analysis, giving teams the forensic depth to: ### INVESTIGATE Investigate potential insider threats by linking employee credentials with external exposures. ### CONDUCT Conduct attribution on phishing campaigns or malware attacks using tied identities and infrastructure data. ### VALIDATE Validate suspicious accounts during KYC or fraud investigations by cross-referencing breach intelligence. ### SUPPORT Support compliance audits by providing evidence of credential exposures and investigative context. ### LEVERAGE Leverage malware infected machine data to investigate threat actors, gaining insights of actor TTPs, human interests, and behavioral patterns. ### VET Vet candidates for sensitive positions within an organization by utilizing SpyCloud data, mitigating future insider threats to company assets. Updated 5 months ago * * * Ask AI --- # Audit Logging 🧭 Overview [](https://docs.spycloud.com/public-sc/docs/audit-logging#-overview) ==================================================================================== Audit Logging in SpyCloud’s console allows you to **track and review user activity** across your organization. Each provisioned module generates **specific audit events**, providing transparency into who performed _which actions and when_. * * * 🧰 Audit Logging at a Glance [](https://docs.spycloud.com/public-sc/docs/audit-logging#-audit-logging-at-a-glance) ---------------------------------------------------------------------------------------------------------------------- **Prerequisite: Admin Role** **Log Retention:** 12 months (rolling basis). Older logs are purged automatically. * * * 📊 Viewing Audit Logs [](https://docs.spycloud.com/public-sc/docs/audit-logging#-viewing-audit-logs) -------------------------------------------------------------------------------------------------------- 1. Go to **Configuration → Audit Log**. 2. Review the table of recorded user actions. | Field | Description | | --- | --- | | 👤 User | Who performed the action | | ⚙️ Operation | Action performed | | 🧩 Module | Feature or system area | | 🕒 Timestamp | When it happened | Click any row to view **raw event data**, including: * Timestamp * User name & email * Organization * IP address * User agent These details help you perform internal investigations or meet compliance requirements. **👇AUDIT LOGGING TABLE** ![](https://files.readme.io/6039ff0ff001edf3c6a64f0ade0cf17cdcfdd192f00665a275385aa12fe09643-Audit1.png) **👇DETAILED VIEW OF AUDIT LOGS** ![](https://files.readme.io/c3f736ba33c0659a839547985448c37a2cd7a2ccb288fdd050b7e5fbc8d33d93-Audit2.png) 📤 Exporting Logs [](https://docs.spycloud.com/public-sc/docs/audit-logging#-exporting-logs) ------------------------------------------------------------------------------------------------ Use **filters** to narrow down by user, date, or module – then export for compliance or offline analysis. > ⚠️ > > #### > > **Note:** Audit logs are retained for 12 months on a rolling basis. Logs older than 12 months are automatically deleted. > > [](https://docs.spycloud.com/public-sc/docs/audit-logging#note-audit-logs-are-retained-for-12-months-on-a-rolling-basis-logs-older-than-12-months-are-automatically-deleted) * * * 🧠 After Setup [](https://docs.spycloud.com/public-sc/docs/audit-logging#-after-setup) ------------------------------------------------------------------------------------------ Once you’ve reviewed or exported Audit logs: * Filter by user or module to find trends. * Export for compliance or review. * Combine with SIEM tools for advanced correlation. Updated 13 days ago * * * Ask AI --- # Investigations API 💡**LOOKING FOR API REFERENCE?** For more information about the Investigations API [See API reference](https://spycloud-external.readme.io/public-sc/reference/inv-get-records-by-domain) . * * * 🧨 The Problem [](https://docs.spycloud.com/public-sc/docs/investigations-api#-the-problem) ----------------------------------------------------------------------------------------------- Analysts and investigators increasingly recognize how **OSINT** and breached data can strengthen threat investigations. Underground forums and malware logs often contain data about **the attackers themselves** — allowing analysts to de-anonymize those responsible for breaches, fraud, and identity abuse. SpyCloud collects and operationalizes data from: * Breaches * Malware logs * Criminal communities and forums This enables organizations to protect users, unmask adversaries, and **accelerate critical discovery** workflows. * * * 🚀 Product Overview [](https://docs.spycloud.com/public-sc/docs/investigations-api#-product-overview) --------------------------------------------------------------------------------------------------------- **SpyCloud Investigations API** helps investigators piece together digital breadcrumbs to reveal adversary identities, understand behavior, and prevent future abuse. > It accelerates investigations into commercial compromise, online fraud, malware infections, and insider threats. * * * ⚡ Benefits at a Glance [](https://docs.spycloud.com/public-sc/docs/investigations-api#-benefits-at-a-glance) ---------------------------------------------------------------------------------------------------------------- * **Gain Speed & Efficiency** Return deep results from limited selectors (email, IP, password, domain, etc.) * **Correlate Multiple Data Sources** Enrich with internal tools or third-party OSINT (VirusTotal, Whois, Passive DNS) * **Discover the Undiscoverable** Unmask alternate personas, malware infrastructure, and unknown relationships * * * 🎯 Use Cases [](https://docs.spycloud.com/public-sc/docs/investigations-api#-use-cases) ------------------------------------------------------------------------------------------- ### Threat Actor Attribution Uncover hidden identities and links between cybercriminal personas. ### Insider Risk Analysis Investigate employee or contractor exposure using selector correlation. ### Third-Party Exposure Assess breach impact on vendors and partners through domain lookups. ### Financial Crimes Research Track fraud networks using leaked account data and behavioral metadata. * * * 🛠️ How It Works [](https://docs.spycloud.com/public-sc/docs/investigations-api#%EF%B8%8F-how-it-works) ----------------------------------------------------------------------------------------------------------- SpyCloud’s **REST-based API** integrates seamlessly into link analysis tools like: * Maltego * Jupyter Notebooks * Splunk * Vertex * Synapse Analysts can pivot on any selector — username, password, email, IP — and reveal extensive linked data for graph rendering and deep enrichment. * * * Investigative Capabilities [](https://docs.spycloud.com/public-sc/docs/investigations-api#investigative-capabilities) ------------------------------------------------------------------------------------------------------------------------- 📈 High-Volume Data Analysis Run large queries on domains, plaintext passwords, or infection records and return extensive result sets. 🔗 Associating Results Perform pivots and link related entities to identify patterns, clusters, and anomalies. 🔁 Loop & Batch Queries Support for iterative searches with looped/batched selectors for automation and refinement. * * * Key Capabilities [](https://docs.spycloud.com/public-sc/docs/investigations-api#key-capabilities) ----------------------------------------------------------------------------------------------------- 🕵️ Attribute Cybercrime Reveal true identities of adversaries and alternate personas using selector correlation. 📊 Evaluate Threat Actors Profile accounts, logins, and services tied to malicious actors. 🚨 Assess Risk Understand internal and external exposure across users, employees, and third parties. 🧬 Understand Attacks Trace credential stuffing and botnet activity back to source breaches and malware logs. 📡 Investigate Campaigns Map criminal infrastructure, shared malware, and coordinated attack behaviors. * * * 🔌 Integrations [](https://docs.spycloud.com/public-sc/docs/investigations-api#-integrations) ------------------------------------------------------------------------------------------------- #### Maltego 80+ transforms for visual link analysis. #### Jupyter Notebook workflows for enrichment and visualization. #### Splunk Query enrichment and event correlation in log data. #### Vertex / Synapse Storm commands and flexible enrichment in intelligence fusion platforms. Updated 6 months ago * * * Ask AI --- # Investigating Fraud Investigation into `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#investigation-into-iyosandavidgmailcom) =========================================================================================================================================================================================================== Primary Identity [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#primary-identity) ------------------------------------------------------------------------------------------------------ * **Email**: `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` * Found on **infected host** (Redline Stealer) * Machine geo-located in **Nigeria** * Reused across multiple logins; usernames include: `davdvilla`, `@Brkndan50`, `janduvall7` * * * What to Look For [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#what-to-look-for) ------------------------------------------------------------------------------------------------------ ![IMAGE HERE](https://files.readme.io/d72bcd7c35321e47bd6fdd66dae2f2cea2927691a58491b70a48731ec7fb5b0b-image2.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. ### 1\. Multi-State Unemployment Fraud [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#1-multi-state-unemployment-fraud) * Targeted domains include: * `portal.edd.ca.gov` (California) * `beacon.labor.maryland.gov` * `my.my.gov` * `pua.workforcewv.org`, `mobile.connect.myflorida.com`, etc. * Access pattern suggests mass-application across states * Indicators to monitor: * Same IP/device used across multiple state systems * Reused PII data (SSN, DOB, name, etc.) * Unusual claim submission timing or volume ### 2\. Bank and Prepaid Card Access [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#2-bank-and-prepaid-card-access) * Targets: * `bankofamerica.com`, `td-banktrust.com`, `gobank.com` * `secure.bluebird.com` (American Express prepaid) * `firstinterstatebank.com`, `prepaid.bankofamerica.com` * Investigate for: * Account takeovers or new fraudulent account creation * Linking of stolen identities to mule accounts * Shared credentials or device fingerprints ### 3\. Cryptocurrency and Payment Services [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#3-cryptocurrency-and-payment-services) * Accessed: * `login.blockchain.com`, `login.payoneer.com` * Flags: * Potential laundering of stolen funds via crypto * Use of platforms with limited KYC for quick transfers * * * Browsing History = Malicious Intent [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#browsing-history--malicious-intent) ------------------------------------------------------------------------------------------------------------------------------------------- * History shows deliberate access to: * Carding and identity theft forums * Fake document and SSN services * Malware/toolkit panels (e.g., Redline, Raccoon) Strong indication that this is not a passive victim, but an **active participant** in fraud. ![IMAGE HERE](https://files.readme.io/d2cc62990b3d05782d94280bac66af2f703eb689619dd51b52e538bfb166fc3e-image1.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Pivot Opportunities [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#pivot-opportunities) ------------------------------------------------------------------------------------------------------------ * Look for reuse of: * Passwords (e.g., `@Brkndan50`) across services * Emails or aliases across other datasets * Device fingerprints, session cookies, or browser artifacts * GeoIP matches to Nigerian IPs across fraud attempts * Cross-reference banking or crypto logins tied to exposed credentials * * * Summary for Triage [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#summary-for-triage) ---------------------------------------------------------------------------------------------------------- This case shows strong indicators of **organized financial fraud** activity. The infected device in Nigeria, combined with access to identity theft tools, multiple benefit portals, and banking infrastructure, aligns with known tactics of **West African fraud networks**. > 🛑 > > ### > > This user should be prioritized for deeper linkage and infrastructure mapping. > > [](https://docs.spycloud.com/public-sc/docs/investigation-fraud#this-user-should-be-prioritized-for-deeper-linkage-and-infrastructure-mapping) * * * > The examples featured in this guide are drawn from real-world breach data to showcase how SpyCloud AI Insights enhances identity investigations. They are intended to demonstrate product capabilities and reflect common patterns our platform uncovers in compromised identity ecosystems. > > While based on actual breach intelligence, these case studies are provided for illustrative purposes only. SpyCloud does not make determinations about individual intent or behavior, and the inclusion of specific data points does not imply malicious activity. Updated 6 months ago * * * Ask AI --- # Establishing a Real Identity in a Resume Example of a Good Application: Establishing a Real Identity [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#example-of-a-good-application-establishing-a-real-identity) ============================================================================================================================================================================================================ Subject Email: [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#f2939e978a939c968097dc9193889781b2919a9380869780dc9c9786) [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#subject-email-alexandrecazescharternet) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This example demonstrates a **legitimate application** that passes identity verification using **SpyCloud Investigations Module** with AI Insights. The subject’s identity exhibits clear continuity across multiple digital touch points, historical data, and corroborating evidence. 👇 **EXAMPLE RESUME** ![](https://files.readme.io/99d2dc1cf6298a4964958f9475538d30a7f2c036ecadaa1109eb0c82144427a2-image1.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. 👇 **USE IDLINK** ➡️ **START WITH\_"EMAIL"\_ ASSET TYPE** ![](https://files.readme.io/2ef44d4c4d96677ee220abef070088b8a1977f2cfe0bcd306755e162d50b3756-image3.png) * * * IDLink Analysis Summary [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#idlink-analysis-summary) ------------------------------------------------------------------------------------------------------------------------------------- | Attribute | SpyCloud Finding | | --- | --- | | Primary Email | `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` — confirmed in multiple historical breaches | | Employment History | Previous corporate email(s) at `@ebxtech.com` recovered from historical datasets | | LinkedIn Presence | Recovered LinkedIn profile (breached metadata) consistent with resume details | | Phone Number | Validated Canadian number found in credential recovery flows and breach data | | Geolocation | Canada-based IPs (Toronto, Montreal, Vancouver) observed since 2017 | | Breach Timeline | Records tied to this identity date back to at least 2017 | * * * Why This is a Good Identity [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#why-this-is-a-good-identity) --------------------------------------------------------------------------------------------------------------------------------------------- * **Temporal Depth**: Identity shows digital presence over 8+ years ![](https://files.readme.io/386efa19fa8b0e5f96ff7d3a9718f42a6a06467d5fea1811a31083057cf9d814-image4.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * **Data Consistency**: Email, phone, employment, and social metadata all align * **Low Risk Indicators**: No evidence of geo-fraud, mismatches, or obfuscation * **Rich Identity Graph**: Connected emails, aliases, logins, and profiles over time 👍 This profile serves as a **baseline for what a real, traceable identity** should look like during screening workflows. It sharply contrasts with synthetic or manipulated identities that lack historical continuity or corroboration. * * * Example of a Suspicious Application: Potential Synthetic Identity [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#example-of-a-suspicious-application-potential-synthetic-identity) ======================================================================================================================================================================================================================== Subject Email: [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#e78f8e829283928489d6d2d1d7a7808a868e8bc984888a) [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#subject-email-hieuducn1560gmailcom) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ This identity was submitted as part of a resume for a job application. When processed through SpyCloud’s **IDLink with AI Insights**, multiple inconsistencies and risk indicators emerged — suggesting **synthetic identity behavior**. * * * IDLink Analysis Summary [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#idlink-analysis-summary-1) --------------------------------------------------------------------------------------------------------------------------------------- | Attribute | SpyCloud Finding | | --- | --- | | Primary Email | `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` — no long-term history prior to 2023 | | Employment History | No prior corporate emails; no tie to claimed work history | | LinkedIn Presence | No linked or breached LinkedIn data | | Phone Number | Not found in breach or credential recovery flows | | Geolocation | IP data inconsistent with stated location | | Breach Timeline | No breach records associated before 2023 | ![Synthetic Identity Graph](https://files.readme.io/97eeb51f32cac44de37beb4ab41c32f69d65d2ff3aac284ec0bebbbadf2c432f-image2.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Red Flags Identified [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#red-flags-identified) ------------------------------------------------------------------------------------------------------------------------------- * **Lack of History**: No exposure before 2023 — likely a newly created identity * **Missing Digital Footprint**: No supporting social, work, or breach data * **No Phone Confirmation**: Phone number cannot be validated in SpyCloud dataset * **Geo Inconsistency**: Location data doesn’t match claimed residence * **No Cross-Linkage**: Identity graph is sparse or nonexistent * * * Assessment [](https://docs.spycloud.com/public-sc/docs/establishing-real-identity-in-resume#assessment) ----------------------------------------------------------------------------------------------------------- This case demonstrates common traits of synthetic or fraudulent identities: * Minimal digital history * No corroborated employment or profile metadata * Region-hopping or masked geolocation behavior ⚠️ Such identities represent **high risk** and may require deeper investigation, secondary verification, or outright rejection depending on your organization’s risk appetite. * * * > The examples featured in this guide are drawn from real-world breach data to showcase how SpyCloud AI Insights enhances identity investigations. They are intended to demonstrate product capabilities and reflect common patterns our platform uncovers in compromised identity ecosystems. > > While based on actual breach intelligence, these case studies are provided for illustrative purposes only. SpyCloud does not make determinations about individual intent or behavior, and the inclusion of specific data points does not imply malicious activity. Updated 6 months ago * * * Ask AI --- # Validating Identities in Cryptocurrency Exchange Example of a Good Application: Establishing a Real Identity [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#example-of-a-good-application-establishing-a-real-identity) =========================================================================================================================================================================================================== Subject Email: [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#5839343d2039363c2a3d763b39223d2b183b30392a2c3d2a76363d2c) [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#subject-email-alexandrecazescharternet) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This example demonstrates a **legitimate account registration** submitted to a cryptocurrency exchange that passes identity verification using \*\*SpyCloud Investigations Module \*\*Pro License (with IDLink and AI Insights). The subject’s identity exhibits clear continuity across multiple digital touchpoints, historical data, and corroborating evidence. This serves as a benchmark for validating identities as part of **Know Your Customer (KYC)** processes and detecting **synthetic identities**. * * * IDLink Analysis Summary [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#idlink-analysis-summary) ------------------------------------------------------------------------------------------------------------------------------------ | Attribute | SpyCloud Finding | | --- | --- | | Primary Email | `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` — confirmed in multiple historical breaches | | Employment History | Previous corporate email(s) at `@ebxtech.com` recovered from historical datasets | | LinkedIn Presence | Recovered LinkedIn profile (breached metadata) consistent with other data points | | Phone Number | Validated Canadian number found in credential recovery flows and breach data | | Geolocation | Consistent Canada-based IPs (Toronto, Montreal, Vancouver) in logs since 2017 | | Breach Timeline | Records associated with this identity date back at least to 2017 | * * * Why This is a Good Identity [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#why-this-is-a-good-identity) -------------------------------------------------------------------------------------------------------------------------------------------- * **Temporal Depth**: Breach data and activity logs show a long-standing digital presence of over eight years * **Data Consistency**: Email, phone, social, and professional metadata all align * **Low Risk Indicators**: No evidence of inconsistent geolocation, fraudulent patterns, or obfuscation * **Rich Identity Graph**: Emails, aliases, accounts, and online profiles are interconnected over time 👍 This profile serves as a **baseline for what a real, traceable identity should look like** during KYC or account onboarding workflows. It contrasts sharply with synthetic or manipulated identities that lack this level of historical cohesion. ![](https://files.readme.io/01246551c016e74c95bbadd7b90c010e7a12807c7673752a7872c6c692ff8c00-image1.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Example of a Suspicious Application: Potential Synthetic Identity [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#example-of-a-suspicious-application-potential-synthetic-identity) ======================================================================================================================================================================================================================= Subject Email: [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#ea82838f9f8e9f8984dbdfdcdaaa8d878b8386c4898587) [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#subject-email-hieuducn1560gmailcom) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This identity was submitted during the account creation process at a digital asset exchange. When processed through SpyCloud’s **IDLink with AI Insights**, several inconsistencies and risk indicators were identified — typical of **synthetic identity** behavior. This highlights a failure scenario in **KYC validation** workflows. * * * IDLink Analysis Summary [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#idlink-analysis-summary-1) -------------------------------------------------------------------------------------------------------------------------------------- | Attribute | SpyCloud Finding | | --- | --- | | Primary Email | `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` — no long-term historical activity found | | Employment History | No prior corporate emails recovered; no verified work metadata | | LinkedIn Presence | No linked or breached LinkedIn accounts associated with this email | | Phone Number | Not found in breach data or recovery flows; not validated | | Geolocation | IP data linked to regions inconsistent with claimed residence | | Breach Timeline | No breach records tied to this identity prior to 2023 | * * * Red Flags Identified [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#red-flags-identified) ------------------------------------------------------------------------------------------------------------------------------ * **Lack of History**: No breach records prior to 2023 — possibly newly created identity * **Missing Digital Footprint**: No corroborating social media, employment, or credential data * **No Phone Confirmation**: Phone number unlinked to breach or recovery data * **Geolocation Inconsistency**: IPs don’t match claimed location — possible obfuscation * **No Cross-Linkage**: IDLink fails to establish a rich identity graph or network of linked selectors ![](https://files.readme.io/95b9ec9e3e60f0e9ec5e919e8627dee794ddae41977e6f68fced5d92db58ee61-image2.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Assessment [](https://docs.spycloud.com/public-sc/docs/kyc-validating-identities-in-crypto#assessment) ---------------------------------------------------------------------------------------------------------- This case demonstrates several typical red flags for **synthetic identities** or **fraudulent applications**: * Minimal digital history * No corroborated personal or professional data * Region-hopping or obfuscated geolocation behavior ⚠️ Such applications are high-risk for fraud or automated identity generation and warrant deeper investigation, secondary verification, or outright rejection depending on your organization’s KYC requirements and fraud prevention protocols. * * * > The examples featured in this guide are drawn from real-world breach data to showcase how SpyCloud AI Insights enhances identity investigations. They are intended to demonstrate product capabilities and reflect common patterns our platform uncovers in compromised identity ecosystems. > > While based on actual breach intelligence, these case studies are provided for illustrative purposes only. SpyCloud does not make determinations about individual intent or behavior, and the inclusion of specific data points does not imply malicious activity. Updated 6 months ago * * * Ask AI --- # Exploring and Filtering Sources The Source Catalog is interactive – built to help you explore where SpyCloud’s identity data originates and how it evolves over time. Filters and search options make it easy to find the most relevant sources for better understanding any exposures or for accelerating your investigations. Browsing the Data [](https://docs.spycloud.com/public-sc/docs/exploring-and-filtering-data-in-the-source-catalog#browsing-the-data) --------------------------------------------------------------------------------------------------------------------------------------- Switch between: * **Timeline view** – visualize ingestion and publishing trends, with summaries of the most recent ingestions per data type * **Table view** – explore detailed information and metadata within each recaptured record Each row represents a unique data source SpyCloud has published. ![](https://files.readme.io/1e640137dee3d1a00012a1f90b64994d25e006ee4450b9e81a82b411c297ab48-Image3.png) Filtering by Date and Type [](https://docs.spycloud.com/public-sc/docs/exploring-and-filtering-data-in-the-source-catalog#filtering-by-date-and-type) --------------------------------------------------------------------------------------------------------------------------------------------------------- Refine your view using filters: * Timeframe: Choose from preselected ranges like last 7 days, last 90 days, all the way to All Time * Source Type: Malware, Phishing, Breach, Combo List * Keyword: Search by source name, malware family, phishing campaign, or other datapoints **💡 Did you know?** New malware and phishing records appear here shortly after ingestion – one of the fastest ways to see identity exposures SpyCloud has captured. Understanding the Table View [](https://docs.spycloud.com/public-sc/docs/exploring-and-filtering-data-in-the-source-catalog#understanding-the-table-view) ------------------------------------------------------------------------------------------------------------------------------------------------------------- Columns include: * Title / Short Title * Source ID * Published Date * Source Type * Total Records * Total Passwords * And more You can sort, filter, or search any column and customize visible fields. ![](https://files.readme.io/41f920e7bfe3bceee91374bb2bf22446ea81be79a21e5348da73e554f3b3b378-Image4.png) 📘 Learn more: Catalog Field Descriptions * * * What Is a Source ID? [](https://docs.spycloud.com/public-sc/docs/exploring-and-filtering-data-in-the-source-catalog#what-is-a-source-id) -------------------------------------------------------------------------------------------------------------------------------------------- A Source ID is a unique identifier for every dataset SpyCloud processes. It acts as a digital fingerprint connecting SpyCloud’s data across modules. Use Source IDs to: * Cross-reference alerts in Investigations or Enterprise Protection offerings * Trace exposures back to origin sources * * * Example Filter Combinations [](https://docs.spycloud.com/public-sc/docs/exploring-and-filtering-data-in-the-source-catalog#example-filter-combinations) ----------------------------------------------------------------------------------------------------------------------------------------------------------- | Goal | Example Filter Combinations | | --- | --- | | View recent malware infections | Type = Malware; Date = Last 30 days | | Identify large phishing kits | Type = Phishing; Sort by Total Records (descending) | | Check for noteworthy breaches | Type = Breach; Keyword = “NPD” | * * * Next Steps [](https://docs.spycloud.com/public-sc/docs/exploring-and-filtering-data-in-the-source-catalog#next-steps) ------------------------------------------------------------------------------------------------------------------------- After finding an interesting source, click its title to open **Source Details** and explore the exposed assets, metadata, and context. Updated 3 months ago * * * * [Using the Source Catalog](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog) Ask AI --- # Investigating a Hijacking Incident SpyCloud Investigation: Orange.es BGP Hijacking Incident [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#spycloud-investigation-orangees-bgp-hijacking-incident) ================================================================================================================================================================================================= The Situation: Orange.es BGP Hijacking Incident [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#the-situation-orangees-bgp-hijacking-incident) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In January 2024, Orange España, a leading telecommunications provider in Spain, suffered a critical Border Gateway Protocol (BGP) hijacking attack that caused widespread internet connectivity disruptions affecting thousands of customers. The attacker, known by the alias **Snow** (also referenced as **ms\_snow\_0w0**), exploited weak password hygiene to gain unauthorized access to Orange’s RIPE NCC account. This allowed the actor to manipulate BGP routing and RPKI configurations, rerouting traffic and impacting network stability. > This incident highlights vulnerabilities in telecom infrastructure when credential security lapses occur — and underscores the need for strong identity management and proactive threat intelligence. This investigation uses SpyCloud's threat intelligence to trace credential exposure and actor behavior across the following use cases: 🧩 ### Supply Chain Exposure Monitoring 🧑‍💼 ### Internal Threat & Compromised Employee Investigation 📋 ### Compliance Exposure Investigations * * * Step 1: Search for Orange.es Credentials by Email Domain [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#step-1-search-for-orangees-credentials-by-email-domain) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The investigation begins by querying SpyCloud’s breach data for credentials tied to the `@orange.es` domain — identifying potential employee or contractor account compromise. **Key actions:** * Filter for email addresses ending in `@orange.es` * Prioritize credentials with **Severity Level 25** (high confidence of compromise or malware infection) * Analyze passwords and breach source * Document high-severity credentials for response **👇 STARTING WITH DOMAIN SELECTOR** ![](https://files.readme.io/dda3275d068f93993f1b9b91238f057fb6b5972edcf0798aee7a120603fcfc6a-image2.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. **👇 SEE ASSET DETAILS** ![](https://files.readme.io/181f6bb1d3c4a4af45573d86f9276327154ea4cd68bb5ecc24609866b175acae-image6.png) * * * Step 2: Filter for Administrative Accounts [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#step-2-filter-for-administrative-accounts) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- After identifying exposed credentials, the focus shifts to elevated access accounts — particularly those with `"admin"` in the email. **Key actions:** * SpyCloud filter: * **Field**: Email * **Operator**: Contains * **Value**: `admin` * Identify high-risk accounts like `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` (linked to RIPE account access) * Flag for enhanced scrutiny and password resets * Recommend MFA and lockdown procedures **👇ACCOUNT DETAILS** ![](https://files.readme.io/836bfec462f600b0adf2e7983721ad53feed658a622611f56a4577be6e9464e7-image4.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Step 3: Analyze the Infected Machine and User Context [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#step-3-analyze-the-infected-machine-and-user-context) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Investigate the machine tied to `adminripe-ipnt` to determine legitimacy of the session. **Key indicators:** * **Operating System**: Windows 10 Pro (typical for corporate devices) * **IP Address**: Located in Spain; no VPN/proxy * **Visited URL**: `access.ripe.net` — aligns with use of elevated credentials 👍**CONCLUSION** Likely a real employee device that was infected. ![](https://files.readme.io/b6f80c71220e372001d602f729752c88504a509f112018f976965342dbd6074d-image3.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Step 4: Investigate Broader Activity From the Infected Machine [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#step-4-investigate-broader-activity-from-the-infected-machine) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Query the Infected Machine ID: `89f3221e-2138-48c9-bbe2-8f68-806e6f6e6963` **Key findings:** * Credentials from other organizations found on the device: * `@satec-es.com` (contractor email) * `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` * `[[email protected]](https://docs.spycloud.com/cdn-cgi/l/email-protection) ` **Analysis:** * Device likely belongs to a SATEC contractor with elevated access * Reinforces a **supply chain exposure** scenario **Response:** * Forensic review and containment of the device * Notify and coordinate with SATEC and Orange security teams **👇GRAPH VIEW** ![](https://files.readme.io/12f39f4cb992dbc09fdc613a7d57b085798dd2087bc8de4877da691689878eaa-image1.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Step 5: Investigate Password Reuse Across Orange Accounts [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#step-5-investigate-password-reuse-across-orange-accounts) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Credential reuse significantly increases risk in third-party environments. **Key actions:** * Correlate passwords reused across: * `@orange.es` * `@orange.com` * `@satec-es.com` * Detect crossover between contractor and internal users * Flag any reuse across unrelated users or multiple breaches **Concerns:** * Shared credentials between entities * Weak credential hygiene and separation **Remediation:** * Immediate password resets * Enforce credential segmentation between orgs * Notify vendor risk managers **👇 CONCERNS REFLECTED IN RESULTS** ![](https://files.readme.io/96b91097e250b9180bb70d704831b26326804e8173e4dc94e0ef623aabff326c-image5.png) > Example shown for demonstration purposes only. No assumptions should be made about individual behavior or intent. * * * Next Steps [](https://docs.spycloud.com/public-sc/docs/investigating-hijacking-incident#next-steps) ------------------------------------------------------------------------------------------------------- This concludes the first phase of the investigation. ⚠️**RECOMMENDED FOLLOW-UPS** * Map threat actor infrastructure * Extract and share IOCs * Integrate findings into SIEM/SOAR systems for automation * * * > The examples featured in this guide are drawn from real-world breach data to showcase how SpyCloud AI Insights enhances identity investigations. They are intended to demonstrate product capabilities and reflect common patterns our platform uncovers in compromised identity ecosystems. > > While based on actual breach intelligence, these case studies are provided for illustrative purposes only. SpyCloud does not make determinations about individual intent or behavior, and the inclusion of specific data points does not imply malicious activity. Updated 3 months ago * * * Ask AI --- # Using the Source Catalog Using the Source Catalog [](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog#using-the-source-catalog) =========================================================================================================================== The Source Catalog isn’t just informational – it connects directly to how SpyCloud detects, classifies, and contextualizes identity exposures across your products. Viewing a Source [](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog#viewing-a-source) ----------------------------------------------------------------------------------------------------------- Selecting a source name opens its **details page**, showing: * **Source** **ID** and publish date * **Record and device counts** * **Exposure type**(breach, malware, phishing, combo list) * Summary of **identity assets** included ![](https://files.readme.io/9d527867fb47a23ee5fe7bcd145102e3f2e872e188669a458dff2703117410a1-phishing.png) * * * Interpreting Identity Assets [](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog#interpreting-identity-assets) ----------------------------------------------------------------------------------------------------------------------------------- Each source summarizes the \*\*categories of identity assets \*\*contained within. Typical asset types: * Emails, usernames, passwords * IP addresses, device identifiers * Financial and payment data * Personal identifiers (e.g., DOBs, addresses) 💡 **Tip** The broader the asset coverage, the greater the chance criminals can recreate their own attempt of a holistic identity to target identity attacks – key for understanding potential threats * * * Examples of Source Analysis [](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog#examples-of-source-analysis) --------------------------------------------------------------------------------------------------------------------------------- **Malware Source Example** A stealer family may include infected device metadata, OS versions, and hundreds of application credentials. **Phishing Source Example** A phishing kit might expose names, emails, phone numbers, and payment information from active campaigns. ![](https://files.readme.io/7420ac2809a28b448b902bc38bdba4332a205834ce216bc5d4ba0e018d517311-comparison.png) * * * Using Source IDs Across Products [](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog#using-source-ids-across-products) ------------------------------------------------------------------------------------------------------------------------------------------- Source IDs connect the dots between SpyCloud modules: * **Investigations:** Discover where data originated and how it spreads. * **Employee ATO Prevention:** Validate whether employee credentials came from a malware or phishing source. And map compromised records to their source to prioritize remediation. ### How to use Source ID within SpyCloud Investigations [](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog#how-to-use-source-id-within-spycloud-investigations) When starting a new Investigation, you can paste Source ID in the field to focus your search to only recaptured data from this narrowed set. You could investigate a Domain, like “sparefactor.com” to explore records relevant to your domain that were included in the specific Source. ![](https://files.readme.io/e7e60812e02ffee0bf477dfac1a790e6e708b65073d0c04ef970effcaaf91e02-INV_f.png) ### How to use Source ID within SpyCloud Enterprise Protection [](https://docs.spycloud.com/public-sc/docs/using-the-source-catalog#how-to-use-source-id-within-spycloud-enterprise-protection) When exploring a recently malware infected employee, the line item in the table references the name of the source. Clicking this “Detail” loads a view into the source itself to learn more, or copy the Source ID for future investigations. ![](https://files.readme.io/0a398ae8616fa41ff1565b3f42decf39644b561f3a8571fa3d9c4dcc7ca66522-eap_1.png) ![](https://files.readme.io/646545023a965bbf61ac4201f3bcd56122e94ecd10a11f4af7ae58238cfab48f-eap_2.png) Updated 3 months ago * * * Ask AI --- # Data Collection, Parsing & Ingestion 🔄 End-to-End Lifecycle [](https://docs.spycloud.com/public-sc/docs/data-collection-parsing-ingestion#-end-to-end-lifecycle) -------------------------------------------------------------------------------------------------------------------------------- SpyCloud ingests data from a wide range of breach, malware, and combolist sources. The following outlines the lifecycle of how data enters, is parsed, and becomes available in your investigations.![](https://docs.spycloud.com/public-sc/docs/images/pipeline-placeholder.png) * * * _Example: From collection to queryable intelligence_ 📥 Step 1: Data Collection [](https://docs.spycloud.com/public-sc/docs/data-collection-parsing-ingestion#-step-1-data-collection) ------------------------------------------------------------------------------------------------------------------------------------- SpyCloud collects breach, malware, and combolist data via multiple mechanisms: * Monitoring dark web, deep web, Telegram, and invite-only forums * Analyst intelligence, HUMINT, and threat actor engagements * Infostealer logs from over 70 malware families * Paste sites, open leaks, and public combolist aggregators * * * 🔍 Step 2: Parsing & Normalization [](https://docs.spycloud.com/public-sc/docs/data-collection-parsing-ingestion#-step-2-parsing--normalization) ---------------------------------------------------------------------------------------------------------------------------------------------------- After acquisition, datasets are parsed through automated and human-in-the-loop workflows. **Key steps include:** * Extracting usernames, emails, passwords, IPs, cookies, device IDs * Normalizing field values and standardizing formats * Deduplicating across time, source, and record * Cleaning up irrelevant or malformed data SpyCloud’s LLM-powered parsing helps classify and validate attributes across thousands of inconsistent formats. * * * 🧪 Step 3: Classification [](https://docs.spycloud.com/public-sc/docs/data-collection-parsing-ingestion#-step-3-classification) ----------------------------------------------------------------------------------------------------------------------------------- After parsing: * Datasets are labeled by type (e.g., breach, malware, combolist) * Source confidence and breach category are assigned * Records are given severities from 2, 5, 20, 25, 26 based on contents of the record data. * Metadata is enriched with timestamps, selectors, and behavioral traits Both automated tagging and analyst review play a role in this step. * * * 🧬 Step 4: Ingestion into the SpyCloud Data Lake [](https://docs.spycloud.com/public-sc/docs/data-collection-parsing-ingestion#-step-4-ingestion-into-the-spycloud-data-lake) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Once classified, records are: * Ingested into the identity data platform * Indexed for access across: * Investigations Module * API & IDLink * Compass risk alerts * Graph view + AI Insights * Mapped to selectors (email, phone, device ID, etc.) * Deduplicated globally for consistent investigation experience * * * 🧪 Example Flow: Malware Log [](https://docs.spycloud.com/public-sc/docs/data-collection-parsing-ingestion#-example-flow-malware-log) ----------------------------------------------------------------------------------------------------------------------------------------- > **Scenario:** A Redline infostealer log is posted on a Telegram leak channel. **SpyCloud's ingestion flow:** 1. HUMINT or scraper flags the post 2. Log is parsed into structured selectors: * Emails, usernames, passwords * Cookies, tokens, autofill, IPs 3. Severity score assigned (25) 4. Source labeled as `malware`, tagged as `sensitive` 5. Log becomes searchable across SpyCloud products Updated 4 months ago * * * Ask AI --- # License Assignment 🧭 Overview [](https://docs.spycloud.com/public-sc/docs/assigining-licenses#-overview) ========================================================================================== In the SpyCloud console, access to the Investigations product is granted through **license seats**. Each seat maps one‑to‑one to a user account and belongs to one of three tiers: * **Investigations Pro (seat)** – higher tier which offers Full Search, IDLink, Advanced graphing, and AI Insights * **Investigations Core (seat)** – standard tier which offers Full Search, IDLink, and advanced graphing * **Investigations Lite (seat)** – lower tier which allows for basic search * * * 📦 License Pools [](https://docs.spycloud.com/public-sc/docs/assigining-licenses#-license-pools) ---------------------------------------------------------------------------------------------------- Every customer contract specifies a seat count for each tier (e.g. 1, 4, 25, 100), and corresponding licenses are created by your Customer Success partner. All seats of the same tier combine into a pool of available seats that Admins can allocate. The **License** tab under `Configuration → Licenses` displays for each tier: * Total seats purchased * Seats assigned / available * * * ➕ Assigning a License While Adding Users [](https://docs.spycloud.com/public-sc/docs/assigining-licenses#-assigning-a-license-while-adding-users) ----------------------------------------------------------------------------------------------------------------------------------------------------- **Prerequisite: Admin Role** 1. Navigate to `Configuration → Users` and click **Add User** 2. Toggle **Investigations Lite** or **Investigations Pro** to apply an available seat 3. Click **Add User** 👇**LICENSE ASSIGNMENT** ![](https://files.readme.io/e18b482ca997e20f44420c0b621142376d3a07b66feff9703a9617545d36db64-image3.png) **👇SEAT TOGGLE** ![](https://files.readme.io/39d930c3434ac62d71b435aa8f3bae1353a95b5da0bb86e3cd8cc7b9edea57ac-image2.png) * * * 🔁 Reassigning Seats [](https://docs.spycloud.com/public-sc/docs/assigining-licenses#-reassigning-seats) ------------------------------------------------------------------------------------------------------------ **Prerequisite: Admin Role** 1. From `Configuration → Users`, locate the user holding the seat 2. Click the **⋯ Options** button at the end of the row and select **Edit** 3. In the license toggles, uncheck the assigned tier to free the seat 4. Click **Save Changes** **👇CHOOSE LICENSE** ![](https://files.readme.io/d97a1ef0f734946c373a7b01a5b2ae3d68bf5206236761c23637c41d4e367f1e-image3.png) **👇REASSIGN** ![](https://files.readme.io/893c0f207de360db80f31f7a93d9f108656929787b02a54dc2264dd23d461074-image1.png) Then reverse the process for the user you wish to grant the license and save your changes. Updated 13 days ago * * * Ask AI --- # How We Can Help We’re here to make sure you’re **never** stuck for long. Whether it’s a quick question, a technical hiccup, or a deep dive into best practices, our Support team is just a _click or call_ away. **Your success is our priority**, and we’ve built multiple ways for you to reach us – choose whatever works best: 📧 ### Email Support Shoot us a note at [](https://docs.spycloud.com/cdn-cgi/l/email-protection#03707673736c71774370737a606f6c76672d606c6e) [\[email protected\]](https://docs.spycloud.com/cdn-cgi/l/email-protection#60131510100f121420131019030c0f15044e030f0d) and our Support Engineers will get back to you quickly. No bots, no black holes—just real humans who understand SpyCloud inside and out. 🎫 ### Submit a Ticket Log in to [SpyCloud](https://portal.spycloud.com/) to open a support ticket. This is the best way to track the progress of an issue, attach files, and see status updates in real time. ☎️ ### Call Us Prefer talking it out? Give us a ring between 9am–5pm CST for US based customers, and 9am-5pm GMT for non-US based customers, Monday–Friday. **1-800-513-2502** and press **#5** to reach Support directly. * * * 🤝 Our Promise [](https://docs.spycloud.com/public-sc/docs/how-we-can-help#-our-promise) -------------------------------------------------------------------------------------------- * **Responsive:** We know time matters, and we move fast. * **Expert:** Our team lives and breathes identity intelligence. * **Human:** No canned scripts – just smart people who care about your outcomes. Updated about 11 hours ago * * * Ask AI --- # Understanding IDLink What is SpyCloud IDLink? [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#what-is-spycloud-idlink) ====================================================================================================================== IDLink™ connects the dots between personal and corporate identities to uncover hidden risks. Built into the SpyCloud Investigations ecosystem, it maps identity relationships using recaptured data from the criminal underground — helping organizations understand how exposed personal data can lead to corporate compromise. IDLink supports deeper correlation, actor attribution, and exposure analysis across multiple selectors. * * * 🔍 How SpyCloud IDLink Works [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#-how-spycloud-idlink-works) ----------------------------------------------------------------------------------------------------------------------------- IDLink leverages SpyCloud’s recaptured data — including breach, malware, and infrastructure data — to map identity relationships using graph-based logic. * * * 🔑 Key Capabilities [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#-key-capabilities) ----------------------------------------------------------------------------------------------------------- * **Cross-identity correlation**: Link personal and work email addresses, usernames, and passwords to the same individual * **Password reuse detection**: Detect when personal and corporate credentials share the same password or variations * **Actor profiling**: Build a profile of an identity across multiple exposures * **Malware victim overlap**: Detect if personal and corporate identities were exposed on the same infected device * **Pivoting**: Move across selectors (email, phone, SSN, machine ID, etc.) to uncover deeper identity links * * * 🧭 How IDLink Works [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#-how-idlink-works) ----------------------------------------------------------------------------------------------------------- IDLink starts with a **selector** and performs behind-the-scenes pivots to uncover identity connections. ### 1\. Start with a Selector [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#1-start-with-a-selector) Initiate your query with any of the following: * Email address * Username * Phone number **NOTE** These are known as **query selectors**. ### 2\. Pivot Behind the Scenes [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#2-pivot-behind-the-scenes) IDLink automatically performs pivots on related **identity fields**, including: * Backup emails * Social handles * Machine IDs * SSNs * Passport numbers * National IDs * Log IDs * Bank account numbers **FOR EXAMPLE** If your query email appears in a breach that contains a phone number, IDLink will pivot to data linked to that phone number – and continue exploring additional relationships. * * * 🔁 Pivot Depth Explained [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#-pivot-depth-explained) --------------------------------------------------------------------------------------------------------------------- The **depth level** controls how many rounds of pivoting IDLink performs. | **Depth** | **What It Does** | **Best For** | | --- | --- | --- | | Depth 1 | Only returns direct matches to your query (no pivots) | Quick lookups based on known data | | Depth 2 | Pivots once using high-confidence fields (e.g., password, SSN, machine ID) | ✅ Recommended starting point | | Depth 3 | Additional pivots on Depth 2 results | Deeper investigations | | Depth 4 | Full graph traversal through all Depth 3 connections | Comprehensive profiling; large datasets | SpyCloud applies internal scoring logic to rank confidence and remove weak links from your results. * * * 🧠 What’s Happening Behind the Scenes [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#-whats-happening-behind-the-scenes) ---------------------------------------------------------------------------------------------------------------------------------------------- Under the hood, IDLink uses a proprietary graph-based algorithm to intelligently explore identity connections. ### Behind-the-Scenes Process: [](https://docs.spycloud.com/public-sc/docs/understanding-idlink#behind-the-scenes-process) 1. The **selector** (email, username, phone) is queried across SpyCloud’s dataset 2. Matching records are scanned for pivot fields (e.g., SSNs, machine IDs, social handles) 3. Additional queries are performed on those fields to pull related records 4. Each record is modeled as a **node**; shared fields become **edges** 5. Edges are weighted based on confidence (e.g., shared SSN > shared device) 6. Irrelevant or low-confidence connections are discarded 7. This spidering process continues until: * The selected **depth level** is reached * No new relevant links are found * **Duplication** or noise is detected **NOTE** This allows IDLink to build a context-rich identity graph without overwhelming the user with extraneous data. Updated 6 months ago * * * Ask AI --- # Configuring SSO 🔒 Overview [](https://docs.spycloud.com/public-sc/docs/sso#--overview) =========================================================================== SpyCloud supports Single Sign-On (SSO) through your preferred Identity Provider (Id), letting users securely log in with existing credentials. We support **Okta**, **Entra ID (Azure AD)**, **ADFS**, and any **custom SAML or OIDC provider**. SpyCloud’s console, access to user, organization, and license settings is controlled through two built-in roles you can assign to each member of your security team: 🕒 **Setup time:** ~10 minutes 👤 **Required role:** Administrator ****👇CONFIGURE SSO**** ![](https://files.readme.io/76e2a60474f502761ff640263146cd719c8b85bad0315305c151b55ed7f4ce77-SSO1.png) * * * 🧰 Before You Begin [](https://docs.spycloud.com/public-sc/docs/sso#-before-you-begin) ------------------------------------------------------------------------------------------ | Requirement | Description | | --- | --- | | Admin Access | You must have administrator privileges in your SpyCloud Console. | | IdP Access | Access to Okta, Entra ID, ADFS, or another SAML/OIDC provider. | | Verified Domains | (Optional) Associate your company email domains with SSO. | > ⚠️ > > **Important:** > If you already have **2FA enabled**, it will be **disabled** once SSO is connected. > Your IdP will take over authentication settings, including 2FA, SMS, and password policies. * * * 🚀 Step-by-Step Setup [](https://docs.spycloud.com/public-sc/docs/sso#-step-by-step-setup) ---------------------------------------------------------------------------------------------- 1. Log in to your Console as an **administrator**. 2. Navigate to **Configuration → Settings → Security Settings**. 3. Click **Connect Single Sign-On**. 4. Follow the guided pop-up to complete setup. **👇SECURITY SETTINGS** ![](https://files.readme.io/2c14884eb1fddcccd9d3c97122b36325769cc18c1543fe764b92ae9ecc894117-SSO2.png) * * * 🧩 Choose Your Identity Provider [](https://docs.spycloud.com/public-sc/docs/sso#-choose-your-identity-provider) -------------------------------------------------------------------------------------------------------------------- | Provider | | --- | | Okta | | Entra ID (Azure AD) | | ADFS | | Custom SAML or OIDC Provider | **👇EXAMPLE CONFIGURATION FOR OKTA** ![](https://files.readme.io/b8b827e48b4c49cabb2b7ecb6025e1d471508f5d0dc2c3ca5aced6841968decc-SSO3.png) * * * 🔗 Configure in Your IdP [](https://docs.spycloud.com/public-sc/docs/sso#-configure-in-your-idp) ---------------------------------------------------------------------------------------------------- 1. Add **SpyCloud** as a new application in your IdP. 2. Copy the configuration values shown in SpyCloud: * Redirect URLs * Client IDs * Etc 3. Paste these values into your IdP SSO setup form to establish the connection. 💡 **Tip:** SpyCloud’s SSO workflow is powered by **Auth0**. Refer to [Auth0 documentation](https://auth0.com/docs) for advanced installation and configuration options. \*\*👇EXAMPLE CONFIGURATION FOR OKTA \*\* ![](https://files.readme.io/6f8d0258d064d5bc27b4c5d582446a9d15c558a34f40527a0d8ae34c58da34c8-SSO4.png) * * * 📨 (Optional) Verify Your Domains [](https://docs.spycloud.com/public-sc/docs/sso#-optional-verify-your-domains) -------------------------------------------------------------------------------------------------------------------- You can add and verify domains to streamline user login. For example, users with @example.com will be automatically redirected to your IdP’s login page. * * * ✅ Test & Finalize [](https://docs.spycloud.com/public-sc/docs/sso#-test--finalize) -------------------------------------------------------------------------------------- * Click **Test Connection** to validate setup. * Once successful, select **Enable SSO** to activate. > 🧠 > > ### > > **After Setup:** > > [](https://docs.spycloud.com/public-sc/docs/sso#after-setup) > > * IdP manages all authentication (2FA, password policies). > * Users will sign in via SSO on next login. > * Admins can update IdP or domains anytime under **Configuration → Settings → Security Settings**. Updated 13 days ago * * * Ask AI --- # Data Types & Breach Categories Data Types at a Glance [](https://docs.spycloud.com/public-sc/docs/data-types-sources#data-types-at-a-glance) ----------------------------------------------------------------------------------------------------------------- SpyCloud classifies each dataset into one of three main data types: 🧯 ### BREACH Data taken from a known organization or domain, including exfiltrated employee or customer information – often structured, curated, and cleaned. 🐛 ### MALWARE Data harvested from infostealer-infected machines, including credentials, browser fingerprints, session cookies, and web behavior logs. 📦 ### COMBOLIST Credential pair lists (email:password or username:password) often leaked or traded on forums, not tied to a single known breach source. * * * 🧠 Breach Categories [](https://docs.spycloud.com/public-sc/docs/data-types-sources#-breach-categories) ----------------------------------------------------------------------------------------------------------- SpyCloud further classifies **breach datasets** into sub-categories using two fields: * `breach_main_category` * `breach_category` These categories provide added context for the type of exposure, behavior, or source. * * * 🗃️ Combolist Credential and password pairs (username:password or email:password) found on paste sites, forums, or combolists — often without attribution to a specific breach. Many contain recycled credentials from older exposures or breached datasets. 🔓 Exfiltrated Breaches that have been exfiltrated by threat actors from an identifiable organization, often including customer records, user databases, or internal employee info. Typically has a known breach name and metadata. 🌍 Exposed Publicly accessible or misconfigured data stores (e.g., open S3 buckets, FTPs) — found unintentionally but can contain sensitive credentials or personal data. 🎣 Phished Credentials harvested through phishing campaigns, kits, or spoofed login portals. Often limited in structure but high-fidelity in intent. 🧹 Scraped Usernames, emails, and account metadata scraped from public websites (e.g., social media, forums) — not stolen directly, but aggregated at scale. 🪟 Malware Data captured from infected machines, including: * Login credentials * Cookies * Autofill data * Browsing history * Wallet credentials * Device fingerprinting Collected using infostealer malware such as Redline, Raccoon, Vidar, etc. Richest and most behaviorally complete dataset type in the SpyCloud corpus. Updated 5 months ago * * * Ask AI --- # User Management 🧭 Overview [](https://docs.spycloud.com/public-sc/docs/user-management-1#-overview) ======================================================================================== SpyCloud's console lets admins create, review, and maintain the roster of users who can access your organization. Each account record stores the person’s identity (name & email), their RBAC role (Admin or Operator), any licensed Investigations seats applied, and their status (Active, Pending, or Paused). All changes are enforced by SpyCloud’s fine‑grained authorization (FGA) engine, ensuring least‑privilege across UI and API. * * * 📊 Users Table at a Glance [](https://docs.spycloud.com/public-sc/docs/user-management-1#-users-table-at-a-glance) ---------------------------------------------------------------------------------------------------------------------- **Prerequisite: Admin Role** Navigate to `Configuration → Users` to view a sortable table of every account in the organization. | Column | Description | | --- | --- | | Name / Email | Primary identity fields used at sign‑in | | Role | RBAC role (Admin / Operator) controlling feature access | | Licenses | Lite / Pro seat assignments (if any) | | Status | Active (full access) · Pending (invitation sent) · Paused (log‑ins blocked) | | Actions (⋯) | Edit, Force Reset, Pause, Delete | **👇USERS TABLE** ![](https://files.readme.io/9c5ada7ff10f47b0f7477af908378f6d275f94f95cfc5b44ef536f18a47153ea-image2.png) ➕ Adding a New User [](https://docs.spycloud.com/public-sc/docs/user-management-1#-adding-a-new-user) --------------------------------------------------------------------------------------------------------- **Prerequisite: Admin Role** 1. From `Configuration → Users` click the **Add User** button in the upper‑right corner 2. Fill in Name and Email 3. Choose an RBAC Role (Admin or Operator) 4. Toggle the desired Investigations Lite or Pro license seat 5. Click **Add User** The user receives an activation email and appears in the table with **Pending** status until they complete account setup. **👇ADD USER** ![Add User](https://files.readme.io/1e430e8c7dd55f3b6e9ff78de8bc85fa0ed1419b138508ff66e6225bdf6c40d1-image4.png) * * * 📶 Understanding Account Status [](https://docs.spycloud.com/public-sc/docs/user-management-1#-understanding-account-status) -------------------------------------------------------------------------------------------------------------------------------- | Status | Meaning | Typical Scenarios | | --- | --- | --- | | Pending | Invitation sent; user has not completed login | Newly added employees | | Active | Fully provisioned; can sign in and use features | Day‑to‑day analysts | | Paused | Credentials retained, log‑in blocked | Parental leave, contractor gap | Admins can toggle between **Active** and **Paused** at any time without losing history or seat allocation. * * * ✏️ Editing an Existing User [](https://docs.spycloud.com/public-sc/docs/user-management-1#%EF%B8%8F-editing-an-existing-user) --------------------------------------------------------------------------------------------------------------------------------- **Prerequisite: Admin Role** 1. In the Users table, find the user 2. Click the **⋯ Options** button and select **Edit** 3. Update Name, Email, Role, or License toggles 4. Click **Save Changes** Updates apply immediately; seat counts adjust when license toggles are changed. **👇EDIT USER** ![Edit User](https://files.readme.io/2df671aad97f83290fd1164e74963a4799a9ce19a37741afe8e5794df63bebae-image1.png) * * * 🧯 Advanced User Actions [](https://docs.spycloud.com/public-sc/docs/user-management-1#-advanced-user-actions) ------------------------------------------------------------------------------------------------------------------ **Prerequisite: Admin Role** Within the Edit User dialog, Admins can access advanced controls: * **Force Password Reset** – invalidates current password and sends a reset link * **Pause User** – blocks login without deleting history * **Delete User** – permanently removes the account and reclaims any assigned license **👇ADVANCED CONTROLS** ![Advanced Controls](https://files.readme.io/a6bd8c1003083ca0d47bff772ae0a0f251928f89da74534c41906b95536509b2-image3.png) * * * 🧠 Best Practices & Tips [](https://docs.spycloud.com/public-sc/docs/user-management-1#-best-practices--tips) ----------------------------------------------------------------------------------------------------------------- * Use **Pause** instead of **Delete** for temporary absences to preserve audit history * Assign the minimum RBAC role required for each user’s responsibilities * Review the Users table monthly to off‑board departed staff and reclaim unused seats Updated 13 days ago * * * Ask AI --- # Data FAQs SpyCloud's data ingestion and exposure modeling process produces massive volumes of identity-related data. Below are answers to common questions about trust, fidelity, duplication, and interpretation of the data. * * * 🔁 Why do some credentials appear multiple times? You may encounter the same email, username, or password across several records. This is expected for identities that: * Reuse passwords across different platforms * Are victims of multiple breaches or malware infections * Appear in both structured breaches and combolists SpyCloud preserves these variations so you can assess consistency, exposure frequency, and risk — not just deduplicated selectors. 📦 What are combolists, and why are they included? Combolists are credential pair dumps (email:password) typically sourced from: * Aggregated breach data * Password guessing tools * Cracking community uploads Though often noisy or synthetic, they are operationally useful in identifying reused or recycled passwords and credential stuffing activity. 🔍 Why is my data in a 'fake' or unverifiable breach? Some breaches do not have an associated public disclosure or attribution (e.g., "unverified-saas-2023"). This doesn’t make them fake — it means: * SpyCloud has acquired the dataset * It’s been processed, parsed, and linked to selectors * But the source company or domain hasn’t confirmed the breach This is common for underground-sourced datasets. 🧪 Are duplicates a quality issue? Not necessarily. Duplication in our dataset is often: * Intentional, to reflect multiple sources * Useful for validation and exposure analysis * Avoided where unnecessary via record-level deduplication (same source\_id + same selectors = merged) SpyCloud uses internal logic to collapse records only when duplication adds no investigative value. 🚫 Why does SpyCloud include low-fidelity or noisy sources? While some sources (like combolists or scraped forums) may seem low-quality, they serve use cases such as: * Password hygiene monitoring * Detection of reused credentials across multiple actors * Understanding threat actor tooling and common lists used in attacks Customers can filter by `severity`, `data_type`, or `breach_category` to fine-tune what they ingest or act on. 🔐 How does SpyCloud validate breach data? SpyCloud employs: * **LLM-based parsing** to flag structured data patterns * **Human analyst review** for sensitive, ambiguous, or high-impact breaches * **Cross-matching** with known datasets to eliminate fakes and padded lists * **Selector pivoting** to validate record depth and context 👤 Why are some records tagged 'sensitive' or 'restricted'? These tags are applied to datasets that include: * Government domains * Politically exposed organizations * HUMINT-derived content * Law enforcement subject matter While still searchable, these records may have extra restrictions on visibility, export, or licensing. * * * 🧠 Analyst Tip [](https://docs.spycloud.com/public-sc/docs/faqs-trust-considerations#-analyst-tip) ------------------------------------------------------------------------------------------------------ 💡**Trust the repetition.** If an identity shows up across multiple sources, it's not a glitch — it's a signal. Identity reuse across malware, breach, and combolist sources is a leading indicator of real-world compromise or abuse. Updated 6 months ago * * * Ask AI --- # Understanding AI Insights 🤖 Overview [](https://docs.spycloud.com/public-sc/docs/ai-insights#-overview) ================================================================================== SpyCloud’s **AI Insights** feature transforms raw search and pivot data into an automatically generated findings report. It highlights key patterns, relationships, and behavioral signals — helping investigators move from data collection to actionable conclusions faster. The report type is called **Identity Findings**, which specializes in related assets such as: * Emails * Usernames * Phone numbers ⚠️ **NOTE** This feature does not support domain-based queries. * * * 🧭 Navigation [](https://docs.spycloud.com/public-sc/docs/ai-insights#-navigation) -------------------------------------------------------------------------------------- When working within the **Investigations module**, AI Insights is accessible as the **right-most tab** on the investigation workspace. **👇AI INSIGHTS FEATURE** ![AI Insights Tab](https://files.readme.io/636546554f571008931e1a30ac4122b81f8121857f0ef2f223b353251e1a8dcf-image1.png) * * * ⚙️ Generating an Insights Report [](https://docs.spycloud.com/public-sc/docs/ai-insights#%EF%B8%8F-generating-an-insights-report) ------------------------------------------------------------------------------------------------------------------------------------- 1. Click **Generate** in the _Insights_ tab 2. AI Insights collects: * All records from your searches * All records added through pivots 3. A loading indicator appears while sections are generated in sequence 4. When finished, options to **Download (PDF)** or **Copy as Markdown** appear **👇FINDINGS REPORT** ![Generating Report](https://files.readme.io/f546f6ba346ecd4374ec3a9292cf8c7fc523543f41c5b52d02ad323277700abf-image2.png) * * * 📋 Report Details [](https://docs.spycloud.com/public-sc/docs/ai-insights#-report-details) ---------------------------------------------------------------------------------------------- 🧑 Identity ### Key Identities Discovered [](https://docs.spycloud.com/public-sc/docs/ai-insights#key-identities-discovered) Enumerates each distinct individual, listing: * Primary and secondary emails * Observed aliases and usernames * Common or reused passwords * Inferred location (if present) ### Detected Relationships [](https://docs.spycloud.com/public-sc/docs/ai-insights#detected-relationships) Narrative bullets describing: * Credential sharing * Overlapping infrastructure * Other linkages that indicate aliases or cooperation ### Notable Patterns [](https://docs.spycloud.com/public-sc/docs/ai-insights#notable-patterns) Highlights of: * Naming conventions * Credential-reuse themes * Geography clutering, etc. ### Conclusion [](https://docs.spycloud.com/public-sc/docs/ai-insights#conclusion) Concise assessment tying the identities together and noting investigative implications. 🐛 Malware Infection Footprint ### Infection Timeline [](https://docs.spycloud.com/public-sc/docs/ai-insights#infection-timeline) * Malware family names (e.g., Redline, Mars Stealer) * Infection count and publish date range ### Visited Websites [](https://docs.spycloud.com/public-sc/docs/ai-insights#visited-websites) * Categorized by context: * Job Search * AI Tools * E-commerce * Authentication & Security * Developmental & Technical * Productivity & Design * Authentication & Security ### Conclusion [](https://docs.spycloud.com/public-sc/docs/ai-insights#conclusion-1) Analyst summary of behavioural themes or intent suggested by browsing activity. 🔓 Breach Exposure Highlights ### Breach Count & Window [](https://docs.spycloud.com/public-sc/docs/ai-insights#breach-count--window) * Total breach count * Exposure timeline ### Recent Breaches [](https://docs.spycloud.com/public-sc/docs/ai-insights#recent-breaches) * Up to 5 newest breach names ### Assets Exposed [](https://docs.spycloud.com/public-sc/docs/ai-insights#assets-exposed) List of data classes leaked: * Personal Identifiers * Credentials * Online Activity, etc. 📦 Combolist Presence ### Exposure Volume [](https://docs.spycloud.com/public-sc/docs/ai-insights#exposure-volume) * Number of occurrences across combolists * Unique credential count ### Recent Combolists [](https://docs.spycloud.com/public-sc/docs/ai-insights#recent-combolists) * Names of the most recent lists in which the credentials appear 📎 Appendix ### Visited IPs [](https://docs.spycloud.com/public-sc/docs/ai-insights#visited-ips) * Deduplicated list of domains / IPs captured in telemetry ### Device IPs [](https://docs.spycloud.com/public-sc/docs/ai-insights#device-ips) * IP addresses tied to infected hosts or sessions **👇EXAMPLE OF REPORT DETAILS** ![](https://files.readme.io/8bf30e4141deffc4f46192dacb79167dce0b497371a8a5bb1d710ac492668f2c-image3.png) * * * ✅ Best Practices for Using AI Insights [](https://docs.spycloud.com/public-sc/docs/ai-insights#-best-practices-for-using-ai-insights) ----------------------------------------------------------------------------------------------------------------------------------------- 🟢 Before an Investigation Run an **initial Insights report** immediately after your first search to immediately understand: * Identity clusters * Digital footpring * Breach exposure This early pass helps prioritize which selectors deserve deeper investigation. 🔁 During an Investigation Use the Insights report **in parallel with Graph and Results tabs** to validate or refute assumptions. Best practices: * Regenerate the report after meaningful pivots or data expansions * Use identity summaries to guide additional searches * Look for unexpected malware infections or cross-selector relationships * Use the Appendix section to extract infrastructure clues (IPs, visited URLs) 🧾 After an Investigation Generate a **final Insights report** to serve as: * A summary for reporting or internal handoff * An attachment in case notes or investigation records * A snapshot for regulatory compliance or SOC documentation Export options: * PDF (for reporting) * Markdown (for internal documentation) Consider saving this alongside your CSV export for a complete audit trail. Updated 6 months ago * * * Ask AI --- # Severity, Source Types 📶 Severity Overview [](https://docs.spycloud.com/public-sc/docs/severity-score-source-types-metadata#-severity-overview) ----------------------------------------------------------------------------------------------------------------------------- SpyCloud applies a normalized **severity** to each record in our dataset to help analysts quickly assess risk and relevance. These scores are assigned during parsing based on multiple attributes including: * Source type (malware, breach, combolist, etc.) * Data fidelity (plaintext vs hashed credentials) * Presence of behavioral indicators (e.g., session cookies, malware log context) * * * 🧠**Why It Matters** Severity helps triage results — not all credentials are equally dangerous. A credential from an infostealer-infected machine 25 carries far more risk than one from a recycled combolist 20. * * * 📊 Severity Table [](https://docs.spycloud.com/public-sc/docs/severity-score-source-types-metadata#-severity-table) ----------------------------------------------------------------------------------------------------------------------- | **Severity** | **Meaning** | | --- | --- | | 2 | Email only - typically from a breach or phishing target list | | 5 | Informational - could contain sensitive data, but no plaintext password | | 20 | Credential with plaintext password, could contain sensitive data. | | 25 | Malware log with credentials, infected machine info, and/or behavioral signals | | 26 | Session cookie data taken from a device infected by malware | * * * 📚 Source Types [](https://docs.spycloud.com/public-sc/docs/severity-score-source-types-metadata#-source-types) ------------------------------------------------------------------------------------------------------------------- SpyCloud data spans multiple source types: * **Breach** – Verified datasets from compromised organizations * **Combolist** – Aggregated credential pairs with unknown or mixed sources * **Malware** – Logs from infostealer-infected machines * **Phishing** – Kits and email harvesting data * **Scraped / Exposed** – Publicly accessible or misconfigured datasets * * * ⚠️**Sensitive Source Handling** Some datasets may be flagged as sensitive due to legal, geopolitical, or proprietary reasons. These are still searchable but may have access or export controls. * Government domains * Law enforcement targets * Privately obtained HUMINT Updated 5 months ago * * * Ask AI --- # Detecting Evidence of DPRK Remote IT Workers SpyCloud Investigation: Detecting DPRK Remote IT Worker Employment Fraud [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#spycloud-investigation-detecting-dprk-remote-it-worker-employment-fraud) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- North Korean state-sponsored actors have increasingly infiltrated Western organizations through sophisticated employment fraud schemes. These remote IT workers use false identities and stolen credentials to secure legitimate positions, then exploit their access for espionage, intellectual property theft, and revenue generation to circumvent international sanctions. SpyCloud has observed many of these DPRK fraudulent IT workers inadvertently infect their own workstations with commodity infostealer malware. These self-infections provide unprecedented visibility into their operational tactics, tools, and procedures (TTPs), revealing substantial information about their daily digital activities and organizational targets. > This investigation demonstrates how to identify DPRK remote workers using [SpyCloud Investigations](https://docs.spycloud.com/public-sc/docs/investigations-console#/) > with [AI Insights.](https://docs.spycloud.com/public-sc/docs/ai-insights#/) * * * Step 1: Initial Domain Pivot - VPN Infrastructure Discovery [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#step-1-initial-domain-pivot---vpn-infrastructure-discovery) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The investigation begins by targeting known VPN services heavily used by DPRK workers to obfuscate their true geographical locations. **Key actions:** * Navigate to **Asset Type** section * Perform domain search using: `astrill.com` * Select **Severity Type 25** to focus on malware infections * Prioritize results with highest record counts **Why Astrill VPN:** * DPRK workers primarily operate from Russia and China. Astrill provides reliable access to circumvent regional restrictions, and historical intelligence confirms heavy usage in this campaign **What to Look For:** * High-volume IP addresses with multiple associated records * Consistent geographical patterns (Russia/China-based IPs) * Device fingerprints showing enterprise software access > 👇 > > ### > > **INVESTIGATE AT THE DOMAIN LEVEL** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#investigate-at-the-domain-level) > > ![](https://files.readme.io/0507baff267d8c61c1cc0a84d7d604c780892f36640cd795291468d6e6c3a12f-image7.png) * * * Step 2: Identify High-Activity IP Address [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#step-2-identify-high-activity-ip-address) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- From initial results, focus on exposed IP Addresses with the highest record counts to identify more signs that could signify any common DPRK worker activity. **Key actions:** * Select IP addresses with highest record counts in the “Baseball Card” table * Click **"Submit Pivots"** to ingest additional darknet data, beyond the initial Astrill data that you started with. * See the **"Total Records"** count increase (typically 2000+ records) * Document geographical consistency and access patterns **Indicators to Monitor:** * Single devices with extensive job platform activity * Multiple identity management across shared systems * Enterprise collaboration tool usage patterns * Consistent password reuse across identities > 👇 > > ### > > **SELECT MULTIPLE IP ADDRESSES TO PERFORM ADDITIONAL PIVOTS** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#select-multiple-ip-addresses-to-perform-additional-pivots) > > ![](https://files.readme.io/61fb442250a5ce52e75eaeb6a39092e013f15a2a40379721edd59963815d099c-image6.png) Step 3: Job Platform Activity Analysis [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#step-3-job-platform-activity-analysis) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Search for employment-related keywords to identify systems engaged in fraudulent hiring activities. DPRK IT workers use job application platforms like Workday, Taleo, BrassRing and others to apply for jobs and we want to identify systems that have a lot of Workday or other job platform connections. **Key search terms:** `mywork`, `workday`, `taleo`, `brassring` * Corporate email domains and HR platforms * Remote work collaboration tools **Critical Finding Pattern:** Multiple email identities using identical passwords (e.g., `Panda0214+`) indicates: * Single actor managing multiple false identities * Systematic approach to employment fraud * Operational security lapses revealing true scope * **WHY?** Different people using a shared system would typically have different passwords. **What to Look For:** 1. **Multiple Job Platforms** * `linkedin.com`, `workday.com`, `greenhouse.io` , `lever.co`, `smartrecruiters.com`, `icims.com` 2. **Identity Management Tools** * Password managers with multiple profiles; Identity verification document tools; VPN switching between applications 3. **Collaboration Platform Access** * `slack.com`, `teams.microsoft.com`, `github.com`, `gitlab.com`, `teamviewer.com`, `anydesk.com` > 👇 > > ### > > **FILTER BY IP AND DOMAINS** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#filter-by-ip-and-domains) > > ![](https://files.readme.io/25f9026fd1db57c28cefb27d1019bd2ae5c9e8ef3c5121882c2d5092d39386e2-image10.png) * * * Step 4: Device Isolation and Deep Analysis [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#step-4-device-isolation-and-deep-analysis) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Once suspicious activity is identified, isolate the specific device for comprehensive analysis and followup investigations. This new investigation will now return all of the records captured by the info stealer on this specific device. **Key actions:** * Extract **Infected Machine ID** from detailed record view * Run new search using **"Infected Machine ID"** asset type * Analyze complete device footprint (typically 500+ records) **Device Analysis Framework:** * **Operating System**: Windows 10 Pro (corporate standard) * **Geolocation**: Russia/China IPs with VPN usage * **Software Profile**: Enterprise development tools * **Access Patterns**: Business hours activity in target timezone **Critical Indicators:** * Remote access tools (TeamViewer, AnyDesk, Chrome Remote Desktop) * Multiple LinkedIn profiles (2+ accounts = high fraud indicator) * AI/translation services (language barrier mitigation) * Cryptocurrency platforms (payment obfuscation) * **Why?** Things like LinkedIn, Slack, GitHub, TeamViewer, AnyDesk, AI platforms, language translation services are tools used in the campaign. Any additional job board connections can signal remote employment efforts. > 👇 > > ### > > **CLICK TO VIEW DETAILS FOR RECAPTURED RECORDS** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#click-to-view-details-for-recaptured-records) > > ![](https://files.readme.io/a9ece7c3b05f750405b488a338f9e14e733493caa0cf0fea33176cb2a20ae14d-image2.png) > 👇 > > ### > > **COPY INFECTED MACHINE ID FOR NEW INVESTIGATION** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#copy-infected-machine-id-for-new-investigation) > > ![](https://files.readme.io/917da10427d66d6f6a7a1de175cda10bd3e9bdd483d898c16538e5bfff199084-image4.png) > 👇 > > ### > > **START NEW INVESTIGATION WITH ‘INFECTED MACHINE ID ‘ ASSET TYPE** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#start-new-investigation-with-infected-machine-id--asset-type) > > ![](https://files.readme.io/c950213beedef4200c7e784a939fd185ac022b7682583728b4d9f10a7534cb5e-image5.png) > 👇 > > ### > > **EXPLORE EVERY RECORD SPYCLOUD FOUND FROM INFECTED DEVICE** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#explore-every-record-spycloud-found-from-infected-device) > > ![](https://files.readme.io/a9976228d14e40462c536f7041d2f18952a0c345e8cdc20aa289d083ac4878e7-image11.png) * * * Step 5: Multi-Identity Pattern Recognition [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#step-5-multi-identity-pattern-recognition) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Analyze credential patterns to map the full scope of false identity operations. Search through the records for activity related to other job platforms and collaborative tools that are known to be used in the campaign. Things like LinkedIn, Slack, GitHub, TeamViewer, AnyDesk, AI platforms, language translation services are tools used in the campaign. Any additional job board connections can signal remote employment efforts. **LinkedIn Account Analysis:** * **Red Flag**: More than 2 LinkedIn accounts per infected device * **Pattern**: Consistent password schemes across profiles * **Validation**: Cross-reference employment history consistency > 👇 > > ### > > **MULTIPLE LINKEDIN PROFILES COULD BE A RED FLAG** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#multiple-linkedin-profiles-could-be-a-red-flag) > > ![](https://files.readme.io/b290ca8ae86aaba297c752daa3413b3a4586e358ba1ba9d626783e08417c250c-image1.png) > 👇 > > ### > > **GITHUB RECORDS COULD BE OTHER INDICATORS** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#github-records-could-be-other-indicators) > > ![](https://files.readme.io/52fce7c71595908066f5f49ed7df9482b3297a1a3db7c3fade63208ef4415f11-image3.png) > 👇 > > ### > > **SLACK RECORDS COULD BE OTHER INDICATORS** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#slack-records-could-be-other-indicators) > > ![](https://files.readme.io/ea683e87841b3659e960d71cd54c5ea1b9ee9709b42edd745ad503097e4f9101-image8.png) **Password Reuse Patterns:** * Same base password + variations across identities * Seasonal/date-based modifications (e.g., `Panda0214+`, `Panda0224+`) * Consistent complexity meeting corporate requirements > 👇 > > ### > > **TEAMVIEWER IS COMMONLY USED BY DPRK ACTORS** > > [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#teamviewer-is-commonly-used-by-dprk-actors) > > ![](https://files.readme.io/fd5a253ea9b9eb5a87cb43a3cb139fd2c6cf43c2352189e6312ba7793466369e-image8.png) Step 6: AI Insights – Generate a Findings Report [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#step-6-ai-insights--generate-a-findings-report) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Turn your investigation signals into a polished, shareable report that captures key findings and supporting evidence of compromise to help your next steps. **What it does (at a glance):** * Synthesizes exposure data you surfaced in Steps 1–5 (VPN use, multi-identity behavior, job platform activity, remote tools, password reuse, geo anomalies). * Correlates assets (emails, usernames, domains, machine IDs, IPs) and highlights known identities. **Key actions:** * Click **Generate** in the _Insights_ tab * AI Insights collects: * All records from your searches * All records added through pivots **_👇FINDINGS REPORT_** ![Generating Report](https://files.readme.io/f546f6ba346ecd4374ec3a9292cf8c7fc523543f41c5b52d02ad323277700abf-image2.png) 📋 Report Details [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#-report-details) ------------------------------------------------------------------------------------------------------------------------------- 🧑 Identity ### Key Identities Discovered [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#key-identities-discovered) Enumerates each distinct individual, listing: * Primary and secondary emails * Observed aliases and usernames * Common or reused passwords * Inferred location (if present) ### Detected Relationships [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#detected-relationships) Narrative bullets describing: * Credential sharing * Overlapping infrastructure * Other linkages that indicate aliases or cooperation ### Notable Patterns [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#notable-patterns) Highlights of: * Naming conventions * Credential-reuse themes * Geography clutering, etc. ### Conclusion [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#conclusion) Concise assessment tying the identities together and noting investigative implications. 🐛 Malware Infection Footprint ### Infection Timeline [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#infection-timeline) * Malware family names (e.g., Redline, Mars Stealer) * Infection count and publish date range ### Visited Websites [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#visited-websites) * Categorized by context: * Job Search * AI Tools * E-commerce * Authentication & Security * Developmental & Technical * Productivity & Design * Authentication & Security ### Conclusion [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#conclusion-1) Analyst summary of behavioural themes or intent suggested by browsing activity. 🔓 Breach Exposure Highlights ### Breach Count & Window [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#breach-count--window) * Total breach count * Exposure timeline ### Recent Breaches [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#recent-breaches) * Up to 5 newest breach names ### Assets Exposed [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#assets-exposed) List of data classes leaked: * Personal Identifiers * Credentials * Online Activity, etc. 📦 Combolist Presence ### Exposure Volume [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#exposure-volume) * Number of occurrences across combolists * Unique credential count ### Recent Combolists [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#recent-combolists) * Names of the most recent lists in which the credentials appear 📎 Appendix ### Visited IPs [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#visited-ips) * Deduplicated list of domains / IPs captured in telemetry ### Device IPs [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#device-ips) * IP addresses tied to infected hosts or sessions ⚠️ **ASSESSMENT** This investigation pattern indicates **sophisticated state-sponsored employment fraud** with the following characteristics: * **Professional operational security** with systematic identity management * **Enterprise target focus** through legitimate employment channels * **Technology sector specialization** via development role infiltration * **Revenue generation model** combining espionage with direct payment ⚠️ **Caution:** This method highlights potential indicators, not definitive proof of threat actors. * * * Common Questions [](https://docs.spycloud.com/public-sc/docs/detecting-evidence-of-dprk-remote-it-workers#common-questions) ------------------------------------------------------------------------------------------------------------------------------- When should I use the Investigations graph view? Use the graph view when you need to visualize relationships between multiple identities, devices, or organizations. It’s especially useful for mapping the **full scope of infiltration** and uncovering connections that aren’t obvious in list-based results. What if initial VPN searches don't yield results? If early searches come up empty, pivot to **alternative asset types**: * Corporate email domains * Remote access tools * Development platform domains Remember: **DPRK workers adapt their infrastructure regularly**, so stay flexible with search parameters. How do I distinguish between legitimate remote workers and DPRK actors? Look for combined indicators such as: * **Multiple identity management** across unrelated accounts * **Geographical inconsistencies** in login patterns * **Password reuse patterns** across different assets * **Access to sensitive development resources** paired with VPN activity Taken together, these patterns often signal coordinated, non-legitimate activity. * * * > _The examples featured in this guide are drawn from real-world exposure data to showcase how SpyCloud Investigations enhances your existing insider threat detection capabilities. The examples are intended to demonstrate product capabilities and reflect common patterns our product uncovers in compromised ecosystems._ > > _While based on actual recaptured darknet data, these examples are provided for illustrative purposes only. SpyCloud does not make determinations about individual intent or behavior, and the inclusion of specific data points does not imply malicious activity._ Updated 3 months ago * * * Ask AI --- # Data Schema > **Full Data Schema Available**. Customers can view the **full data schema** here: > > [View Full Schema (login required)](https://portal.spycloud.com/docs/sc-full-data-schema) 🧭 Introduction [](https://docs.spycloud.com/public-sc/docs/data-schema#-introduction) ========================================================================================== This document describes the schema for SpyCloud's breach data repository. At a high level, our data is organized into two hierarchical structures: **Breach Catalog** and **Breach Records**. * * * 🗂️ SpyCloud Data Hierarchy [](https://docs.spycloud.com/public-sc/docs/data-schema#%EF%B8%8F-spycloud-data-hierarchy) -------------------------------------------------------------------------------------------------------------------------- **Breach Catalog**: A collection of breaches ingested into our platform. Each catalog entry contains metadata like breach title, acquisition date, affected domains, etc. **Breach Record**: A structured collection of data assets extracted from the breach — including credentials, device metadata, and identity attributes grouped per user/persona. > Example: If a breach contains email, password, and phone for five users, we produce 5 records, each with 3 data assets. Some data assets are extracted directly; others are generated by SpyCloud for added value (e.g., `email_username`, `target_domain`). * * * 🧪 Data Normalization [](https://docs.spycloud.com/public-sc/docs/data-schema#-data-normalization) ------------------------------------------------------------------------------------------------------ | **Asset** | **Normalization** | | --- | --- | | `email` | Lowercased for indexing | | `username` | Lowercased | | `social_*` | Lowercased (e.g., `social_twitter`) | | `*_time` | ISO 8601 datetime | | `*_date` | ISO 8601 format | | `dob` | ISO 8601 datetime (time component may be irrelevant) | * * * 🧬 Character Encoding [](https://docs.spycloud.com/public-sc/docs/data-schema#-character-encoding) ------------------------------------------------------------------------------------------------------ All data is normalized to UTF-8. Use UTF-8 handling per language: * **Java**: `new String(bytes, "UTF-8")` * **Python 2**: `unicode(obj, "utf-8")` * **Python 3**: `str(obj, encoding="utf-8")` * **Go**: Native UTF-8 handling * **Perl**: `Encode::decode("utf8", $bytes)` * * * 🗓️ Date and Time Format [](https://docs.spycloud.com/public-sc/docs/data-schema#%EF%B8%8F-date-and-time-format) -------------------------------------------------------------------------------------------------------------------- All timestamps follow ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ` | Example | Description | | --- | --- | | `2000-01-01T00:00:00Z` | Midnight UTC, Jan 1, 2000 | | `2018-08-01T14:00:00Z` | 2 PM UTC, Aug 1, 2018 | * * * 🔐 Password Cracking [](https://docs.spycloud.com/public-sc/docs/data-schema#-password-cracking) ---------------------------------------------------------------------------------------------------- | Field Combination | Meaning | | --- | --- | | `password_type = plaintext` | Original password was plaintext | | `password_type ≠ plaintext` + `password_plaintext` present | SpyCloud cracked the original hashed password | * * * 🧾 UUIDs [](https://docs.spycloud.com/public-sc/docs/data-schema#-uuids) ---------------------------------------------------------------------------- SpyCloud uses UUID v4 strings to uniquely identify: * Breach catalog entries (`uuid`) * Breach records (`document_id`) Examples: * `ae375975-894b-489c-876b-a294dddf0c96` * `b17d51a7-f4a9-479a-8820-801753e86c05` * * * 📚 Breach Catalog Schema [](https://docs.spycloud.com/public-sc/docs/data-schema#-breach-catalog-schema) ------------------------------------------------------------------------------------------------------------ > SpyCloud-generated assets such as source\_id, domain, email\_domain, target\_domain, target\_subdomain, password\_type, sighting, severity or other related data points. Below is the full list of metadata fields available for each breach in SpyCloud’s breach catalog. | Field | Type | Description | | --- | --- | --- | | `id` | int | Numerical breach ID. Correlates to `source_id` in breach records. | | `uuid` | string | UUID v4 encoded version of breach ID (used in Firehose file naming). | | `title` | string | Breach title (if disclosable). Otherwise uses a generic label. | | `description` | string | Breach description (if disclosable). Otherwise uses a generic summary. | | `site` | string | Website of the breached organization (if known). | | `site_description` | string | Description of the breached organization (if available). | | `type` | string | Indicates if the breach is `public` (found online) or `private` (exclusive to SpyCloud). | | `num_records` | int | Number of records parsed, normalized, and deduplicated from this breach. | | `spycloud_publish_date` | datetime | Date when the breach was ingested and made available to customers. | | `acquisition_date` | datetime | Date SpyCloud first acquired the breach. | | `breach_date` | datetime | Estimated date the breach occurred. | | `public_date` | datetime | When the breach was disclosed publicly. | | `media_urls` | list | List of media URLs referencing the breach. | | `assets` | dictionary | Dictionary mapping each asset to its count in the breach. | | `confidence` | int | Confidence score in the breach source. | | `combo_list_flag` | string | Indicates if the breach is a combo list. | | `breach_main_category` | string | Classifies as `combolist`, `breach`, or `malware`. | | `breach_category` | string | Further categorization: `combolist`, `exfiltrated`, `exposed`, `infostealer`, `phished`, `scraped`, or `unknown`. | | `breached_companies` | list | Companies allegedly or confirmed involved in the breach. | | `targeted_companies` | list | Companies determined to be targeted by the breach. | | `targeted_industries` | list | Industries believed to be targeted by the breach. | | `sensitive_source` | boolean | Indicates whether the source is sensitive or restricted. | | `malware_family` | string | Malware family name (only if `breach_category` is `infostealer`). | | `status` | string | `Pending`: Indicates that a new breach has been identified and is in the process of being ingested. Note: You can start consuming the incomplete breach records even if the catalog entry says as pending.

`Verified`: Indicates that ingestion is complete and all records from the breach have been successfully loaded, validated, and are ready for use. | * * * 🧾 Breach Record Schema [](https://docs.spycloud.com/public-sc/docs/data-schema#-breach-record-schema) ---------------------------------------------------------------------------------------------------------- > Breach Records are collections of data assets parsed and ingested into our data platform. Each Breach Record contains multiple assets, some of which are extracted directly from the parsed data while others are generated by the SpyCloud ingest process. Below is the list of SpyCloud generated assets which will always be present in a breach record. | Field | Type | Description | | --- | --- | --- | | `document_id` | UUID | Unique ID per identity | | `source_id` | int | Links to breach catalog | | `spycloud_publish_date` | datetime | When record was published | | `severity` | int | Numerical value based on record contents (2–26) | * * * 🐛 Infected User Assets [](https://docs.spycloud.com/public-sc/docs/data-schema#-infected-user-assets) ---------------------------------------------------------------------------------------------------------- > Below is a table of all infected user (botnet) assets which might be present in a breach record. | Field | Type | Description | | --- | --- | --- | | `av_softwares` | string | List of antivirus software installed on the machine. | | `display_resolution` | string | The system display resolution. | | `form_cookies_data` | string | Cookie data associated with this person. | | `form_post_data` | string | Form post data associated with this person. | | `infected_machine_id` | string | A unique identifier either extracted from an infostealer log, or an RFC 4122-compliant UUID generated by SpyCloud when none is present. Format and origin may vary by malware family. | | `log_id` | string | A deterministic SHA256 hash computed from the contents of a malware log archive. | | `infected_path` | string | Local path to the malicious software installed on the infected system. | | `infected_time` | string | The time the system was infected with malware. | | `keyboard_languages` | string | Keyboard languages configured in the OS. | | `logon_server` | string | Logon server captured from the infected environment. | | `mac_address` | string | 12-character alphanumeric MAC address of the device. | | `port` | string | Network port paired with IP address. | | `system_install_date` | datetime | Time at which the system OS was installed. | | `system_model` | string | Model identifier of the infected system. | | `target_domain` | string | Second-level domain (SLD) extracted from `target_url`. | | `target_subdomain` | string | Full subdomain + domain extracted from `target_url`. | | `target_url` | string | URL captured via keylogger or form capture. | | `user_agent` | string | Browser user-agent string. | | `user_browser` | string | Browser name used by the infected user. | | `user_hostname` | string | Hostname of the infected system. | | `user_os` | string | Operating system name. | | `user_sys_domain` | string | System domain name. | | `user_sys_registered_organization` | string | Name of the system's registered organization. | | `user_sys_registered_owner` | string | Name of the system's registered owner. | * * * 🔐 Credentials & Account Assets [](https://docs.spycloud.com/public-sc/docs/data-schema#-credentials--account-assets) ------------------------------------------------------------------------------------------------------------------------- > Below is a table of all credential and account related assets that may appear in breach records. | Field | Type | Description | | --- | --- | --- | | `account_caption` | string | Account profile caption. | | `account_id` | string | Account number or ID. | | `account_image_url` | string | Account image URL. | | `account_last_activity_time` | datetime | Timestamp of last account activity (ISO 8601). | | `account_login_time` | datetime | Last account login time (ISO 8601). | | `account_modification_time` | datetime | Account modification date (ISO 8601). | | `account_nickname` | string | Account nickname. | | `account_notes` | string | Account notes. | | `account_password_date` | datetime | Date when account password was set (ISO 8601). | | `account_secret` | string | Account secret answer. | | `account_secret_question` | string | Account secret question. | | `account_signup_time` | datetime | Account signup date (ISO 8601). | | `account_status` | string | Account status. | | `account_title` | string | Account title. | | `account_type` | string | Account type. | | `api_token` | string | API token. | | `api_token_secret` | string | API token secret. | | `backup_email` | string | Backup email address. | | `backup_email_username` | string | Username extracted from `backup_email` (before the `@`). | | `domain` | string | Domain name. | | `email` | string | Email address. | | `email_domain` | string | Extracted domain from `email` (after the `@`). | | `email_username` | string | Extracted username from `email` (before the `@`). | | `num_posts` | int | Number of posts (typically forum-related). | | `password` | string | Account password (original form). | | `password_plaintext` | string | Plaintext version of the password (if cracked). | | `password_type` | string | Password type (e.g., plaintext, SHA1, MD5). | | `private_key` | string | SHA256 hash of private key. | | `private_key_password` | string | Password for the private key. | | `public_key` | string | SHA256 hash of public key. | | `salt` | string | Password salt. | | `service` | string | Service associated with credential (e.g., Spotify, Netflix). | | `service_expiration` | string | Service expiration date (ISO 8601). | | `username` | string | Username. | * * * 🧩**OTHER ASSETS** SpyCloud has 200+ data types we recaptured as identity artifacts with a rich & diverse subset of fields across PII, financial, geographical, and social media assets. 🧬**VERSIONING POLICY** SpyCloud maintains **backward compatibility** during a major version lifecycle. * We never remove or rename existing fields in a current product version * New fields may be added without notice — clients should handle unknown keys * Breaking changes will only happen during a major upgrade (e.g., v1 → v2) * * * Updated 24 days ago * * * Ask AI --- # Investigations Module 🧨 The Problem [](https://docs.spycloud.com/public-sc/docs/investigations-console#-the-problem) --------------------------------------------------------------------------------------------------- Analysts are drowning in data and starved for clarity. The sheer volume of compromised identity assets and OSINT data makes it nearly impossible to: * Correlate digital breadcrumbs * Attribute threats * Spot insider risks — before damage is done Most tools demand deep expertise, limiting success to only seasoned investigators. > SpyCloud Investigations gives teams a faster, smarter path from raw exposure to finished intel — helping organizations act before cybercriminals do. * * * 🚀 Product Overview [](https://docs.spycloud.com/public-sc/docs/investigations-console#-product-overview) ------------------------------------------------------------------------------------------------------------- **SpyCloud Investigations** is a SaaS-based module that helps cyber threat intel, security ops, fraud, and risk teams uncover and act on identity exposures with speed and confidence. It delivers deep identity intelligence by transforming breach, malware, and phished data into: * Holistic identity views * Infrastructure mapping * Interactive graph-based investigation **Powered by IDLink™**, it automatically links exposures to build complete digital profiles. Embedded **AI Insights** then detects identity risks and produces executive-ready reports. * * * ⚡ Benefits at a Glance [](https://docs.spycloud.com/public-sc/docs/investigations-console#-benefits-at-a-glance) -------------------------------------------------------------------------------------------------------------------- ### 🔎 See the Full Picture Query SpyCloud’s vast recaptured dataset to uncover sophisticated insider and external threats. ### ⚡ Accelerate Investigations Reduce discovery time from hours to seconds with AI-assisted detection of identity patterns. ### 🧠 Deliver Finished Intel Turn complex patterns into clean, exportable reports — instantly. ### 📈 Amplify Analyst Impact Empower analysts of any expertise level to focus on critical threats. * * * 🧠 Who It's For [](https://docs.spycloud.com/public-sc/docs/investigations-console#-who-its-for) ---------------------------------------------------------------------------------------------------- ### 🧠 Cyber Threat Intel Attribute adversaries and map digital identities across campaigns. ### 🛡️ SOC & IR Accelerate investigations and pivot faster from detection to action. ### 💰 Fraud & Risk Uncover identities tied to phishing and malware exposures. ### 🔒 Trust & Safety Prevent platform abuse by spotting compromised user accounts early. * * * 🎯 Use Cases Covered [](https://docs.spycloud.com/public-sc/docs/investigations-console#-use-cases-covered) --------------------------------------------------------------------------------------------------------------- * Threat actor attribution * Infected host identification * VIP exposures * Supply chain risks * Insider threats (malicious or unintentional) * KYC & fraud investigations * Trust & Safety escalations * Contractor vetting * Platform abuse analysis * Pattern-of-life investigations * * * 🔧 How It Works [](https://docs.spycloud.com/public-sc/docs/investigations-console#-how-it-works) ----------------------------------------------------------------------------------------------------- SpyCloud Investigations starts with a simple selector (email, phone, IP) and uses **IDLink™** to automatically: * Pivot across exposed identity assets * Reveal deep relationships * Visualize the identity as a connected graph You can explore those links interactively and uncover previously invisible exposures. AI Insights then analyzes the full identity and generates a complete PDF summary for stakeholder escalation or incident response. * * * 🤖 AI Insights [](https://docs.spycloud.com/public-sc/docs/investigations-console#-ai-insights) --------------------------------------------------------------------------------------------------- 📄 What is AI Insights? AI Insights closes the investigation loop by automating the final step — compiling raw identity exposures into executive-ready, exportable reports. It detects: * Identity reuse across breaches and logs * Credential overlap * Suspicious browser behavior * Synthetic identity patterns * Indicators of insider threats The result? Finished intelligence in seconds, not hours. * * * 🧬 How IDLink Works [](https://docs.spycloud.com/public-sc/docs/investigations-console#-how-idlink-works) ------------------------------------------------------------------------------------------------------------- 🔗 IDLink Accelerates Identity Correlation IDLink runs background pivots after a simple query (email, phone, username), linking: * Backup emails * Passwords (hashed + cracked) * PII, usernames, and logins * Over a dozen asset types It filters out irrelevant assets, shows only **high-confidence matches**, and builds the most complete view of the subject. * * * 📊 Analyst Advantage [](https://docs.spycloud.com/public-sc/docs/investigations-console#-analyst-advantage) --------------------------------------------------------------------------------------------------------------- **With IDLink-powered Investigations, analysts typically see:** * 8× more identity records * 2× more malware infections * 14× more cracked passwords * 5× more linked emails These lifts translate to faster attribution and better confidence in conclusions. * * * 💡 Feature Breakdown [](https://docs.spycloud.com/public-sc/docs/investigations-console#-feature-breakdown) --------------------------------------------------------------------------------------------------------------- | Feature | Description | | --- | --- | | **Query** | Search 19+ selector types, including email, domain, IP, and password | | **Pivot** | Investigate connected identity assets using IDLink correlation | | **Graph** | Visualize exposure relationships in a pivotable, interactive UI | | **Act** | Use AI Insights to generate finished intelligence reports in seconds | * * * 🔄 Want More Automation? [](https://docs.spycloud.com/public-sc/docs/investigations-console#-want-more-automation) ---------------------------------------------------------------------------------------------------------------------- > Looking to run batch queries or enrich other OSINT workflows? Check out the [SpyCloud Investigations API](https://docs.spycloud.com/docs/investigations-api) — our REST-based integration for power users. Updated 6 months ago * * * Ask AI --- # Graphing 🧭 Overview [](https://docs.spycloud.com/public-sc/docs/graphing#-overview) =============================================================================== SpyCloud’s graph within investigations is a data visualization tool which allows investigators to explore the assets contained from their results in an intuitive, highly flexible node graph. Here they can parse through high volumes of data to discover and collect findings while visually telling the story for communication afterwards with their team. * * * 🪪 Interpreting the Header [](https://docs.spycloud.com/public-sc/docs/graphing#-interpreting-the-header) ------------------------------------------------------------------------------------------------------------- In the header of the page you’ll see a breakdown of key search data including: * Title of the asset you searched for * Total records returned from search * Total records including those acquired from pivots * “Show details” will drop down the advanced details of your search **👇MENU HEADER** ![Header Display](https://files.readme.io/ef97670c5d6e152f133e1b451c3ad2ddec78acbd3852c161b6d49f2744d8ff9d-image2.png) * * * 🧩 Nodes [](https://docs.spycloud.com/public-sc/docs/graphing#-nodes) ------------------------------------------------------------------------- By default, your results will be displayed in an _organic_ (“wheel”) layout grouped by assets. Assets searched and pivoted on are presented in a rectangular tile that is larger and more visually distinct than standard nodes which live inside rounded squares alongside a volume counter. * **Searches & Pivots**: Assets searched and pivoted on are presented in a rectangular tile that is larger and visually distinct. * **Asset Nodes**: Collections of assets grouped by asset type. They live inside rounded squares alongside their total asset volume counter for the node (e.g., 30 = 30 assets contained) * **Assets Themselves**: Individual data points with a circular icon and record volume counter (e.g., 2 = 2 records appeared in) * * * 🖱️ Interacting with Elements [](https://docs.spycloud.com/public-sc/docs/graphing#%EF%B8%8F-interacting-with-elements) --------------------------------------------------------------------------------------------------------------------------- Each element offers a number of distinct interaction options: ### Searches & Pivots [](https://docs.spycloud.com/public-sc/docs/graphing#searches--pivots) * No options for interaction. ### Asset Nodes [](https://docs.spycloud.com/public-sc/docs/graphing#asset-nodes) * Double click to open and view all assets * Right click an asset to connect it with an arrow to the search or pivot it came from * Right click to present the following options: * Add Pivot: Creates a distinctive pivot point and adds new records * Remove Node: Removes the node from your view * View Details: Opens the record details carousel which allows you to switch back and forth between record sets ### Assets Themselves [](https://docs.spycloud.com/public-sc/docs/graphing#assets-themselves) * Double click to open record details * Right click to present the following options: * Add Pivot: Creates a distinctive pivot point and adds new records * Add Fuzzy Pivot: Creates a distinctive fuzzy logic–based pivot point and adds new records * Remove Node: Removes the node from your view * View Details: Opens the record details carousel which allows you to switch back and forth between record sets **👇GRAPH INTERACTION** ![Graph Interaction](https://files.readme.io/75091c7766ff87928dfc015c457dd521489d1227a7d9276822e8273fefab5987-image1.png) * * * 🕸️ Graph at a Glance [](https://docs.spycloud.com/public-sc/docs/graphing#%EF%B8%8F-graph-at-a-glance) ----------------------------------------------------------------------------------------------------------- The graph has a number of features to help you see the narrative in the data and share it: ### Header [](https://docs.spycloud.com/public-sc/docs/graphing#header) * **View Options** * Hide Legend: Hides the displayed legend * Graph Layout: * Organic: Leverages 365 degrees of visual estate. Works best with massive assets/node volumes * Sequential: Tells the chronological story of searches and pivots (best for multi-pivot investigations or findings sharing) * Structural: Provides long distances and separations between node relationships (best for isolating relationships) * Graph Orientation: Will place searches and pivots in any directional position required * Combine By: * Asset: Groups assets by their type (best for most investigative needs) * None: Removes all groupings (best for drilling into relationships between distinct assets across types) * Record: Groups by record * **Actions** * Undo Pivot: Removes the most recent pivot from the search * Screen Capture: Takes a snapshot of your graph results and exports as a PNG * Full Screen Mode: Puts your investigation into full screen mode * * * ### 🖥️ Body [](https://docs.spycloud.com/public-sc/docs/graphing#%EF%B8%8F-body) * **Asset and Node Legend (left):** * Table: Shows the icon of the given item to aid in interpreting graph results * Hide: Hide any asset or node type by clicking its eye icon * **Control Pad and Zoom (right):** * Pad: Allows you to recenter or move your view incrementally up, down, left, or right * Zoom: The further the dial is scrolled up on the scale, the greater the zoom into the results **👇GRAPH CONTROLS** ![Graph Body Controls](https://files.readme.io/ef9f2bdd2918d2198467e2aa8e9915a83b5be6a682a803beae23778b2e0ec775-image3.png) * * * 📑 Data Table [](https://docs.spycloud.com/public-sc/docs/graphing#-data-table) ----------------------------------------------------------------------------------- Allows you to search for specific data captured from searches and pivots in the graph to their details (best for when you have a specific asset of interest): * **Search**: Search by any value in any column * **Filters**: Multiple ways to pare down the results to precisely what is needed * **Export**: Share filtered search results in CSV format **👇DATA TABLE** ![Data Table](https://files.readme.io/2103917137eadef5bd1cb4406616af980f45384abaf6d9ff44015a5a72e42c22-image4.png) Updated 6 months ago * * * Ask AI --- # API Guidelines SpyCloud's APIs provide a programmatic interface into our vast collection of breach records and surrounding metadata. The API is organized around basic REST principles. It has easy to understand, resource-oriented URLs, and uses HTTP response codes to indicate API errors. JSON is returned by _all_ API responses, including those with errors. * * * Authentication [](https://docs.spycloud.com/public-sc/docs/api-guidelines#authentication) --------------------------------------------------------------------------------------------- You can authenticate your account when using the API by including your secret API key in the request header. They key must be specified in the **x-api-key** header. You can securely access your API key(s) in your [Customer Portal](https://portal.spycloud.com/) account. Your API keys carry many privileges, so be sure to keep them secret. Please do not share your API keys in any publicly accessible areas such as source code repositories, client-side web application code, etc. All API requests must be made over HTTPS. HTTP requests are insecure and should be strictly avoided. API requests without valid authentication will fail with an HTTP 403 status code. ### IP Allow-list [](https://docs.spycloud.com/public-sc/docs/api-guidelines#ip-allow-list) To further secure access to the API we will require a list of IPv4 addresses or IPv4 network CIDRs to allow. If you call the API from a non-whitelisted IP address you will receive an HTTP 403 status code. * * * Configuration [](https://docs.spycloud.com/public-sc/docs/api-guidelines#configuration) ------------------------------------------------------------------------------------------- ### Asset Allow-list [](https://docs.spycloud.com/public-sc/docs/api-guidelines#asset-allow-list) We can return specific assets to you and mask the rest. For example, many users only require email and password. Any other assets that are returned, such as PII, are not needed and can be a liability for the user. All other fields will be masked with a fixed length string of 8 asterisks. You can provide a list of assets to allow or this will be determined by your contract. See [Breach Records](https://spycloud-external.readme.io/public-sc/docs/data-schema#/-breach-catalog-schema) for all possible assets. The following fields will always be displayed: * document\_id * source\_id * spycloud\_publish\_date ### Asset Hashing [](https://docs.spycloud.com/public-sc/docs/api-guidelines#asset-hashing) To further secure the Breach Records returned to you we can hash and salt the assets returned. If this is enabled for your API key we will ask for the following configuration items: * The list of assets to hash. See our [Data Schema](https://spycloud-external.readme.io/public-sc/docs/data-schema#/) for all possible assets. * The hashing algorithm to use. Possible values are _sha1, sha224, sha256, sha384, sha512_ * When creating a hash for an email address, it must first be in lower case. * A 10 to 24 character salt with high entropy. You have the option to pass a dynamic salt in as a query parameter with each API call or use the pre-configured salt. * The position of the salt. We can place the salt to the left or right of the value being hashed. By default the salt will be placed to the right of the asset value. ### API Function Allow-list [](https://docs.spycloud.com/public-sc/docs/api-guidelines#api-function-allow-list) You will either have access to all API functions or specific functions that will be determined by your contract. If you call a function that you do not have access to you will receive an HTTP 403 status code. * * * Pagination [](https://docs.spycloud.com/public-sc/docs/api-guidelines#pagination) ------------------------------------------------------------------------------------- Some SpyCloud APIs have support for paginating response data. SpyCloud utilizes cursor-based pagination via the **cursor** parameter. The API uses a fixed page size of 1,000 records. Any time an API request results in more than one page of records the response will contain a non-empty **cursor** value. That value can then be used to iterate through the next page of results. Due to technical limitations a **cursor** value has a lifespan of 2 minutes, after which it can no longer be used. * * * CORS [](https://docs.spycloud.com/public-sc/docs/api-guidelines#cors) ------------------------------------------------------------------------- We support Cross-Origin Resource Sharing (CORS), allowing you to interact securely with our API from client-side web applications. _A word of caution: please do not expose your API key in any public client-side code as that could allow others to make API calls on your behalf._ * * * Errors [](https://docs.spycloud.com/public-sc/docs/api-guidelines#errors) ----------------------------------------------------------------------------- SpyCloud uses conventional HTTP response codes to indicate the success or failure of an API request. In general, codes in the 2xx range indicate success, codes in the 4xx range indicate an error that failed given the information provided (e.g., a required parameter was omitted, parameter format was not valid, etc.), and codes in the 5xx range indicate an error with our API servers (these are rare). Here are the most common HTTP status codes returned by our API: | Code | Reason | | --- | --- | | 200 | Request was successful. | | 400 | Request failed due to a missing or invalid identifier. Check to make sure the query value and/or query parameters are formatted correctly. | | 403 | You do not have required permissions to access the resource. This is an error you will typically get with an improperly configured API key. You should only see this issue when trying to use an API key from a non-whitelisted IP address, or using an endpoint with a typo. Please contact customer support to help with this issue. | | 429 | 'Too many requests' error due to exceeding the rate limit on your API key. You should wait some amount of time see [API Retry Logic](https://spycloud-external.readme.io/sc-cap-api/docs#api-retry-logic)
and retry the call. | | 429 | ‘Limit exceeded’ error due to exceeding the monthly request quota limit on your API key. It’s still possible to get a ‘Too many requests’ error when you have exceeded your API key quota. That error takes precedence over this one. | | 500 | An unexpected error occurred on our end. We advise you to retry the call and then log the error if all retry attempts fail. You can send errors to SpyCloud support and we will investigate the root cause. | * * * Data Encoding [](https://docs.spycloud.com/public-sc/docs/api-guidelines#data-encoding) ------------------------------------------------------------------------------------------- All data returned by the API is UTF-8 encoded. * * * Versioning [](https://docs.spycloud.com/public-sc/docs/api-guidelines#versioning) ------------------------------------------------------------------------------------- When we make backwards-incompatible changes to the API, we release a new version without affecting the old codebase. We also release a changelog, noting any possible change in behavior. All requests will use your current API version, unless you manually override the version specifier in the request URL. To set the API version on a specific request, modify the version number in the URL. As a precaution, please test a new API version before committing to an upgrade. * * * Date Parameters [](https://docs.spycloud.com/public-sc/docs/api-guidelines#date-parameters) ----------------------------------------------------------------------------------------------- Certain API resources accept date-type parameters. Date-type parameters must follow the standard date ISO 8601 date format of "yyyy-mm-dd" with a four digit year, two digit month, and two digit day. * * * Limitations [](https://docs.spycloud.com/public-sc/docs/api-guidelines#limitations) --------------------------------------------------------------------------------------- * Our API keys do have quota limits. If you are receiving 429 errors, please contact us to discuss the possibility of increasing the quota for your API key(s). * Pagination cursor tokens have a short lifetime, usually around 2 minutes. * Response pages are limited to 1,000 items per page. Beyond that you will have to use pagination. This value is not customizable. * For certain username and password resource requests you will have to URL escape special characters. Your API client will need to do this before issuing the request. * We do not perform any additional normalization of email addresses. For example, we do not remove periods or +string from an email address. * Each API might have specific limitations which will be listed in their respective sections. * * * API Retry Logic [](https://docs.spycloud.com/public-sc/docs/api-guidelines#api-retry-logic) ----------------------------------------------------------------------------------------------- There are a couple of approaches to implementing retry logic in the event you exceed your rate limit or receive an error. The same retry logic can be used for current API endpoints such as the Email endpoint. Each approach assumes a default starting wait time of 3 seconds, though you can modify that. #### Exponential Backoff [](https://docs.spycloud.com/public-sc/docs/api-guidelines#exponential-backoff) 1. Call API endpoint. The call fails. 2. Wait 3 seconds, then retry the call. 3. If the call fails again, exponentially increase the timeout to 9 seconds (3\*3s). Then try the call again. 4. If the call fails again, log the error and fail open. #### Sliding Retry [](https://docs.spycloud.com/public-sc/docs/api-guidelines#sliding-retry) 1. Call API endpoint. The call fails. 2. Wait 3 seconds, then retry the call. 3. If the call fails again, wait for 4 seconds (1+3s). Then try the call again. 4. If the call fails again, log the error and fail open. Updated 3 months ago * * * Ask AI --- # Source Catalog Getting Started with the Source Catalog [](https://docs.spycloud.com/public-sc/docs/source-catalog#getting-started-with-the-source-catalog) =============================================================================================================================================== The **SpyCloud Source Catalog** is where our captured darknet data ecosystem comes to life – a daily view of the identity records SpyCloud continuously ingests, enriches, and publishes for customers. It’s available to all console users and provides a transparent look into the breadth, depth, and speed of SpyCloud’s recaptured data. **Why it matters?** The Source Catalog demonstrates SpyCloud’s unique visibility into criminal activity – not just third-party breaches, but infostealer malware infections, successful phishing attacks, and ULP (username login password) combo lists that reveal real-world identity threats. * * * Overview [](https://docs.spycloud.com/public-sc/docs/source-catalog#overview) --------------------------------------------------------------------------------- The Source Catalog offers a **high-level summary** of all SpyCloud data sources, showing: * Total number of published darknet records and total sources * A timeline graph illustrating growth and publishing rate of data records * A source-type breakdown (breach, malware, phishing, combo list) ![](https://files.readme.io/059756baa2b867960af823f6f5f0d63b2131efdf0c467f6337a97fce11d600ca-Image_1.png) * * * Adjusting the Timeframe [](https://docs.spycloud.com/public-sc/docs/source-catalog#adjusting-the-timeframe) --------------------------------------------------------------------------------------------------------------- By default, the view shows **All Time** data. You can narrow the window to focus on more recent activity of publishing: * Last 7 days * Last 30 days * Last 90 days * Last 6 months * Last 12 months 💡 **Tip** Filtering shorter timeframes shows the pace at which SpyCloud is publishing new data – a real indicator of data freshness and scale. ![](https://files.readme.io/c11eebc9c255558073f8664b27494dd05a472c0062cae04cf8e577b812da0533-Image_2.png) [📘 Learn more: How SpyCloud Publishes and Updates Data](https://docs.spycloud.com/public-sc/update/docs/data-collection-parsing-ingestion) * * * Understanding What You See [](https://docs.spycloud.com/public-sc/docs/source-catalog#understanding-what-you-see) --------------------------------------------------------------------------------------------------------------------- The source catalog provides **aggregated insights** into captured darknet data sources, not raw personal data or PII. You’ll see: * Source IDs (useful for searching within each SpyCloud product) * Record counts * Types of exposed identity assets (e.g., passwords, emails, IP addresses) These summaries reflect SpyCloud’s processed and enriched data — never direct PII. [📘 Learn more: SpyCloud Data Schema Reference](https://docs.spycloud.com/public-sc/update/docs/data-schema#/) * * * ▶️ Source Catalog Overview [](https://docs.spycloud.com/public-sc/docs/source-catalog#%EF%B8%8F-source-catalog-overview) ---------------------------------------------------------------------------------------------------------------------------- * * * Next Steps [](https://docs.spycloud.com/public-sc/docs/source-catalog#next-steps) ------------------------------------------------------------------------------------- * [Explore and Filter Sources](https://docs.spycloud.com/public-sc/update/docs/exploring-and-filtering-data-in-the-source-catalog#/) * [Learn about SpyCloud Investigations](https://docs.spycloud.com/public-sc/update/docs/introduction-1#/) Updated 3 months ago * * * * [Exploring and Filtering Data in the Source Catalog](https://docs.spycloud.com/public-sc/docs/exploring-and-filtering-data-in-the-source-catalog) Ask AI --- # Introduction 🛡️ Welcome to SpyCloud Docs [](https://docs.spycloud.com/public-sc/docs/introduction#%EF%B8%8F-welcome-to-spycloud-docs) ============================================================================================================================= **SpyCloud** delivers the world’s most actionable insights by operationalizing a wide range of underground data – including stolen credentials, session cookies, infostealer logs, PII, phishing infrastructure, botnet activity, and deep/dark web intelligence – to stop cybercrime before it impacts your business. 🙌 This docs site is your guide to **unlocking the full potential** of SpyCloud’s solutions – from automated detection to analyst-driven investigations. * * * 🧭 What You’ll Find Here [](https://docs.spycloud.com/public-sc/docs/introduction#-what-youll-find-here) ------------------------------------------------------------------------------------------------------------ * Product overviews and onboarding guides * API reference and integration examples * Playbooks for investigations and fraud use cases * Enablement content for your SecOps, CTI, and fraud teams * Best practices for getting the most value from your SpyCloud solutions * * * 🚀 Why It Matters [](https://docs.spycloud.com/public-sc/docs/introduction#-why-it-matters) ----------------------------------------------------------------------------------------------- Identity is the new perimeter – and today’s adversaries are bypassing traditional defenses with malware, stolen cookies, and reused credentials. SpyCloud flips the advantage by operationalizing underground data, giving your team the ability to: * Detect compromised users before they’re exploited * Attribute malicious behavior with high-confidence identity data * Uncover fraud, account takeovers, and third-party risk faster than ever * * * 🔓 Unlock New Use Cases [](https://docs.spycloud.com/public-sc/docs/introduction#-unlock-new-use-cases) ----------------------------------------------------------------------------------------------------------- Whether you're defending customers, employees, infrastructure – or all three – this docs site helps you: * Unblock technical challenges in integrating SpyCloud data * Explore advanced use cases like synthetic identity detection, insider threat correlation, and malware campaign attribution * Align SpyCloud’s capabilities with your organization’s goals * * * 🚀 Solutions [](https://docs.spycloud.com/public-sc/docs/introduction#-solutions) ------------------------------------------------------------------------------------- Our holistic identity approach illuminates and eliminates hidden darknet exposures across employees, contractors, customers, and non-human accounts – and allows analysts and investigators to achieve deeper insights and faster outcomes than ever before possible. ### 🏢 Enterprise Protection Reduce risk of account takeover (ATO), credential misuse, and ransomware by acting on verified identity exposures. **Includes:** * Malware Exposure Remediation (Compass) * Employee ATO Prevention * Identity Guardians * VIP Guardian * Third-Party Insight ### 👥 Consumer Risk Protection Safeguard customer accounts by detecting compromised credentials, high-risk sessions, and PII exposures before they become fraud or churn events. **Includes:** * Consumer ATO Prevention * Consumer Session Identity Protection * Compromised Credit Card API * Continuous Dark Web Monitoring ### 🔍 Investigations Accelerate cybercrime investigations with rich identity linking and exposure intelligence from a single platform. **Includes:** * Investigations Module * Investigations API * IDLink API ### 🔗 Integrations Automate identity threat detection and remediation across your existing security ecosystem. **Includes:** * SpyCloud Connect hosted integration workflows for SIEM, SOAR, EDR, IdP, and other tools Updated about 2 months ago * * * Ask AI ---