Live threat monitoring · Multi-source OSINT

Your credentials may already be for sale

Stealer logs. Combolists. Dark web forums. Russian Market. ThreatRiX monitors all of them — and alerts you before attackers use what they found. Passive OSINT only. No systems accessed.

Monitor · Detect · Alert
What we found — across recent assessments
1,000+: Stealer logs per assessment
25: Credential leaks / 12 months (avg)
678: Plaintext passwords found in one report
$10: Price to buy stolen credentials on Russian Market
0: Systems accessed — passive OSINT only
Figures from real ThreatRiX intelligence engagements · Client details anonymised
Intelligence sources
SOCRadar, IntelX, Blaze, Shodan, Subfinder, crt.sh, GitHub OSINT, HTTPX · DNSX

8 intelligence sources. One unified report.

Most companies don't know their credentials are exposed until it's too late. ThreatRiX monitors where attackers actually look — not just the surface web.

Primary · Stealer log databases
Infostealer malware logs from infected employee machines. They contain usernames, passwords, URLs and browser cookies. This is the most critical source.
Primary · Combolists & breach dumps
Credential dumps from known breaches circulating in Telegram channels, paste sites, and underground forums.
Dark web · Russian Market / Genesis
Active marketplaces where stolen credential packages are listed for sale. We check if your domain is listed right now.
Dark web · TOR forums & paste sites
Restricted forums and paste sites where threat actors share initial access, leaked data, and attack tools.
Infrastructure · Subdomain & attack surface
Subfinder, HTTPX, DNSX enumeration of your full digital footprint — discovering assets you may not know are exposed.
Infrastructure · Shodan internet exposure
Public services, open ports, exposed admin panels, legacy software versions visible from the internet.
Email security · DMARC / SPF / DKIM audit
Email authentication configuration that enables Business Email Compromise when misconfigured. Often the highest-risk finding.
Code & OSINT · GitHub & code repositories
Passive search for hardcoded credentials, API keys, connection strings, and internal domain references in public repositories.

What we found across recent engagements

Both anonymised. Both real. Both discovered through passive OSINT — no systems accessed, no authorisation needed to find these.

Leading Indian logistics group · Logistics · Azure + AWS + private hosting
1,000+: Stealer log entries from infected machines — M365, Google, Sophos, Webex, Bugzilla, osTicket
25: Employee credential leaks in 12 months across 51 leak sources. Most recent: 10 days before report.
16: Live internet-facing web applications, including a public UAT ERP and a Strapi admin panel
IIS 8.5: Legacy server on HRMS and TMS — end of extended support 2023, no security patches
NULL: DMARC enforcement — duplicate DNS records meant zero email authentication. Critical BEC risk.

Global hospitality technology company · SaaS · 1,000+ hotel clients
768: Credential records from Blaze — 678 in plaintext, ready to use with no cracking required
$10: Two complete stealer packages listed on Russian Market — Acreed malware. Active at time of report.
3: New credential leaks detected on the day of the assessment — exposure was active in real time
SSO: OneLogin SSO credentials confirmed stolen — master key to every connected application
60: CMS attack records across hotel properties — sustained campaign Aug 2025 to May 2026

What a ThreatRiX intelligence report looks like

Every report combines dual-source corroboration, a findings register with severity ratings, and an actionable remediation plan. Anonymised preview below.

THREATRIX · Dark Web & Credential Exposure Report · [Client] · July 2026 · CONFIDENTIAL
Overall risk rating — corroborated by 2 independent sources: HIGH
1,000+: Stealer Logs
25: Cred Leaks (12mo)
512: IntelX Text Files
23: Subdomains Mapped
16: Live Web Apps
Findings register (showing 4 of 16)
Severity | Finding | Status
CRITICAL | 1,000+ stealer logs from infected machines — M365, Google, Sophos, Webex, Bugzilla credentials confirmed | CONFIRMED
CRITICAL | DMARC duplicate records — zero email enforcement. Combined with 25 credential leaks = critical BEC risk | CONFIRMED
HIGH | Public UAT ERP internet-facing — returns HTTP 200 with welcome page, no authentication prompt | CONFIRMED
HIGH | 5 database files + 2 pastes referencing client domain in IntelX — restricted, requires subscription access | PENDING

Choose your monitoring depth

From a one-time assessment to continuous monitoring and full incident response — all pricing on request.

Essential
For companies that need to know their current exposure
Contact us
Domain monitoring — credential leaks, stealer logs
Monthly intelligence report
24hr alert on critical findings
Email security posture audit (DMARC / SPF / DKIM)
Subdomain attack surface mapping
Advisory
For companies that need intelligence + active remediation support
Contact us
Everything in Intelligence
Full CVE audit on exposed infrastructure
IntelX restricted access validation
Incident response support
vCISO advisory sessions
Remediation tracking & verification
Board-level risk reporting
Credential reset coordination

Passive only — no systems accessed, ever

All ThreatRiX intelligence is gathered through legal passive OSINT. We never access client systems, never interact with threat actor infrastructure, and never perform active intrusion.

1. You share your domain
We only need your primary domain (e.g. yourcompany.com). No credentials, no access, no install.
2. Multi-source OSINT
We query SOCRadar, IntelX, Blaze, Shodan, Subfinder, HTTPX, GitHub and more over 48–72 hours.
3. Expert analysis
Every finding is manually reviewed, severity rated, and corroborated across multiple sources before inclusion.
4. Confidential report
CONFIDENTIAL-marked PDF with findings register, severity ratings, and 7–16 prioritised remediation actions.
5. Ongoing monitoring
Continuous monitoring alerts you within hours of new credential leaks or black-market listings — not months later.

Find out what's already exposed — before attackers use it

We've found credentials for sale, stealer logs from live infected machines, and black-market listings across every assessment we've run. The question isn't whether your data is out there — it's whether you know about it.

Passive OSINT only · No systems accessed · Confidential report delivered in 72 hours