Dark Web Dashboard – Overview

Let’s uncover more of the power and depth of our system, and see how each section delivers unmatched visibility into dark web threats.

Last Scan

AttackMetricx offers ultra-fast detection of dark web activity, with tunable scanning frequencies. Customers can configure the platform to poll sources as frequently as every 30 minutes, hourly, or daily, depending on business needs. Whenever a new breach, botnet, or ransomware event is detected, real-time alerts are instantly dispatched to the recipients you define in the Notifications settings under Alerts, ensuring no critical exposure goes unnoticed.

The Last Scan indicator is located at the top-right corner of the Dark Web Dashboard, directly above the key exposure widgets (Threat Actors, Botnets, Mentions, Breaches, Ransomware).

This strategic placement ensures that before reviewing any metrics, analysts immediately see when the data was last refreshed.

Masking Setting (Data Protection Feature)

Located in the top-right corner of the Dark Web Dashboard, the Settings icon ⚙️ opens the Masking Setting window, a crucial privacy control designed to safeguard sensitive information displayed on-screen during analysis.

When enabled, the Masking Setting automatically obscures confidential data such as passwords and credit card numbers, replacing them with asterisks (***). This prevents accidental exposure of critical credentials during demonstrations, investigations, or collaborative review sessions.

Available Options:

  • Mask Password – When toggled on, all exposed or leaked passwords within the breaches table are visually masked, ensuring they remain hidden from unauthorized viewing.

  • Mask Credit Card – Protects sensitive payment data (e.g., 1234 56** **** 1234) that might appear within breach intelligence. This is especially relevant when monitoring financial sector exposures or retail/merchant leaks.
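The two toggles above map directly onto a small on-screen masking routine. The following Python is an added illustration, not code from AttackMetricx: it masks a password entirely and keeps only the first six and last four digits of a card number, producing the 1234 56** **** 1234 form shown in the description. The record format (`email`, `password`, `card_number` keys) and the sample values are constructed for the example.

```python
import re

# Constructed sample breach record; not data from the platform.
SAMPLE_RECORD = {
    "email": "user@example.com",
    "password": "Summer2023!",
    "card_number": "1234 5678 9012 1234",
}


def mask_password(value: str) -> str:
    """Replace a leaked password completely; even its length is not revealed."""
    return "***"


def mask_card(value: str) -> str:
    """Keep the first six and last four digits of a card number and mask the
    rest, regrouped in blocks of four (the 1234 56** **** 1234 form).
    Strings that do not look like a card number (13-19 digits) are returned
    unchanged; that length window is an assumption of this example."""
    digits = re.sub(r"\D", "", value)
    if not 13 <= len(digits) <= 19:
        return value
    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def apply_masking(record: dict, mask_pw: bool = True, mask_cc: bool = True) -> dict:
    """Apply the Mask Password / Mask Credit Card toggles to one record.
    A copy is returned so the underlying evidence is never altered."""
    out = dict(record)
    if mask_pw and "password" in out:
        out["password"] = mask_password(out["password"])
    if mask_cc and "card_number" in out:
        out["card_number"] = mask_card(out["card_number"])
    return out


if __name__ == "__main__":
    print(apply_masking(SAMPLE_RECORD))
```

Masking is applied to a copy of the record, so toggling the setting off again simply re-reads the unmasked evidence; the stored data is never rewritten.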

At the top of the Dark Web Dashboard, five key widgets provide a quick snapshot of your organization’s underground exposure:

Threat Actors – The number of malicious groups or individuals actively publishing, trading, or discussing your organization’s data.

Botnets – The count of infected machines identified in malware logs, exposing files, credentials, or system information.

Mentions – References to your brand, domains, or assets across Telegram channels, dark web forums, underground marketplaces, Russian markets (specifically tracked due to their high activity in trading corporate and personal data), and onion sites.

Breaches – The total discovered leaks of email addresses, passwords, and sensitive records connected to your organization.

Ransomware – Instances where ransomware groups have targeted, listed, or leaked your company’s data.

VIP – Dedicated monitoring for high-profile executives or key employees of the organization.

Credit Cards – Focused monitoring for stolen or leaked payment card data circulating in underground markets and Russian markets.

These widgets are designed for fast visibility, helping executives immediately understand the scale of exposure while enabling analysts to prioritize investigations. Each metric has its own detailed section in the platform, where users can drill down into evidence, view activity timelines, and export data. In this overview, they serve as high-level indicators, with deeper explanations covered later in the documentation.

AttackMetricx also provides monitoring of sensitive identifiers such as VIPs (Very Important Persons) and BINs (Bank Identification Numbers). These represent two of the most frequently exploited categories on the dark web: high-profile individuals and financial data. Note: These capabilities require a separate license and are not included by default in Dark Web Monitoring. They will be explained later in detail in the Identifiers section.

Now, let’s begin breaking down the Dark Web Dashboard in detail, starting with the Annual Activity chart.

Annual Activity

The Annual Activity chart provides a visual timeline of dark web incidents associated with your organization over the past year. Each bar represents the volume of underground activity detected in a given month, color-coded to reflect severity:

  • Red bars indicate months with high-severity exposures, such as large credential leaks or significant ransomware threats.

  • Orange bars highlight moderate incidents, like targeted mentions or smaller data leaks.

  • Green bars show lower-severity activity, such as minor mentions or isolated infected devices.

What it shows

This chart helps identify patterns and peaks in malicious activity. For example, a sudden spike may suggest a targeted campaign against your organization or the release of stolen credentials on a popular marketplace.

Why it matters

  • Enables trend analysis, helping security teams anticipate active periods of underground activity.

  • Provides historical context, showing whether incidents are increasing, decreasing, or stabilizing over time.

  • Supports executive reporting, translating raw incident data into a clear, easy-to-understand visual.

Example Use Case

Suppose in October the chart displays a red bar indicating high activity. Security teams can drill into that period to discover that a major botnet dump exposed hundreds of employee credentials. This allows the team to correlate the incident with alerts, reset compromised accounts, and prioritize further monitoring during the following months.

Dark Web Rating

The Dark Web Rating is a dynamic risk indicator that consolidates all intelligence gathered from the underground into a single, easy-to-interpret metric. Displayed as a gauge ranging from green (low exposure) to red (critical exposure), it provides executives with an immediate understanding of the organization’s overall dark web posture.

What it shows

  • A percentage score (0–100%) reflecting how much sensitive data tied to the organization has been discovered across breaches, botnets, mentions, and ransomware sources.

  • Higher values (closer to 100%) signal greater exposure and higher potential business impact, while lower values indicate a healthier, less visible attack surface on the dark web.

Why it matters

  • Offers a single source of truth for board-level reporting and executive dashboards.

  • Enables security teams to track progress over time: if remediations, password resets, or takedowns are effective, the risk level should decrease.

  • Helps prioritize response by highlighting whether the organization is trending toward critical exposure or maintaining controlled visibility.

Unlike static scoring, AttackMetricx leverages machine learning models to correlate breaches, botnets, mentions, and ransomware activity into a unified exposure score. Through integration with external telemetry and SIEM/SOAR platforms, the system contextualizes dark-web findings alongside enterprise security data, providing a single source of truth for executive reporting and SOC operations.

Example Use Case

After a wave of botnet infections leaks hundreds of corporate credentials, the Dark Web Rating spikes to 92%. The security team conducts account resets, applies multi-factor authentication, and initiates takedowns of malicious posts. On the next scan, the score drops to 68%, clearly showing that remediation actions had measurable impact.

In the top-right corner, you’ll find a calendar icon that opens the Dark Web Calendar, an intelligent visual dashboard designed to track exposure trends and evaluate cyber hygiene over time.

This feature enables analysts to monitor dark web threat activity, validate remediation efforts, and detect early signs of credential or data compromise. It empowers both executive and operational teams to correlate security posture with underground intelligence dynamically.

The calendar view offers three analytical perspectives:

  • Daily View: Displays day-to-day exposure ratings, highlighting fluctuations tied to newly detected breaches or mentions on the dark web.

  • Monthly View: Aggregates risk levels, allowing visibility into long-term exposure reduction or escalation trends.

  • Yearly View: Provides an annual perspective of dark web activity, ideal for strategic reporting and compliance auditing.

At the top of the calendar, you can filter by domain to focus analysis on specific assets or subsidiaries. Each cell on the calendar presents the rating grade (A–F) and percentage score (e.g., A – 99%), giving instant clarity on dark web exposure and breach frequency.

Password Hygiene

The Password Hygiene widget evaluates the strength and security of credentials discovered in underground leaks. It highlights whether exposed passwords are weak, reused, or duplicated, providing a clear picture of how poor credential practices may be increasing organizational risk.

What it shows

  • Overall Score (e.g., 60%) – Reflects the percentage of compromised passwords that meet acceptable security standards versus those considered risky.

  • Weak Passwords (Red) – Shown in red, these are short, common, or system-default passwords, or ones easily guessable through brute-force and dictionary attacks.

  • Re-used Passwords (Yellow) – Marked in yellow, these are credentials where the same password has been used across multiple services, amplifying the risk of credential-stuffing attacks.

  • Duplicate Passwords (Green) – Displayed in green, these represent identical passwords appearing in different accounts or leaks, reducing uniqueness and increasing the impact radius of a single compromise.

Why it matters

  • Color coding simplifies prioritization: red indicates urgent remediation, yellow signals medium risk requiring corrective action, and green highlights remaining issues that still weaken password uniqueness.

  • Exposes poor password practices across employees, partners, or customers.

  • Helps security teams prioritize account resets for users with high-risk credentials.

  • Provides measurable insight into credential hygiene over time, especially after enforcing password policies or deploying multi-factor authentication.

Example Use Case

An organization discovers that a large portion of its accounts fall into the red zone with weak passwords such as 123456 or company@2023. After enforcing stronger password policies and MFA, the following scan shows that red indicators have dropped significantly while green and yellow dominate. This demonstrates a clear improvement in password security posture and provides evidence for compliance reporting.
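The three categories above can be computed from a leak dataset, which is what makes the widget's score measurable from scan to scan. The Python below is an added example and not AttackMetricx code: it takes constructed leak records of the form (account, service, password), labels each record weak, reused (same account, same password, several services), duplicate (same password across different accounts) or ok, and reports the share of ok records as the score. The weak-password rules, the `ORG_NAME` value and the sample records are assumptions of the example; the platform's actual scoring rules are not published on this page.

```python
import re
from collections import defaultdict

# Constructed inputs for the example; none of this is platform data.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "admin", "welcome"}
ORG_NAME = "company"  # assumed organisation name, used to catch company@2023-style passwords

LEAK_RECORDS = [
    # (account, service the credential belongs to, leaked password)
    ("alice@example.com", "vpn.example.com", "123456"),
    ("alice@example.com", "mail.example.com", "123456"),
    ("bob@example.com", "vpn.example.com", "company@2023"),
    ("carol@example.com", "crm.example.com", "Tq7!vR9#kLp2"),
    ("dave@example.com", "crm.example.com", "Tq7!vR9#kLp2"),
    ("erin@example.com", "mail.example.com", "Xw3$mN8&zQ5b"),
    ("frank@example.com", "vpn.example.com", "Yk4@pL2!vD9n"),
    ("frank@example.com", "wiki.example.com", "Yk4@pL2!vD9n"),
]


def is_weak(password: str) -> bool:
    """Weak = short, on a common-password list, contains the org name,
    or follows the word+year pattern. These rules are the example's own."""
    lowered = password.lower()
    if len(password) < 8 or lowered in COMMON_PASSWORDS or ORG_NAME in lowered:
        return True
    return re.fullmatch(r"[a-z]+[@#!$]?\d{4}", lowered) is not None


def classify_records(records):
    """Label every record weak, reused, duplicate or ok (most severe label wins)."""
    services_by_account_pw = defaultdict(set)  # (account, password) -> services
    accounts_by_pw = defaultdict(set)          # password -> accounts
    for account, service, pw in records:
        services_by_account_pw[(account, pw)].add(service)
        accounts_by_pw[pw].add(account)

    labels = []
    for account, service, pw in records:
        if is_weak(pw):
            labels.append("weak")        # red
        elif len(services_by_account_pw[(account, pw)]) > 1:
            labels.append("reused")      # yellow
        elif len(accounts_by_pw[pw]) > 1:
            labels.append("duplicate")   # green
        else:
            labels.append("ok")
    return labels


def hygiene_summary(records):
    """Return per-category counts and the overall score (% of ok records)."""
    labels = classify_records(records)
    counts = {k: labels.count(k) for k in ("weak", "reused", "duplicate", "ok")}
    score = round(100 * counts["ok"] / len(labels), 1) if labels else 100.0
    return counts, score


if __name__ == "__main__":
    print(hygiene_summary(LEAK_RECORDS))
```

Running the same classification on the next scan's export gives the before/after comparison the use case describes: a password policy that removes the weak entries raises the ok share directly, while duplicates across accounts only disappear once users stop sharing passwords.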

Compromised Folders

The Compromised Folders widget displays the total number of folders that have been exfiltrated and exposed through stealer malware infections or botnet logs. These folders typically contain sensitive business or personal data such as documents, images, or configurations that were harvested from infected devices and sold or shared on the dark web.

What it shows

Numerical Count (e.g., 168) – Indicates how many distinct folders have been compromised and made available underground.

These folders carry a high level of risk, as stolen folders may include confidential corporate information, customer data, or even credentials stored in text/config files.

Why it matters

Compromised folders often contain bulk data leaks, not just individual records, which can significantly increase business exposure.

Attackers frequently analyze these folders to extract strategic information (contracts, financial spreadsheets, internal procedures) that can be resold, used for extortion, or weaponized in targeted attacks.

Example Use Case

A scan reveals hundreds of compromised folders originating from infected employee laptops.

The compromised folders displayed in this widget are primarily sourced from the Botnets tab. From there, security teams can inspect the actual leaked folders collected by stealer malware and botnet infections. This integration ensures that analysts not only see the total count but also gain full visibility into the compromised directory structures and their contents, making it possible to trace every folder back to the original infection point and execute a targeted incident response.

Compromised Files

The Compromised Files widget identifies the number of individual files that have been stolen and exposed via stealer malware logs, infected endpoints, or underground trading forums. Unlike folders, which represent collections of data, this metric focuses on specific files that may hold sensitive or high-value information.

What it shows

Numerical Count (e.g., 171) – Represents the total number of individual files that were compromised and made available on the dark web.

These files contain high-risk data, such as spreadsheets, personal documents, configuration files, or saved browser sessions that attackers can weaponize.

Why it matters

Even a single compromised file can be enough to trigger severe damage: for example, a stolen Excel sheet with customer data, or a configuration file exposing database access.

Attackers frequently combine leaked files with other stolen material (credentials, malware logs) to build a full attack chain.

This metric gives security teams the ability to assess exposure granularity, understand what exact information has been taken, and determine the potential impact.

Example Use Case

A scan reveals dozens of files including payroll spreadsheets, browser auto-fill databases, and internal policy documents. The security team immediately classifies the sensitivity level of each file, initiates data loss notifications, and works with IT to invalidate credentials and rebuild compromised systems. This limits further exploitation and strengthens compliance with data protection regulations.

The compromised files displayed in this widget are primarily sourced from the Botnets tab. From there, security teams can view the actual leaked files harvested by stealer malware and botnet infections. This direct linkage not only shows the count but also provides full visibility into the exposed content, allowing organizations to trace each incident back to the original infection and respond with precision.

Top 10 Compromised Passwords

The Top 10 Compromised Passwords widget provides a quick snapshot of the most frequently exposed credentials associated with your organization. Each entry is color-coded to reflect its strength and security risk level:

  • Red → Extremely weak passwords (e.g., “123456”, “qwerty”), highly vulnerable to brute-force or dictionary attacks.

  • Yellow/Orange → Medium-strength credentials, harder to guess but still risky if reused or exposed.

  • Green → Stronger passwords that meet complexity requirements but may still be compromised through malware or phishing.

This color-coding allows analysts to quickly differentiate between trivial exposures and more resilient, yet still compromised, passwords.

Interactive Options

  • Hash Icon (#): Clicking this icon opens the NTLM Hash details for the selected password.

    • Example: For the password "?", the system displays its NTLM hash (8D3647093E662B9CF9D19C804C4655B6).

    • The NTLM (New Technology LAN Manager) hash is the MD4 digest of the password encoded as UTF-16LE.

    • Security Note: Exposed NTLM hashes can be weaponized in pass-the-hash attacks, enabling attackers to authenticate without knowing the plaintext password. Analysts are advised to treat this data with extreme caution.

  • Export Button: The Export option (purple button on the top-right) allows users to download the entire list of compromised passwords in a structured format (CSV, XLSX, etc.). This supports further offline analysis, integration with SIEM/SOAR platforms, or evidence preservation for incident reports.

Why It Matters

  • Helps identify which exposed passwords are most common across the underground ecosystem.

  • Equips security teams with actionable insights for prioritizing account resets and enforcing stronger credential policies.

  • Adds forensic depth by exposing the underlying hash values, enabling advanced correlation with malware logs and botnet databases.

Example Use Case

An analyst notices multiple red entries like "0528" and "977656", which are weak and widely reused. By clicking the hash icon, the analyst retrieves the NTLM hash and validates whether these credentials were stolen from botnet infections. The team then exports the full list and integrates it into their SIEM to automatically flag login attempts using any of these compromised credentials.

Top Compromised Operating Systems

The Top Compromised Operating Systems widget identifies which OS versions were most frequently exposed through stealer malware logs, botnet infections, or dark web leaks. This visualization provides insight into which environments attackers are most successful at compromising, allowing defenders to focus hardening efforts where it matters most.

What it shows

  • A ranked list of operating systems tied to compromised devices.

  • Color-coded bars represent relative severity and prevalence:

    • Red → High concentration of compromises (e.g., Windows 10 Pro [x64]). These versions are the most heavily targeted and represent critical exposure.

    • Orange/Yellow → Moderate compromise levels, indicating noticeable but less severe exposure compared to red.

    • Green → Lower compromise counts. While still relevant, they indicate less frequent exploitation or newer systems with fewer infections logged.

Why it matters

  • Highlights which operating systems are most attractive to attackers, often due to larger user bases or slower patch adoption.

  • Helps security teams prioritize patching, hardening, and EDR deployment on high-risk systems (e.g., legacy Windows 10 builds).

  • Supports threat hunting and SOC operations, as analysts can cross-check if compromised OS versions align with internal asset inventories.

  • Provides a strategic view for executives, showing whether the majority of exposures are on outdated or current platforms.

Example Use Case

A scan shows that Windows 10 Pro (x64) and Windows 10 Enterprise (x64) dominate the red zone, representing the majority of compromised endpoints. The SOC team uses this data to:

  1. Verify how many of these OS versions exist internally.

  2. Confirm if exposed machines had outdated patches or weak endpoint protection.

  3. Prioritize those systems for urgent remediation and policy enforcement.

This not only reduces the organization’s dark web footprint but also strengthens the endpoint security posture against future infections.

Top Bypassed Antivirus

The Top Bypassed Antivirus widget illustrates which security products were present on compromised endpoints, yet still failed to prevent infection. This metric provides critical visibility into how attackers are evading endpoint defenses, highlighting potential blind spots in protective technologies.

What it shows

  • A distribution of antivirus (AV) solutions that were bypassed during stealer malware or botnet infections.

  • Color-coded segments represent the percentage of infections linked to each AV status:

    • Red (e.g., Windows Defender – 85%) → Indicates the AV was present but successfully bypassed by attackers. This high percentage demonstrates how widely targeted and frequently evaded Microsoft’s built-in solution is.

    • Yellow (e.g., ESET Security [Off] – 8%) → Shows devices where the AV was installed but disabled at the time of infection, leaving systems exposed.

    • Blue (e.g., Windows Defender [On] – 8%) → Reflects devices where AV was running but still circumvented, underscoring that signature-based detection alone is insufficient against modern threats.

    On vs. Off – Why it matters

    Distinguishing between On and Off states is critical for interpreting the effectiveness of antivirus solutions:

    • Off → Indicates a policy or user behavior gap, where protection exists but was disabled (intentionally or accidentally). This points to the need for enforced security policies, user awareness, and restrictions that prevent deactivation of critical defenses.

    • On → Demonstrates that even when AV is fully operational, sophisticated malware can still slip through. This signals the necessity for defense-in-depth strategies, such as Endpoint Detection & Response (EDR), behavioral analytics, and continuous monitoring.

    By comparing these states, organizations gain a clearer picture of their true endpoint resilience: whether exposures stem from misconfigurations and gaps in enforcement, or from limitations of traditional antivirus technology itself.

Why it matters

  • Reveals which security products attackers most commonly defeat, enabling CISOs to assess whether their endpoint protection stack is sufficient.

  • Highlights the importance of layered security controls (e.g., EDR, behavioral monitoring, zero-trust policies) instead of relying solely on AV.

  • Provides threat intelligence for SOC teams, helping them tune detection rules and validate security effectiveness.

Example Use Case

The widget shows that the majority of infections occurred on systems running Windows Defender (85%), either bypassed directly or exploited when disabled. Armed with this insight, the security team decides to:

  1. Deploy an EDR/XDR solution to complement AV.

  2. Enforce policies preventing users from disabling antivirus protection.

  3. Correlate bypassed AV data with botnet logs to identify infection vectors.

This turns the metric into actionable intelligence, allowing the organization to strengthen endpoint resilience against real-world attack techniques.

We can now move deeper into the detailed tabs displayed above the dashboard. Each of the Threat Actors, Botnets, Mentions, Breaches, and Ransomware tabs provides an in-depth view of the intelligence behind those numbers.
