Labeling
The Labeling module is one of the most powerful features of AttackMetricx, designed to give security teams full control over how breached data is categorized, tagged, and prioritized. Instead of relying only on automated feeds, our system allows analysts to define custom rules, tags, and severity levels, ensuring findings are mapped precisely to business context.
With this feature, you can automatically detect, classify, and prioritize breaches across URL Domains, Email Domains, and Usernames. This transforms raw dark web or breach records into actionable intelligence, helping organizations instantly distinguish between a possible customer leak, a potential employee credential exposure, or other sensitive categories.
1. Tags & Add New Tag
Tags are labels that describe the nature of the finding (e.g., Possible Customer, Possible Employee, CEO, Finance Department).
They provide contextual meaning to a record so analysts can quickly understand who or what is at risk.
With Add New Tag, you can create your own categories. For example, if your organization wants to track exposures related to C-level executives or VIP customers, you can add a new tag and assign it to relevant records.
How to Add a New Tag
Click “Add New Tag”
At the top-right of the Labeling interface, click on the Add New Tag button.
This will open a pop-up window labeled “Add A New Tag”.
Enter the Tag Name
In the input field, type the name of the tag you want to create.
Example: Possible Customer, Possible Employee, CEO, Finance Department, VIP Customer.
Save the Tag
Once you’ve entered the tag name, click Save.
The new tag will be added to the system and can now be used when creating or editing records.
After saving, this tag becomes available in the dropdown list under Tags, meaning you can assign it to exposures and make them instantly identifiable with business context.
2. Add New Record
A record defines a specific keyword or search pattern the system looks for inside breach datasets.
Keyword
The search term that the system will look for across breach datasets.
Can be a username (e.g., ahmad), a path (e.g., wp-login), or a sensitive term (e.g., vpn, backup).
This keyword is the trigger for identifying potential exposures.
Search In
Defines the scope of the search:
URL Domain → Checks for exposures inside web URLs and subdomains. Example: vpn.example.com.
Email Domain → Searches for breaches tied to emails. Example: @example.com.
Username → Scans for usernames that appear in leaked datasets. Example: admin.
Severity
Indicates the risk impact if this keyword appears in a breach.
Options:
Critical → Direct and urgent threat (e.g., vpn, admin).
High → Severe but not immediate.
Medium → Moderate impact exposures.
Low → Informational or low-risk findings.
Tag
Adds contextual meaning to the record so analysts know who or what is affected.
Examples:
Possible Customer → A breach likely involves customers.
Possible Employee → A breach tied to staff accounts.
Custom tags can be created (e.g., Finance Dept, VIP, C-Level).
Domain Name
Restricts the record to a specific monitored domain or applies to all domains.
Example:
Domain = example.com → Only matches breaches linked to this domain.
Domain = All → Searches across every monitored domain in the system.
Steps to Add a New Record
Click Add New Record (top-right corner).
In Keyword, enter the search term (e.g., vpn).
In Search In, select where to search: URL Domain, Email Domain, or Username.
In Severity, choose the impact level (Critical, High, Medium, Low).
In Tag, assign context (e.g., Possible Employee).
In Domain Name, choose a specific domain (e.g., example.com) or select All.
Click Save to finalize.
Now, if the system finds any exposure like vpn.example.com in dark web or breach data, it will automatically classify it as a Critical risk, tag it as an Employee-related exposure, and prioritize it for remediation.
3. Add New Group (Multiple Keywords)
A group allows analysts to track multiple keywords in combination, making it possible to detect more complex or high-risk exposure patterns across breach datasets.
Each keyword can be assigned its own search scope (URL domain, email domain, or username).
The group as a whole can be enriched with a severity level, tag, and domain filter to ensure precise classification.
🔎 Example Configuration
First Keyword: wp-login → Search in URL domain
Second Keyword: admin → Search in Username
Severity: Critical
Tag: Possible Customer
Domain: example.com
➡️ In this case, if both wp-login and admin are detected together in breach data linked to example.com, the system flags it immediately as a Critical customer-related issue, ensuring it receives top priority in investigation and response.
Steps to Add a New Group
Click Add New Group (top-right corner).
Enter the First Keyword (e.g., wp-login).
Select First Search In (URL domain, email domain, or username).
Enter the Second Keyword (e.g., admin).
Select Second Search In (URL domain, email domain, or username).
Set the Severity (Critical, High, Medium, Low).
Choose a Tag (e.g., Possible Customer or Possible Employee).
Select the Domain Name to apply the rule (e.g., example.com or All).
Click Save to finalize.
This feature is particularly powerful when you want to link multiple risk indicators together (e.g., a login path + a leaked admin username). Instead of isolated alerts, the system correlates them into a single high-value finding, making the intelligence far more actionable.
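The record and group rules described in sections 2 and 3 can be modeled as follows. This is an added illustration, not AttackMetricx code: the finding field names, the case-insensitive substring matching, and the "backup" rule are assumptions made for the example.

```python
from dataclasses import dataclass

SEVERITIES = ["Low", "Medium", "High", "Critical"]
# Assumed field names for a breach finding; the page does not define a schema.
FIELDS = {"URL Domain": "url", "Email Domain": "email", "Username": "username"}

@dataclass(frozen=True)
class Rule:
    conditions: tuple      # one (keyword, search_in) pair = record, two = group
    severity: str
    tag: str
    domain: str = "All"    # "All" or one monitored domain

def _hit(keyword, search_in, finding):
    # Assumption: case-insensitive substring match on the selected field.
    return keyword.lower() in (finding.get(FIELDS[search_in]) or "").lower()

def rule_matches(rule, finding):
    if rule.domain != "All" and finding.get("monitored_domain") != rule.domain:
        return False
    # A group fires only when every keyword is found in its own scope.
    return all(_hit(k, s, finding) for k, s in rule.conditions)

def label(finding, rules):
    """Return (severity, tag) for each matching rule, highest severity first."""
    hits = [(r.severity, r.tag) for r in rules if rule_matches(r, finding)]
    return sorted(hits, key=lambda h: -SEVERITIES.index(h[0]))

# Rules follow the page's examples; the "backup" rule is constructed.
RULES = [
    Rule((("backup", "URL Domain"),), "Medium", "Finance Department"),
    Rule((("vpn", "URL Domain"),), "Critical", "Possible Employee", "example.com"),
    Rule((("wp-login", "URL Domain"), ("admin", "Username")),
         "Critical", "Possible Customer", "example.com"),
]

# Constructed sample findings (not real breach data).
FINDINGS = [
    {"monitored_domain": "example.com", "url": "vpn.example.com/backup", "username": "ahmad"},
    {"monitored_domain": "example.com", "url": "example.com/wp-login", "username": "Admin"},
    {"monitored_domain": "example.com", "url": "example.com/wp-login", "username": "ahmad"},
    {"monitored_domain": "example.org", "url": "vpn.example.org", "username": "admin"},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["url"], f["username"], "->", label(f, RULES) or "unlabelled")
```

Under substring matching, a short keyword such as admin would also match a username like sysadmin, so pairing it with a second keyword in a group or restricting the rule to one domain keeps Critical findings meaningful.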
Why This Matters
Precision Control → Analysts can define exactly how to classify exposures.
Automation at Scale → Once rules are defined, AttackMetricx applies them across all breach records automatically.
Contextual Prioritization → Not all exposures are equal; tagging and severity ensure teams focus on what matters most.
Enterprise-Ready Customization → Each organization can align labeling rules to its own policies, compliance requirements, or threat models.
In short, the Labeling module turns raw breach data into business-aware, actionable intelligence, making AttackMetricx far stronger than platforms that simply dump breach records without context.
4. Labeling Table & Record Management
The Labeling Table displays all the custom rules (records) you have defined to automatically detect and classify breaches. Each row represents a single record with its configuration.
Table Fields:
# (Number) → The unique index of the record in the table.
Keyword → The specific word or pattern being searched (e.g., wp-login, vpn, admin).
Search In → Defines where the keyword will be checked (URL Domain, Email Domain, Username).
Tag → The contextual label assigned to the finding (e.g., Possible Customer, Possible Employee, CEO).
Severity → The risk level associated with the finding (Critical, High, Medium, Low).
Actions → Provides two quick options:
✏️ Edit Record → Modify the details of an existing record.
🗑 Delete Record → Permanently remove the record.
Edit Record
When you click the Edit icon in the Actions column, the Edit Record form opens.
Here you can adjust:
Keyword → Change the word or phrase being monitored.
Search In → Update the search location (URL, email, or username).
Severity → Reclassify the exposure risk (e.g., from High to Critical).
Tag → Reassign context (e.g., from Possible Customer to Possible Employee).
Domain Name → Narrow the rule to a specific domain or apply across all domains.
After changes, click Save to update the record.
Delete Record
When you click the Delete icon, the record is removed from the table. This stops the system from detecting or tagging new exposures based on that rule.
This functionality ensures that your team can dynamically refine breach detection rules. You can continuously adjust, expand, or clean up the labeling rules so the system always aligns with your organization’s evolving security priorities.