DARK WEB EXPOSURE ASSESSMENT

[PRINCIPAL / PROTECTEE NAME - ASSESSMENT TITLE]

Defensive, consent-based assessment of a named principal’s exposure across dark-web, deep-web, and encrypted-platform environments - breach corpora, criminal marketplaces, closed forums, encrypted messaging surfaces, and threat-actor chatter. Center of gravity: enumerate what dark-web data exists about the principal through lawful open-source and authorized-access techniques, assess how that data enables harm (credential compromise, account takeover, identity fraud, physical targeting, extortion, reputational attack), and prioritize suppression/remediation. This is the dark-web exposure complementary product to the baseline Digital Footprint & Exposure Assessment. It does NOT: repeat or supplant the clearnet/surface-web exposure picture (see Digital Footprint & Exposure Assessment); attribute, profile, or track specific threat actors or criminal groups operating on the dark web (see Dark-Web Investigation & Attribution Report); model targeted doxxing/harassment attack pathways in depth (see Doxxing Vulnerability & Attack-Surface Assessment); or execute active technical intrusion, account compromise, or real-time forum monitoring (governed under separate operational retainer). It assesses the principal’s OWN dark-web exposure - it is not an investigation of a third party or threat actor.


Document Control

FieldEntry
Report Reference[REF-YYYY-###]
Date of Report[ ]
Classification / Handling[e.g., CONFIDENTIAL // CLIENT EYES ONLY]
Client / Sponsor[ ]
Requesting Party[ ]
Principal(s) Assessed[ ]
Consent / Authority Basis[e.g., signed assessment authorization on file - ref]
Assessment Window (as-of)[e.g., collection start–end dates; dark-web footprint is time-bound and volatile]
Prepared By[ ]
Reviewed By[ ]
Approving Officer[ ]
Version[ ]
Distribution[ ]

State classification/TLP marking; confirm this is a consent-based self-exposure assessment of the named principal conducted on lawful, authorized-access information only - publicly accessible dark-web sources (clear-net gateways, public onion services, open/leak repositories), authorized-access checking of breach/credential corpora against the principal’s selectors (no acquisition, decryption, or use of breached secrets; no account access), and any directly authorized principal accounts on dark-web platforms. Explicitly state that no technical intrusion, no unauthorized access to any private/closed forum, no malware deployment, and no impersonation was used or directed. Note data-protection handling (GDPR/CCPA as applicable) for the principal and for any third-party personal data incidentally surfaced. State that this is not a consumer report and not to be used for FCRA-permissible-purpose decisions. Where suppression/legal-takedown action is contemplated, route to counsel.

Principal Dark-Web Exposure Snapshot

One-glance card: principal identifiers in scope, confirmed dark-web exposure items by severity band, headline exposure rating, the single most urgent remediation - all [ ] placeholders, no findings.

FieldEntry
Principal (role / profile)[e.g., role, public-profile level, threat context]
Selectors in Scope[e.g., count of names/handles/emails/phones/passwords/domains enumerated]
Confirmed Dark-Web Exposure Items[ ] (Critical [ ] / High [ ] / Elevated [ ] / Moderate [ ] / Low [ ])
Headline Exposure Rating[e.g., band per §14 register]
Most Urgent Remediation[ ]
Overall Analytic Confidence[e.g., HIGH / MODERATE / LOW]

Table of Contents

Numbered to the sections below; page numbers populate on export to Word/PDF.

  1. BLUF
  2. Executive Summary
  3. Key Judgments
  4. Priority Intelligence Requirements (PIRs)
  5. Assessment Scope, Profile & Collection Plan
  6. Identity & Selector Inventory
  7. Breach & Credential-Exposure Findings
  8. Dark-Web Marketplace & Venue Exposure
  9. Dark-Web Forum & Chatter Exposure
  10. Encrypted-Messaging & Closed-Platform Exposure
  11. Criminal-Data-Trade & Identity-Fraud Exposure
  12. Dark-Web Reputation & Threat-Actor Targeting
  13. Exposure-to-Harm Pathways
  14. Exposure Severity Register
  15. Verified Findings Summary
  16. Red Flag / Notable Indicators
  17. Analysis of Competing Hypotheses (ACH)
  18. Key Assumptions Check (KAC)
  19. Collection Gaps & RFIs
  20. Remediation Plan & Recommendations
  21. Annex A - Sources & Methodology
  22. Appendices

1. BLUF

2–3 sentences, most critical dark-web exposure first: the headline exposure rating, the single most consequential harm pathway it enables (credential compromise / account takeover / identity fraud / extortion / physical targeting), and the most urgent recommended remediation. No new analysis below it.

[ ]

2. Executive Summary

The triggering requirement (why this assessment, threat context, principal’s risk profile); scope in/out; a short narrative of the principal’s overall dark-web exposure posture and the dominant exposure categories - at altitude, deferring detail to the body sections.

[ ]

3. Key Judgments

The 3–6 load-bearing judgments about the principal’s dark-web exposure. Likelihood (that the exposure is exploitable / leads to harm) and Analytic Confidence (in the evidence base) are SEPARATE columns - never combined (ICD 203). Each judgment carries a change indicator.

#Key JudgmentLikelihood (exploitable → harm)Analytic ConfidenceChange Indicator (what would shift this)
KJ-1[ ][e.g., likely / probable (55–80%)][e.g., MODERATE][ ]
KJ-2[ ][ ][ ][ ]
KJ-3[ ][ ][ ][ ]
KJ-4[ ][ ][ ][ ]

4. Priority Intelligence Requirements (PIRs)

The questions this assessment must answer about the principal’s dark-web exposure, decomposed PIR → Indicator → SIR → source. Each PIR carries an answer/evidence/confidence row plus the summary matrix. Tie each PIR to a harm the client cares about - credential compromise, account takeover, identity fraud, physical targeting, extortion, reputational damage.

  • PIR-1: [e.g., What of the principal’s credentials / PII is present in known breach corpora, and is that data circulating on dark-web markets or forums?]
    • Indicators / SIRs: [ ]
    • Answer / Evidence: [ ]
    • Analytic Confidence: [ ]
  • PIR-2: [ ]
  • PIR-3: [ ]
PIRStatus (answered / partial / open)Key EvidenceConfidenceResidual Gap → RFI
PIR-1[ ][ ][ ][ ]
PIR-2[ ][ ][ ][ ]
PIR-3[ ][ ][ ][ ]

5. Assessment Scope, Profile & Collection Plan

Define the principal’s risk profile that drives dark-web exposure weighting (public visibility, role, prior breach history, credential reuse patterns, high-value digital assets); state what is in/out of scope; record the collection plan as a requirement → dark-web source class → lawful technique matrix with the standing authorized-access-only caveat. Distinguish breach-corpus checking (selector-based, no data download) from dark-web browsing (public onion services, clear-net gateways) from authorized account access (principal-owned accounts). No live tool/broker/marketplace brand names (those live in the dated reference dataset).

RequirementExposure LayerSource ClassLawful TechniqueCoverage / Limitation
[ ][e.g., breach credentialleaked/pwned corpus][e.g., consented selector checking][ ]
[ ][e.g., marketplace listing][e.g., public onion / clear-net gateway][e.g., passive browsing - no account creation][ ]
[ ][e.g., forum / chatter][ ][ ][ ]
[ ][e.g., encrypted-messaging surface][ ][e.g., public-channel / invite-only authorized access only][ ]

6. Identity & Selector Inventory

The pivot set: the principal’s enumerated selectors that are searched against dark-web surfaces - email addresses (primary and aliases), usernames/handles across platforms, phone numbers, physical addresses, legal names and variants, domain names, and any known previous or leaked credentials (hash or plaintext, handled lawfully). State identity-resolution confidence per selector and the namesake/misattribution caveat - every downstream dark-web finding is only as good as the selector→principal link.

SelectorTypeResolution Confidence (Confirmed / Probable / Possible / Unresolved)Notes / Disambiguation
[ ][e.g., email][ ][ ]
[ ][e.g., handle][ ][ ]
[ ][e.g., phone][ ][ ]
[ ][e.g., domain][ ][ ]

7. Breach & Credential-Exposure Findings

Exposure of the principal’s email/credential/identity data in known public breach corpora and dark-web credential dumps, assessed via lawful exposure-checking only (no acquisition, decryption, or use of breached secrets; no account access). Record per breach: selector exposed, data classes implicated, disclosure date/presumed recency, and reuse/account-takeover risk to the principal. Distinguish between credential-exposure (password-hash / plaintext) and PII-exposure (name/address/DOB/SSN/financial) breach items.

Exposed SelectorBreach / Exposure ClassData Classes ImplicatedDisclosure PeriodReuse / ATO RiskSource GradeConfidence
[ ][ ][e.g., email+password, name, DOB, address][ ][ ][ ][ ]

8. Dark-Web Marketplace & Venue Exposure

Presence of the principal’s identity data / credentials / PII being offered for sale, traded, or advertised on dark-web marketplaces, carding shops, identity-broker platforms, and credential-trading venues accessible through lawful public-source methods (clear-net gateways, public onion services). Record listing type, price/volume signals if observable, listing recency, and venue reputation/reliability. Distinguish between active listings and historical/archived references.

Venue / Marketplace ClassData OfferedPrincipal Selector LinkedPrice / Volume SignalListing RecencySource Grade
[ ][e.g., credential set, PII bundle, fullz][ ][ ][ ][ ]

9. Dark-Web Forum & Chatter Exposure

Mentions of the principal’s identity, organization, or selectors in dark-web forums, discussion boards, or chat logs accessible via lawful public-source methods. Assess threat-actor context - targeting intent (opportunistic vs. directed), operational planning signals (reconnaissance, doxxing coordination, attack planning), and the credibility / reliability of the source environment. Distinguish between raw chatter and substantiated claims.

Forum / EnvironmentType (general / targeted)Mention ContextThreat-Actor Attribution (if assessable)SubstantiationSource Grade
[ ][ ][ ][ ][e.g., raw claim / corroborated][ ]

10. Encrypted-Messaging & Closed-Platform Exposure

Exposure attributable to the principal on encrypted-messaging platforms (Telegram public channels/groups, Signal, WhatsApp, Discord, WhatsApp public groups, IRC, Matrix), and other closed-communication surfaces accessed via lawful, authorized, or publicly discoverable means only. Record account attribution confidence, platform posture, leaked/archived message content involving the principal, and platform-specific exploitation vectors (impersonation, social engineering). Deeper investigation of specifically targeted threat-actor communication is deferred to the Dark-Web Investigation & Attribution Report.

Platform / SurfaceAttribution ConfidenceExposed Content / ContextExploitability VectorAuthorized Access Basis
[ ][ ][ ][ ][e.g., public channel / principal-owned account consent]

11. Criminal-Data-Trade & Identity-Fraud Exposure

Evidence that the principal’s bundled identity data (full identity kits, “fullz,” financial profiles, tax/benefit documents, medical records, device fingerprints) is being traded, brokered, or used in identity-fraud operations on the dark web. This section bridges data exposure to active fraud risk. Record the data package contents, the broker/trader context, and any indicators of actual fraudulent use (e.g., synthetic-identity construction, account-opening attempts, loan-application signals).

Identity Package / Data SetData Elements IncludedBroker / Trader ContextFraud-Use IndicatorsSeveritySource Grade
[ ][ ][ ][ ][ ][ ]

12. Dark-Web Reputation & Threat-Actor Targeting

The principal’s / organization’s reputation as discussed among threat actors on dark-web surfaces - including any specific targeting campaigns, doxxing operations, harassment coordination, physical-threat signals, or reputation scoring. This section is the bridge between passive exposure and active threat, and feeds the Protective Intelligence / Subject Threat Assessment product line. Distinguish between general threat-actor chatter and credible, specific targeting.

Threat SignalSource EnvironmentSpecificity / CredibilityDirectness to PrincipalUrgencySource Grade
[ ][ ][ ][ ][ ][ ]

13. Exposure-to-Harm Pathways

Chain individual dark-web exposure items into realistic harm pathways - how an adversary composing breached credentials + marketplace data + forum chatter + encrypted-surface signals enables concrete harm (credential-stuffing/ATO, identity fraud/synthetic identity, social-engineering / pretext, extortion, physical targeting, reputational attack). State the enabling exposures and the disrupting remediation per pathway. Detailed doxxing-specific pathway modeling is deferred to the Doxxing Vulnerability & Attack-Surface Assessment; deep threat-actor attribution is deferred to the Dark-Web Investigation & Attribution Report.

Harm PathwayEnabling Dark-Web Exposures (cross-ref §)Adversary Capability AssumedDisrupting Remediation
[e.g., credential-stuffing / ATO][ ][ ][ ]
[e.g., synthetic identity fraud][ ][ ][ ]
[e.g., social-engineering / pretext][ ][ ][ ]
[e.g., extortion / reputation attack][ ][ ][ ]

14. Exposure Severity Register

Score each material dark-web exposure on Likelihood (exploitability - that an adversary can and would use it) × Impact (harm to the principal if used), inherent → after-remediation residual. Score cells are EMPTY placeholders - this is a blank form. Use the verbatim risk-scoring key in Annex A.

IDExposure Item (cross-ref §)Likelihood (1–5)Impact (1–5)Inherent Score (1–25)BandRemediationResidual Score (1–25)Residual Band
E-1[ ][ ][ ][ ][ ][ ][ ][ ]
E-2[ ][ ][ ][ ][ ][ ][ ][ ]
E-3[ ][ ][ ][ ][ ][ ][ ][ ]

Consolidated exposure heat map and the headline exposure rating derive from this register.

15. Verified Findings Summary

Roll up each material dark-web exposure with a verification status (verified by direct observation / unverified / contradicted), source grade, confidence, and materiality to the principal’s safety. Distinguish what was confirmed from what is inferred.

FindingStatus (verified / unverified / contradicted)Source GradeConfidenceMateriality
[ ][ ][ ][ ][ ]

16. Red Flag / Notable Indicators

Dark-web exposure indicators that warrant priority attention (e.g., actively traded credentials on current-market, specific threat-actor targeting language, verified breach data on critical financial accounts, real-time or near-real-time physical-threat signals). Provide the flag table, the indicator-type definitions, and a severity rollup.

FlagTypeBasis (cross-ref §)Severity
[ ][ ][ ][ ]

Indicator-type definitions: [e.g., define each flag type used above].

17. Analysis of Competing Hypotheses (ACH)

Apply ACH to the central dark-web exposure judgment (e.g., “the principal’s dark-web exposures, individually and in combination, create a realistic path to [named harm pathway] by [assumed adversary capability]”). List competing hypotheses and weigh the evidence for/against each; identify the most diagnostic evidence and what is consistent with multiple hypotheses.

Evidence / IndicatorH1: [ ]H2: [ ]H3: [ ]
[ ][e.g., consistent / inconsistent / N/A][ ][ ]
[ ][ ][ ][ ]

Most diagnostic evidence: [ ]. Hypothesis assessment: [ ].

18. Key Assumptions Check (KAC)

Surface the assumptions underpinning the dark-web exposure assessment (completeness of dark-web surface coverage, accuracy of attribution of found data to the principal, persistence/deletion of exposure items, adversary capability and intent to use the data, lawfulness and non-attribution of the collection methods). For each: basis, confidence, and impact if wrong.

AssumptionBasisConfidenceImpact if Wrong
[ ][ ][ ][ ]

19. Collection Gaps & RFIs

Where the dark-web exposure picture is incomplete (dark-web venues not lawfully accessible, suspected-but-unconfirmed breach data, unconfirmed marketplace or forum postings, unresolved threat-actor targeting signals, data-persistence uncertainty). State the gap, its impact on the assessment, the recommended (lawful, authorized) collection, and priority.

GapImpact on AssessmentRecommended CollectionPriority
[ ][ ][ ][ ]

20. Remediation Plan & Recommendations

Prioritized remediation across the standard lanes - credential/account hygiene (password rotation, MFA enablement, credential monitoring), suppression / removal (breach-data suppression where possible, marketplace-listing takedown via platform reporting, de-indexing), behavioral (credential compartmentation, dark-web account posture), and escalation (law enforcement referral, legal-takedown request, protective-security measures where physical threat is indicated). Each item: action, owner, lawful basis where a legal lever is used, priority, and sequencing. Execution at scale and ongoing dark-web monitoring are deferred to a retained/privacy-protection program; this report scopes and prioritizes.

PriorityRecommendationLane (credential/suppression/behavioral/escalation)OwnerDependency / Sequencing
[ ][ ][ ][ ][ ]

Recommendations are advisory and must respect platform terms and applicable law; legal-takedown, law-enforcement referral, and escalation levers route through counsel. No active technical intrusion, no unauthorized access, and no engagement with or payment to threat actors is authorized or directed.


Annex A - Sources & Methodology

State the collection methods used (all lawful, authorized-access-only, least-intrusive); the source register graded with the Admiralty two-axis code; and the explicit likelihood-vs-confidence separation statement. Reproduce the reference scales below verbatim.

Collection methodology: [Describe the lawful collection approach - breach-corpus selector-checking methodology (no acquisition/decryption/use of breached secrets; no account access), dark-web browsing approach (clear-net gateways, public onion services, no unauthorized account creation or forum access), encrypted-platform public-channel enumeration, authorized principal-account inspection, footprint-minimization measures, and the publicly-available / authorized-access-only boundary. State that no technical intrusion, no malware deployment, no impersonation, and no unauthorized access was used or directed.]

Source register (graded):

#Source / ItemTypeAccessed (date)Reliability (A–F)Credibility (1–6)Notes
[ ][ ][ ][ ][ ][ ][ ]

Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.

Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)

Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely / highly improbable (05–20%) · unlikely / improbable (20–45%) · roughly even chance (45–55%) · likely / probable (55–80%) · very likely / highly probable (80–95%) · almost certain / nearly certain (95–99%).

Analytic confidence (evidence base, separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single / uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.

Risk scoring: Likelihood (1–5) × Impact (1–5) = 1–25; key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.

Identity-resolution confidence: Confirmed / Probable / Possible / Unresolved, with the matched identifiers stated - disambiguation is explicit, never assumed.

Appendices

Attach: B - Selector & Identifier Index; C - Full Source Register; D - Dark-Web Exposure Evidence Archive & capture/chain-of-custody pointer (screenshots / archives captured lawfully); E - Breach-Exposure Register; F - Marketplace & Forum Reference Register; G - Glossary; H - Revision History.

  • Appendix B - Selector & Identifier Index: [ ]
  • Appendix C - Full Source Register: [ ]
  • Appendix D - Evidence Archive & Chain-of-Custody Pointer: [ ]
  • Appendix E - Breach-Exposure Register: [ ]
  • Appendix F - Marketplace & Forum Reference Register: [ ]
  • Appendix G - Glossary: [ ]
  • Appendix H - Revision History: [ ]

Verification disclaimer: this assessment reflects the principal’s dark-web and deep-web exposure as observable within the stated assessment window using lawful, authorized-access information only - breach-corpuses were checked via consented selector-based query (no data acquisition or decryption); dark-web browsing was limited to publicly accessible onion services, clear-net gateways, and authorized principal accounts. No technical intrusion, no unauthorized platform access, and no engagement with or payment to threat actors was conducted. Dark-web exposure is dynamic, ephemeral, and may change after the as-of date. Findings are advisory and are not a consumer report under the FCRA.

Document Control (footer): [REF-YYYY-###] · Version [ ] · Classification [ ] · Prepared [ ] · Reviewed [ ] · Approved [ ]

END OF REPORT

Model wiring

Generated from cell frontmatter at publish time.