DARK WEB EXPOSURE ASSESSMENT
[PRINCIPAL / PROTECTEE NAME - ASSESSMENT TITLE]
Defensive, consent-based assessment of a named principal’s exposure across dark-web, deep-web, and encrypted-platform environments - breach corpora, criminal marketplaces, closed forums, encrypted messaging surfaces, and threat-actor chatter. Center of gravity: enumerate what dark-web data exists about the principal through lawful open-source and authorized-access techniques, assess how that data enables harm (credential compromise, account takeover, identity fraud, physical targeting, extortion, reputational attack), and prioritize suppression/remediation. This is the dark-web exposure complementary product to the baseline Digital Footprint & Exposure Assessment. It does NOT: repeat or supplant the clearnet/surface-web exposure picture (see Digital Footprint & Exposure Assessment); attribute, profile, or track specific threat actors or criminal groups operating on the dark web (see Dark-Web Investigation & Attribution Report); model targeted doxxing/harassment attack pathways in depth (see Doxxing Vulnerability & Attack-Surface Assessment); or execute active technical intrusion, account compromise, or real-time forum monitoring (governed under separate operational retainer). It assesses the principal’s OWN dark-web exposure - it is not an investigation of a third party or threat actor.
Document Control
| Field | Entry |
|---|---|
| Report Reference | [REF-YYYY-###] |
| Date of Report | [ ] |
| Classification / Handling | [e.g., CONFIDENTIAL // CLIENT EYES ONLY] |
| Client / Sponsor | [ ] |
| Requesting Party | [ ] |
| Principal(s) Assessed | [ ] |
| Consent / Authority Basis | [e.g., signed assessment authorization on file - ref] |
| Assessment Window (as-of) | [e.g., collection start–end dates; dark-web footprint is time-bound and volatile] |
| Prepared By | [ ] |
| Reviewed By | [ ] |
| Approving Officer | [ ] |
| Version | [ ] |
| Distribution | [ ] |
Handling, Legal & Ethical Caveat
State classification/TLP marking; confirm this is a consent-based self-exposure assessment of the named principal conducted on lawful, authorized-access information only - publicly accessible dark-web sources (clear-net gateways, public onion services, open/leak repositories), authorized-access checking of breach/credential corpora against the principal’s selectors (no acquisition, decryption, or use of breached secrets; no account access), and any directly authorized principal accounts on dark-web platforms. Explicitly state that no technical intrusion, no unauthorized access to any private/closed forum, no malware deployment, and no impersonation was used or directed. Note data-protection handling (GDPR/CCPA as applicable) for the principal and for any third-party personal data incidentally surfaced. State that this is not a consumer report and not to be used for FCRA-permissible-purpose decisions. Where suppression/legal-takedown action is contemplated, route to counsel.
Principal Dark-Web Exposure Snapshot
One-glance card: principal identifiers in scope, confirmed dark-web exposure items by severity band, headline exposure rating, the single most urgent remediation - all [ ] placeholders, no findings.
| Field | Entry |
|---|---|
| Principal (role / profile) | [e.g., role, public-profile level, threat context] |
| Selectors in Scope | [e.g., count of names/handles/emails/phones/passwords/domains enumerated] |
| Confirmed Dark-Web Exposure Items | [ ] (Critical [ ] / High [ ] / Elevated [ ] / Moderate [ ] / Low [ ]) |
| Headline Exposure Rating | [e.g., band per §14 register] |
| Most Urgent Remediation | [ ] |
| Overall Analytic Confidence | [e.g., HIGH / MODERATE / LOW] |
Table of Contents
Numbered to the sections below; page numbers populate on export to Word/PDF.
- BLUF
- Executive Summary
- Key Judgments
- Priority Intelligence Requirements (PIRs)
- Assessment Scope, Profile & Collection Plan
- Identity & Selector Inventory
- Breach & Credential-Exposure Findings
- Dark-Web Marketplace & Venue Exposure
- Dark-Web Forum & Chatter Exposure
- Encrypted-Messaging & Closed-Platform Exposure
- Criminal-Data-Trade & Identity-Fraud Exposure
- Dark-Web Reputation & Threat-Actor Targeting
- Exposure-to-Harm Pathways
- Exposure Severity Register
- Verified Findings Summary
- Red Flag / Notable Indicators
- Analysis of Competing Hypotheses (ACH)
- Key Assumptions Check (KAC)
- Collection Gaps & RFIs
- Remediation Plan & Recommendations
- Annex A - Sources & Methodology
- Appendices
1. BLUF
2–3 sentences, most critical dark-web exposure first: the headline exposure rating, the single most consequential harm pathway it enables (credential compromise / account takeover / identity fraud / extortion / physical targeting), and the most urgent recommended remediation. No new analysis below it.
[ ]
2. Executive Summary
The triggering requirement (why this assessment, threat context, principal’s risk profile); scope in/out; a short narrative of the principal’s overall dark-web exposure posture and the dominant exposure categories - at altitude, deferring detail to the body sections.
[ ]
3. Key Judgments
The 3–6 load-bearing judgments about the principal’s dark-web exposure. Likelihood (that the exposure is exploitable / leads to harm) and Analytic Confidence (in the evidence base) are SEPARATE columns - never combined (ICD 203). Each judgment carries a change indicator.
| # | Key Judgment | Likelihood (exploitable → harm) | Analytic Confidence | Change Indicator (what would shift this) |
|---|---|---|---|---|
| KJ-1 | [ ] | [e.g., likely / probable (55–80%)] | [e.g., MODERATE] | [ ] |
| KJ-2 | [ ] | [ ] | [ ] | [ ] |
| KJ-3 | [ ] | [ ] | [ ] | [ ] |
| KJ-4 | [ ] | [ ] | [ ] | [ ] |
4. Priority Intelligence Requirements (PIRs)
The questions this assessment must answer about the principal’s dark-web exposure, decomposed PIR → Indicator → SIR → source. Each PIR carries an answer/evidence/confidence row plus the summary matrix. Tie each PIR to a harm the client cares about - credential compromise, account takeover, identity fraud, physical targeting, extortion, reputational damage.
- PIR-1: [e.g., What of the principal’s credentials / PII is present in known breach corpora, and is that data circulating on dark-web markets or forums?]
- Indicators / SIRs: [ ]
- Answer / Evidence: [ ]
- Analytic Confidence: [ ]
- PIR-2: [ ]
- PIR-3: [ ]
| PIR | Status (answered / partial / open) | Key Evidence | Confidence | Residual Gap → RFI |
|---|---|---|---|---|
| PIR-1 | [ ] | [ ] | [ ] | [ ] |
| PIR-2 | [ ] | [ ] | [ ] | [ ] |
| PIR-3 | [ ] | [ ] | [ ] | [ ] |
5. Assessment Scope, Profile & Collection Plan
Define the principal’s risk profile that drives dark-web exposure weighting (public visibility, role, prior breach history, credential reuse patterns, high-value digital assets); state what is in/out of scope; record the collection plan as a requirement → dark-web source class → lawful technique matrix with the standing authorized-access-only caveat. Distinguish breach-corpus checking (selector-based, no data download) from dark-web browsing (public onion services, clear-net gateways) from authorized account access (principal-owned accounts). No live tool/broker/marketplace brand names (those live in the dated reference dataset).
| Requirement | Exposure Layer | Source Class | Lawful Technique | Coverage / Limitation |
|---|---|---|---|---|
| [ ] | [e.g., breach credential | leaked/pwned corpus] | [e.g., consented selector checking] | [ ] |
| [ ] | [e.g., marketplace listing] | [e.g., public onion / clear-net gateway] | [e.g., passive browsing - no account creation] | [ ] |
| [ ] | [e.g., forum / chatter] | [ ] | [ ] | [ ] |
| [ ] | [e.g., encrypted-messaging surface] | [ ] | [e.g., public-channel / invite-only authorized access only] | [ ] |
6. Identity & Selector Inventory
The pivot set: the principal’s enumerated selectors that are searched against dark-web surfaces - email addresses (primary and aliases), usernames/handles across platforms, phone numbers, physical addresses, legal names and variants, domain names, and any known previous or leaked credentials (hash or plaintext, handled lawfully). State identity-resolution confidence per selector and the namesake/misattribution caveat - every downstream dark-web finding is only as good as the selector→principal link.
| Selector | Type | Resolution Confidence (Confirmed / Probable / Possible / Unresolved) | Notes / Disambiguation |
|---|---|---|---|
| [ ] | [e.g., email] | [ ] | [ ] |
| [ ] | [e.g., handle] | [ ] | [ ] |
| [ ] | [e.g., phone] | [ ] | [ ] |
| [ ] | [e.g., domain] | [ ] | [ ] |
7. Breach & Credential-Exposure Findings
Exposure of the principal’s email/credential/identity data in known public breach corpora and dark-web credential dumps, assessed via lawful exposure-checking only (no acquisition, decryption, or use of breached secrets; no account access). Record per breach: selector exposed, data classes implicated, disclosure date/presumed recency, and reuse/account-takeover risk to the principal. Distinguish between credential-exposure (password-hash / plaintext) and PII-exposure (name/address/DOB/SSN/financial) breach items.
| Exposed Selector | Breach / Exposure Class | Data Classes Implicated | Disclosure Period | Reuse / ATO Risk | Source Grade | Confidence |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [e.g., email+password, name, DOB, address] | [ ] | [ ] | [ ] | [ ] |
8. Dark-Web Marketplace & Venue Exposure
Presence of the principal’s identity data / credentials / PII being offered for sale, traded, or advertised on dark-web marketplaces, carding shops, identity-broker platforms, and credential-trading venues accessible through lawful public-source methods (clear-net gateways, public onion services). Record listing type, price/volume signals if observable, listing recency, and venue reputation/reliability. Distinguish between active listings and historical/archived references.
| Venue / Marketplace Class | Data Offered | Principal Selector Linked | Price / Volume Signal | Listing Recency | Source Grade |
|---|---|---|---|---|---|
| [ ] | [e.g., credential set, PII bundle, fullz] | [ ] | [ ] | [ ] | [ ] |
9. Dark-Web Forum & Chatter Exposure
Mentions of the principal’s identity, organization, or selectors in dark-web forums, discussion boards, or chat logs accessible via lawful public-source methods. Assess threat-actor context - targeting intent (opportunistic vs. directed), operational planning signals (reconnaissance, doxxing coordination, attack planning), and the credibility / reliability of the source environment. Distinguish between raw chatter and substantiated claims.
| Forum / Environment | Type (general / targeted) | Mention Context | Threat-Actor Attribution (if assessable) | Substantiation | Source Grade |
|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [e.g., raw claim / corroborated] | [ ] |
10. Encrypted-Messaging & Closed-Platform Exposure
Exposure attributable to the principal on encrypted-messaging platforms (Telegram public channels/groups, Signal, WhatsApp, Discord, WhatsApp public groups, IRC, Matrix), and other closed-communication surfaces accessed via lawful, authorized, or publicly discoverable means only. Record account attribution confidence, platform posture, leaked/archived message content involving the principal, and platform-specific exploitation vectors (impersonation, social engineering). Deeper investigation of specifically targeted threat-actor communication is deferred to the Dark-Web Investigation & Attribution Report.
| Platform / Surface | Attribution Confidence | Exposed Content / Context | Exploitability Vector | Authorized Access Basis |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [e.g., public channel / principal-owned account consent] |
11. Criminal-Data-Trade & Identity-Fraud Exposure
Evidence that the principal’s bundled identity data (full identity kits, “fullz,” financial profiles, tax/benefit documents, medical records, device fingerprints) is being traded, brokered, or used in identity-fraud operations on the dark web. This section bridges data exposure to active fraud risk. Record the data package contents, the broker/trader context, and any indicators of actual fraudulent use (e.g., synthetic-identity construction, account-opening attempts, loan-application signals).
| Identity Package / Data Set | Data Elements Included | Broker / Trader Context | Fraud-Use Indicators | Severity | Source Grade |
|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
12. Dark-Web Reputation & Threat-Actor Targeting
The principal’s / organization’s reputation as discussed among threat actors on dark-web surfaces - including any specific targeting campaigns, doxxing operations, harassment coordination, physical-threat signals, or reputation scoring. This section is the bridge between passive exposure and active threat, and feeds the Protective Intelligence / Subject Threat Assessment product line. Distinguish between general threat-actor chatter and credible, specific targeting.
| Threat Signal | Source Environment | Specificity / Credibility | Directness to Principal | Urgency | Source Grade |
|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
13. Exposure-to-Harm Pathways
Chain individual dark-web exposure items into realistic harm pathways - how an adversary composing breached credentials + marketplace data + forum chatter + encrypted-surface signals enables concrete harm (credential-stuffing/ATO, identity fraud/synthetic identity, social-engineering / pretext, extortion, physical targeting, reputational attack). State the enabling exposures and the disrupting remediation per pathway. Detailed doxxing-specific pathway modeling is deferred to the Doxxing Vulnerability & Attack-Surface Assessment; deep threat-actor attribution is deferred to the Dark-Web Investigation & Attribution Report.
| Harm Pathway | Enabling Dark-Web Exposures (cross-ref §) | Adversary Capability Assumed | Disrupting Remediation |
|---|---|---|---|
| [e.g., credential-stuffing / ATO] | [ ] | [ ] | [ ] |
| [e.g., synthetic identity fraud] | [ ] | [ ] | [ ] |
| [e.g., social-engineering / pretext] | [ ] | [ ] | [ ] |
| [e.g., extortion / reputation attack] | [ ] | [ ] | [ ] |
14. Exposure Severity Register
Score each material dark-web exposure on Likelihood (exploitability - that an adversary can and would use it) × Impact (harm to the principal if used), inherent → after-remediation residual. Score cells are EMPTY placeholders - this is a blank form. Use the verbatim risk-scoring key in Annex A.
| ID | Exposure Item (cross-ref §) | Likelihood (1–5) | Impact (1–5) | Inherent Score (1–25) | Band | Remediation | Residual Score (1–25) | Residual Band |
|---|---|---|---|---|---|---|---|---|
| E-1 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| E-2 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| E-3 | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Consolidated exposure heat map and the headline exposure rating derive from this register.
15. Verified Findings Summary
Roll up each material dark-web exposure with a verification status (verified by direct observation / unverified / contradicted), source grade, confidence, and materiality to the principal’s safety. Distinguish what was confirmed from what is inferred.
| Finding | Status (verified / unverified / contradicted) | Source Grade | Confidence | Materiality |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] |
16. Red Flag / Notable Indicators
Dark-web exposure indicators that warrant priority attention (e.g., actively traded credentials on current-market, specific threat-actor targeting language, verified breach data on critical financial accounts, real-time or near-real-time physical-threat signals). Provide the flag table, the indicator-type definitions, and a severity rollup.
| Flag | Type | Basis (cross-ref §) | Severity |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
Indicator-type definitions: [e.g., define each flag type used above].
17. Analysis of Competing Hypotheses (ACH)
Apply ACH to the central dark-web exposure judgment (e.g., “the principal’s dark-web exposures, individually and in combination, create a realistic path to [named harm pathway] by [assumed adversary capability]”). List competing hypotheses and weigh the evidence for/against each; identify the most diagnostic evidence and what is consistent with multiple hypotheses.
| Evidence / Indicator | H1: [ ] | H2: [ ] | H3: [ ] |
|---|---|---|---|
| [ ] | [e.g., consistent / inconsistent / N/A] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] |
Most diagnostic evidence: [ ]. Hypothesis assessment: [ ].
18. Key Assumptions Check (KAC)
Surface the assumptions underpinning the dark-web exposure assessment (completeness of dark-web surface coverage, accuracy of attribution of found data to the principal, persistence/deletion of exposure items, adversary capability and intent to use the data, lawfulness and non-attribution of the collection methods). For each: basis, confidence, and impact if wrong.
| Assumption | Basis | Confidence | Impact if Wrong |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
19. Collection Gaps & RFIs
Where the dark-web exposure picture is incomplete (dark-web venues not lawfully accessible, suspected-but-unconfirmed breach data, unconfirmed marketplace or forum postings, unresolved threat-actor targeting signals, data-persistence uncertainty). State the gap, its impact on the assessment, the recommended (lawful, authorized) collection, and priority.
| Gap | Impact on Assessment | Recommended Collection | Priority |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
20. Remediation Plan & Recommendations
Prioritized remediation across the standard lanes - credential/account hygiene (password rotation, MFA enablement, credential monitoring), suppression / removal (breach-data suppression where possible, marketplace-listing takedown via platform reporting, de-indexing), behavioral (credential compartmentation, dark-web account posture), and escalation (law enforcement referral, legal-takedown request, protective-security measures where physical threat is indicated). Each item: action, owner, lawful basis where a legal lever is used, priority, and sequencing. Execution at scale and ongoing dark-web monitoring are deferred to a retained/privacy-protection program; this report scopes and prioritizes.
| Priority | Recommendation | Lane (credential/suppression/behavioral/escalation) | Owner | Dependency / Sequencing |
|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] |
Recommendations are advisory and must respect platform terms and applicable law; legal-takedown, law-enforcement referral, and escalation levers route through counsel. No active technical intrusion, no unauthorized access, and no engagement with or payment to threat actors is authorized or directed.
Annex A - Sources & Methodology
State the collection methods used (all lawful, authorized-access-only, least-intrusive); the source register graded with the Admiralty two-axis code; and the explicit likelihood-vs-confidence separation statement. Reproduce the reference scales below verbatim.
Collection methodology: [Describe the lawful collection approach - breach-corpus selector-checking methodology (no acquisition/decryption/use of breached secrets; no account access), dark-web browsing approach (clear-net gateways, public onion services, no unauthorized account creation or forum access), encrypted-platform public-channel enumeration, authorized principal-account inspection, footprint-minimization measures, and the publicly-available / authorized-access-only boundary. State that no technical intrusion, no malware deployment, no impersonation, and no unauthorized access was used or directed.]
Source register (graded):
| # | Source / Item | Type | Accessed (date) | Reliability (A–F) | Credibility (1–6) | Notes |
|---|---|---|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.
Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)
Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely / highly improbable (05–20%) · unlikely / improbable (20–45%) · roughly even chance (45–55%) · likely / probable (55–80%) · very likely / highly probable (80–95%) · almost certain / nearly certain (95–99%).
Analytic confidence (evidence base, separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single / uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.
Risk scoring: Likelihood (1–5) × Impact (1–5) = 1–25; key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical.
Identity-resolution confidence: Confirmed / Probable / Possible / Unresolved, with the matched identifiers stated - disambiguation is explicit, never assumed.
Appendices
Attach: B - Selector & Identifier Index; C - Full Source Register; D - Dark-Web Exposure Evidence Archive & capture/chain-of-custody pointer (screenshots / archives captured lawfully); E - Breach-Exposure Register; F - Marketplace & Forum Reference Register; G - Glossary; H - Revision History.
- Appendix B - Selector & Identifier Index: [ ]
- Appendix C - Full Source Register: [ ]
- Appendix D - Evidence Archive & Chain-of-Custody Pointer: [ ]
- Appendix E - Breach-Exposure Register: [ ]
- Appendix F - Marketplace & Forum Reference Register: [ ]
- Appendix G - Glossary: [ ]
- Appendix H - Revision History: [ ]
Verification disclaimer: this assessment reflects the principal’s dark-web and deep-web exposure as observable within the stated assessment window using lawful, authorized-access information only - breach-corpuses were checked via consented selector-based query (no data acquisition or decryption); dark-web browsing was limited to publicly accessible onion services, clear-net gateways, and authorized principal accounts. No technical intrusion, no unauthorized platform access, and no engagement with or payment to threat actors was conducted. Dark-web exposure is dynamic, ephemeral, and may change after the as-of date. Findings are advisory and are not a consumer report under the FCRA.
Document Control (footer): [REF-YYYY-###] · Version [ ] · Classification [ ] · Prepared [ ] · Reviewed [ ] · Approved [ ]
END OF REPORT
Model wiring
Generated from cell frontmatter at publish time.