First cohort · 3 of 5 slots open · Q3 2026
Exposure, market, and competitive intelligence —
delivered as one recurring report.
Three layers in one report — your dark-web exposure, your market metrics, and how you stack against competitors — delivered weekly or monthly (PDF + executive email), built to land in a board deck, an underwriting model, or a strategy review. CISM-led methodology. Licensed data partners and public sources only.
The intelligence layers
Exposure, market, and competitive — quantified, not forty thousand alerts.
Exposure — How exposed you are. Rolls up to CXI.
Market — How you're doing. Rolls up to MPI.
Competitive — How you stack up. Rolls up to MPI.
Two headline scores — CXI (exposure) and MPI (market position) — each with a published formula, source weighting, confidence intervals, and a versioned change log.
Read the full methodology →
Who reads the Bureau's report
RPS, CES, and IMI translate posture into quantifiable exposure for renewal pricing, sub-limits, and binder decisions — comparable across insureds.
Quarterly delta on the exposure layer — credential, IAB, ransomware, leak, impersonation — plus market and competitive context, with peer-cohort benchmarks for the board deck and the audit committee.
One-shot exposure report on a target's externally observable risk surface — evidence-grade attribution, methodology-versioned outputs, defensible in diligence.
A white-label exposure report under your brand, priced per monitored domain — a quantified upsell for QBRs and renewals without building an intel capability.
Weekly or monthly PDF — 8–16 pages. Three layers — exposure, market, competitive — with the CXI and MPI headline scores, trend, top findings, peer-anonymous benchmark, and recommendations. Signed evidence bundle attached.
Same cadence as the report. Two-paragraph summary, the three movements that matter, links to the underlying evidence. Built to forward to a CFO or board chair as-is.
Webhook + email. P0: confirmed IAB listing or ransomware-crew naming. P1: 3σ spikes on any index — exposure or market. P2: new typosquats, competitor launches — daily digest.
Red lines
What the Bureau will not do. Print this. Show it to your legal team.
- No authentication bypass. No invite-only forums. No vouched-access communities.
- No buying stolen accounts or leaked data 'to validate.' We observe listings; we do not interact with sellers.
- No plaintext PII to clients. Hashes + metadata only. Dereferencing requires verified domain ownership and lawful basis.
- No cross-client data leakage. Peer benchmarks are aggregated and anonymized (N ≥ 5).
- No doxxing. No offensive OSINT. No HUMINT. No undercover personas.
- Zero tolerance for CSAM. Automated detection → immediate NCMEC report → zero retention.
The market has had bad experiences with vendors who promise "monitoring" and end up leaking or reselling the data they collect. The Bureau's red lines are contractual, not aspirational.
Frequently asked
The questions we hear in every first call.
01. How are you different from Recorded Future, Flashpoint, or DarkOwl?
Those vendors ship SOC-grade threat intel — priced $120k–$300k+/yr and shaped for SIEM-style consumption. We're a Bureau: one recurring report that combines your dark-web exposure, your market metrics, and competitive benchmarks into two quantified scores — CXI (exposure) and MPI (market position). CISM-led methodology, published formulas, peer-cohort benchmarks. Different shape, different buyer — built for the decision-maker, not the SOC.
02. Why a recurring report instead of a live dashboard, or building this in-house?
Because the buyer is a decision-maker, not a SOC analyst. A board, an underwriter, or a diligence lead needs a quantified, trended, defensible answer — not another console to staff and triage. A live dashboard optimizes for analysts who live in the tool; our report optimizes for the person who has to make a pricing, renewal, or go/no-go call and defend it. Building it in-house means standing up licensing, collection, methodology, and peer-benchmarking for a number you compute a handful of times a quarter. We amortize that across clients and publish the methodology, so you can trust the output without owning the pipeline.
03. Is what you do actually legal? What about CFAA?
Yes — by construction, not by promise. We collect only from licensed data partners and public, indexed sources. We never authenticate to a system we don't own, never bypass an access control, never join invite-only or vouched communities, and never buy or 'validate' stolen data by interacting with sellers. That keeps us clear of CFAA-style unauthorized-access exposure and the legal-grey collection that gets monitoring vendors in trouble. The source whitelist is contractual, and the red lines above are written into every engagement — show them to your legal team.
04. What sources do you collect from? Can we audit the list?
Source families are explicitly enumerated and contractual: licensed dark-web data partners (DarkOwl, SpyCloud, Constella, Flare), public stealer-log markets via archive mirrors, public ransomware leak sites, public paste sites and forum mirrors, certstream/WHOIS for domain monitoring, and public Telegram channels. The whitelist is contractual — additions or removals require a methodology version bump and 14-day client notice. Full list and per-source weights are on the methodology page.
05. How do you handle our customer or subscriber identifiers?
Identifiers are SHA-256 hashed with a 90-day rotating salt at the collector boundary, before they reach our storage. Only the hash plus breach metadata (source, observation time, severity flags) is persisted. Plaintext dereferencing requires verified domain ownership and a documented lawful basis (GDPR Art. 6(1)(f) + 34). Tenant data never crosses a tenant boundary.
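One way to implement the collector-boundary minimization described above, as an added example (not the Bureau's code): the identifier is normalized, hashed with the salt of the 90-day window its observation falls in, and only the hash plus metadata survives as a record. Deriving each window's salt from a single collector-held secret, the epoch anchor, the record shape and the sample listings are all assumptions constructed for this illustration. The matching function shows the consequence of a rotating salt that a practitioner would want to know about: the same identifier produces different hashes in different windows, so a client's verified identifier list has to be hashed once per window present in the store.

```python
"""Collector-boundary identifier minimization with a 90-day rotating salt.
Added example, not the Bureau's code. Salt derivation, anchor date, record
shape and sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, fields
from datetime import datetime, timezone

WINDOW_DAYS = 90
EPOCH = datetime(2026, 1, 1, tzinfo=timezone.utc)  # assumed rotation anchor

# Assumption: one collector-held secret, never stored next to the hashes.
# Per-window salts are derived from it, so the salt is effectively a key:
# salted SHA-256 over low-entropy identifiers such as e-mail addresses is
# brute-forceable by anyone who learns the salt, so the salt must stay secret.
COLLECTOR_KEY = b"constructed-demo-key-do-not-use"


def salt_window(observed_at: datetime) -> int:
    """Index of the 90-day window an observation falls in."""
    return (observed_at - EPOCH).days // WINDOW_DAYS


def window_salt(window: int) -> bytes:
    """Derived salt for a window: HMAC(collector key, window index)."""
    return hmac.new(COLLECTOR_KEY, f"salt-v1:{window}".encode(), hashlib.sha256).digest()


def normalize(identifier: str) -> str:
    """Case-fold and trim so 'Alice@Example.com ' and 'alice@example.com' collide."""
    return identifier.strip().lower()


def hash_identifier(identifier: str, observed_at: datetime) -> tuple[int, str]:
    """Return (window, hex digest) for an identifier observed at a given time."""
    w = salt_window(observed_at)
    digest = hashlib.sha256(window_salt(w) + normalize(identifier).encode()).hexdigest()
    return w, digest


@dataclass(frozen=True)
class ExposureRecord:
    """What is persisted: hash plus metadata, no plaintext field at all."""
    window: int
    id_hash: str
    source: str
    observed_at: str
    severity: str


def ingest(raw_listing: dict) -> ExposureRecord:
    """Collector boundary: the plaintext identifier never leaves this function."""
    observed = datetime.fromisoformat(raw_listing["observed_at"])
    w, h = hash_identifier(raw_listing["identifier"], observed)
    return ExposureRecord(w, h, raw_listing["source"], observed.isoformat(), raw_listing["severity"])


def persisted_fields() -> list[str]:
    return [f.name for f in fields(ExposureRecord)]


def match_client_assets(records: list[ExposureRecord], client_identifiers: list[str]):
    """Match stored hashes against identifiers the client has verified it owns.

    The client already holds these identifiers in plaintext; nothing new is
    dereferenced. Because the salt rotates, each identifier is hashed once
    per window present in the store and looked up per (window, hash)."""
    lookup = {}
    for w in {r.window for r in records}:
        for ident in client_identifiers:
            h = hashlib.sha256(window_salt(w) + normalize(ident).encode()).hexdigest()
            lookup[(w, h)] = ident
    return [(r, lookup[(r.window, r.id_hash)]) for r in records if (r.window, r.id_hash) in lookup]


# Constructed sample listings (not real data). The first two are the same
# identifier observed in different 90-day windows.
CONSTRUCTED_LISTINGS = [
    {"identifier": "Alice@Example.com ", "observed_at": "2026-02-10T08:00:00+00:00",
     "source": "stealer-log-mirror", "severity": "P1"},
    {"identifier": "alice@example.com", "observed_at": "2026-05-20T08:00:00+00:00",
     "source": "paste-mirror", "severity": "P2"},
    {"identifier": "bob@other.org", "observed_at": "2026-02-11T08:00:00+00:00",
     "source": "paste-mirror", "severity": "P2"},
]


def demo() -> list[tuple[ExposureRecord, str]]:
    records = [ingest(x) for x in CONSTRUCTED_LISTINGS]
    return match_client_assets(records, ["alice@example.com"])


if __name__ == "__main__":
    for rec, ident in demo():
        print(ident, "->", rec)
```

The design point is that the "salt" does the work of a key here: if per-window salts were random values stored alongside the hashes, a storage leak would hand an attacker everything needed to brute-force ordinary e-mail addresses. Deriving them from a secret the storage never sees keeps the persisted table useless on its own while still letting a replay re-derive any historical window.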
06. How accurate are the scores? What about false positives?
Three controls, all visible to you. (1) Multi-source corroboration: a signal confirmed in two or more independent sources scores higher than a single-source claim, and single-source signals are flagged as such. (2) Every index ships with an 80% confidence interval — we never publish a false-precision point estimate, and a thin or stale evidence base widens the band rather than hiding the uncertainty. (3) Time decay: stale signals lose weight on a category-specific half-life (stealer logs decay in ~30 days, old breach data over ~13 months). You see the confidence band, the top drivers, and the source count behind every number, so any score is auditable rather than a black box.
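The corroboration and time-decay controls above are simple enough to show end to end. This is an added example, not the Bureau's scoring code: the two half-lives are the page's approximate figures, while the other category half-lives, the corroboration factor (single source counts at half weight, each independent additional source adds a quarter, capped at one), the per-finding aggregation and the sample signals are assumptions. The confidence interval is not modelled here; the output does carry the source count and the single-source flag for each finding, which is what lets a reader see what sits behind a number.

```python
"""Half-life decay and multi-source corroboration for exposure signals.
Added example, not the Bureau's code. Half-lives other than the two the
page gives, the corroboration factor and the sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Page: stealer logs decay in ~30 days, old breach data over ~13 months.
# The remaining categories are illustrative assumptions.
HALF_LIFE_DAYS = {
    "stealer_log": 30.0,
    "breach": 395.0,          # roughly 13 months
    "ransomware_naming": 180.0,
    "typosquat": 90.0,
}


@dataclass(frozen=True)
class Signal:
    finding: str        # what is claimed, e.g. one credential batch for one domain
    category: str
    source: str         # which collector/partner reported it
    observed_at: datetime
    base_weight: float  # severity weight assigned at ingest (assumption)


def decay_weight(sig: Signal, as_of: datetime) -> float:
    """Exponential decay: weight halves every half-life for the category."""
    age_days = max((as_of - sig.observed_at).total_seconds() / 86400.0, 0.0)
    return sig.base_weight * 2.0 ** (-age_days / HALF_LIFE_DAYS[sig.category])


def corroboration_factor(n_sources: int) -> float:
    """Assumed rule: 1 source -> 0.5, 2 -> 0.75, 3 or more -> 1.0."""
    return min(0.5 + 0.25 * (n_sources - 1), 1.0)


def score_findings(signals: list[Signal], as_of: datetime) -> list[dict]:
    """Group signals by finding, take the freshest decayed weight, and scale it
    by how many independent sources corroborate the finding. Single-source
    findings are flagged rather than silently blended in."""
    by_finding: dict[str, list[Signal]] = {}
    for s in signals:
        by_finding.setdefault(s.finding, []).append(s)
    results = []
    for finding, group in by_finding.items():
        sources = {s.source for s in group}
        freshest = max(decay_weight(s, as_of) for s in group)
        results.append({
            "finding": finding,
            "category": group[0].category,
            "source_count": len(sources),
            "single_source": len(sources) == 1,
            "score": round(freshest * corroboration_factor(len(sources)), 4),
        })
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


def exposure_index(results: list[dict]) -> float:
    """Headline number: sum of per-finding scores (aggregation is an assumption)."""
    return round(sum(r["score"] for r in results), 4)


def _dt(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


AS_OF = _dt(2026, 6, 1)

# Constructed sample signals (not real data): one credential finding seen by
# two independent partners, one old single-source breach record.
CONSTRUCTED_SIGNALS = [
    Signal("creds:example.com:dump-a", "stealer_log", "partner-a", _dt(2026, 5, 2), 1.0),
    Signal("creds:example.com:dump-a", "stealer_log", "partner-b", _dt(2026, 5, 17), 1.0),
    Signal("breach:example.com:2024", "breach", "partner-c", _dt(2025, 5, 1), 1.0),
]


def demo() -> tuple[list[dict], float]:
    results = score_findings(CONSTRUCTED_SIGNALS, AS_OF)
    return results, exposure_index(results)


if __name__ == "__main__":
    res, idx = demo()
    for r in res:
        print(r)
    print("exposure index:", idx)
```

Taking the freshest decayed weight per finding, rather than summing across sources, keeps a single dump that four partners re-list from counting four times; the corroboration factor is where the extra sources earn their credit.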
07. How do you know the exposure is actually ours, and not background noise?
Attribution is anchored to assets you verify you own — domains, brands, registered marks — not fuzzy name matches. A signal only counts toward your indices once it's matched against your verified asset set. Ambiguous or low-confidence matches are reported separately as candidates, never folded silently into the headline score, and cross-listing identity attribution carries its own confidence band. The result is a number you can defend, not an alarmist count inflated by lookalikes.
08. What does onboarding look like?
Day 1: tenant provisioned, source connectors lit, first scan running. Day 7: weekly index values stabilized. Day 14: first board PDF + first peer-cohort benchmark (assuming cohort is N ≥ 5). Day 30: first methodology review session. Typical first-actionable insight: 72 hours.
09. Can we keep our existing takedown, registrar, or DFIR vendor?
Yes — and you should. Our index outputs feed your existing operational stack: takedown queues, registrar dispute portals, IR retainer, GRC tooling. We don't replace those workflows; we make them measurably more effective by ranking the queue against quantified exposure.
10. What does the legal team get? Chain of custody?
Every index output is anchored to (a) the methodology version it was computed under, (b) the inputs at that timestamp, and (c) a SHA-256 hash of the evidence bundle. Signed evidence packages are exportable for litigation and regulatory submission. An independent auditor with read access can replay any historical value.
11. How quickly do alerts fire?
P0 (critical exposure event — e.g. confirmed IAB listing, ransomware-crew victim disclosure naming the client): inside 15 minutes of first signal. P1 (significant spikes ≥ 3σ on any index — exposure or market): inside 1 hour. P2 (typosquats, competitor launches, low-severity changes): daily digest at 09:00 in your timezone. Webhook + email + Slack/Teams. Sentinel/Fortress tiers include P0; Watchtower starts at P1.
12. GDPR / CCPA: what's the posture?
Minimization at ingest: identifiers SHA-256-hashed with a 90-day rotating salt. Documented lawful basis (GDPR Art. 6(1)(f) + 34). 13-month default retention, configurable per data category. CCPA / GDPR Art. 17 deletion endpoint is mandatory before any production tenant goes live. DPA template available; SOC 2 Type I in progress.
13. What if we leave? Do we get our data?
Yes. Full export — raw signals attributed to your tenant, all computed historical values, and the methodology version each value was computed under — within 7 business days of off-ramp request. JSON + CSV, no proprietary formats. No hostage data.
14. What does the first cohort buy?
Six-month commitment, preferential terms, direct input on the methodology v0.6 cut, quarterly roadmap review, founder Slack access. Three to five logos. Cohort closes when full.
Question not here? Send it with the cohort request note — we respond to methodology and contract questions in writing inside 48h.
First cohort · first 5 logos
Cohort terms: 6-month commitment, preferential terms, methodology input, quarterly roadmap review. Open to corporate security, risk, legal, underwriting, and corp-dev teams.