About · operated by a US LLC

A Bureau, not a platform.
Built to deliver a number you can defend.

Exposure Bureau is a US LLC consultancy that produces quantified digital-risk metrics from licensed dark-web data partners and public, indexed sources. The product is a recurring intelligence report — weekly or monthly PDF + executive email digest — built around five focused indices for security, risk, legal, cyber-insurance underwriting, and M&A diligence teams.

01·Principles

What we commit to before any individual index.

Decision-grade, not alert-grade

Most threat-intelligence platforms ship alert streams. Decision-makers — CISOs, underwriters, M&A diligence leads — need numbers they can put in a board deck, a rating model, or a diligence memo. We ship five comparable indices on a recurring cadence. That's the entire product surface.

Quantification over volume

We do not out-collect Recorded Future, Flashpoint, Intel 471, or KELA. We win on quantification: published formulas, peer-cohort benchmarks, audit-replayable methodology, signed evidence packages. Comparable across clients, defensible in front of a regulator.

Defensive posture only

Every collection source is enumerated and contractual. No invite-only forums. No vouched personas. No HUMINT. No participation in markets we observe. Public sources plus licensed data partners (DarkOwl, SpyCloud, Constella, Flare). The collection boundary is part of the math — see the published red lines on the homepage.

CISM-led methodology

The index methodology is led by a CISM-certified practitioner and versioned (v0.4 at time of writing). Every output carries the version it was computed under so an auditor with read access can independently replay any historical value.

02·Structure

How the operation is set up.

Entity: Exposure Bureau LLC, registered in the United States.
Phase: Pre-launch · first cohort outreach (3 of 5 slots open · Q3 2026).
Team: Lean. 1–4 people through the first 18 months by design.
Hosting: Cloudflare Pages (edge) + Supabase (Postgres + RLS). All API routes run on the edge runtime; identifiers hashed at ingest.
Retention: 13-month default for collected signals; configurable per category. First-party leads retained until a deletion request fires.

The compliance posture — DPA, security whitepaper, subprocessor list, retention policy — is published on /resources. The deletion path for GDPR Art. 17 / CCPA requests lives at /privacy/delete.

03·What we are not

The clean negative space.

Talk to us

First cohort is open.

Six-month commitment, preferential terms, methodology input, quarterly roadmap review. Open to corporate security, risk, legal, underwriting, and corp-dev teams. Three to five logos.

Read first

The math is published.

Before any conversation, the methodology page is the answer to most questions — formulas, source weighting, confidence intervals, versioning, and red lines. The sample report shows what the recurring deliverable actually looks like.