Glossary

The terms behind the numbers.

Plain-English definitions of the five indices, the headline composite, and the methodology, source, and compliance terms they rest on. For the full formulas, see the methodology.

Indices

Composite Exposure Index (CXI)
The headline 0–100 composite — a client-weighted roll-up of the five indices into a single board-level number. No new collection of its own; it summarizes CES, IMI, RPS, BLV, and BIR. Default weights are published; per-client weights are set at onboarding and audited quarterly.
Credential Exposure Score (CES)
Credentials tied to a domain observed in licensed stealer-log feeds and public breach combolists, severity-weighted (active stealer sessions outrank old combolist entries) and time-decayed. The leading account-takeover precursor; the index behind the free teaser.
IAB Mention Index (IMI)
Volume and severity of initial-access-broker listings referencing a client across public-source channels and licensed dark-web feeds. A near-term, imminent-access signal — brokered access is often the step before a ransomware affiliate buys in.
Ransomware Proximity Score (RPS)
Exposure to active ransomware crews, combining direct leak-site mentions, supplier-graph overlap with known victims, and cohort-relative incident clustering. The dominant cyber-insurance loss driver, quantified.
Brand Leak Velocity (BLV)
The rate at which proprietary brand assets, internal documents, and identifiable data appear across public leak channels and paste sites — a velocity, not a count, so an accelerating leak surfaces before the total volume looks alarming.
Brand Impersonation Reach (BIR)
The audience reach of typosquat domains, mirror sites, and impostor social profiles imitating a client, weighted by estimated traffic — so takedown spend is directed at the impersonations that actually reach people.

Methodology

Confidence interval (80% CI)
Every index ships with an 80% confidence band, not a false-precision point estimate. A thin or stale evidence base widens the band rather than hiding the uncertainty — so the reader sees how much to trust a number, not just the number.
Peer-cohort benchmark
A score compared against a bucket of peers defined by sector × workforce-size band × revenue band. An observed peer percentile is only reported once a bucket reaches N ≥ 5; below that, the score is benchmarked against a documented modeled baseline, labeled as such — a modeled prior is never presented as an observed percentile.
Time decay (half-life)
Signals lose weight as they age, on a category-specific half-life — stealer-log hits decay in about 30 days, old breach data over about 13 months. This keeps a score reflecting current exposure rather than historical noise.
Multi-source corroboration
A signal confirmed in two or more independent sources scores higher than a single-source claim, and single-source signals are flagged. The core control against acting on a plausible-but-wrong finding.
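The time-decay and corroboration entries above, combined into one scoring pass as an added example (not the bureau's own code or published formula). The 30-day and ~13-month half-lives are the glossary's; the exponential decay form, the day count for 13 months, the severity values, the corroboration uplift, and the treatment of distinct feed names as independent sources are assumptions made here.

```python
import datetime as dt

# Half-lives per category. The 30-day stealer-log and ~13-month breach
# figures come from the glossary; the exact day count for 13 months, the
# exponential form of the decay, and the severity and corroboration
# numbers below are assumptions made for this example.
HALF_LIFE_DAYS = {"stealer_log": 30.0, "breach_combolist": 13 * 30.44}
BASE_SEVERITY = {"stealer_log": 10.0, "breach_combolist": 3.0}
CORROBORATION_BONUS = 0.5  # uplift once two or more independent sources agree


def decay_weight(category: str, age_days: float) -> float:
    """Fraction of a signal's weight surviving after age_days (halves per half-life)."""
    if age_days < 0:
        raise ValueError("observation timestamp is in the future")
    return 0.5 ** (age_days / HALF_LIFE_DAYS[category])


def score_signal(signal: dict, now: dt.date) -> dict:
    """Severity x time decay x corroboration, plus the single-source flag."""
    age_days = (now - signal["observed"]).days
    # Distinct feed names are treated as independent sources here (assumption).
    corroborated = len(set(signal["sources"])) >= 2
    factor = 1.0 + CORROBORATION_BONUS if corroborated else 1.0
    score = BASE_SEVERITY[signal["category"]] * decay_weight(signal["category"], age_days) * factor
    return {"score": round(score, 3), "single_source": not corroborated}


def credential_exposure(signals: list, now: dt.date) -> dict:
    """Roll decayed, corroboration-adjusted scores up and count single-source items."""
    scored = [score_signal(s, now) for s in signals]
    return {
        "total": round(sum(s["score"] for s in scored), 3),
        "single_source_count": sum(s["single_source"] for s in scored),
    }


# Constructed sample: a fresh two-feed stealer hit, a 30-day-old single-feed
# stealer hit, and a year-old combolist entry seen in two lists.
TODAY = dt.date(2024, 6, 1)
SAMPLE = [
    {"category": "stealer_log", "observed": dt.date(2024, 6, 1), "sources": {"feed_a", "feed_b"}},
    {"category": "stealer_log", "observed": dt.date(2024, 5, 2), "sources": {"feed_a"}},
    {"category": "breach_combolist", "observed": dt.date(2023, 6, 1), "sources": {"list_x", "list_y"}},
]

if __name__ == "__main__":
    print(credential_exposure(SAMPLE, TODAY))  # total 22.37, one single-source signal
```

The single-source flag travels with the score rather than being folded in, so a reviewer can see which part of the total rests on an uncorroborated claim.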
Attribution
Matching an observed signal to assets a client verifies they own — domains, brands, registered marks — rather than fuzzy name matches. Ambiguous or low-confidence matches are reported separately as candidates, never folded silently into the headline score.
Methodology version
Every index output is anchored to the methodology version it was computed under. Source-list or formula changes require a version bump and client notice, so any historical value can be replayed and audited under the rules in force at the time.
Evidence package
A signed bundle of the inputs behind an index value at a timestamp, hashed for integrity. Exportable for litigation or regulatory submission; an independent auditor with read access can replay any historical value.

Sources

Stealer log
Output of infostealer malware (RedLine, Lumma, Stealc, Vidar) — captured credentials, cookies, and session data from an infected device. High-severity for CES because an active stealer session can bypass a password reset.
Combolist
A compiled list of email/username + password pairs aggregated from past breaches and circulated publicly. Lower severity than a fresh stealer log, but a volume signal for credential exposure.
Initial Access Broker (IAB)
A threat actor who sells footholds into already-compromised organizations to other criminals (often ransomware affiliates). Listings referencing a client feed the IMI.
Leak site
A public site, typically run by a ransomware crew, that names victims and publishes stolen data to pressure payment. A direct input to RPS and BLV. We observe these; we never authenticate to or interact with their operators.

Data & compliance

Identifier hashing
Personal identifiers are SHA-256 hashed with a 90-day rotating salt at the collector boundary, before storage. Only the hash plus observation metadata is persisted. Plaintext dereferencing requires verified domain ownership and a documented lawful basis.
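The collector-boundary hashing described above, as an added example that is not the bureau's own code. SHA-256 and the 90-day rotation are from the glossary; deriving each window's salt from a master key with HMAC, the window origin date, the identifier normalisation, and the record fields are assumptions made here.

```python
import datetime as dt
import hashlib
import hmac

SALT_PERIOD_DAYS = 90          # glossary: the salt rotates every 90 days
EPOCH = dt.date(2024, 1, 1)    # assumed origin for numbering the 90-day windows


def salt_period(observed: dt.date) -> int:
    """Index of the 90-day salt window an observation falls into."""
    return (observed - EPOCH).days // SALT_PERIOD_DAYS


def period_salt(master_key: bytes, period: int) -> bytes:
    """Derive one window's salt from a master key that never reaches storage.
    HMAC derivation is an assumption; the glossary only says the salt rotates."""
    return hmac.new(master_key, b"salt-period-%d" % period, hashlib.sha256).digest()


def hash_identifier(identifier: str, master_key: bytes, observed: dt.date) -> str:
    """SHA-256 over salt || normalised identifier, done at the collector boundary."""
    normalised = identifier.strip().lower().encode("utf-8")
    salt = period_salt(master_key, salt_period(observed))
    return hashlib.sha256(salt + normalised).hexdigest()


def collector_record(identifier: str, source: str, severity: str,
                     master_key: bytes, observed: dt.date) -> dict:
    """What the collector hands to storage: the hash plus observation metadata."""
    return {
        "id_hash": hash_identifier(identifier, master_key, observed),
        "salt_period": salt_period(observed),  # needed to re-derive the salt later
        "source": source,
        "severity": severity,
        "observed": observed.isoformat(),
    }


def contains_plaintext(record: dict, identifier: str) -> bool:
    """True if the raw identifier leaked into any stored field."""
    needle = identifier.strip().lower()
    return any(needle in str(v).lower() for v in record.values())

# Constructed sample values; the key is a placeholder, not a real secret.
MASTER_KEY = b"placeholder-master-key-for-example"
SAMPLE_EMAIL = "Alice@Example.com"
OBSERVED = dt.date(2024, 2, 1)
LATER = OBSERVED + dt.timedelta(days=SALT_PERIOD_DAYS)  # lands in the next window
RECORD = collector_record(SAMPLE_EMAIL, "stealer_feed_a", "high", MASTER_KEY, OBSERVED)
```

Because the salt changes every window, the same identifier hashes differently across windows; matching a verified client asset against stored hashes therefore has to be redone per window, which is the price of limiting how far a leaked hash set can be linked.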
Lawful basis
The legal ground for processing data. Collected signals rely on legitimate interest with minimization at ingest (GDPR Art. 6(1)(f)); first-party form submissions (waitlist, teaser, resource requests) rely on consent and are stored as given, with a deletion endpoint.
Retention
Collected signals are kept for a 13-month default, configurable per data category; first-party leads are retained until a deletion request. A GDPR Art. 17 / CCPA deletion endpoint is live before any production tenant.

Want to see an index on your own domain? Start with a free CES teaser, or read why we're a bureau, not a platform.