Exposure Report · EB-SAMPLE-2026-05 · Methodology v0.4

TheExampleCO
Exposure posture · Apr 22 – May 22, 2026.

Client: TheExampleCO
Primary domain: example.co
Sector: Financial-services SaaS
Size: ~600 employees
Revenue band: $180M ARR (illustrative)
Generated: May 23, 2026
Peer cohort: SaaS · mid-market · financial vertical · N=7 cohort

0 · Executive summary

Posture moved from cohort P66 to P74 this period.

Cyber Exposure Index: 6.8 / 10
[6.4 – 7.1] 80% CI · P74 cohort
+11.5% vs prior period (6.1)

Estimated USD exposure · 30d: $1.42M
[$0.91M – $1.94M] 80% CI
Loss-distribution model · calibrated to cohort incident data.

Alerts fired this period: 1 P0 · 3 P1 · 18 P2
22 alerts · 1 outstanding P0 awaiting SOC verification.

Narrative

The period's movement is concentrated in three places. CES rose 24% driven by RedLine + Lumma stealer-log inflow — 41 of those carry active-session indicators and are the immediate reset priority. BLV registered a 3σ spike, but the spike is downstream re-uploads of one Q1 PDF, not new exfiltration. IMI added a single new listing that requires SOC verification within 48h.

RPS cohort movement is sector-driven, not specific to TheExampleCO. BIR stays near cohort median, but the ASN 14061 cluster expanded by 8 typosquats — a bundled registrar-abuse filing closes most of that in one motion.

1 · Cyber Exposure Index · headline

CXI = 6.8 · composite of CES + RPS + BIR + SCEI client-weighted.

The CXI rolls a client-weighted subset of indices into a single 0–10 number for board reporting. Weights are documented per client at onboarding and audited quarterly. For TheExampleCO, the weight vector applied this period is CES 0.32 · RPS 0.28 · BIR 0.22 · BLV 0.10 · IMI 0.08.

2026-02 (3 months ago): 5.6
2026-03 (2 months ago): 5.9
2026-04 (last period): 6.1
2026-05 (this period): 6.8

2 · The five indices · detail

Each index with value, CI, trend, top contributors, and the decision it enables.

2.1 · CES · Credential Exposure Score

3,412 new credentials · 30d · [3,180 – 3,640] 80% CI

3,412 credentials tied to *.example.co observed in licensed stealer-log feeds and public combolists during the window. 41 carry active-session indicators (cookies, saved-card flags) and qualify as P0 reset candidates.

Trend: +24% vs prior 30d
Cohort: P63 within cohort

Top contributors

  • RedLine stealer family · 47% · 1,608 records · majority last-30d freshness
  • Lumma stealer family · 23% · 784 records · trending upward across cohort
  • Combolist C-2026-04 (deduplicated) · 12% · 411 records · 3-vendor agreement
  • Stealc + Vidar + Raccoon residual · 11% · 374 records · cross-vendor reconciled
  • Public breach dumps (recency-weighted) · 7% · 235 records · low confidence individually

Decision it enables

Force credential rotation on the 41 active-session candidates inside 24h. Cohort-level reset for the top 600 high-severity records this week.

2.2 · IMI · IAB Mention Index

4 active listings · [3 – 5] 80% CI

Four initial-access-broker listings reference example.co during the window. One vouched-seller listing offers VPN access at 2.4 BTC — the active P0 escalation in this report.

Trend: +1 listing in window
Cohort: P81 within cohort

Top contributors

  • Telegram resale channel (anonymized) · high · 2 listings · 1 vouched · added Apr 28 / May 04
  • Forum mirror (archive-indexed) · medium · 1 listing · low-vouch · added Apr 19
  • Public stealer-log market index · medium · 1 listing · cross-attribution to RedLine corpus

Decision it enables

SOC to verify whether the asset offered ("VPN, persistent") matches a real perimeter component. If confirmed, treat as in-progress intrusion — engage IR retainer.

2.3 · RPS · Ransomware Proximity Score

6.4 / 10 · [5.9 – 6.8] 80% CI

Movement from P64 to P72 is driven by sector clustering, not direct exposure. Two peer firms in the cohort were named on leak sites this quarter; an indirect supplier-overlap signal also contributed.

Trend: P64 → P72 in cohort
Cohort: P72 within cohort

Top contributors

  • Sector cohort clustering · w1 · high · 3 peer-incident disclosures in the cohort this quarter
  • Supplier-graph overlap · w2 · medium · Acme Corp 8-K disclosure 2026-04 · supplier overlap = 4 of 18
  • Direct leak-site mention · w3 · low · Single low-severity claim, BlackCat affiliate, March 2026 — sample only, no exfil claim verified

Decision it enables

Drive the 4 overlapping suppliers through accelerated vendor review (questionnaire + secondary attestation). Reflect cohort movement in the next underwriting renewal conversation.

2.4 · BLV · Brand Leak Velocity

12 artifacts / week · [9 – 15] 80% CI

Velocity spike driven by re-uploads of a single Q1 internal PDF (`TheExampleCO_Internal_2026Q1.pdf` — fingerprinted) across 3 paste-class channels. Not a new exfiltration; downstream amplification.

Trend: 3σ above 4-artifact baseline
Cohort: P92 within cohort

Top contributors

  • Paste-class channels (3 distinct) · high · Pastebin-class mirrors · 9 of 12 artifacts
  • Public Telegram channel re-posts · medium · 2 re-posts · cross-attribution by fingerprint
  • Forum mirror residual · low · 1 archive.org-indexed post · low audience reach

Decision it enables

Push the fingerprinted PDF to the takedown vendor queue with elevated priority. Investigate the upstream origin — fingerprint pattern suggests a single source uploader, not coordinated leak.

2.5 · BIR · Brand Impersonation Reach

28 active impersonators · ±35% on reach · 80% CI

Estimated 14,200 monthly visitors across 28 active impersonator surfaces. Two operator clusters detected by ASN; the ASN 14061 cluster expanded by 8 domains this window — likely a single operator turning up volume.

Trend: +8 typosquats in window
Cohort: P54 within cohort

Top contributors

  • ASN 14061 typosquat cluster · high · 12 typosquats · single operator inferred · ~9,800 visitors/mo
  • ASN 16509 typosquat cluster · medium · 5 typosquats · second operator · ~3,200 visitors/mo
  • Social impostors (LinkedIn / X / Telegram) · medium · 7 profiles · ~1,200 follower reach combined
  • Other long-tail typosquats · low · 4 surfaces · low traffic estimate

Decision it enables

File registrar abuse against the ASN 14061 cluster as a single operator package. LinkedIn impostor takedowns via the standard platform-reporting path. Defensive registration recommended for the four highest-impression near-misses (list in §6 appendix).

3 · Top findings

Five movements that matter this period.

P0 · IAB listing offering VPN access

Vouched seller; 2.4 BTC asking. Listing dated Apr 30. Highest-severity item in the report. SOC verification first.

P1 · 41 credentials with active-session indicators

Captured cookies + saved-card flags; cohort-level reset recommended within 24h.

P1 · BLV 3σ spike on a single Q1 PDF

Re-upload pattern (3 paste channels, 2 Telegram re-posts) — fingerprinted; not new exfil. Push to takedown queue.

P2 · ASN 14061 typosquat cluster expanded by 8 domains

Single-operator inference. Bundled registrar-abuse filing recommended.

P2 · RPS cohort movement P64 → P72

Sector clustering, not direct exposure. Surfaces in cyber-insurance renewal conversations.

4 · Peer-cohort benchmark

Cohort N = 7. SaaS · mid-market · financial vertical.

Cohort statistics are computed across hash-blinded peer inputs. No cohort member is identifiable from these percentiles. Buckets are reviewed quarterly, and a benchmark is suppressed if the bucket size falls below the N ≥ 5 minimum.

  • CES · You 3,412 · Cohort median 2,210 · P63
  • IMI · You 4 · Cohort median 2 · P81
  • RPS · You 6.4 · Cohort median 5.9 · P72
  • BLV · You 12 / wk · Cohort median 5 / wk · P92
  • BIR · You 28 · Cohort median 27 · P54

5 · Recommended mitigations

Five actions, priced by priority and SLA.

P0 · Inside 24h · Reset the 41 active-session credentials

Cohort-level password reset across the high-severity CES cluster. Coordinated forced-logout if SSO is integrated.

Owner: Security · Identity

P0 · Inside 48h · SOC verification of the IAB listing

Determine if the offered VPN access matches a live perimeter component. If confirmed, escalate to IR retainer.

Owner: Security · SOC

P1 · This week · Push the Q1 PDF fingerprint to takedown queue

Elevated priority. Investigate upstream uploader for a single-source pattern.

Owner: Legal · Brand · Takedown vendor

P1 · This week · Bundled registrar-abuse filing on ASN 14061 cluster

12 domains under one operator inference. Single coordinated filing.

Owner: Legal · Brand

P2 · Next 30 days · Vendor review on the 4 overlapping suppliers

Accelerated questionnaire + secondary attestation against the cohort-clustering signal.

Owner: GRC · Procurement

6 · Evidence anchor & methodology

Methodology anchor

  • Methodology version: v0.4
  • Inputs at: May 23, 2026 00:00 UTC
  • Evidence bundle: SHA-256: 4f3a…1c0b (synthetic)
  • Report number: EB-SAMPLE-2026-05

In a real report, the bundle hash is replayable by an auditor with read access. Every value above can be independently recomputed from preserved raw signals.

What the real product looks like

The real recurring report ships as PDF + executive email digest on a weekly or monthly cadence, scoped to your domains and brands, with your actual peer cohort and your actual evidence.