First cohort · 3 of 5 slots open · Q3 2026

Credential, ransomware, IAB, and brand exposure — delivered as a recurring intelligence report.

Digital-risk intelligence for security, risk, and legal teams. Five focused indices, delivered as a weekly or monthly report (PDF + executive email) — built to land in a board deck, an underwriting model, or your CISO's quarterly posture review. CISM-led methodology. Licensed data partners and public sources only.

  • 5 focused indices
  • enumerated source whitelist
  • 80% CI bands · on every output
  • v0.4 methodology · audit-replayable

The five indices

Five useful numbers over forty thousand alerts.

CES · Credential Exposure Score (CISO · Security)
Credentials tied to the client's domains observed in licensed stealer-log feeds (RedLine, Lumma, Stealc, Vidar) and public breach combolists.
Force proactive credential resets by cohort. Cut account-takeover risk.

IMI · IAB Mention Index (CISO · Risk)
Volume and severity of initial-access-broker listings referencing the client across public-source channels and licensed dark-web feeds.
Notify and harden the perimeter before brokered access is sold to a ransomware affiliate.

RPS · Ransomware Proximity Score (CISO · Cyber-insurance)
Exposure to active ransomware crews — leak-site mentions, supplier-overlap with known victims, and cohort-relative incident clustering.
Quantify ransomware exposure for cyber-insurance pricing, vendor reviews, and board reporting.

BLV · Brand Leak Velocity (Legal · Brand)
Rate at which proprietary brand assets, internal documents, and identifiable data appear across public leak channels and paste sites.
Prioritize takedown queues and legal escalation when leakage accelerates beyond baseline.

BIR · Brand Impersonation Reach (Legal · Marketing)
Audience reach of typosquat domains, mirror sites, and impostor social profiles imitating the client — weighted by estimated traffic.
Direct defensive registrar spend, platform reporting, and takedown allocation.

Each index ships with a published formula, source weighting, confidence intervals, and a versioned change log.

Who reads the Bureau's report

Cyber-Insurance Underwriter / Broker

RPS, CES, and IMI translate posture into quantifiable exposure for renewal pricing, sub-limits, and binder decisions — comparable across insureds.

Chief Information Security Officer

Quarterly delta on five indices — credential, IAB, ransomware, leak, impersonation — with peer-cohort context for the board deck and audit committee.

M&A / Corporate Development

One-shot exposure report on a target's externally observable risk surface — evidence-grade attribution, methodology-versioned outputs, defensible in diligence.

Deliverable 1
Recurring report

Weekly or monthly PDF — 8–16 pages. Five indices, trend, top findings, USD exposure, peer-anonymous benchmark, mitigation recommendations. Signed evidence bundle attached.

Deliverable 2
Executive email digest

Same cadence as the report. Two-paragraph summary, the three movements that matter, links to the underlying evidence. Built to forward to a CFO or board chair as-is.

Deliverable 3
Exposure-grade alerts

Webhook + email. P0: confirmed IAB listing or ransomware-crew naming. P1: 3σ spikes on CES / IMI / BLV. P2: new typosquats — daily digest.

Pricing

Three tiers. Recurring report · USD, annual. 15% off if paid upfront.

Brief
{{PRICE_BRIEF}} per month · USD

Mid-market firm, 1 primary brand, single business unit

  • 1 primary domain + 5 alternates
  • Up to 5 monitored brands / trademarks
  • Monthly report (PDF + executive email)
  • All five indices · methodology-versioned outputs
  • P1 + P2 alerts
  • No quarterly review call
  • 13-month retention

Watch (most common)
{{PRICE_WATCH}} per month · USD

Multi-brand corporate, $100M–$2B revenue, regulated industry

  • Up to 20 domains, 25 monitored brands
  • Weekly report (PDF + executive email)
  • Quarterly review call (60 min · recorded for board distribution)
  • P0 critical alerts (24/7)
  • Up to 4 report recipients
  • Signed evidence packages for legal use
  • Slack / Teams integration
  • 24-month retention

Mandate
From {{PRICE_MANDATE}} per month · USD

Large enterprise, holding company, or MSSP white-label

  • Unlimited domains, 100+ monitored brands
  • Weekly report (PDF + executive email)
  • Quarterly review call + ad-hoc analyst sessions
  • Custom indices on intake · per-subsidiary segmentation
  • Full API access · webhook integrations
  • Dedicated support (4h response)
  • Optional MSSP white-label
  • 36-month retention

+ Add-on · M&A / Vendor Due-Diligence Exposure Report — {{PRICE_DILIGENCE}} / target, one-shot. 5 business days.

Red lines

What the Bureau will not do. Print this. Show it to your legal team.

The market has had bad experiences with vendors who promise "monitoring" and end up leaking or reselling the data they collect. The Bureau's red lines are contractual, not aspirational.

Frequently asked

The ten questions we hear in every first call.

01. How are you different from Recorded Future, Flashpoint, or DarkOwl?

Those vendors ship SOC-grade threat intel — priced $120k–$300k+/yr and shaped for SIEM-style consumption. We're a Bureau: five focused, comparable indices delivered as a quantified posture report on a recurring cadence. CISM-led methodology, published formulas, peer-cohort benchmarks. Different shape, different buyer. We are not trying to be a thinner Recorded Future.

02. What sources do you collect from? Can we audit the list?

Source families are explicitly enumerated and contractual: licensed dark-web data partners (DarkOwl, SpyCloud, Constella, Flare), public stealer-log markets via archive mirrors, public ransomware leak sites, public paste sites and forum mirrors, certstream/WHOIS for domain monitoring, and public Telegram channels. The whitelist is contractual — additions or removals require a methodology version bump and 14-day client notice. Full list and per-source weights are on the methodology page.

03. How do you handle our customer or subscriber identifiers?

Identifiers are SHA-256 hashed with a 90-day rotating salt at the collector boundary, before they hit our storage. Only the hash plus breach metadata (source, observation time, severity flags) is persisted. Plaintext dereferencing requires verified domain ownership and a documented lawful basis (GDPR Art. 6(1)(f) + 34). Cross-tenant data never crosses a tenant boundary.

04. What does onboarding look like?

Day 1: tenant provisioned, source connectors lit, first scan running. Day 7: weekly index values stabilized. Day 14: first board PDF + first peer-cohort benchmark (assuming cohort is N ≥ 5). Day 30: first methodology review session. Typical first-actionable insight: 72 hours.

05. Can we keep our existing takedown, registrar, or DFIR vendor?

Yes — and you should. Our index outputs feed your existing operational stack: takedown queues, registrar dispute portals, IR retainer, GRC tooling. We don't replace those workflows; we make them measurably more effective by ranking the queue against quantified exposure.

06. What does the legal team get? Chain of custody?

Every index output is anchored to (a) the methodology version it was computed under, (b) the inputs at that timestamp, and (c) a SHA-256 hash of the evidence bundle. Signed evidence packages are exportable for litigation and regulatory submission. An independent auditor with read access can replay any historical value.

07. How quickly do alerts fire?

P0 (critical exposure event — e.g. confirmed IAB listing, ransomware-crew victim disclosure naming the client): inside 15 minutes of first signal. P1 (significant spikes ≥ 3σ on CES / IMI / BLV): inside 1 hour. P2 (typosquats, low-severity changes): daily digest at 09:00 in your timezone. Webhook + email + Slack/Teams. Sentinel/Fortress tiers include P0; Watchtower starts at P1.

08. GDPR / CCPA — what's the posture?

Minimization at ingest: identifiers SHA-256-hashed with a 90-day rotating salt. Documented lawful basis (GDPR Art. 6(1)(f) + 34). 13-month default retention, configurable per data category. CCPA / GDPR Art. 17 deletion endpoint is mandatory before any production tenant goes live. DPA template available; SOC 2 Type I in progress.

09. What if we leave? Do we get our data?

Yes. Full export — raw signals attributed to your tenant, all computed historical values, and the methodology version each value was computed under — within 7 business days of off-ramp request. JSON + CSV, no proprietary formats. No hostage data.

10. What does the first cohort buy?

Six-month commitment, 40% off list pricing, direct input on the methodology v0.5 cut, quarterly roadmap review, founder Slack access. Three to five logos. Cohort closes when full. Cohort terms convert to standard contract terms at month 7 with right of first refusal on tier upgrades.

Question not here? Send it with the cohort request note — we respond to methodology and contract questions in writing inside 48h.

First cohort · first 5 logos

Cohort terms: 6-month commitment, 40% off list, methodology input, quarterly roadmap review. Open to corporate security, risk, legal, underwriting, and corp-dev teams.