Exposure Intelligence
Monitor credential and identity exposure on domains you own. Domain ownership verified via DNS TXT. Explicit customer consent required. Sensitive fields masked by default; reveal actions audited.
WASViking® Exposure Intelligence matches leaked credential and identity data against domains the customer owns and has explicitly authorized for monitoring. It is a legitimate security monitoring capability with strong guardrails: domain ownership is proven via a DNS TXT record, the operator confirms authorization with a consent attestation, sensitive fields are masked by default, and every reveal action is recorded for audit.
Exposure Intelligence is intended for authorized security monitoring only. Findings may include sensitive or personal data related to security incidents. Fields are masked by default and reveal actions may be logged for audit and abuse prevention.
How a domain enters monitoring
Three steps, gated end-to-end. The flow lives at Settings → System Settings → Add Monitored Domain.
Step 1 — Select a target domain
The dropdown lists only existing targets in the organization. You cannot monitor a domain that is not already a declared asset in your account. This prevents scope abuse: an operator cannot point Exposure Intelligence at a domain the organization does not own.
Step 2 — Customer consent
The operator confirms two things, with a required checkbox:
By continuing, you confirm that you are authorized to monitor this domain and that such monitoring is performed for legitimate security purposes.
You acknowledge that exposure intelligence findings may include sensitive or personal data (such as email addresses or credential indicators), and that access to such data is controlled, may be audited, and must be handled in accordance with applicable laws and your organization's policies.
The attestation is captured in the audit log along with the operator identity and timestamp.
Step 3 — DNS TXT verification
WASViking issues a verification token. The operator adds a DNS TXT
record at the root of the domain's DNS zone (@) with the token as
the value. Once propagated, the operator clicks Verify DNS Record.
| Field | Value |
|---|---|
| Name | @ |
| Type | TXT |
| Value | The verification token issued by WASViking. |
DNS propagation may take up to 48 hours depending on the provider. The token can be re-generated if needed.
Without a successful DNS check, the domain stays unverified and no matches are surfaced. This is the legal proof that the customer controls the domain.
What gets matched
Per monitored domain, WASViking cross-references inbound exposure artifacts against your domain. A match becomes a row in the Leaked Exposure Matches table at Cyber Risk → Exposure Intelligence.
Each row exposes:
| Column | Notes |
|---|---|
| The email address from the artifact, masked by default. Reveal is an explicit, audited action. | |
| Username | The username (if present in the artifact), masked. |
| Password | A masked indicator of presence. Reveal is audited. |
| Application URL | The service the credential was used against. |
| Breach date | When the artifact was added to the upstream feed. |
| Action | Opens the detail view for the match. |
The header carries the page-level guarantee:
Sensitive data is masked by default. All reveal actions may be recorded for audit and security purposes.
Match detail
Click Details on any row. The match detail modal shows everything the platform has on the artifact, organized in four sections.
Exposure Summary
| Field | Meaning |
|---|---|
| Risk level | Computed severity for this match (High, Medium, Low). |
| Confidence | Confidence score in the match. |
| Flags | Whether Email, Username, and Password are present in the artifact. |
Timeline
| Field | Meaning |
|---|---|
| First seen | When WASViking first observed this artifact in the upstream feed. |
| Last seen | Most recent appearance. |
| Provider leak date | The date the upstream feed assigns to the breach. |
Exposed Data
Masked representations of the email, username, and password. A Record Hash identifies the artifact for deduplication and correlation across feeds without exposing the raw content.
Source & Artifact
Provenance metadata:
- Leak Category
- Provider Type
- Media (forum, paste, marketplace, etc.)
- XScore (upstream confidence indicator)
- Detected Family and Detected Type
- Confidence
- Provider Added At
- Artifact Created At
- Tenant Evidence Lines (how many lines in the artifact reference the monitored tenant domain)
Recommended Actions
Per match, WASViking surfaces a short action plan:
- Reset affected credentials immediately and invalidate active sessions.
- Investigate authentication logs for suspicious access or reuse attempts.
- Check for credential reuse across other services and enforce MFA where applicable.
- Continue monitoring this domain for additional exposure matches.
Privacy and access posture
- Masking by default. Email, username, and password fields render masked. Operators must explicitly request a reveal.
- Audited reveals. Every reveal action writes to the customer- facing audit log with the operator identity, the record hash, and the timestamp.
- No raw credential persistence beyond what is needed for matching. Artifacts are stored with the data the operator needs to act, plus the record hash for dedupe.
- Scope limited to verified domains. A match against a domain whose DNS verification has expired is suppressed.
What this is and is not
It is a legitimate security monitoring capability for credential exposures targeting domains the customer has proven ownership of.
It is not a generic breach feed reseller. WASViking does not expose data about domains the operator has not verified, and does not provide bulk access to upstream feeds.
It is not a takedown service. Matches surface the artifact and provenance; takedown coordination with providers is operator work.
Plan availability
Exposure Intelligence is gated per plan and per monitored domain.
| Plan element | Notes |
|---|---|
| Monitored domains | Per-plan cap (e.g., Plan limit: 2 on entry tiers). Tracked at Settings → System Settings → Add Monitored Domain. |
| Continuous monitoring | Pro plan and above. |
| Trial accesses | Exposure Intelligence is excluded from trial accesses by policy and activates on conversion to paid. |
Where it lives in the portal
- Cyber Risk → Exposure Intelligence: Leaked Exposure Matches table and the match detail modal.
- Settings → System Settings: Add and verify monitored domains; rotate verification tokens; revoke a monitored domain.
- Audit Log: every consent attestation, DNS verification, and field reveal action.
Compliance posture
- LGPD / GDPR. Monitoring is limited to domains under operator- attested ownership with documented consent. Sensitive data access is masked and audited.
- ISO 27001:2022 Annex A.5 / A.8. Identity exposure monitoring with documented access control and audit logging.
- Principle of least privilege. The Exposure Intelligence module
inherits RBAC and is gated by the
Exposure Intelligenceper-role permission set (see Inviting your team).