What the dark web knows about you


The dark web isn't just a plot device in cybersecurity thrillers. It's a thriving marketplace where information about your organisation — credentials, network access and customer data — is discussed, traded, and in some cases, weaponised.

For scaleups and mid-market organisations without dedicated security teams, understanding what circulates in these underground forums should not be a fear-mongering exercise. It should help you make informed decisions with the resources you have.

The Underground Economy: More Organised Than You Might Think

The dark web runs with surprising efficiency. Recent analysis shows data breaches posted on underground forums increased by 43% in 2024, with compromised credentials rising 34%. But these aren't random data dumps. They're structured offerings in a marketplace that functions much like any other, complete with vendor reputations, customer reviews, and competitive pricing.

For growing organisations, the economics matter. Initial access brokers — threat actors who specialise in breaking into networks — price their services based on company size and revenue. Access to a mid-sized business might cost anywhere from $1,000 to a few thousand dollars, which puts even less sophisticated attackers in the game. You don’t need elite hacking skills when you can simply buy admin credentials for the price of a laptop.

 

What's Actually Being Sold

If you look at what’s traded on these marketplaces, you start to see clear patterns:

  • Compromised credentials remain the primary offering. Stealer malware like Lumma and Risepro harvest login information from infected machines, and these credential logs are sold in bulk. The most shocking part is that it only costs around $10 to compromise an account. Multi-factor authentication (MFA) bypass techniques are openly discussed and traded, making once-strong defences less reliable.
  • Network access represents another lucrative market. These aren't abstract vulnerabilities — they're working credentials to VPNs, Citrix environments, or remote desktop services. Ads often include details like employee numbers and revenue, helping buyers zero in on organisations that match their target profile.
  • Data leaks appear following breaches, sometimes before companies realise they've been compromised. Beyond the immediate exposure, these leaks provide intelligence to other attackers about your systems, employees, and security practices.
  • Tools and techniques also circulate freely. Malware-as-a-service offerings numbered 384 unique varieties in 2024. This “democratisation” of attack tools means organisations face threats from a broader range of actors, not just elite hacking groups.

 

The Connection to Your Attack Surface

Here's where dark web monitoring intersects with attack surface management, and why both matter for organisations without extensive security teams.

Your attack surface — every internet-facing asset, cloud service, third-party integration, and employee endpoint — represents potential entry points. The challenge is that modern businesses create new attack surfaces constantly. A developer spins up a test environment in the cloud, a team adopts a new SaaS tool, a company acquisition brings in subsidiary systems you didn't know existed. According to Productiv's analysis of hundreds of SaaS management instances and tens of thousands of apps, shadow IT now makes up 56% of business application portfolios (up from 52% in 2020). For smaller companies with fewer than 500 employees, the figure is even higher at 68%.

The dark web provides visibility into which parts of your attack surface have already been compromised. If credentials from your domain appear in underground markets, you've got an active exposure. If threat actors are discussing vulnerabilities in a specific technology stack you use, you have advance warning about likely attack vectors.

Simply put, attack surface management tells you what you own and where you're exposed. Dark web intelligence tells you what threat actors already know about those exposures and how they're planning to use that information.

For more on how to discover whether your company is being targeted, read our blog “Why can’t I get Threat Intelligence that’s relevant to my business?”

 

Making This Actionable Without a Security Team

The intersection of these concepts might seem overwhelming when you're wearing multiple hats, but it is possible to approach it in a pragmatic and manageable way:

  • Start with visibility. You can't protect what you don't know exists. Basic asset discovery — mapping your internet-facing resources, cloud instances, and third-party connections — provides the foundation. Many attack surface management tools offer automated discovery specifically because manual tracking doesn't scale.
  • Prioritise based on actual risk. Not every finding requires immediate action. Focus on internet-facing assets with known vulnerabilities, credentials that appear in dark web forums, or exposures that provide easy access to critical systems. This risk-based approach helps allocate limited resources effectively.
  • Establish response protocols. When dark web intelligence surfaces credentials from your organisation, what happens next? Having a basic playbook — even a simple decision tree — prevents analysis paralysis. This might mean forced password resets, reviewing access logs, or temporarily isolating affected accounts. If you have either an internal or managed security operations centre (SOC), they should be able to move immediately from intelligence to action — validating the risk, containing any exposure, and closing the window before an alert becomes an incident.
  • Integrate with existing tools. If you're using SIEM, vulnerability management, or cloud security platforms, dark web intelligence can enhance their effectiveness rather than creating another standalone system to monitor. The goal is contextual awareness, not tool sprawl.
  • Consider your vendors. Your attack surface extends to third-party providers. If a key supplier's credentials appear on the dark web, that represents risk to your organisation even though you don't control their security practices. Mid-market organisations often have concentrated vendor relationships, making this visibility particularly valuable.
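
One way to express the playbook above as a simple decision tree, shown as an added example (not Talanos code). The record fields, domains, priority rules and all sample data are assumptions constructed for illustration; the actions mirror the ones named in the list.

```python
# Assumed account inventory (constructed): what each account can reach.
INVENTORY = {
    "alice@example.com": {"privileged": True,  "remote_access": True,  "mfa": True},
    "bob@example.com":   {"privileged": False, "remote_access": True,  "mfa": False},
    "carol@example.com": {"privileged": False, "remote_access": False, "mfa": True},
}
OWN_DOMAINS = {"example.com"}          # hypothetical company domain
VENDOR_DOMAINS = {"supplier.example"}  # hypothetical key supplier

# Constructed findings, shaped like an export from a dark web monitoring feed.
FINDINGS = [
    {"email": "alice@example.com", "source": "stealer_log"},
    {"email": "bob@example.com", "source": "combo_list"},
    {"email": "carol@example.com", "source": "combo_list"},
    {"email": "ops@supplier.example", "source": "stealer_log"},
    {"email": "old.user@example.com", "source": "combo_list"},
    {"email": "someone@unrelated.example", "source": "combo_list"},
]

def triage(finding):
    """Return (priority, actions) for one finding; priority 1 is handled first."""
    email = finding["email"].lower()
    domain = email.rsplit("@", 1)[-1]
    if domain in VENDOR_DOMAINS:
        return 2, ["notify vendor contact", "review vendor access to our systems"]
    if domain not in OWN_DOMAINS:
        return 4, ["no action: not our domain"]
    account = INVENTORY.get(email)
    if account is None:  # unknown to the inventory: stale account or shadow IT
        return 3, ["confirm account is disabled", "check for unmanaged sign-ups"]
    priority, actions = 3, ["force password reset", "review access logs"]
    # Stealer logs can include session cookies, so a password reset alone is not enough.
    if finding["source"] == "stealer_log":
        actions += ["revoke active sessions", "check user's device for malware"]
        priority -= 1
    # Easy path to critical systems: admin rights, or remote access without MFA.
    if account["privileged"] or (account["remote_access"] and not account["mfa"]):
        actions.append("temporarily isolate account")
        priority -= 1
    return priority, actions

def build_queue(findings):
    """Sort findings into a work queue of (priority, actions, email)."""
    rows = [(*triage(f), f["email"]) for f in findings]
    return sorted(rows, key=lambda row: (row[0], row[2]))

if __name__ == "__main__":
    for priority, actions, email in build_queue(FINDINGS):
        print(f"P{priority} {email}: {', '.join(actions)}")
```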

 

The Real Cost of Ignoring Underground Activity

The business impact of dark web exposure isn't hypothetical. When stolen credentials provide initial access, attackers move laterally through networks, often remaining undetected for weeks or months. The average time to identify a breach continues to be measured in months, not days, giving attackers ample time to locate valuable data, deploy ransomware, or establish persistence.

Double extortion ransomware attacks — where attackers both encrypt systems and threaten to leak stolen data — have proliferated specifically because data leaks are so effective. Ransomware groups maintain "data leak sites" on the dark web, publicly posting stolen information if victims don't pay. This transforms ransomware from an operational disruption into a reputational and regulatory crisis.

For organisations in regulated industries or those handling customer data, these exposures trigger compliance obligations. But beyond regulatory requirements, there's the practical matter of your security posture degrading in real-time while you remain unaware. Each compromised credential, each discussion of your vulnerabilities, each sale of network access shifts the odds further in favour of eventual compromise.

 

A Measured Approach

The goal isn't to monitor every dark web forum or catalogue every possible threat. That's neither practical nor necessary for most organisations. The goal is awareness — understanding that this intelligence exists, recognising how it intersects with your attack surface, and having mechanisms to act on critical exposures when they surface.

Think of it as augmenting your limited security resources with external threat intelligence. You're leveraging the fact that threat actors often signal their intentions or advertise their capabilities before executing attacks. This advance warning, combined with understanding your actual exposures, creates opportunities for proactive defence even with constrained resources.

The dark web will continue to evolve, and the sophistication of attacks will continue to increase. But the fundamentals remain consistent: attackers target known vulnerabilities, exploit weak credentials, and look for the path of least resistance. Understanding what they know about your organisation — and what parts of your attack surface they're most likely to target — provides the foundation for focused, effective security decisions.

For cybersecurity, IT, and risk leaders in mid-size and growing organisations, the objective should not be to achieve perfect security. Rather, you should focus on making informed trade-offs, protecting what matters most, and ensuring that your digital footprint doesn't become someone else's business opportunity in an underground marketplace.

Learn more about how to detect early indicators of compromise and proactively respond to emerging threats here.




Talanos is a specialist provider of managed cybersecurity services. Our experienced team come highly rated on Gartner Peer Reviews.
