
What is the Darknet Risk Score?

The Darknet Risk Score is a comprehensive, data-driven metric that quantifies an organization's exposure to risks originating from darknet and deepweb ecosystems. It measures how much sensitive, leaked, or vulnerable data related to an organization is circulating in cybercriminal ecosystems (stealer logs, exposed credentials, and leaked logins), combined with what passive infrastructure scanning reveals about the organization's exposed systems.

The score reflects the overall security posture of the organization from the perspective of a threat actor — providing key insights into:

  • Credential exposure and password hygiene
  • Infrastructure leaks and attack surface risks
  • Employee and third-party behavior with private or external services
  • Trends in breach frequency over time
  • Presence of vulnerable or poorly configured systems

This score is particularly valuable for CISOs, red teams, cyber insurers, and third-party risk auditors seeking to understand external exposure beyond the traditional perimeter.

How Does It Work?

The risk score can be calculated in the new dashboard or initiated via the API. We provide a sample script to help automate the calculation. The pipeline works step by step as follows:

1. Authentication: The script logs in to the LeakCenter API with valid API credentials and receives an access token that is sent with all subsequent requests.

2. Company Registration: The script checks whether the target domain (e.g. example.com) is already registered. If it is, the existing company entry is reused; if not, a new entry is created from the domain, company size, country, and industry.

3. Passive and Active Enumeration: Once the company is set:

  • The system begins querying a wide variety of deepweb and darknet sources.
  • Leaks are extracted using domain-matching logic, email correlation, infrastructure enumeration, and search engines like Shodan/ZoomEye.
  • Several technical risk metrics are evaluated (see Risk Metrics JSON).

4. Asynchronous Scoring Engine: Once data collection is triggered:

  • The backend asynchronously processes terabytes of threat intelligence, leak archives, and infrastructure metadata.
  • Each of the 9+ defined risk metrics (e.g. leak volume vs size, password strength, sensitive subdomains, exposed ports) is scored independently.
  • These component scores are then weighted and normalized into a composite risk score.

5. Polling & Final Report: The script polls the API endpoint every hour until all component scores are marked as complete. ⚠️ Note: Because of the heavy backend workload and scan complexity, generating the complete risk score can take up to 48 hours.

Once ready, the full report is downloaded as a JSON or text file.
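As an added example (not the page's sample script and not the LeakCenter API itself), here is a Python client that walks the five steps above against an in-memory stand-in for the API, so it runs offline. The endpoint paths, JSON field names, demo credentials, the per-metric sample scores and the weights are all assumptions made for illustration; only the hourly polling interval and the 48-hour ceiling come from the text. The fake API completes one component per poll, and can be told to leave a component stuck so the time-out path of the polling loop is exercised.

```python
"""Added example of the five-step scoring pipeline described above. Endpoint
paths, field names, credentials, scores and weights are assumptions made for
illustration; they are not the real LeakCenter API or its weighting."""
import time

POLL_INTERVAL = 3600   # the page's sample script polls hourly
MAX_WAIT = 48 * 3600   # the page says a full score can take up to 48 hours

# Constructed sample data: four of the page's named metrics, scored 0-100.
SAMPLE_SCORES = {"leak_volume_vs_size": 80, "password_strength": 40,
                 "sensitive_subdomains": 60, "exposed_ports": 20}
SAMPLE_WEIGHTS = {"leak_volume_vs_size": 3, "password_strength": 2,
                  "sensitive_subdomains": 2, "exposed_ports": 1}


class FakeApi:
    """Offline stand-in for the HTTP API (assumed shape). Each GET on a job marks
    one more component complete; metrics listed in `stuck` never finish."""

    def __init__(self, metric_scores, stuck=()):
        self.metric_scores = dict(metric_scores)
        self.stuck = set(stuck)
        self.companies, self.jobs = {}, {}

    def request(self, method, path, token=None, body=None):
        body = body or {}
        if path == "/auth/login":
            if body.get("key") == "demo" and body.get("secret") == "demo-secret":
                return {"token": "tok-demo"}
            raise PermissionError("bad credentials")
        if token != "tok-demo":
            raise PermissionError("missing or invalid token")
        if path == "/companies" and method == "GET":
            return {"companies": [c for c in self.companies.values()
                                  if c["domain"] == body.get("domain")]}
        if path == "/companies" and method == "POST":
            cid = f"c{len(self.companies) + 1}"
            self.companies[cid] = {"id": cid, **body}
            return self.companies[cid]
        if path.endswith("/scan") and method == "POST":
            jid = f"j{len(self.jobs) + 1}"
            self.jobs[jid] = {m: False for m in self.metric_scores}  # complete?
            return {"job_id": jid}
        if path.startswith("/jobs/") and method == "GET":
            job = self.jobs[path.split("/")[2]]
            pending = [m for m, done in job.items() if not done and m not in self.stuck]
            if pending:
                job[pending[0]] = True
            return {"components": {
                m: {"complete": done, "score": self.metric_scores[m] if done else None}
                for m, done in job.items()}}
        raise ValueError(f"unexpected {method} {path}")


def authenticate(api, key, secret):
    """Step 1: exchange API credentials for the token used by every later call."""
    token = api.request("POST", "/auth/login", body={"key": key, "secret": secret}).get("token")
    if not token:
        raise RuntimeError("login response carried no token")
    return token


def get_or_create_company(api, token, domain, size, country, industry):
    """Step 2: reuse the entry already registered for the domain, else create one."""
    found = api.request("GET", "/companies", token, {"domain": domain})["companies"]
    if found:
        return found[0]["id"]
    return api.request("POST", "/companies", token, {"domain": domain, "size": size,
                       "country": country, "industry": industry})["id"]


def start_scan(api, token, company_id):
    """Steps 3-4: trigger enumeration and the asynchronous scoring job."""
    return api.request("POST", f"/companies/{company_id}/scan", token)["job_id"]


def wait_for_report(api, token, job_id, poll_interval=POLL_INTERVAL, max_wait=MAX_WAIT,
                    sleep=time.sleep, clock=time.monotonic):
    """Step 5: poll until every component is complete, or fail after max_wait
    naming the components still pending, so a stuck scan cannot hang the caller."""
    deadline = clock() + max_wait
    while True:
        components = api.request("GET", f"/jobs/{job_id}", token)["components"]
        if all(c["complete"] for c in components.values()):
            return components
        if clock() >= deadline:
            pending = sorted(m for m, c in components.items() if not c["complete"])
            raise TimeoutError(f"job {job_id} still pending after {max_wait}s: {pending}")
        sleep(poll_interval)


def composite_score(components, weights):
    """Weighted average of the 0-100 component scores, normalised by the weight
    sum so the composite stays on the 0-100 scale (illustrative weights only)."""
    total = sum(weights.values())
    return round(sum(components[m]["score"] * w for m, w in weights.items()) / total, 1)


def run_pipeline(api, domain, weights=SAMPLE_WEIGHTS, **wait_kwargs):
    """Steps 1-5 end to end; returns the company id, the components and the composite."""
    token = authenticate(api, "demo", "demo-secret")
    company_id = get_or_create_company(api, token, domain, "51-200", "CH", "fintech")
    components = wait_for_report(api, token, start_scan(api, token, company_id), **wait_kwargs)
    return {"company_id": company_id, "components": components,
            "composite": composite_score(components, weights)}
```

Two design points worth carrying into a real client: the polling loop checks a deadline on every pass and names the components still pending when it gives up, which is what you want when a 48-hour job silently stalls; and company lookup runs before registration, so re-running the script for the same domain reuses the existing entry instead of creating duplicates. `run_pipeline` accepts a `sleep` and `clock` so the hourly wait can be simulated; with the real API you would pass neither and let it sleep for real.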

darknet_and_deepweb_risk_score.txt · Last modified: 2025/04/14 11:28 by kaduuwikiadmin