What is a Dark Web Scan?
Learn what a dark web scan finds and what to do when your company’s data shows up.
• A dark web scan searches criminal markets and stealer logs for your company’s exposed credentials. A one-time scan shows you what’s already out there. Continuous monitoring catches new exposures as they appear.
• Free scans give you a snapshot but miss stealer logs, session tokens, and hacker forum data. If you’re evaluating your exposure for the first time, a free scan is a reasonable starting point. For ongoing protection, you need continuous monitoring.
• What matters most isn’t finding the data. It’s what you do next. Reset compromised passwords immediately. Invalidate stolen session tokens. Investigate any endpoints that appear in stealer logs since the device is probably still infected.
• One-time scans and continuous monitoring serve different purposes. Scans answer “are we exposed right now?” Monitoring answers “will we know the next time we’re exposed?” Most security teams need both.
Your employees’ credentials are probably on the dark web right now. The question is whether you know which ones and how recently they were stolen.
A dark web scan answers the first question. It searches criminal markets for your company’s exposed data and tells you what’s already circulating.
Credentials get stolen every day through infostealer malware and third-party breaches. Whether a one-time scan is enough or you need continuous monitoring depends on your team size and risk tolerance.
This guide covers what dark web scans find, how they work, when a free scan is enough, and when you need continuous monitoring instead.
What Is a Dark Web Scan?
A dark web scan searches criminal marketplaces and breach databases for credentials belonging to your company. You give it your domain, and it tells you which employee accounts are exposed.
More precisely, a dark web scan is a search across criminal data sources for credentials matching your company’s domains. It checks breach compilations, stealer logs, and hacker forums for exposed passwords, email addresses, and session tokens. Results show what’s already circulating, where it came from, and ideally when it first appeared.
Think of it as a health check for your credential exposure. You might discover that 50 employee passwords from a third-party breach two years ago are still floating around. Or that fresh credentials from an infostealer infection last week just appeared on a criminal market.
The scan itself doesn’t fix anything. It shows you what’s exposed so you can act on it.
How Does a Dark Web Scan Work?
The process is straightforward: you provide your company domain, and the scanner searches its data sources for matches. Here is what it searches and how matching works.
What It Searches
Good scanners check multiple source types:
Breach compilations contain credentials from past data breaches. When a service your employees used gets hacked, those credentials end up in compilations that circulate for years.
Stealer logs contain credentials extracted from infected devices by infostealer malware. These are the freshest and most dangerous because they include recently stolen passwords and active session tokens.
Hacker forums and criminal marketplaces are where stolen data gets sold. Initial access brokers advertise corporate network access. Credential dumps get posted for sale or shared freely.
Ransomware leak sites publish stolen files when victims refuse to pay. Enterprise scanners search these file dumps for your company name or employee data.
Unsecured databases like misconfigured Elasticsearch or MongoDB instances sometimes expose credentials publicly. Scanners that check these catch exposures before they reach criminal markets.
How Matching Works
The scanner compares your domain against its database. If you submit “yourcompany.com,” it returns every credential associated with that domain, including subdomains: email addresses and passwords. Passwords are often in plaintext, either because the source (such as a stealer log) captured them that way or because leaked hashes have since been cracked.
Most scanners show the source (which breach or stealer log the data came from). Better ones also show when the data first appeared, so you can tell whether a credential was stolen last week or leaked two years ago.
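The matching step above is worth seeing in code, because the details matter: matching must be case-insensitive, must include subdomains such as mail.yourcompany.com, and must not match look-alike domains such as yourcompany.com.evil.net or notyourcompany.com. The following is an added example written for this guide, not a vendor’s scanner; the dump format (source|first_seen|email:password) and every record in it are constructed for illustration.

```python
"""Match a domain against a constructed credential dump (added example).

Real scanners run this over billions of records; the logic below shows
the matching rules a practitioner should expect: case-insensitive,
subdomains included, look-alike domains excluded, malformed lines skipped.
All records here are constructed sample data, not real leaked data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Constructed sample: one record per line, "source|first_seen|email:password".
# The passwords are placeholders invented for this example.
SAMPLE_DUMP = """\
breach:collection-1|2019-01-17|alice@yourcompany.com:Summer2018!
breach:collection-1|2019-01-17|bob@YourCompany.COM:hunter2
stealer:redline|2025-03-02|carol@mail.yourcompany.com:Passw0rd-vpn
breach:saas-leak|2023-06-11|dave@yourcompany.com.evil.net:decoy
breach:saas-leak|2023-06-11|erin@notyourcompany.com:decoy
stealer:lumma|2025-03-04|frank@othercorp.example:irrelevant
garbage line without separators
"""

EMAIL_RE = re.compile(r"^[^@\s:]+@([A-Za-z0-9.-]+)$")


@dataclass(frozen=True)
class Hit:
    email: str
    password: str
    source: str
    first_seen: date

    @property
    def source_type(self) -> str:
        # "breach:collection-1" -> "breach"; "stealer:redline" -> "stealer"
        return self.source.split(":", 1)[0]


def domain_matches(email: str, domain: str) -> bool:
    """True if the email's domain is `domain` or a subdomain of it."""
    m = EMAIL_RE.match(email.strip())
    if not m:
        return False
    host = m.group(1).lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    # "notyourcompany.com" ends with "yourcompany.com" but not ".yourcompany.com"
    return host == domain or host.endswith("." + domain)


def parse_line(line: str) -> tuple[str, date, str, str] | None:
    """Split one dump line; return None for malformed lines instead of raising."""
    try:
        source, seen, cred = line.split("|", 2)
        email, password = cred.split(":", 1)  # passwords may themselves contain ':'
        return source, date.fromisoformat(seen), email, password
    except ValueError:
        return None


def scan_dump(dump: str, domain: str) -> list[Hit]:
    """Return every credential in the dump that belongs to `domain`, freshest first."""
    hits = []
    for raw in dump.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        source, seen, email, password = parsed
        if domain_matches(email, domain):
            hits.append(Hit(email.strip().lower(), password, source, seen))
    # Freshest exposures first, as the better scanners described above do.
    return sorted(hits, key=lambda h: h.first_seen, reverse=True)


if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP, "yourcompany.com"):
        print(f"{hit.first_seen} {hit.source_type:8} {hit.email}")
```

Run against the sample, the scan returns three hits for yourcompany.com (carol’s stealer-log record first, then the two 2019 breach records) and rejects both look-alike domains. When evaluating a real scanner, ask whether it applies the same rules; a tool that matches on substring alone will flood you with other organizations’ credentials.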
What Can a Dark Web Scan Find?
For businesses, dark web scans typically surface:
Employee credentials from third-party breaches. Your employees use their work email to sign up for SaaS tools and online services. When those services get breached, the credentials leak.
Stolen passwords from infostealer infections. When an employee’s device gets infected, the malware extracts every saved password from the browser’s credential store. Any corporate VPN or SSO passwords saved there get harvested along with everything else.
Session tokens that bypass MFA. Infostealers don’t just steal passwords. They capture active session cookies. An attacker who replays a stolen session token can access the employee’s accounts without ever entering a password or triggering MFA.
Vendor exposure. Your vendors’ employee credentials appearing in stealer logs can signal supply chain risk. The Verizon 2025 DBIR found third-party involvement in breaches doubled to 30%. If your vendors’ employees are compromised, your data may be at risk through that connection.
Data from ransomware leaks. When ransomware groups publish stolen files, your company’s data may appear in a vendor’s dump. Enterprise scan tools can search these leaked file dumps by company name or employee name, finding your data inside someone else’s breach.
Exposed databases. Misconfigured Elasticsearch and MongoDB instances sometimes expose credentials or internal data to the internet. Scans that check for your domains in these unsecured databases catch exposures that aren’t on criminal markets yet but are publicly accessible to anyone who looks.
Should You Use a Free Dark Web Scan or Continuous Monitoring?
Free dark web scans and continuous monitoring serve different purposes. Monitoring is the continuous version of a scan: instead of checking once, a monitoring service alerts you whenever new credentials matching your domains appear on criminal markets, so exposures are caught as they happen rather than after the fact. Understanding the difference helps you pick the right tool.
When a Free Scan Is Enough
A free dark web scan gives you a snapshot of your current exposure. It’s useful when you want to assess how exposed your company is before investing in monitoring. It answers the question: “How bad is it right now?”
Free scans typically search breach compilations and some public data sources. They generally won’t cover stealer logs or session tokens. But they’ll show you whether employee credentials from past breaches are still circulating.
When You Need Continuous Monitoring
Credentials get stolen every day. A scan from last month won’t catch an infostealer infection from this morning. Continuous dark web monitoring alerts you when new exposures appear, so you can reset passwords before attackers use them.
Monitoring makes sense when your company has more than a handful of employees, when you need to track vendor exposure, or when your security team wants automated alerting through API integration.
The Practical Approach
Start with a scan to see where you stand. If the results show active exposure, add continuous monitoring. Many teams use the initial scan results to justify the monitoring investment to leadership.
What Should You Do If a Dark Web Scan Finds Your Data?
Finding exposed credentials is only useful if you act on them. Here’s the response process for security teams.
For Credentials from Old Breaches
These are passwords leaked through third-party breaches, sometimes years ago. They’re lower priority but still need attention because employees reuse passwords.
- Force a password reset for affected accounts
- Check if the exposed password matches any current corporate passwords
- Flag affected users for security awareness training on password reuse
For Credentials from Stealer Logs
These are high priority. Stealer log credentials mean an employee’s device was infected with infostealer malware. The damage goes beyond a single leaked password.
- Reset the password immediately
- Invalidate all active sessions (password reset alone doesn’t kill existing sessions)
- Investigate the endpoint for active malware
- Check what other credentials the infostealer may have captured from that device
- Review authentication logs for signs the credentials were already exploited
For Exposed Session Tokens
Session tokens let attackers bypass login and MFA entirely. Treat these as the highest priority.
- Invalidate all sessions for the affected accounts
- Force re-authentication
- Check recent account activity for unauthorized access
- Investigate the source (usually an infostealer infection)
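The three response tracks above are easier to apply consistently if scan results are triaged mechanically before anyone starts resetting passwords: an account that appears in both an old breach and a stealer log should be handled once, at the higher priority, and every account captured from the same infected device should be reset together. The following is an added example written for this guide, not any scanner’s code; the Finding fields (source_type, first_seen, session_token, device) are an assumed export format, and the sample findings are constructed.

```python
"""Triage dark web scan findings into a per-account response plan (added example).

Priority follows the text above: exposed session tokens (P1) outrank
stealer-log passwords (P2), which outrank credentials from old breaches (P3).
Findings are constructed sample data; the field names are an assumption
about a scanner's export format, not any vendor's schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

P1_SESSION_TOKEN, P2_STEALER_LOG, P3_OLD_BREACH = 1, 2, 3


@dataclass(frozen=True)
class Finding:
    email: str
    source_type: str           # "breach" or "stealer_log"
    first_seen: date
    session_token: bool = False
    device: str | None = None  # stealer logs usually name the infected host


@dataclass
class AccountPlan:
    email: str
    priority: int
    reset_password: bool = True      # every track starts with a reset
    revoke_sessions: bool = False    # a reset alone does not end live sessions
    review_auth_logs: bool = False   # were the credentials already used?
    devices: set[str] = field(default_factory=set)  # endpoints to investigate
    newest: date | None = None


def priority(f: Finding) -> int:
    if f.session_token:
        return P1_SESSION_TOKEN
    if f.source_type == "stealer_log":
        return P2_STEALER_LOG
    return P3_OLD_BREACH


def build_plan(findings: list[Finding]) -> dict[str, AccountPlan]:
    """Collapse findings per account, keeping the most severe track."""
    plans: dict[str, AccountPlan] = {}
    for f in findings:
        plan = plans.setdefault(f.email, AccountPlan(f.email, P3_OLD_BREACH))
        prio = priority(f)
        plan.priority = min(plan.priority, prio)  # lower number = more urgent
        if prio in (P1_SESSION_TOKEN, P2_STEALER_LOG):
            plan.revoke_sessions = True
            plan.review_auth_logs = True
        if f.device:
            plan.devices.add(f.device)
        if plan.newest is None or f.first_seen > plan.newest:
            plan.newest = f.first_seen
    return plans


def ordered(plans: dict[str, AccountPlan]) -> list[AccountPlan]:
    """Work queue: most urgent track first, freshest exposure first within a track."""
    return sorted(plans.values(), key=lambda p: (p.priority, -p.newest.toordinal()))


def infected_devices(findings: list[Finding]) -> dict[str, list[str]]:
    """Group stealer-log findings by device so one infection is investigated once
    and every account it touched is reset together."""
    by_device: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.source_type == "stealer_log" and f.device:
            by_device[f.device].add(f.email)
    return {dev: sorted(emails) for dev, emails in by_device.items()}


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("alice@yourcompany.com", "breach", date(2019, 1, 17)),
    Finding("bob@yourcompany.com", "stealer_log", date(2025, 3, 2), device="LAPTOP-7F3A"),
    Finding("bob@yourcompany.com", "stealer_log", date(2025, 3, 2), session_token=True, device="LAPTOP-7F3A"),
    Finding("carol@yourcompany.com", "stealer_log", date(2025, 2, 20), device="LAPTOP-7F3A"),
    Finding("dave@yourcompany.com", "breach", date(2023, 6, 11)),
]

if __name__ == "__main__":
    for p in ordered(build_plan(SAMPLE_FINDINGS)):
        print(f"P{p.priority} {p.newest} {p.email} revoke_sessions={p.revoke_sessions} devices={sorted(p.devices)}")
    for dev, emails in infected_devices(SAMPLE_FINDINGS).items():
        print(f"{dev}: {', '.join(emails)}")
```

On the sample, bob is P1 (his stealer-log record with a session token wins over the plain password record), carol is P2, and the two breach-only accounts are P3 with the more recent leak first. The device grouping shows that bob’s and carol’s credentials came from the same host, so the endpoint investigation covers both accounts in one pass rather than being opened twice.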
How Do You Choose a Dark Web Scan Tool?
Not all dark web scan tools check the same sources or return the same depth of results.
Source coverage is the most important factor. Most tools now cover stealer logs and breach data. The real differentiator is whether they also index stolen session tokens, data leaked from ransomware attacks, and hacker forum activity. NIST’s cybersecurity guidelines recommend monitoring external threat sources as part of your detection strategy.
Data freshness matters. How recently was the data updated? Stealer log data should be hours or days old. Breach data is acceptable at weeks or months. If the tool can’t tell you when data was last updated, the data is probably stale.
Business vs consumer focus. Consumer scans (like those bundled with identity theft protection) check for personal data like SSNs and credit cards. Business scans check for corporate domain credentials and session tokens. Make sure the tool matches your use case.
Results context. Raw “yes, you’re exposed” isn’t enough. You need to know which accounts are affected, what type of data was exposed, and when it appeared. That context determines your response priority.
For a broader comparison of monitoring platforms, see our dark web monitoring guide.
Conclusion
A dark web scan tells you what’s already exposed. Continuous monitoring catches new exposures as they happen. Most security teams need both.
Start by scanning your exposure to see what’s already out there. If the results show active credential exposure, add continuous monitoring so you catch the next leak before attackers use it.
