See a Real Query
Here’s a stealer log query on a real customer domain. Email and password are sanitized; the SSO context is what it actually returned.
> Any stealer hits on tesla.com from the last 90 days?
Found 1 fresh hit on tesla.com:
[employee]@tesla.com [redacted]
Source: RedLine stealer log
Captured: 2026-04-28
Device: Windows 10, Chrome 124
Used to sign into:
- login.microsoftonline.com (Tesla M365 tenant: tesla.onmicrosoft.com)
- vpn.tesla.com
- workday.tesla.com
The Microsoft 365 entry is the riskiest. Same credential gives
SSO across the Tesla M365 tenant covering email and SharePoint.
Worth checking next:
- /sessions for live cookies tied to this email
- The full RedLine log to see what else this device leaked
Want me to run the session check?
One question, one interpreted answer, and a follow-up that Claude offers because it makes sense given the hit.
What You Can Ask
These all work the way you’d write them in Slack:
- “Show me stealer logs for acme.com from the last 30 days.”
- “Any live session tokens for our domain right now?”
- “What’s on ransomware leak sites for acme.com or its subsidiaries?”
- “Find leaked AWS keys associated with acme.com.”
- “Search leaked documents for any mention of Project Falcon.”
- “Show me phishing domains that could impersonate acme.com.”
- “Any combo-list hits on the admin@ accounts at acme.com?”
- “Add acme.com to my watchlist and send alerts to security@acme.com.”
Claude routes to the right endpoint. You don’t need to know which one.
Endpoint Coverage
All 10 Breachsense endpoints are loaded as part of the skill.
| Endpoint | What it covers |
|---|---|
| /stealer | Infostealer credentials from RedLine, Lumma, StealC, and similar families |
| /combo | Combo lists circulating on hacker forums |
| /creds | Third-party breach credentials and unsecured database dumps |
| /sessions | Session cookies and auth tokens that bypass MFA |
| /nhi | Non-human identities: API keys, OAuth tokens, service credentials |
| /darkweb | Ransomware leak site victim listings |
| /radar | Hacker forums and underground marketplaces where credentials get sold |
| /docs | Full-text search across leaked ransomware files, third-party breaches, and unsecured DB dumps |
| /asm | Attack surface: subdomains, exposed services, phishing domains |
| /account | Watchlist setup, webhook alerts, test alerts, license rotation |
Same coverage as the Breachsense API. The plugin is a different way to call it, not a subset. If you’d rather call the API directly from scripts or your SIEM, the API workflows page has integration patterns.
License Key Setup
The plugin checks two places, in order. Pick whichever fits your setup.
Option 1: Environment variable. Recommended.
```bash
echo 'export BREACHSENSE_API_KEY=your-license-key-here' >> ~/.zshrc
source ~/.zshrc
```
Restart your Claude Code session after setting it. Claude Code reads the environment at startup, so a running session won’t pick up the new value.
Option 2: Memory file. Use this if you’d rather not touch your shell config.
```bash
mkdir -p ~/.claude/breachsense
echo 'your-license-key-here' > ~/.claude/breachsense/license.md
chmod 600 ~/.claude/breachsense/license.md
```
The file mode keeps the key readable only by you.
If neither is set, the skill loads but every query returns an auth error. Set the key once and you’re done.
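A quick way to confirm the key is resolvable before opening a session is to reproduce the lookup order yourself. The shell function below is an added example, not the plugin's own code: it checks `BREACHSENSE_API_KEY` first, then falls back to `~/.claude/breachsense/license.md`, and additionally refuses a key file that group or other users can read, so a forgotten `chmod 600` is caught instead of silently leaking the license. The `BREACHSENSE_KEY_FILE` override variable is an assumption introduced here for testing; the plugin itself only documents the fixed path.

```shell
# Added example: mirrors the documented lookup order (env var, then memory
# file). Not part of the Breachsense plugin; BREACHSENSE_KEY_FILE is a
# hypothetical override used so the function can be tested against a temp file.
BREACHSENSE_KEY_FILE="${BREACHSENSE_KEY_FILE:-$HOME/.claude/breachsense/license.md}"

resolve_breachsense_key() {
    # 1. A non-empty environment variable wins outright.
    if [ -n "${BREACHSENSE_API_KEY:-}" ]; then
        printf '%s\n' "$BREACHSENSE_API_KEY"
        return 0
    fi

    # 2. Fall back to the memory file.
    if [ ! -r "$BREACHSENSE_KEY_FILE" ]; then
        echo "no BREACHSENSE_API_KEY set and no readable $BREACHSENSE_KEY_FILE" >&2
        return 1
    fi

    # Refuse a key file readable by group or others; the setup expects 600.
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$BREACHSENSE_KEY_FILE" 2>/dev/null || stat -f '%Lp' "$BREACHSENSE_KEY_FILE")
    case "$mode" in
        600|400) ;;
        *)
            echo "$BREACHSENSE_KEY_FILE has mode $mode; run chmod 600 on it" >&2
            return 2
            ;;
    esac

    # Take the first non-blank line, trimmed of surrounding whitespace.
    key=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}
        line=${line%"${line##*[![:space:]]}"}
        if [ -n "$line" ]; then
            key=$line
            break
        fi
    done < "$BREACHSENSE_KEY_FILE"

    if [ -z "$key" ]; then
        echo "$BREACHSENSE_KEY_FILE contains no key" >&2
        return 1
    fi
    printf '%s\n' "$key"
}

# Usage: key=$(resolve_breachsense_key) || exit 1
```

Run it once after setup; a non-zero exit with the printed reason tells you which of the two places is misconfigured, rather than discovering it as an auth error on the first query.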