C · 07 / Threat Intelligence & Dark Web

Know what your
adversaries know.
Before they use it.

Analyst-led intelligence across the dark web, open web, social graph, domain space, and your executives' digital footprint — validated before it ever becomes an alert, briefed weekly to the people who read briefs, and integrated end-to-end with our 24/7 SOC and our physical executive-protection detail. Intelligence is not a dashboard. It is a human making a judgment on your behalf.

Collection sources: 190+ persistent access
Validation gates: 4 per finding
Brief cadence: Weekly · Mondays 06:00 CT
Executive alert SLA: 1 hr · Intel Executive tier
Physical EP tie-in: Native · dual-capability
190+
Collection sources
Persistent analyst access across Tor hidden services, I2P, criminal Telegram channels, leak sites, paste sites, and brokerage forums.
3.2/mo
Validated alerts per client
Median for Intel Core subscribers — every finding passes four human-analyst gates before leaving the bay.
26hr
Typosquat takedown
Median time from detection to confirmed domain takedown for registrar-cooperative cases across 2025.
72hr
Post-leak auth watch
Continuous authentication-anomaly monitoring after any credential exposure — integrated with our SOC tenant.
01 / Collection Surface

Five surfaces,
one picture.

Adversaries live across the dark web, the open web, social platforms, the domain-name system, and — increasingly — the unguarded personal data footprint of your executives. We collect from all five, correlate findings against your specific asset list, and deliver a single synthesized picture rather than five disconnected dashboards.

SURFACE 01 · Dark Web

Underground forums, leak sites, markets

Persistent analyst access to vetted criminal forums, Tor hidden-service leak sites, ransomware-gang data portals, initial-access-broker listings, and closed-invite Telegram channels. Credential dumps, infostealer logs, corporate-network-access sales, insider-threat recruitment posts.

  • Credential leaks
  • Infostealer logs
  • IAB listings
  • Ransomware disclosures
  • Insider recruitment
SURFACE 02 · Open Web

Paste, code, search, public disclosure

Continuous scraping of paste sites, public code-repository exposure, search-index disclosure, regulatory breach filings, and litigation dockets naming your vendors or your sector. Open-source intelligence at the scale a human-plus-machine team can actually triage.

  • Paste monitoring
  • Public-repo leaks
  • SEC / state filings
  • Docket alerts
  • Press watch
SURFACE 03 · Social

Impersonation, influence, overshare

Monitoring for impersonation of your brand and named executives across Meta properties, LinkedIn, X, YouTube, TikTok, and Reddit. Also: overshare by the principals themselves — home photos with visible security equipment, itinerary disclosure, family identifiers, and lifestyle signals that inform social-engineering pretexts.

  • Fake profiles
  • CEO fraud precursors
  • Principal overshare
  • Mention sentiment
  • Doxxing indicators
SURFACE 04 · Domain Space

Typosquats, look-alikes, clones

Permutation-based typosquat detection for your corporate domains plus homoglyph, combo-squat, and subdomain-abuse detection. Clone-site fingerprinting against your real web properties. Newly-registered domains with your brand tokens flagged within hours of registration.

  • DNSTwist permutations
  • Homoglyph / IDN
  • Clone-site detection
  • Registrar telemetry
  • Certificate transparency
SURFACE 05 · Executive Exposure

OSINT on your principals

Continuous OSINT against the principal's identity — data-broker aggregator records, home and prior-home addresses, spouse and dependent identifiers, vehicle tags, neighbor records, doxxing-forum mentions, and swatting-risk indicators. Ties directly into the physical EP detail when one is in place.

  • Aggregator suppression
  • Family exposure
  • Doxxing-forum watch
  • Swatting indicators
  • Travel-pattern signals
02 / Collection Stack

The tools are
the floor.

Platform coverage is table stakes; what separates real intelligence from theater is what the analyst does with the output. We operate a blended stack — commercial, open-source, and bespoke collection — because no single vendor covers the full picture, and any vendor claiming to is selling you a dashboard.

Blended collection: Commercial + OSS + bespoke

Dark Web

Recorded Future · Flashpoint

Commercial dark-web collection and analyst-grade finished intelligence. Augmented with our own persistent-access accounts on vetted forums and leak sites.

Credentials

SpyCloud · HIBP Enterprise

Breach-data and infostealer-log coverage with re-crawled plaintext where legally obtainable. HaveIBeenPwned Enterprise supplements for breadth and historical coverage.

Domain

DNSTwist · DomainTools · PhishLabs

Permutation detection plus registration telemetry plus takedown operational muscle. Certificate transparency logs cross-referenced for clone-site fingerprinting.
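As a concrete illustration of the look-alike detection described under Surface 04 and in the Domain row above, here is an added Python example; it is not Shield of Steel's tooling and not DNSTwist. It classifies newly seen certificate-transparency entries against a client's brand domains as homoglyph, typosquat or combo-squat. The brand domains, the confusables subset and the CT entries are constructed for the example; a production watch would load the full Unicode confusables table and use the public-suffix list instead of the last-dot simplification here.

```python
import unicodedata

# Constructed sample: the brand domains on a client's enumerated asset list.
BRAND_DOMAINS = ["acme-bank.example", "acmebank.example"]

# Hand-written subset of look-alike substitutions (assumption: a production
# watch loads the full Unicode confusables table). Longest keys are applied
# first so glyph pairs such as "rn" -> "m" collapse before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def decode_idn(domain: str) -> str:
    """Return the Unicode form of a punycode (xn--) name as CT logs record it."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed: compare as-is


def skeleton(label: str) -> str:
    """What a human sees: accents stripped, lower-cased, confusables mapped."""
    decomposed = unicodedata.normalize("NFKD", label)
    plain = "".join(c for c in decomposed if unicodedata.category(c) != "Mn").lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        plain = plain.replace(src, CONFUSABLES[src])
    return plain


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one edit covers a dropped, added or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    # Simplification: everything before the last dot. Real code uses the public-suffix list.
    return domain.rsplit(".", 1)[0]


CHECKS = (
    ("homoglyph", lambda cand, brand: cand == brand),
    ("typosquat", lambda cand, brand: levenshtein(cand, brand) <= 1),
    ("combosquat", lambda cand, brand: brand.replace("-", "") in cand.replace("-", "")),
)


def classify(candidate: str, brands=BRAND_DOMAINS):
    """Return (kind, brand) when a newly seen domain imitates a brand, else None."""
    cand = decode_idn(candidate.lower().rstrip("."))
    if cand in brands:
        return None  # our own registration
    cand_skel = skeleton(registrable_label(cand))
    for kind, matches in CHECKS:  # most specific kind first
        for brand in brands:
            if matches(cand_skel, skeleton(registrable_label(brand))):
                return (kind, brand)
    return None


def triage(ct_entries):
    """Keep only the look-alikes, keyed by the domain exactly as it appeared in the log."""
    return {entry: hit for entry in ct_entries if (hit := classify(entry)) is not None}


# Constructed CT-log sightings; the IDN entry is generated in punycode the way CT shows it.
SAMPLE_CT_ENTRIES = [
    "acme-bank.example",                                     # our own certificate
    "acrne-bank.example",                                    # "rn" read as "m"
    "\u0430cmebank.example".encode("idna").decode("ascii"),  # Cyrillic a for Latin a
    "acmebnk.example",                                       # one dropped character
    "acmebank-login.example",                                # brand token plus a word
    "weather.example",                                       # unrelated
]

if __name__ == "__main__":
    for domain, (kind, brand) in triage(SAMPLE_CT_ENTRIES).items():
        print(f"{domain:40} {kind:12} imitates {brand}")
```

The checks run in order of specificity so an IDN homoglyph is reported as such rather than as a one-edit typo of a differently hyphenated brand; any hit should still go through the human validation gates before it becomes an alert.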

Brand + Social

ZeroFox · Constella · OSINT

Social-platform impersonation detection and principal-OSINT aggregation. Open-source tooling — Maltego, SpiderFoot, custom scrapers — for coverage the platforms miss.

Vendor Risk

BitSight · SecurityScorecard

External-attack-surface ratings for your critical third parties. Treated as one input among many — we do not defer to the rating when we have ground-truth dark web signal.

Geo-political

State Dept · Private Feeds

State Department OSAC, regional intelligence subscriptions, and analyst-curated open-source feeds for country-risk, travel, and physical-event context.

03 / Subscription Tiers

Three shapes.
Same analyst bay.

Every tier is operated by the same analyst team from the same Memphis bay, with the same validation discipline. What changes tier-to-tier is breadth of coverage, alert SLA, briefing cadence, and access to named analysts. Any tier can be upgraded mid-term without re-onboarding.

Tier 01

Intel Lite

From $2,400Per month · 12-mo term

Domain and credential monitoring for a single-brand organization that needs baseline coverage without a full intelligence program. Most common fit: a Tennessee or Mississippi mid-market operator with fewer than five hundred employees and a single corporate domain.

  • Coverage: One brand · up to 5 executive identities · core domain permutations
  • Cadence: Monthly written brief · ad-hoc critical alerts only
  • Alert SLA: 24 hours validated · during business hours
  • Analyst access: Quarterly review call · no named analyst
  • Takedown: Included for registrar-cooperative cases
Entry tier · SMB fit
Tier 03

Intel Executive

From $14,500Per month · 12-mo term

Full-spectrum plus geo-political, physical-event OSINT, and travel-threat briefings, with 24/7 named-analyst access, formal monthly board-ready reports, and native integration with our physical executive-protection detail. Fit: principals traveling internationally, public-facing executives, high-net-worth families, multinational operators.

  • Coverage: All surfaces · up to 30 identities · up to 100 third parties · geo + event
  • Cadence: Weekly brief · weekly analyst call · monthly board report · ad-hoc
  • Alert SLA: 1 hour validated · 24/7 · named-analyst call-back
  • Analyst access: Named analyst · named backup · direct line
  • Takedown: Priority · contested-case escalation included
  • Physical EP tie-in: Native · protective detail shared picture
  • Travel intel: Included · 72-hour lead-time briefings
Principal-grade · Dual-capability
04 / Analyst Process

Collection →
validation → action.

Every finding passes through the same five-stage analyst process before an alert ever reaches a client inbox. Stages two and three are the ones that separate usable intelligence from volume noise — and most platforms skip them entirely.

Stage 01 · Collection

Continuous ingestion across commercial feeds, bespoke collection, and persistent analyst-operated accounts on dark web forums and leak sites. Raw-signal stage — high volume, low selectivity.

Output: raw signal queue
Stage 02 · Validation

Four-gate human review: attribution (is it yours), freshness (current or stale), exploitability (can adversaries actually use it), context (what else is happening around it). Most signals die here.

Output: validated finding
Stage 03 · Enrichment

Cross-reference against historical context, adversary attribution, sector-peer activity, and your internal asset list. Analyst narrative written. Indicators normalized to STIX for machine ingestion.

Output: finished finding
Stage 04 · Briefing

Packaged into weekly or monthly brief, or escalated as ad-hoc alert based on severity. Executive summary in plain English, technical appendix for your detection engineers, containment checklist for your operators.

Output: client-ready brief
Stage 05 · Action

SOC case opened if integrated, takedown filed if applicable, physical-detail lead looped in if principal-adjacent, follow-up watch period started. We close the loop on findings rather than hand them off and move on.

Output: documented outcome
05 / Briefing Cadence

Scheduled by your
rhythm, not ours.

Briefing cadence is a feature, not a quirk. The executive who reads a Monday morning brief is a different person from the executive who receives an unscheduled Thursday alert. We match cadence to the moment and to the decision-maker who will act on it.

Deliverable | Intel Lite | Intel Core | Intel Executive
Weekly written brief | | Mondays · 06:00 CT | Mondays · 06:00 CT plus Thursday supplement
Monthly executive report | Board-friendly summary | Board-friendly summary | Formal board packet · 8–14 pg · signed
Live analyst call | Quarterly · scheduled | Monthly · scheduled | Weekly · scheduled plus ad-hoc on call
Ad-hoc critical alerts | 24 hr SLA · business-hour | 4 hr SLA · 24/7 | 1 hr SLA · 24/7 · named analyst call-back
Travel-threat briefing | Optional add-on | Optional add-on | Included · 72-hr lead
Geo-political brief | | Monthly regional | Weekly · country-level as needed
Vendor-risk appendix | | Monthly · up to 25 vendors | Monthly · up to 100 vendors
Physical-event OSINT | | On request | Included · protest / event monitoring
06 / Integration

Intelligence that
closes the loop.

Findings are only as useful as the action they enable. Our intelligence service is designed end-to-end with our 24/7 Managed SOC and our physical executive-protection detail, so a dark web hit can move from analyst validation to SOC containment — or to a protective-detail adjustment — without losing context in handoff.

Cyber · SOC Integration

Intelligence → SOC → containment

For Shield of Steel Managed SOC clients, validated indicators flow directly into your tenant — detection rulesets auto-updated, credential-leak findings trigger forced password rotation and MFA re-challenge, suspicious-domain hits become URL blocks across your proxy and email stack. For third-party SOCs, the same findings arrive through STIX/TAXII, MISP, webhook, or structured email — your choice.

  • STIX 2.1 IOC delivery
  • TAXII 2.1 feed
  • MISP sharing
  • Webhook to SIEM
  • Native tenant integration (SOS SOC)
  • 72-hour post-leak auth watch
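To show what "indicators normalized to STIX for machine ingestion" (Stage 03) and the STIX 2.1 IOC delivery listed above look like on the wire, here is an added Python example; it is not Shield of Steel's exporter. It builds the bundle as plain JSON so it runs without the stix2 library, carries the analyst narrative in the indicator's description so a third-party SOC is not re-triaging the work, and deliberately has no observable path for a leaked credential, matching the no-plaintext rule in the FAQ. The producer name and the two findings are constructed.

```python
import json
import uuid
from datetime import datetime, timezone

PRODUCER_NAME = "Example Intel Bay"  # assumption: name of the producing analyst team

# STIX Cyber-observable paths for the observable types we emit. A leaked
# credential is never emitted as a pattern: the rule is no plaintext.
OBSERVABLE_PATHS = {
    "domain": "domain-name:value",
    "url": "url:value",
    "ipv4": "ipv4-addr:value",
}

REQUIRED_INDICATOR_FIELDS = (
    "type", "spec_version", "id", "created", "modified",
    "pattern", "pattern_type", "valid_from",
)

FIXED_NOW = datetime(2026, 3, 3, tzinfo=timezone.utc)  # constructed delivery time


def stix_timestamp(dt: datetime) -> str:
    """RFC 3339 in UTC with millisecond precision and a 'Z' suffix, per STIX 2.1."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_literal(value: str) -> str:
    """Escape backslash and single quote for a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_identity(name: str, ts: str) -> dict:
    return {
        "type": "identity", "spec_version": "2.1", "id": f"identity--{uuid.uuid4()}",
        "created": ts, "modified": ts, "name": name, "identity_class": "organization",
    }


def make_indicator(finding: dict, producer_id: str, ts: str) -> dict:
    path = OBSERVABLE_PATHS[finding["observable_type"]]
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "created_by_ref": producer_id,
        "name": finding["title"],
        "description": finding["analyst_narrative"],   # the human context travels with the IOC
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{path} = '{stix_literal(finding['value'])}']",
        "pattern_type": "stix",
        "valid_from": stix_timestamp(finding["first_seen"]),
        "confidence": finding["confidence"],            # 0-100, set after the analyst gates
        "labels": [f"finding-id:{finding['finding_id']}"],
    }


def missing_fields(indicator: dict) -> list:
    return [f for f in REQUIRED_INDICATOR_FIELDS if f not in indicator]


def build_bundle(findings, now=None) -> dict:
    """One bundle per delivery: producer identity first, then one indicator per finding."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    producer = make_identity(PRODUCER_NAME, ts)
    indicators = [make_indicator(f, producer["id"], ts) for f in findings]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [producer, *indicators]}


def serialize(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


# Constructed findings (domain and URL are placeholders, not real sightings).
SAMPLE_FINDINGS = [
    {"finding_id": "F-0001", "observable_type": "domain", "value": "acme-bnk.example",
     "title": "Look-alike domain serving cloned portal login",
     "analyst_narrative": "Seen in CT log 6h after registration; clone fingerprint matches customer portal.",
     "first_seen": datetime(2026, 3, 2, 14, 5, tzinfo=timezone.utc), "confidence": 90},
    {"finding_id": "F-0002", "observable_type": "url", "value": "https://acme-bnk.example/portal/login",
     "title": "Credential-harvesting page on look-alike domain",
     "analyst_narrative": "Form posts to the same host; no captures observed.",
     "first_seen": datetime(2026, 3, 2, 14, 5, tzinfo=timezone.utc), "confidence": 85},
]

if __name__ == "__main__":
    print(serialize(build_bundle(SAMPLE_FINDINGS)))
```

The same bundle can be pushed to a TAXII 2.1 collection, imported into MISP, or posted to a SIEM webhook; the receiving side reads `pattern` for the block rule and `description` for the why.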
Managed SOC service
Physical · EP Integration

Intelligence → protective detail

For principals enrolled in our physical executive-protection program, the analyst bay and the detail share one picture. Digital doxxing indicators, swatting-forum chatter, and travel-pattern overshare reach the detail lead in real time. Conversely, surveillance patterns observed in the field trigger the analyst bay to run adversary attribution against open-source and dark web chatter.

  • Principal OSINT watch
  • Doxxing-forum monitoring
  • Swatting-risk escalation
  • Travel-pattern scrubbing
  • Protective advance alignment
  • Surveillance attribution
Executive Protection
07 / Anonymized Findings

The kind of
things we catch.

Names changed, dates rounded, details altered enough that no one could identify the client. The shape of the work, though, is the shape of the work — these are representative of what an average month looks like across our Core and Executive subscribers.

Finding 01 · Core · Q1 2026

VPN credentials surfaced on IAB forum

Initial-access-broker listing offering a Memphis regional healthcare network's SSL-VPN credentials for eighteen hundred dollars. Credentials traced to an infostealer infection on a contracted imaging-tech's personal laptop. Validated, forced rotation, tech off-boarded from VPN, watched for seventy-two hours. No intrusion observed.

Outcome · Access neutralized before sale closed
Finding 02 · Executive · Q4 2025

CEO doxxed on fringe political forum

Home address, vehicle tags, spouse employer, and school-district attendance zones for a principal's dependents posted on a fringe-politics doxxing thread after a regulatory filing. Physical EP detail notified within seventy-five minutes, residence posture elevated overnight, suppression requests filed with seven data-aggregators. Thread taken down at the forum-operator level within ten days.

Outcome · Physical posture adjusted · digital scrub completed
Finding 03 · Core · Q2 2026

Typosquat domain cloning login page

Homoglyph-swap typosquat of a Nashville financial-services client's corporate domain, hosting a pixel-perfect clone of the customer-portal login. Detected within six hours of registration via certificate-transparency log watch. Registrar abuse-report filed, Google Safe Browsing submission, Microsoft SmartScreen submission. Domain taken down at registrar in twenty-nine hours with zero known credential captures.

Outcome · Takedown before first credential capture
08 / Intel FAQ

Questions we hear
from serious buyers.

If your question isn't answered here, the lead analyst who would run your account will take the call directly — not a sales rep, not a gatekeeper. Dispatch routes you to the analyst bay within business hours or the 24/7 duty-analyst after hours.

Is dark web monitoring real, or is it theater?

Both are in the market, and the difference matters. The theater version is a keyword-scraper bolted to a few leak-site RSS feeds, returning raw hits no one triages — most of what it flags is stale, already-public, or belongs to a different organization entirely. You pay fifteen hundred dollars a month to receive an inbox of junk you archive without reading, and the vendor tells you this is "coverage."

Real dark web monitoring combines automated collection across Tor hidden services, I2P, Telegram criminal channels, dump-site forums, paste sites, and the open clearnet, with human analyst validation before any client sees an alert. Our operators maintain persistent access to a vetted set of intrusion-brokerage forums and ransomware leak sites, correlate hits against your enumerated asset list, strip duplicates, and escalate only confirmed findings.

The practical difference: our Intel Core clients typically see one to three validated alerts per month, not two hundred noise hits. Theater pays nothing. Real intelligence pays for itself the first time a credential leak surfaces before the adversary uses it.

What happens when you find my credentials leaked?

A named analyst validates the finding within the alert SLA for your tier — four hours for Intel Core, one hour for Intel Executive. Validation means confirming the credential belongs to your domain, determining the source breach or infostealer campaign, testing whether the plaintext password is currently valid without triggering your lockout policies, and timestamping how long the credential has been in criminal circulation.

You receive a written alert — source, breach context, affected identity, evidence excerpt, and a recommended containment checklist — routed to the escalation contact you named on contract. If you also run our 24/7 SOC, the analyst opens a case directly in your tenant, triggers a forced password rotation and MFA re-challenge through your identity provider, and watches for post-leak authentication anomalies for seventy-two hours. We do not post the credential in plaintext; evidence is delivered through encrypted channel with the affected portions redacted to the minimum necessary.
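The seventy-two-hour post-leak authentication watch, as an added Python example that is not Shield of Steel's SOC logic: it baselines the exposed account's sign-in geography from the thirty days before the leak alert and then flags, inside the watch window, successful sign-ins from geography outside that baseline and bursts of failures followed by a success. The log layout, every event and the thresholds are constructed assumptions for the example; a real watch reads the identity provider's sign-in export.

```python
from datetime import datetime, timedelta, timezone

WATCH_WINDOW = timedelta(hours=72)      # the post-leak watch period
BASELINE_WINDOW = timedelta(days=30)    # history used to learn "normal" for the account
BURST_FAILURES = 3                      # failures within BURST_SPAN that make a burst
BURST_SPAN = timedelta(minutes=10)

# Constructed identity-provider sign-in log (assumed field layout:
# "timestamp user outcome source_ip country"). Addresses are documentation ranges.
SAMPLE_LOG = """\
2026-02-10T13:02:11Z j.doe@acme-bank.example success 198.51.100.20 US
2026-02-18T08:41:50Z j.doe@acme-bank.example success 198.51.100.21 US
2026-02-25T17:05:03Z j.doe@acme-bank.example failure 198.51.100.20 US
2026-02-25T17:05:40Z j.doe@acme-bank.example success 198.51.100.20 US
2026-03-01T09:12:00Z j.doe@acme-bank.example success 198.51.100.22 US
2026-03-02T22:14:09Z j.doe@acme-bank.example failure 203.0.113.7 NL
2026-03-02T22:15:02Z j.doe@acme-bank.example failure 203.0.113.7 NL
2026-03-02T22:16:30Z j.doe@acme-bank.example failure 203.0.113.7 NL
2026-03-02T22:17:11Z j.doe@acme-bank.example success 203.0.113.7 NL
2026-03-03T11:00:00Z j.doe@acme-bank.example success 198.51.100.20 US
2026-03-07T10:00:00Z j.doe@acme-bank.example success 203.0.113.9 BR
"""
LEAK_TIME = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)  # when the credential alert fired


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user.lower(), "outcome": outcome, "ip": ip, "country": country,
        })
    return events


def post_leak_watch(events, user: str, leak_time: datetime) -> list:
    """Return (finding_kind, timestamp, ip, country) tuples for the exposed account."""
    mine = sorted((e for e in events if e["user"] == user.lower()), key=lambda e: e["ts"])
    # Baseline: countries this account successfully signed in from before the leak.
    baseline = {e["country"] for e in mine
                if e["outcome"] == "success" and leak_time - BASELINE_WINDOW <= e["ts"] < leak_time}
    window = [e for e in mine if leak_time <= e["ts"] <= leak_time + WATCH_WINDOW]

    findings, recent_failures = [], []
    for e in window:
        if e["outcome"] == "failure":
            recent_failures = [t for t in recent_failures + [e["ts"]] if e["ts"] - t <= BURST_SPAN]
            continue
        # A success inside the watch window: judge it against the baseline and recent failures.
        if e["country"] not in baseline:
            findings.append(("new-geography", e["ts"], e["ip"], e["country"]))
        if len(recent_failures) >= BURST_FAILURES and e["ts"] - recent_failures[0] <= BURST_SPAN:
            findings.append(("failure-burst-then-success", e["ts"], e["ip"], e["country"]))
        recent_failures = []
    return findings


if __name__ == "__main__":
    for kind, ts, ip, country in post_leak_watch(parse_log(SAMPLE_LOG), "j.doe@acme-bank.example", LEAK_TIME):
        print(f"{ts.isoformat()} {kind:28} {ip} {country}")
```

In the constructed log the Netherlands success on 2 March trips both rules, the in-baseline US sign-in the next day is silent, and the Brazil sign-in on 7 March falls outside the seventy-two-hour window and is left to normal SOC detection.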

How often do you brief executives?

Cadence matches the tier. Intel Lite clients receive a monthly written brief plus ad-hoc alerts on critical findings. Intel Core clients receive a weekly written brief on Monday morning and a monthly analyst call. Intel Executive clients receive a weekly written brief, a weekly live analyst call, a formal monthly executive report suitable for board packages, and 24/7 ad-hoc escalation through a named analyst.

Briefings can be scheduled around your board rhythm, your risk-committee cadence, or your quarterly earnings windows — whichever is load-bearing. We have clients who move their monthly call to the first Wednesday to land before their risk-committee read-out, and clients who prefer Thursday so they can action items into Friday change windows. The rhythm is yours. Travel-threat briefings, vendor-breach alerts, and physical-event OSINT are delivered out-of-band as events warrant.

Do you integrate with our SOC?

Yes, both our 24/7 Managed SOC and third-party SOCs. For Shield of Steel SOC clients, threat-intelligence findings flow directly into your case-management tenant; validated indicators are automatically ingested into detection rulesets, and containment actions run against your identity and endpoint estate without additional approvals.

For third-party SOCs, we deliver indicators through STIX/TAXII, MISP, a webhook into your SIEM, or a structured email to your detection-engineering alias — your choice at contract. Alerts carry the full analyst narrative plus machine-readable IOCs so your analysts are not re-triaging our work. We can also attend your weekly SOC sync as a standing participant at no additional cost for Core and Executive tiers.

Can you support travel threat intelligence for my executives?

Yes. Intel Executive subscribers request a travel brief with at least seventy-two hours lead time — we return a written packet covering the destination political climate, civil unrest indicators, regional cyber-operator activity, kidnap-for-ransom baseline, hostile-service SIGINT posture, airport and hotel-area crime patterns, medical-infrastructure notes, and communications-security recommendations.

For principals enrolled in our physical executive-protection program, the travel brief is shared with the protective detail lead so the digital threat picture and the physical advance align by default. The detail's pre-travel checklist is generated from the brief rather than alongside it. Short-notice briefs — under seventy-two hours — are supported with reduced depth and a flagged confidence downgrade, and we will not pretend to have finished intelligence we have not had time to finish.

What's the difference between threat intelligence and SIEM data?

SIEM data is about what is happening inside your environment right now — logs, authentications, process executions, network flows. Threat intelligence is about what adversaries are doing, thinking, or selling outside your environment — on criminal forums, leak sites, in their own infrastructure, against your peers.

The two are complementary. Intelligence tells your SOC what to look for and why it matters; SIEM data tells your SOC whether it is already happening. An organization running only SIEM is reactive by definition — it sees the adversary after entry. An organization running only intelligence has context but no visibility into execution. Mature programs run both and connect them; that is what our integrated intel-plus-SOC stack delivers, and it is the reason we designed the two services to share a tenant and a case-management spine.

Do you support vendor risk ratings like BitSight or SecurityScorecard?

Yes, and we treat rating platforms as one input, not the whole picture. Intel Core and Intel Executive subscribers provide a vendor list — up to twenty-five for Core, up to one hundred for Executive — and we monitor each vendor across public breach disclosure, dark web chatter naming them, domain-abuse activity, credential exposure belonging to their staff, and the BitSight or SecurityScorecard rating trend where the client has licensed access.

We do not rely on the rating alone, because rating platforms are backward-looking and slow to reflect active incidents. When a vendor is named in a ransomware leak site or an adversary forum, you hear from us before the rating platform updates — typically by days to weeks. A monthly vendor-risk appendix is included in the Core and Executive briefs, flagging rating movement plus any adjacent intelligence we have seen.

How do you validate a threat before you escalate to me?

Every finding passes through a four-gate validation sequence before it leaves our analyst bay. Gate one is attribution: does the indicator actually belong to your organization, your domain, your people? Gate two is freshness: is this a current exposure or a rerun of a 2021 breach already long remediated? Gate three is exploitability: would an adversary actually be able to use this against you given your current controls and identity posture? Gate four is context: what is the adjacent criminal activity, is there chatter about targeting your sector, what is the tactical significance?

Only findings that clear all four gates become client alerts. The rest are logged in our internal analyst notes and surfaced in the monthly brief as trend data, not as incidents. This is what keeps the signal-to-noise ratio in the range where executives actually read the briefs — and it is the single biggest difference between a platform and an analyst team.
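The four gates (Stage 02 above and this answer) as an added, executable Python example rather than anything from the analyst bay: each gate records a pass or fail with a reason, a finding that fails any gate is routed to the trend log instead of becoming an alert, and severity is only assigned to findings that clear all four. The client asset list, the identity-provider posture export and the raw signals are constructed; the 180-day freshness window and the severity rules are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed client profile (assumption: asset list plus an identity-provider
# export of per-account posture, which is what the gates need to answer).
CLIENT = {
    "domains": {"acme-bank.example", "acmebank.example"},
    "identities": {
        "j.doe@acme-bank.example": {
            "active": True, "mfa_enforced": False,
            "last_rotation": datetime(2025, 11, 1, tzinfo=timezone.utc)},
        "old.hire@acme-bank.example": {
            "active": True, "mfa_enforced": True,
            "last_rotation": datetime(2024, 6, 15, tzinfo=timezone.utc)},
    },
}
MAX_AGE = timedelta(days=180)  # exposures older than this are trend data, not incidents


@dataclass
class GateResult:
    gates: dict = field(default_factory=dict)  # gate name -> (passed, reason)
    severity: str = "none"

    @property
    def disposition(self) -> str:
        return "alert" if all(ok for ok, _ in self.gates.values()) else "trend-log"


def validate(finding: dict, client=CLIENT, now=None) -> GateResult:
    now = now or datetime.now(timezone.utc)
    result = GateResult()
    email = finding["email"].lower()
    domain = email.rsplit("@", 1)[-1]

    # Gate 1, attribution: is this ours? Anything else stops here.
    owned = domain in client["domains"]
    result.gates["attribution"] = (owned, f"{domain} on asset list: {owned}")
    if not owned:
        return result

    posture = client["identities"].get(email)
    # Gate 2, freshness: exposure must post-date the last rotation and be inside the window.
    rotated_since = posture is not None and posture["last_rotation"] > finding["observed"]
    too_old = now - finding["observed"] > MAX_AGE
    if rotated_since:
        reason = "credential rotated after exposure"
    elif too_old:
        reason = f"exposure older than {MAX_AGE.days} days"
    else:
        reason = "current"
    result.gates["freshness"] = (not (rotated_since or too_old), reason)

    # Gate 3, exploitability: a deprovisioned or unknown account is not a live foothold.
    active = posture is not None and posture["active"]
    result.gates["exploitability"] = (active, "active account" if active else "no active account")

    # Gate 4, context: the analyst must have written the adjacent-activity judgement.
    context = finding.get("analyst_context", "").strip()
    result.gates["context"] = (bool(context), context or "no analyst context recorded")

    if result.disposition == "alert":
        adjacent = finding.get("adjacent_signals", 0)
        if adjacent >= 2:
            result.severity = "critical"
        elif posture["mfa_enforced"]:
            result.severity = "medium"   # MFA blunts a bare password; rotation still due
        else:
            result.severity = "high"
    return result


def run_all(findings: dict, now=None) -> dict:
    return {name: validate(f, now=now) for name, f in findings.items()}


NOW = datetime(2026, 3, 3, tzinfo=timezone.utc)
# Constructed raw signals as they would land from the collection queue.
SAMPLE_FINDINGS = {
    "fresh-infostealer": {
        "email": "J.Doe@acme-bank.example",
        "observed": datetime(2026, 2, 27, tzinfo=timezone.utc),
        "source": "infostealer log batch (constructed)",
        "analyst_context": "Same batch names two sector peers; seller is an active IAB.",
        "adjacent_signals": 2},
    "recycled-2021-dump": {
        "email": "old.hire@acme-bank.example",
        "observed": datetime(2021, 5, 1, tzinfo=timezone.utc),
        "source": "combo list re-post (constructed)",
        "analyst_context": "Rerun of a remediated breach.",
        "adjacent_signals": 0},
    "not-ours": {
        "email": "someone@other-bank.example",
        "observed": datetime(2026, 3, 1, tzinfo=timezone.utc),
        "source": "leak-site crawl (constructed)"},
}

if __name__ == "__main__":
    for name, r in run_all(SAMPLE_FINDINGS, now=NOW).items():
        print(f"{name:20} -> {r.disposition:9} severity={r.severity} gates={r.gates}")
```

Gate 4 is the one that cannot be automated away: the code only checks that an analyst judgement is present and uses the adjacent-signal count to set severity; the judgement itself is the human part the page is describing.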

Can threat intelligence help with our physical executive protection?

It is one of the reasons we built the service. For principals enrolled in our physical EP program, our intelligence analysts run continuous OSINT against the principal's digital exposure — home-address aggregator leaks, family-member social-media overshare, doxxing-forum mentions, vehicle and travel-pattern disclosures, swatting-risk indicators. Findings are shared in real time with the protective detail lead, so the physical posture adapts to the digital threat picture.

The reverse also holds: when the detail observes a surveillance pattern or a threatening approach, the analyst bay runs adversary attribution against OSINT and any dark web chatter matching the principal's identifiers. This dual-channel picture — physical and cyber under one firm, one roster, one command — is genuinely rare in the market and is a direct benefit of how Shield of Steel is structured.

Do you take on takedown coordination for phishing domains and fake profiles?

Yes. Once we confirm a typosquat domain, a fake social profile impersonating an executive, or a clone of your corporate site being used for phishing, we coordinate takedown directly — filing registrar abuse reports, Google Safe Browsing and Microsoft SmartScreen submissions, Meta and LinkedIn impersonation reports, and escalations to specialized brand-protection registries where the registrar is uncooperative.

Median time from detection to successful takedown, across 2025, has been twenty-six hours for registrar-cooperative cases and five business days for contested cases. We share evidence and correspondence in the weekly brief so you see both the activity and the outcomes — and so the work does not become invisible to the executive who is paying for it.

Is this service useful for a company that only operates in Tennessee and Mississippi?

Yes, and the reason is that adversaries do not care about your operating geography. Ransomware crews, initial-access brokers, credential-stealer operators, and phishing-as-a-service vendors target US SMB and mid-market organizations indiscriminately. A Memphis manufacturer with one hundred employees and a single TN footprint can, and does, appear on the same dark web victim lists and intrusion-broker listings as multinationals. The only difference is whether anyone is looking.

Regional scope does reduce the need for some of the service — geo-political briefings and international travel intel are optional modules, not required ones — but credential monitoring, domain protection, brand protection, and executive OSINT apply identically to a single-state operator and a global one. Our book, today, is roughly seventy percent Tennessee and Mississippi clients.

09 / Next Step

Brief the room.
Before the room is briefed.

Tell us the organization, the exposure profile, and the executives who read the briefs. The analyst who would run your account will walk the intake in a seventy-five-minute call and return a scoped proposal — tier recommendation, coverage list, first-ninety-day plan — within five business days. No long-form RFP. No twelve-vendor bake-off.