What actually ends up on the dark web

The dark web isn't a single place. It's a collection of marketplaces, forums, and private channels — mostly accessible via Tor — where stolen data is bought, sold, and traded. The goods are more mundane than most people imagine: not missile codes, just the credentials and contact data of ordinary businesses and their customers.

Here is what UK businesses most commonly have exposed:

Credentials (most common)

Email address and password combinations, often from third-party breaches. Staff reuse passwords across personal and work accounts. That's the attack surface.

Business email accounts (high value)

Compromised Office 365 or Google Workspace mailboxes sell for more than consumer accounts. They're used for invoice fraud and supplier impersonation — BEC attacks.

Customer records (aggregated over time)

Names, addresses, email addresses, sometimes policy or account numbers. Often not the result of a direct attack on your business — leaked by a supplier or CRM platform you use.

Payment card data (immediate cash value)

Card numbers, CVVs, and billing details. Skimmed from checkout pages, POS systems, or card-not-present environments. Time-sensitive — cards get cancelled.

The route from your business to a dark web listing usually involves one of three things: a phishing email that captures credentials, malware that exfiltrates data silently over weeks, or a breach at a third party that held your data. In all three cases, you find out after it has happened — unless you have controls that prevent it happening in the first place.

What dark web monitoring actually does

Dark web monitoring services scan known breach databases, paste sites, Tor forums, and marketplace listings for data matching your organisation — typically your email domains, known credentials, and sometimes card number ranges.

When they find a match, they send an alert.

That is genuinely useful. An alert that your CFO's email and password have been listed on a marketplace is better than not knowing. But it is important to be clear about what the alert means:

What monitoring tells you

Reactive intelligence

  • Your data has already been stolen
  • It has already been processed and listed
  • It may have already been purchased and used
  • You should change the compromised credentials now
  • You may have a notification obligation under UK GDPR

What monitoring cannot tell you

What it doesn't do

  • How the data was taken from you
  • Whether the attacker still has access
  • Whether other data was taken that hasn't surfaced yet
  • Anything about data sold in private channels that aren't indexed
  • How to stop it happening again

Dark web monitoring tools don't have full coverage. Private Telegram channels, closed forums, and direct broker-to-buyer sales are not indexed. A significant proportion of stolen data never appears in the places monitoring tools can see. An alert is signal. Silence is not a guarantee.

The controls that stop data leaving

Prevention is not a product you buy. It's a set of controls that, when in place, make it significantly harder for credentials to be stolen, for malware to persist undetected, and for an attacker to move data off your systems. The NCSC's Cyber Essentials framework covers the core five — and together they address the majority of the attack vectors that result in dark web exposure.

Email authentication — SPF, DKIM, DMARC

The vast majority of credentials end up on the dark web because someone clicked a convincing phishing email. Email authentication makes it significantly harder to spoof your domain and send phishing that looks like it came from you. It also tells you when others are abusing your domain. Our Cyber Vitals scan checks SPF, DKIM, and DMARC configuration for free — across your domain and subdomains.

Multi-factor authentication on everything external

If a credential is stolen and MFA is in place, the credential alone isn't enough to get in. MFA on email, VPN, remote desktop, and cloud services is the single highest-return control for preventing account takeover. This is a mandatory requirement for Cyber Essentials v3.3 on all cloud and remote access services.

Patching and software updates

Malware that exfiltrates data to dark web buyers almost always enters through an unpatched vulnerability. Applying security patches within 14 days is a Cyber Essentials requirement — and it closes the doors that most opportunistic attackers rely on. See also: what happens when malware gets in via phishing.

Access control and least privilege

If an attacker compromises a standard user account, they should not be able to reach your customer database, your finance system, and your email archive simultaneously. Limiting access to what each role actually needs limits what can be exfiltrated if that account is taken over.

Endpoint protection and malware defences

Infostealer malware — the type that quietly harvests credentials and sends them to a C2 server — can persist undetected for months. Maintained endpoint protection with behavioural detection catches it before the harvest is complete. This is not the same as a free antivirus subscription.

These five controls don't just reduce your dark web exposure. They reduce your insurance premium, support your risk assessment posture, and are the requirements you need to meet for Cyber Essentials certification. They address the same attack surface that dark web monitoring observes after the fact.

Cyber Vitals Pulse — the proactive alternative

Monitoring watches the dark web. Cyber Vitals watches your attack surface — the parts of your domain and email infrastructure that are visible to attackers before they even try to get in.

GET-IT Tool

Cyber Vitals — Passive domain and email security scanning

Cyber Vitals runs scheduled passive scans of your domain: SPF, DKIM, DMARC, DNSSEC, SSL certificate validity, open port exposure, and breach intel against your email domain. It surfaces configuration weaknesses that make phishing easier and credentials more vulnerable — before anyone acts on them. No agents, no network access required. Results in minutes.

The Cyber Vitals Pulse plan runs quarterly scheduled scans and notifies you when something changes. It's not monitoring the dark web. It's monitoring the conditions that send data there.

ORA — start with a structured picture of your risk

Before you decide what monitoring or preventative tools to invest in, it helps to know where your actual exposure sits. Our Operational Risk Assessment takes about 15 minutes and covers 30 control areas aligned to Cyber Essentials v3.3 — including email authentication, MFA coverage, patching posture, access control, and endpoint protection.

GET-IT Tool

Operational Risk Assessment (ORA)

ORA gives you a plain-English risk report against the controls most likely to result in data ending up somewhere you don't want it. It flags the gaps, prioritises by exposure, and maps to Cyber Essentials requirements. You get a PDF report and a structured action plan — not a sales pitch.

The honest close

We can provide dark web monitoring. It's available through our reseller account at commercial rates, and for some organisations — particularly those in regulated sectors, or those that have already had an incident — it makes sense as one layer of a broader security stack.

Our honest recommendation

If you don't yet have email authentication configured, MFA on all external access, a patching policy in place, and endpoint protection that's actually managed — spend that budget there first. Those controls help to stop the data leaving. Monitoring tells you it's already gone.

Once the preventative controls are in place, monitoring makes more sense as an additional signal layer. Not before.

If you'd like to talk through where your business currently sits, book a free 30-minute consultation. No pitch, no pressure — just an honest assessment of what would actually make a difference for your organisation.