Introduction
HackNotice’s First Party Domain Monitoring provides continuous visibility into threats impacting your organization’s workforce, domains, and accounts. This service tracks your organization’s digital footprint across the dark web, leaked credential marketplaces, infostealer malware logs, and breach dumps—helping you identify compromised employees before attackers can weaponize their access.
With real-time monitoring, HackNotice detects when employee identities appear in:
Infostealer malware logs
Credential dumps
Breached or leaked third-party datasets
Dark web files containing sensitive personal or corporate information
By surfacing this intelligence early, security teams can rapidly intervene, reduce the risk of account takeover (ATO), and prevent phishing, fraud, and other identity-driven attacks. Customizable alerts and workflows help ensure teams are notified only when it matters, reducing noise and alert fatigue.
For a deeper look at how customers use this service operationally, review the First Party Use Case Playbook (link).
To learn how to build customizable alerting workflows to minimize false positives, review the Tiered Alerts - Customized Alerts & Workflows article (link).
Using the First Party Service
Below are the primary areas within the product where you will interact with your First Party monitoring: Timeline, Watchlist, and Dashboard.
Timeline (Business → First Party → Timeline)
The Timeline is your central view into all leaked records tied to your monitored domains.
How to Use the Timeline
Select the domain you want to review from the dropdown at the top.
If you monitor multiple domains, choose All to see a combined stream (“firehose”) of all alerts across all monitored domains.
Upon initial setup, HackNotice populates all historical records for your domain from our index.
As new exposures appear, they will surface at the top of the timeline and trigger an email or push notification based on your alert settings.
Downloading Alerts
Scroll to the bottom of the Timeline to download alerts as CSV.
Choose Download All or Download Last Thirty Days.
Note: Downloads only work per domain. Default CSV exports are disabled when All domains are selected, but you can still export the current page of results using the 'Excel' icon at the top right of the UI.
Understanding Timeline Fields
Each alert includes several key data points:
Event Date — The date HackNotice discovered the exposure on a dark web source. This is the ingestion date, not the date the breach originally occurred.
Severity — A calculated score indicating the risk and sensitivity of the leaked information. Higher severity records typically contain passwords, PII, or privileged identifiers.
Leak Name — The name of the file being trafficked on the dark web.
Exposed Information — The exact data found in the leaked file, displayed in plaintext as it exists in the source.
If the record contains a large amount of data, click into the alert to view all exposed information.
Timeline Filters & Sorting
Use the filter options at the top of the timeline to filter results by tag, tier, credentials only, infostealer credentials only, credential dump credentials only, password complexity, and/or date range/hours. You can also sort the timeline by Event Date (ingestion date) or Alert Date (the date HackNotice alerted you). The 'Redact Password' option redacts the middle characters in all displayed password values.
Check the 'Filters' box to view all available filters and sorting.
To save a set of applied filters, apply your filter and sort options, enter a name into the 'Search Name' box, and press 'Save Search'. You can access your Saved Searches at any time from the 'Saved Search' dropdown at the top right of the page.
Deep Dive Into an Alert
Clicking the Leak Name opens the detailed alert view, showing:
Email/user that triggered the alert
Leak and detection dates
File name and metadata
File description (when available)
Legend: All PII types identified by HackNotice’s machine learning
Exposed Information: All available PII and metadata, including IP addresses, addresses, phone numbers, reset answers, etc.
Hacker Threats: Identified risks based on the content of the exposure
You can share any alert securely—even with someone who does not have a HackNotice account—using the Share Alert feature (Share Alert Article Link).
Watchlist (Business → First Party → Watchlist)
The Watchlist provides a clean list of all domains your organization is currently monitoring.
How Customers Use the Watchlist
Quickly confirm whether a domain is included in monitoring
Search across large domain inventories (common for customers monitoring dozens or hundreds of domains)
Validate onboarding or off-boarding of domains
This section is typically used for administration rather than investigation.
Operational Dashboard (Business → First Party → Dashboard)
The First Party Operational Dashboard gives you a high-level view of leaked record trends tied to your domains. It is designed to help you:
Measure exposure trends over time
Identify sudden increases in leaked records (spikes)
Detect high-risk employees most vulnerable to ATO or social engineering
Prioritize remediation efforts based on real-world threat activity
To review the Visual First Party Dashboard (article link), navigate to Dashboards → First Party Dashboard.
The dashboard is composed of four sections:
1. First Party Domains with Alerts
Shows the number of unique leaked records tied to each monitored domain across several time ranges.
This helps you pinpoint domains experiencing elevated exposure or long-term risk.
Alerts to Leaked Record Spikes (Week Spike, Month Spike, Total Spike)
A Spike occurs when there is a sudden surge of leaked records associated with a domain.
Spikes are tracked historically (as of March 6, 2024).
They are based on a year-long study with a major cyber insurance underwriter.
The study found a strong correlation between leaked record spikes and breach claims occurring within the next 4–12 weeks.
Why it matters: A spike often signals increased threat-actor attention—a stage that aligns with the reconnaissance phase of the cyber kill chain.
2-4. Top Risk Emails — All Time / Last 12 Months / This Month
These sections surface users experiencing the highest exposure across three time windows.
For each user, you will see:
Their monitored domain
Their ranking based on leaked record count
The total number of unique leaked records tied to that user for the selected timeframe
Users with high exposure counts are at increased risk for targeted phishing, social engineering, and account takeover.
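The same two dashboard views (week spikes and top risk emails) can be approximated offline from a per-domain Timeline CSV download. The Python below is an added example, not HackNotice code and not the product's spike formula. The column names, the sample rows, and the rule "a week is a spike when its count is at least 3x the mean of the prior four weeks" are all assumptions.

```python
import csv, io
from collections import Counter
from datetime import date, timedelta

# Constructed sample of a single-domain export. Column names are assumptions,
# not the product's documented CSV schema; rename them to match your file.
SAMPLE_CSV = """event_date,email,leak_name
2024-03-05,alice@example.com,dump_a
2024-03-12,bob@example.com,dump_b
2024-03-20,alice@example.com,dump_c
2024-03-27,carol@example.com,dump_d
2024-04-01,bob@example.com,stealer_e
2024-04-02,alice@example.com,stealer_e
2024-04-02,alice@example.com,stealer_e
2024-04-02,carol@example.com,stealer_e
2024-04-03,dave@example.com,stealer_e
2024-04-04,alice@example.com,dump_f
2024-04-05,Alice@Example.com,dump_g
"""

def load_records(text):
    """Return unique (event_date, email, leak_name) records; emails lowercased."""
    rows = csv.DictReader(io.StringIO(text))
    return {(date.fromisoformat(r["event_date"]), r["email"].strip().lower(),
             r["leak_name"].strip()) for r in rows}

def weekly_counts(records):
    """Unique records per week, keyed by Monday, with empty weeks filled as 0."""
    counts = Counter(d - timedelta(days=d.weekday()) for d, _, _ in records)
    out, week = {}, min(counts, default=None)
    while week is not None and week <= max(counts):
        out[week] = counts.get(week, 0)
        week += timedelta(weeks=1)
    return out

def week_spikes(records, factor=3.0, window=4):
    """Flag weeks whose count is >= factor x the mean of the prior `window` weeks."""
    weeks = weekly_counts(records)
    keys, spikes = list(weeks), []
    for i in range(window, len(keys)):   # skip weeks without a full baseline
        baseline = max(sum(weeks[k] for k in keys[i - window:i]) / window, 1.0)
        if weeks[keys[i]] >= factor * baseline:
            spikes.append((keys[i], weeks[keys[i]]))
    return spikes

def top_risk_emails(records, n=3):
    """Rank users by unique leaked-record count (ties broken alphabetically)."""
    counts = Counter(email for _, email, _ in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

The baseline is floored at one record per week so that a domain with a near-empty history does not flag every small increase as a spike.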