Documentation menu

Docs

Domain Monitoring

Leaked credentials and dark-web mentions for your domain: what the findings mean and what to do about them.

Domain monitoring watches your domain in breach dumps, stealer logs and dark-web sources. When credentials tied to your domain show up somewhere they should not be, you get an alert.

Reading a finding

CategorySeverityWhat it means
employeescriticalCredentials on your own domain's mailboxes (staff accounts).
customershighCredentials of users who registered on your services with the monitored domain.
third_partiesmediumCredentials exposed through unrelated third-party sites.

There are two kinds of findings: credential leaks (actual leaked usernames/passwords, counted per category above) and dark-web mentions (posts or listings that reference your domain).

What to do when an alert arrives

  1. 1

    Acknowledge it

    Marks the finding as seen and stops reminder nudges.

  2. 2

    Reset the affected passwords

    Employee accounts first. They unlock the most. Enable two-factor authentication where you can.

  3. 3

    Resolve the alert

    Once handled, mark it resolved. (Alerts must be acknowledged before they can be resolved.)

Leaks are found in public and criminal data sets. An alert does not mean your server was hacked. It usually means someone reused a password on a site that got breached, or caught malware on their own device.

Compiled from the AegisWhite platform (build 6bffe04, module v1.7.3, 2026-07-14).