A powerful new endpoint for performing advanced compromise intelligence queries using multiple filters, supporting large-scale threat investigations across employee and user data.
🔍 Description
The /advanced-search endpoint lets clients run fine-grained searches across potentially compromised domains using a wide range of filters. It is designed for advanced use cases such as enterprise threat monitoring, incident response, and intelligence aggregation.
📥 Request Body
The request body is a JSON payload; at least one filter is required. The following filters are available:
We’ve added a new optional field in the additional_fields array of our API:
📂 dir_tree
This field provides the full directory tree structure of a compromised machine, giving deep visibility into its file system layout.
Field name: "dir_tree"
Field type: string (enum value within additional_fields)
Description: Adds the complete directory tree of the compromised machine, which can help uncover sensitive file locations, misconfigurations, or other potential attack vectors.
What it does:
Retrieves and displays the directory hierarchy, including subdirectories and nested files.
Useful for spotting exposed configuration files, backup folders, logs, and other assets that could be leveraged in further attacks.
Added sensitive_applications Field to API (additional_fields)
We’ve added a new optional field in the additional_fields array of our API:
🔍 sensitive_applications
This field enriches external domain results with insight into potentially sensitive applications exposed within the compromised machine’s URL structure.
Field name: "sensitive_applications"
Field type: string (enum value within additional_fields)
Description: Adds detection of sensitive applications based on a predefined list of known high-risk web apps and services.
What it does:
Parses compromised URLs to identify references to sensitive applications (e.g. admin panels, security consoles, developer tools, cloud management platforms).
Flags presence of these apps to help prioritize remediation based on risk exposure.
Example response (redacted) showing the sensitive_applications field populated from the credential URL:

```json
{
  "_id": "67a08ccd465561f4625e840f",
  "stealer": "...",
  "stealer_family": "Lumma",
  "date_uploaded": "2025-02-03T09:30:52.468Z",
  "employeeAt": [
    {
      "..."
    }
  ],
  "clientAt": [
    {
      "..."
    }
  ],
  "date_compromised": "2025-01-25T12:03:26.000Z",
  "ip": "...",
  "computer_name": "...",
  "operating_system": "...",
  "malware_path": "...",
  "antiviruses": [
    {
      "..."
    }
  ],
  "credentials": [
    {
      "url": "https://sso.tesla.com/adfs/ls",
      "domain": "tesla.com",
      "username": "••••••••••,@tesla.com",
      "password": "••••••••••",
      "type": "employee",
      "password_strength": {
        "contains": [
          "lowercase",
          "symbol"
        ],
        "length": 10,
        "id": 1,
        "value": "Weak"
      }
    }
  ],
  "sensitive_applications": [
    {
      "name": "adfs",
      "description": "Active Directory Federation Services, a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries."
    },
    {
      "name": "sso",
      "description": "Single sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors."
    }
  ]
}
```
Added password_strength Field to API (additional_fields)
We’ve added support for a new optional field in the additional_fields array of our API:
🔐 password_strength
This field enables password strength analysis for each exposed credential returned in external domain results.
It helps assess the quality and security of compromised passwords, and identify weak credentials that may require proactive resets or policy enforcement.
Field name: "password_strength"
Field type: string (enum value within additional_fields)
Description: Adds strength analysis for each password using entropy and pattern checks.
Implementation details:
Categorizes each password as one of: Too weak, Weak, Medium, or Strong.
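As an added example (not the API's own code), the following script consumes a record in the shape documented above for the sensitive_applications and password_strength fields and ranks the exposed credentials for remediation. The sample record, the keyword list SENSITIVE_APP_KEYWORDS and the scoring weights are constructed assumptions; the API's own predefined application list and strength algorithm are not published here.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of the record shown above (redacted; not real data).
SAMPLE_RECORD = json.loads("""{
  "_id": "PLACEHOLDER_ID", "stealer_family": "Lumma",
  "credentials": [
    {"url": "https://sso.example.com/adfs/ls", "domain": "example.com",
     "username": "redacted@example.com", "type": "employee",
     "password_strength": {"contains": ["lowercase", "symbol"], "length": 10,
                           "id": 1, "value": "Weak"}},
    {"url": "https://shop.example.com/account", "domain": "example.com",
     "username": "redacted", "type": "user",
     "password_strength": {"contains": ["lowercase", "uppercase", "number", "symbol"],
                           "length": 16, "id": 4, "value": "Strong"}}
  ],
  "sensitive_applications": [{"name": "adfs", "description": "..."},
                             {"name": "sso", "description": "..."}]
}""")

# Hypothetical local keyword list; the API's own predefined list is not published here.
SENSITIVE_APP_KEYWORDS = {"adfs", "sso", "admin", "vpn", "jenkins", "grafana"}
# The four documented password_strength categories, ordered from most to least urgent.
STRENGTH_RANK = {"Too weak": 3, "Weak": 2, "Medium": 1, "Strong": 0}

def sensitive_apps_in_url(url):
    """Return keywords found among the URL's hostname labels and path segments."""
    parsed = urlparse(url.lower())
    tokens = set(parsed.hostname.split(".")) if parsed.hostname else set()
    tokens.update(seg for seg in parsed.path.split("/") if seg)
    return sorted(SENSITIVE_APP_KEYWORDS & tokens)

def triage_credentials(record):
    """Rank exposed credentials so weak passwords on sensitive apps are reset first."""
    results = []
    for cred in record.get("credentials", []):
        strength = cred.get("password_strength", {}).get("value", "Too weak")
        apps = sensitive_apps_in_url(cred["url"])
        score = STRENGTH_RANK.get(strength, 3) + (2 if apps else 0)  # assumed weights
        score += 1 if cred.get("type") == "employee" else 0
        priority = "critical" if score >= 4 else "high" if score >= 2 else "low"
        results.append({"url": cred["url"], "strength": strength, "apps": apps,
                        "score": score, "priority": priority})
    return sorted(results, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in triage_credentials(SAMPLE_RECORD):
        print(row["priority"], row["score"], row["url"], row["apps"])
```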