CISO decisions: Weighing costs, benefits of dark web monitoring

Forewarned is forearmed, and dark web monitoring can alert organizations when they're in attacker crosshairs. But for many, the risk and expense make it more trouble than it's worth.

Dark web monitoring can give enterprise cybersecurity teams advance warning of potential attacks before they occur and alert them if corporate data and credentials have already been exposed. By getting insight into what kinds of attacks might be incoming and what systems and users could be targets, organizations can implement proactive defense measures, rather than waiting to react to attacks in motion.

Consider a company that learns through dark web monitoring that attackers have installed an infostealer on a particular user's office computer and are capturing sensitive information such as login credentials. The security team can employ defensive options that range from creating a honeypot to catch the malicious hacker to simply reimaging the computer and tightening configurations to prevent a recurrence.

If, on the other hand, the company doesn't know anything is amiss until someone uses stolen credentials to log into core systems and exfiltrate massive amounts of data, options are limited, and the damage has already been done.

This is not to say that dark web monitoring is worthwhile for every company. CISOs must weigh benefits against costs and risks, and many will find they can better invest resources elsewhere. For some large and high-profile organizations, however, dark web monitoring can provide significant value -- if they know what information to monitor and where to look.

Limitations, costs and risks of dark web monitoring

While enterprises can gather valuable intelligence through dark web monitoring, the practice also has significant limitations.

For one thing, dark web monitoring can uncover only information that threat actors post. If a malicious hacker has privately resolved to breach an enterprise's networks or applications, he or she has no need to advertise that intention in any way, in any forum.

The other major limitation -- especially for organizations conducting DIY dark web monitoring -- is that there are so many places to look. More crop up all the time, and most don't advertise their presence.

In-house dark web monitoring vs. third-party dark web monitoring

Going DIY means either dedicating a lot of valuable -- read: expensive -- staff time to dark web monitoring or doing it poorly. It probably requires buying specialized tools like Maltego or SpiderFoot, and it certainly requires staff to develop expertise using open-source tools such as TorBot or OnionScan.

In-house dark web monitoring also entails programming automated scans and alerts and integrating the threat intelligence stack with other cybersecurity platforms, such as security information and event management (SIEM); security orchestration, automation and response (SOAR); and endpoint detection and response (EDR).

Enlisting a third-party threat intelligence service that offers dark web monitoring requires less time and effort from in-house cybersecurity staff. It comes with its own significant costs, however, as well as the usual caveats of ensuring the managed service provider is flexible and responsive to customer needs.

Importantly, using a third party to monitor the dark web reduces the risks of gathering firsthand threat intelligence in extralegal spaces. Going DIY means your team is going into dark places. There is always the chance that security staffers will bring something malicious back, or something will follow them home. Using a third party insulates the enterprise from that exposure.

Is dark web monitoring worth it?

For most smaller organizations, dark web monitoring is not worth it. The benefits don't outweigh the costs and risks -- whether engaging a third-party service or going it alone.

The larger an organization gets, or the higher its profile, the more likely this kind of monitoring will be valuable and useful. For most companies, using a third-party service makes more sense; it conserves cybersecurity staff time, and it reduces the risk of attracting unwanted attention by the very act of looking out for it.

The few organizations that might consider tackling dark web monitoring in-house are those that have the following:

  • Large and well-trained cybersecurity teams that are prepared to spend considerable time and effort on this initiative.
  • Profiles so high already that actively turning over stones in search of threats won't make them greater targets.

What to monitor on the dark web

Security teams that determine dark web monitoring is worthwhile will find a trove of information from and for attackers. Dark web monitoring, whether DIY or third-party service, should look for the following:

  • Compromised credentials. Credentials on the dark web come from a wide variety of sources. They might have been stolen with spyware, tricked out of a user in a phishing attack or photographed by a passing delivery person off a Post-It note on the corner of a desktop monitor. Some are part of massive data dumps, while others are one-off snatches.

Note that some credentials on the dark web are speculative rather than verified. For example, malicious hackers might guess an employee's corporate username based on how the company typically maps first and last names to usernames. Or they might pair someone's professional email address with a password stolen from a lower-security site, such as a pizza delivery service, on the safe assumption that too many people still reuse their passwords.  

Bad actors have even set up honeypot sites and newsletters, knowing that some users will register with their work emails and reuse their corporate passwords. And finally, infostealers can harvest single sign-on information, session cookies and API keys that can, if site security is not tight enough, let attackers bypass second-factor authentication challenges.

  • Zero days. Sometimes malicious hackers offer to sell, brag about possessing or simply post exploitable vulnerabilities in a given software package.
  • Company-specific vulnerabilities. One bad actor who breaches an organization can collect copious information on its defenses and weaknesses, then sell it to other attackers who have disruption, extortion or data theft in mind.
  • Previews of stolen information. Bad actors who infiltrate an enterprise network with ransomware and infostealers often post previews of the stolen information, either to auction it off or to pressure the organization to pay a ransom.
  • Insider threats. Some sites on the dark web specialize in providing forums for disgruntled employees looking to either buy malicious hacking services or sell insider threat access, information or assistance.
  • Phishing kits. Malicious actors can easily purchase ready-to-use UI kits to set up fraudulent websites that look just like a company's legitimate portal or that of its partner or supplier.
  • Phishing sites. Dark web monitoring might lead threat researchers to fraudulent phishing websites on the open web that mirror legitimate organizations' pages, with nearly identical URLs. Such sites mean unsuspecting users are just a typo away from sharing their credentials with threat actors.
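The automated scans and alerts mentioned in the in-house section, applied to the compromised-credential cases in this list (verified versus speculative credentials, reuse of a password stolen elsewhere), as an added Python example that is not from the article or from any monitoring vendor. It assumes a feed that delivers JSON records with email, password and source fields, a monitored domain of example.com, a username convention of lowercase letters with optional trailing digits, and a small identity store holding salted PBKDF2 hashes; the feed records, the domain, the convention and the directory are all constructed for the demo.

```python
"""Triage leaked-credential records against a corporate identity store.

Added example, not the article's or any product's code. The feed format,
corporate domain, username convention and directory are assumptions.
"""
import hashlib
import hmac
import json
import re

CORP_DOMAIN = "example.com"                               # assumption: monitored domain
USERNAME_PATTERN = re.compile(r"^[a-z]{2,20}\d{0,2}$")    # assumption: initial+surname, optional digits


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a stand-in for however the real directory stores secrets."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed identity store: username -> (salt, hash). The plaintexts below exist only
# to build the demo; a real directory would expose hashes, never plaintexts.
_DEMO_ACCOUNTS = {"jdoe": "Winter2024!", "asmith": "correct horse battery staple"}
DIRECTORY = {
    user: (b"salt-" + user.encode(), hash_password(pw, b"salt-" + user.encode()))
    for user, pw in _DEMO_ACCOUNTS.items()
}

# Constructed feed records, in the shape the example assumes the monitoring service delivers.
FEED = [
    {"email": "jdoe@example.com", "password": "Winter2024!", "source": "stealer-log-2025-03"},
    {"email": "asmith@example.com", "password": "pizza4life", "source": "combolist"},
    {"email": "rjones@example.com", "password": "hunter2", "source": "combolist"},
    {"email": "x@other.org", "password": "abc", "source": "combolist"},
    {"email": "jdoe@example.com", "password": "Winter2024!", "source": "combolist"},  # duplicate
    {"email": "ceo@example.com", "source": "newsletter-honeypot"},                     # address only
]

# Classification -> (severity, recommended response). Wording is the example's own.
SEVERITY_AND_ACTION = {
    "verified_current": ("high", "force password reset, revoke sessions and tokens, review recent logins"),
    "verified_stale": ("medium", "confirm the reset already happened; warn user about reuse on other sites"),
    "speculative": ("low", "username not in directory; watch for login attempts under this name"),
    "exposure_only": ("low", "address exposed without a secret; raise phishing awareness for the user"),
    "unknown": ("low", "address does not match the naming convention; likely fabricated"),
}


def password_matches_current(username: str, candidate: str) -> bool:
    """Constant-time check of a leaked plaintext against the user's current stored hash."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(candidate, salt))


def classify_record(record: dict, seen: set):
    """Return a SIEM-ready alert dict for one feed record, or None if it is not ours or a repeat."""
    local, _, domain = record.get("email", "").lower().partition("@")
    if domain != CORP_DOMAIN or not local:
        return None
    password = record.get("password")
    # Dedupe on (user, hash of secret) so the same pair from two dumps raises one alert.
    key = (local, hashlib.sha256((password or "").encode("utf-8")).hexdigest())
    if key in seen:
        return None
    seen.add(key)
    if password is None:
        classification = "exposure_only"
    elif local in DIRECTORY:
        classification = "verified_current" if password_matches_current(local, password) else "verified_stale"
    elif USERNAME_PATTERN.match(local):
        classification = "speculative"
    else:
        classification = "unknown"
    severity, action = SEVERITY_AND_ACTION[classification]
    return {
        "event": "dark_web_credential_exposure",
        "user": local,
        "classification": classification,
        "severity": severity,
        "source": record.get("source", "unknown"),
        "secret_fingerprint": key[1][:12],   # never forward the plaintext itself to the SIEM
        "recommended_action": action,
    }


def triage(feed):
    seen = set()
    alerts = []
    for record in feed:
        alert = classify_record(record, seen)
        if alert is not None:
            alerts.append(alert)
    return alerts


def to_siem_lines(alerts):
    """One JSON object per line, the form most SIEM collectors ingest directly."""
    return [json.dumps(alert, sort_keys=True) for alert in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(triage(FEED)):
        print(line)
```

The distinction the example draws is the one the list describes: a leaked password that still opens a current account is an incident, a stale one is a reuse warning for that user, and a username that merely fits the naming convention is speculative and only worth watching. Running `triage(FEED)` yields four alerts (one per class), with the duplicate and the foreign-domain record dropped.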
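For the phishing-site item, which notes that fraudulent pages sit at nearly identical URLs, here is an added Python example of the scoring a defender applies to observed domain names (from a certificate transparency or threat-feed export, say) to decide which resemble a monitored brand. It is not from the article or any product; the brand domains, the homoglyph table and the observed list are constructed, and it treats the registrable domain as the last two labels, which is an assumption that ignores multi-part public suffixes such as co.uk.

```python
"""Flag observed domains that resemble monitored brand domains.

Added example, not the article's code. Brand list, substitution table and
observed feed are constructed; "last two labels" as the registrable domain
is an assumption.
"""
import unicodedata

BRAND_DOMAINS = ["example.com", "example-partner.net"]   # assumption: domains to protect

# Small illustrative subset of visual substitutions; a production table is far larger.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}
_SUBS = sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0]))   # multi-char keys first

# Constructed: an internationalized lookalike, built with the stdlib codec so the
# punycode form need not be hand-typed.
PUNYCODE_SAMPLE = "exämple.com".encode("idna").decode("ascii")

OBSERVED = [
    "example.com", "login.example.com", "examp1e.com", "exarnple.com", PUNYCODE_SAMPLE,
    "exmaple.com", "example.co", "example-login.net",
    "login.example.com.verify-account.xyz", "github.com",
]


def decode_idna(domain: str) -> str:
    """Turn xn-- labels back into Unicode; leave anything the codec rejects untouched."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def fold(label: str) -> str:
    """Collapse a label to the plain ASCII a reader would perceive it as."""
    text = unicodedata.normalize("NFKD", label)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    for glyph, plain in _SUBS:          # lossy on purpose: 'rn' reads as 'm' at a glance
        text = text.replace(glyph, plain)
    return text.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: a transposition counts as one edit."""
    prev_prev, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev_prev[j - 2] + 1)
            cur.append(d)
        prev_prev, prev = prev, cur
    return prev[-1]


def assess(domain: str, brands=BRAND_DOMAINS):
    """Return (verdict, matched_brand) for one observed domain."""
    labels = decode_idna(domain.lower().rstrip(".")).split(".")
    if len(labels) < 2:
        return ("invalid", "")
    sld, tld = labels[-2], labels[-1]
    subdomains = labels[:-2]
    parsed = [(b, *b.lower().split(".")[-2:]) for b in brands]
    # Anything under a brand's own registrable domain is the brand's, subdomains included.
    for brand, b_sld, b_tld in parsed:
        if sld == b_sld and tld == b_tld:
            return ("legitimate", brand)
    folded_sld = fold(sld)
    for brand, b_sld, b_tld in parsed:
        b_folded = fold(b_sld)
        if sld == b_sld:
            return ("tld_swap", brand)
        if folded_sld == b_folded:
            return ("homoglyph", brand)
        if edit_distance(folded_sld, b_folded) <= max(1, len(b_folded) // 6):
            return ("typo", brand)
        if b_folded in folded_sld or any(b_folded in fold(s) for s in subdomains):
            return ("brand_embedded", brand)
    return ("unrelated", "")


def review_queue(observed):
    """Everything that is neither clearly ours nor clearly unrelated, for analyst review."""
    queue = []
    for domain in observed:
        verdict, brand = assess(domain)
        if verdict not in ("legitimate", "unrelated", "invalid"):
            queue.append((domain, verdict, brand))
    return queue


if __name__ == "__main__":
    for item in review_queue(OBSERVED):
        print(*item)
```

The checks run from most to least specific: an exact brand match (including its own subdomains) is accepted before any lookalike test, a changed suffix or a homoglyph-folded match is reported before the edit-distance test, and a brand name merely embedded in a longer name or a subdomain is reported last. On the constructed list, seven of the ten observed domains land in the review queue.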

Where to look on the dark web

Some sites on the dark web serve as forums for craft and methodology, focusing on attack tools and software vulnerabilities. Others exist as marketplaces of stolen credentials and data, hire-a-hacker job boards and attack-as-a-service platforms.

Brazenly public sites such as exploit (dot) in and, until recently, BreachForums, are relatively easy to find and monitor. The latter was shut down by the FBI in 2025, but such sites have a habit of popping up again after going dark for a time. At the other extreme, countless dark sites are so well hidden behind Tor that even getting to them is a challenge.

Finally, forums on Telegram and other secure messaging platforms are increasingly replacing traditional sites on the dark web. There are believed to be thousands of channels in Telegram alone dedicated to selling stolen credentials and other data.

John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.