Threat Monitoring Overview
- What is Threat Monitoring?
- How Threat Monitoring works
- Who Threat Monitoring is for
- Threat credits
- Terms to know
What is Threat Monitoring
Threat Monitoring extends Breach Risk, scanning the open, deep, and dark web to surface leaked data, attacker activity, and impersonation risks before they become incidents. Our AI analyst detects threats, then we analyze those threats, infer risk and severity, and provide actionable guidance.
Discovered threats are queued as either Open or Closed depending on whether or not we’ve determined that your review is prudent. We’ve built and honed our AI Analyst so that it’s capable of closing the vast majority of threats — our goal is to leave you with just the threats you actually need to look into — but you can always choose to open any closed threats.
How Threat Monitoring works
Threat Monitoring is powered by our AI Threat Analyst and is based on years of UpGuard’s experience in cybersecurity doing human-powered monitoring. How Threat Monitoring works:
- You activate your two standard Transforms: one for your primary domain, one for your company name.
- Our AI Threat Analyst scans for your Transforms across multiple sources, tailoring how it scans based on where it’s looking. We learned this from the way our human analysts work. e.g. Searching in GitHub is different than looking in Telegram.*
- Threats are detected and then analyzed so that they can be added into the appropriate queue within Threat Monitoring: Open or Closed.
- You and your team work through open threats, moving them to Investigating and Remediating. The goal is to move all threats to the Closed queue.
You can also review threats that were auto-closed by the AI Analyst and move threats to Investigating as needed.
Who Threat Monitoring is for
Threat Monitoring is designed for security, IT, and SOC teams that need to detect and respond to external risks before they become incidents. It benefits organizations that want to:
- Identify pre-breach threats such as phishing domains, leaked credentials, and brand impersonation attempts.
- Gain visibility across open, deep, and dark web sources without dedicating significant internal resources.
- Reduce alert fatigue with AI-powered triage and prioritization using contextual intelligence.
- Accelerate investigations and response with guided remediation and integrations into existing workflows.
- Demonstrate security posture to leadership, customers, and auditors through compliance-ready reports.
Typical users include SOC analysts, incident responders, IT managers, and information security leaders responsible for protecting their organization’s external attack surface and brand.
Threat credits
All Threat Monitoring accounts come with two standard Transforms and you can purchase threat credits to activate additional Transforms.
How threat credits work:
- Use a credit to activate a Transform.
- Archive a Transform to free up a credit.
- Credits can be used to activate or restore a Transform once every 30 days.
Terms to know
| Term | Definition |
| AI Threat Analyst | Your virtual Tier 1 analyst. It detects threats, infers risks, and provides actionable guidance on how to resolve threats. |
| Keyword | The term that you’re defining for monitoring (can be a domain, brand name, employee email pattern, or something else). This is the starting point for your Transform, it tells the analyst what to scan for. |
| Queue | An individual queue within the overall Threat Monitoring workflow i.e. Open, Investigating, Remediating, or Closed. |
| Signal |
A raw detection related to your organization, such as a leaked credential, suspicious domain registration, or exposed code snippet. Signals are observations that may or may not represent malicious activity. |
| Threat | A validated and prioritized risk to your organization, created by analyzing and enriching one or more signals to determine likelihood and potential impact. |
| Threat workflow | Four queues used to track threats from detection to closed (threats can also be auto-closed by the AI analyst, they do not necessarily need to pass through all four queues). |
| Transform | Where a keyword is a static search object, a Transform is an intelligent, source-aware object. A Transform takes your keyword and fans it out using fuzzy logic. Transforms intelligently adapt, taking attack vectors into account and refining how it scans based on where it’s looking. |
*All product and company names mentioned in this article are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by those companies.