1/1 evidence rows

Collection running

medium

Watchlist Terms

Searching

No aliases returned

Sources1 shownFreshness2026-06-30Work items1 openRelated alerts0Gaps6 open

Overview

ready

20% confidence

Activity

ready

1 item

Targeting

review

0 rows

Infrastructure

review

0 patterns

Sources

ready

2 provenance rows

Evidence

ready

1 supported

Watchlist relevance

review

1 candidate

Related alerts/cases

review

1 candidate

Collection gaps

review

6 open

Actions

blocked

0/5 ready

Actor actions1 watch terms0 alerts0 cases6 gaps

mediumCollectionSearching

Collection running

0 queued collection tasks, 0 metadata review tasks, 0 unsafe target blocks, 0 rejected sources

First seen

2026-06-30T18:41:36.213Z

Source

TI search service

Confidence

20%

Provenance

live_search

Source context

1 row tied to selected evidence

Source	Timestamp	Confidence	Capture	Next action
Live discovery unavailable Live source discovery is not available from this API process	Not dated	20%	needed	Open the returned source and attach capture evidence before case replay if no capture ID is present.

Source

Timestamp

Confidence

Capture

Next action

Live discovery unavailable

Live source discovery is not available from this API process

Not dated

20%

needed

Open the returned source and attach capture evidence before case replay if no capture ID is present.

Evidence priority

Review missing source, watchlist, alert, or freshness context before routing.

review35/100

Priority basis

1 source row returned.
Watchlist candidates: company: watchlist-terms.
Capture reference is missing.
No related alert ID is attached.
Actor freshness is acceptable for review.

Backed references

source live:search:unavailable

Organization context is required before watchlist, alert, case, or delivery handoff can mutate customer state.
Candidate watchlist terms exist, but no persisted organization watchlist item is attached.
No generated alert ID is attached to this actor result.

Source drilldown

Source rows, capture status, and handoff blockers for the selected queue item.

0/1 ready

Live discovery unavailable

source live:search:unavailable · 20%

capture needed

Live source discovery is not available from this API process

Open the returned source and attach capture evidence before case replay if no capture ID is present.

Source collectionsource queue

Capture ID or source hash is required before replayable case evidence.

Alert handoff

/dashboard/dwm

blocked

Authenticated organization ID; owner/admin/member watchlist permission

Case handoff

case workflow

blocked

DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID

Capture ID or source hash is required before replayable case evidence.; Attach capture IDs or source request IDs to the provenance rows.

Customer Alert Fit

This finding strengthens watchlist and detection context, but should not become a customer alert until it matches a watched organization, domain, vendor, or portfolio term.

context for watchlists

Matched watchlists

Not returned

Watch terms

watchlist-termsWatchlist Terms

Organizations

Not returned

Sectors / countries

Not returned

Evidence

No evidence rows returned yet.

Recommended Analyst Action

Leave this query open while polling continues.
Search an alias, domain, company name, CVE, or supplier term.
Open the customer console for persisted queue work.

Overview

Threat intelligence query

Attribution not returned by the search service

First seen

Not returned

Last seen

2026-06-30

Confidence

20%

Freshness

Current

Freshness gate

Evidence dates are usable, but source coverage still needs capture or provenance references before stronger handoff.

sources reviewhandoff blocked

Newest evidence

Not dated

Generated

2026-06-30

Source rows

Capture rows

Source blockers

Source collection: Attach capture IDs or source request IDs to the provenance rows.

Handoff blockers

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.
Organization: Create or select the customer watchlist, then rebuild alerts from the saved items.
Alert workflow: Rebuild alerts from persisted watchlist items and return the alert ID.

Next owner: Organization.

Motivation

Not returned

Tooling

Not returned

Campaigns

Not returned

Indicators

Not returned

Targeting

Not returned

Geographies

Not returned

Infrastructure

Not returned

Techniques

No mapped technique rows returned.

blocked

Queue technique enrichment before detection or case routing.

Activity timeline

No dated campaign rows returned.

blocked

Queue campaign enrichment before trend or case review.

Confidence reasoning

1 returned source records are attached to the profile.
No recent activity rows were returned.
No tradecraft rows were returned.

Source coverage

Refresh source coverage before alert-ready handoff.

review

Source rows

Dated rows

Captures

Latest

Not dated

actor profile · 1public ti · 1

Needs report dates, capture references.

Source provenance

Live discovery unavailable

20%

Live source discovery is not available from this API process

Returned source record for watchlist-terms.

Actor profile reference

20%

Live source discovery is not available from this API process

Used to support actor enrichment when newer source rows are not returned.

Operations matrix

TTPs, infrastructure, and targeting rows with source context.

0 rows

Type	Name	Source	Freshness	Confidence	Action

No TTP, infrastructure, or victim rows returned.

Select a row to inspect details.

Country Context

Source-backed country coverage for operator attribution and targeting observations.

Country data pending

Drag to pan · wheel to zoom

Country mapping will appear when this profile has country-level target or origin observations.

Evidence

Actor context packet: Collection running

This finding strengthens watchlist and detection context, but should not become a customer alert until it matches a watched organization, domain, vendor, or portfolio term.

Evidence basis

TI search service; live_search
Timestamp: 2026-06-30T18:41:36.213Z
Confidence: 20%
No evidence rows returned yet.

Routing

Route to alert review, source verification, and customer delivery only after the console workflow persists it.

Watch terms carried forward

watchlist-termsWatchlist Terms

Blocked until

A source URL or internal capture reference is attached.
A watched company, domain, vendor, or portfolio term matches this finding.
Confidence is raised or corroborating evidence is added.

Actions

Decision flow

Actor/query relevance is ready to seed organization watchlists, but no backed watchlist match, generated DWM alert, or case ID is attached to this public result.

watchlist required

Review sources

review

1 provenance row returned; capture metadata still needed.

source ID; capture ID

Open

Prepare watchlist

blocked

1 candidate term; 0 org matches returned.

Authenticated organization ID; owner/admin/member watchlist permission

Open

Rebuild alerts

blocked

Alert rebuild needs watchlist or org context.

Authenticated organization ID; owner/admin/member watchlist permission

Open

Open case

blocked

Case creation needs an alert ID and org-scoped context.

DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID

Deliver webhook

blocked

Delivery needs alert, capture, and destination context.

DWM alert ID from /v1/dwm/alerts or alert rebuild; Active webhook destination ID from /v1/dwm/webhooks

Open

Queue enrichment

review

7 source or enrichment work items available.

Open

Handoff evidence

0 of 5 handoffs have backed IDs, route, and provenance ready for authenticated review.

0/5 ready

Watchlist

/dashboard/dwm

blocked

ID neededLive discovery unavailable

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Alert rebuild

/dashboard/dwm

blocked

ID neededLive discovery unavailable

Alert workflow: Rebuild alerts from persisted watchlist items and return the alert ID.

Case

case workflow

blocked

ID neededLive discovery unavailable

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Delivery

/dashboard/dwm

blocked

ID neededLive discovery unavailable

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Source enrichment

/dashboard/ti/enrichment

blocked

ID neededLive discovery unavailable

Source collection: Attach capture IDs or source request IDs to the provenance rows.

Handoff status

1 of 5 stages ready for console work.

Watchlist

blocked

Create or select the organization watchlist entry.

POST watchlist API1 provenance row3 blockers

Org: Terms: 1

Authenticated organization ID; owner/admin/member watchlist permission

Open

Alerts

blocked

Rebuild alert review from persisted watchlist items.

POST alert API1 provenance row5 blockers

Org: Watchlist: Items:

Authenticated organization ID; owner/admin/member watchlist permission

Open

Case

blocked

Open the related case from alert evidence and capture context.

POST case API1 provenance row6 blockers

Org: Alert: Captures: Case path:

DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID

Webhook

blocked

Prepare a dry-run customer delivery from alert and destination context.

POST delivery API1 provenance row8 blockers

Org: Alert: Destination: Captures: Idempotency:

DWM alert ID from /v1/dwm/alerts or alert rebuild; Active webhook destination ID from /v1/dwm/webhooks

Open

Enrichment

ready

6 enrichment items available for source work.

POST source queue1 provenance row

Tasks: 7Sources: 1

Open

Workflow state

Backed IDs, blockers, and next handoff owner for this result.

degraded

Orgs

Watchlists

Alerts

Captures

Destinations

Organization

missing org

Organization context is required before watchlist, alert, case, or delivery handoff can mutate customer state.

Open the authenticated console and choose the customer organization before saving watchlist terms.

Organization

missing org watchlist

Candidate watchlist terms exist, but no persisted organization watchlist item is attached.

Create or select the customer watchlist, then rebuild alerts from the saved items.

Alert workflow

missing alert

No generated alert ID is attached to this actor result.

Rebuild alerts from persisted watchlist items and return the alert ID.

Source collection

missing capture

No replayable capture ID is attached for case evidence or delivery dry-run.

Attach capture IDs or source request IDs to the provenance rows.

Case workflow

missing case route

No case route or case path is attached to this result.

Return case route or alert case route after case creation is available.

Action exports

Validated request bodies for authenticated review. Copying does not change customer state.

Watchlist add request

Unavailable

watchlist update

1 watchlist term0 org matches1 blocker

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Open

Case draft request

Unavailable

case workflow

1 case candidate0 alerts0 captures4 blockers

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Webhook dry-run request

Unavailable

webhook delivery

0 destinations0 captures4 blockers

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Open

Analyst handoff bundle

Unavailable

/dashboard/dwm

5 workflow stages1 alert candidateevidence window pending0 alerts6 blockers

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Open

Source enrichment request

Unavailable

/dashboard/ti/enrichment

7 intake items0 source requests0 captures1 blocker

Source collection: Attach capture IDs or source request IDs to the provenance rows.

Open

Watchlist relevance

0 organization matches · 1 candidate term · 1 source row · freshness accepted

review

Last seen

2026-06-30

Freshness

Current enough for review

Actor identity

watchlist-terms · Threat intelligence query

Aliases not attached · 0 sectors · 0 regions

Review

Source coverage

1 source · 0 capture-ready · 1 missing capture

Blocked

Live discovery unavailable

public ti · missing capture

Live source discovery is not available from this API process

20%

Watchlist intersections

1 intersection · 0 with alerts · 0 with cases

review

company: watchlist-terms

Attach source evidence · organization needed · watchlist item needed

public ti · capture needed · alert needed

Open the authenticated console and choose the customer organization before saving watchlist terms.

blocked

watchlist update

Enrichment needed

missing actor aliases

Add known aliases before alert or watchlist handoff.

Public TI

missing target sectors

Attach target-sector evidence before routing this actor to a customer watchlist.

Public TI

missing target regions

Attach target-region evidence before regional exposure review.

Public TI

Affected context

vendor: watchlist-terms

company: watchlist-terms

watchlist-terms: Query can be saved as an organization company watchlist term.

candidate

company: watchlist-terms

Persist as watchlist item · watchlist · Organization

Live discovery unavailable · 20% confidence · source live:search:unavailable · Returned source record for watchlist-terms.

watchlist update

Create or select the customer watchlist, then rebuild alerts from the saved items.

blocked

Live discovery unavailable

Attach capture ID · public ti · Source collection

Live discovery unavailable · 20% confidence · source live:search:unavailable · Returned source record for watchlist-terms.

/dashboard/ti/enrichment

Attach capture IDs or source request IDs to the provenance rows.

blocked

Attach organization watchlist match

Check organization alert state generated alert references or watchlist update match context · watchlist · Organization

Evidence metadata pending · The public query result needs an authenticated organization watchlist match before it should alert a customer.

/dashboard/dwm

Open the authenticated console and choose the customer organization before saving watchlist terms.

blocked

Return generated DWM alert ID

/v1/dwm/alerts or alert rebuild · alert · Alert workflow

Evidence metadata pending · Case creation is backed by case workflow and requires a DWM alert ID; this result has no related alert ID attached.

/dashboard/dwm

Rebuild alerts from persisted watchlist items and return the alert ID.

blocked

Attach capture IDs for replay

capture ID · source capture · Source collection

Evidence metadata pending · Source source context is visible, but capture IDs are not attached for replay or case evidence.

/dashboard/ti/enrichment

Attach capture IDs or source request IDs to the provenance rows.

review

Attach capture IDs to source evidence

TI search response capture ID or DWM alert evidence provenance · source capture · Source collection

Evidence metadata pending · Returned sources identify provenance, but no capture IDs are attached for alert replay or case evidence.

/dashboard/ti/enrichment

Attach capture IDs or source request IDs to the provenance rows.

blocked

Organization: Open the authenticated console and choose the customer organization before saving watchlist terms.

Geography

No country-level routing rows returned.

Sources

Live discovery unavailable

capture needed

Live source discovery is not available from this API process

Attach capture ID or source hash for Live discovery unavailable before case replay.

Open console

Related alerts/cases

0 linked records · 0 replay-ready · delivery blocked

Case review intake

1 candidate for watchlist-terms · 0 replay-ready · 0 captures

Collection running

attach capture · 5 reasons · 5 blockers

review

/dashboard/ti/workbench

No alert or case ID is attached yet; rebuild alerts after saving a matching watchlist term or attach capture evidence before case creation.

Collection Gaps

Source enrichment intake · 7 intake items · 0 source requests · 0 captures

Attach organization watchlist match

source gap

watchlistOrganizationreview routeorganization scopewatchlist item

The public query result needs an authenticated organization watchlist match before it should alert a customer. Source family: watchlist. Needs: organization scope, watchlist item. Route: review route.

Return generated DWM alert ID

source gap

alertAlert workflowreview routealert IDrelatedAlerts statuscase route

Case creation is backed by case workflow and requires a DWM alert ID; this result has no related alert ID attached. Source family: alert. Needs: alert ID, relatedAlerts status, case route. Route: review route.

Attach capture IDs for replay

review

source captureSource collectionsource queuesource IDcapture IDsource reference

Source source context is visible, but capture IDs are not attached for replay or case evidence. Source family: source capture. Needs: source ID, capture ID, source reference. Route: source queue.

Attach capture IDs to source evidence

source gap

source captureSource collectionsource queuecapture IDsource IDsource reference

Returned sources identify provenance, but no capture IDs are attached for alert replay or case evidence. Source family: source capture. Needs: capture ID, source ID, source reference. Route: source queue.

Link actor result to generated alerts

source gap

alertAlert workflowreview routealert IDcase routeworkflow route

No related DWM alert IDs were returned, so the public result cannot open or create a backed case yet. Source family: alert. Needs: alert ID, case route, workflow route. Route: review route.

Complete actor enrichment fields

review

actor profileSource collectionsource queueactorIntelligence malwareToolsactorIntelligence campaignssource reference

Actor tools and campaigns are needed to enrich watchlists and explain defensive relevance. Source family: actor profile. Needs: actorIntelligence malwareTools, actorIntelligence campaigns, source reference. Route: source queue.

Complete actor enrichment profile

source gap

Missing tooling, campaigns, infrastructure, confidence reasoning, or source provenance from actor enrichment.

Persist alert review decision

source gap

Scratch notes are session-local. Persisted review needs selected finding ID, review state, owner, rationale, and delivery hold/release state in the authenticated case workflow.

Attach source capture provenance

source gap

The result needs source URLs, capture IDs, or redacted source hashes for every queue item before analyst trust is strong.

Map actor to customer watchlists

source gap

No persisted organization/domain relevance was returned for this public result.

Promote evidence to case queue

source gap

No stable related case id is attached; this page can export a handoff payload but cannot persist the case from public context.

Source Health

7 source rows · 0/7 covered · 0 retry

Actor page

0 covered · 0 alert-ready · 1 blocker

blocked

source capturewatchlistalert

/ti/watchlist-terms

Alert generation

0 covered · 0 alert-ready · 1 blocker

blocked

source capturewatchlistalert

alert rebuild

Source operations

0 covered · 0 alert-ready · 1 blocker

action required

source capturewatchlistalert

/dashboard/ti/enrichment

Attach capture IDs to source evidence

source capture · 2026-06-30 · enrichment queued

source capture evidence request

blocked

capture neededSource collection

Needs: capture ID, source ID, source reference

Returned sources identify provenance, but no capture IDs are attached for alert replay or case evidence.

Open

Attach organization watchlist match

watchlist · 2026-06-30 · enrichment queued

Check organization alert state generated alert references or watchlist update match context

blocked

capture neededOrganization

Needs: organization scope, watchlist item

The public query result needs an authenticated organization watchlist match before it should alert a customer.

Open

Link actor result to generated alerts

alert · 2026-06-30 · enrichment queued

/v1/dwm/alerts or alert rebuild alert ID

blocked

capture neededAlert workflow

Needs: alert ID, case route, workflow route

No related DWM alert IDs were returned, so the public result cannot open or create a backed case yet.

Open

Live discovery unavailable

public ti · 2026-06-30 · capture needed

Live source discovery is not available from this API process

blocked

source live:search:unavailablecapture needed20% confidenceSource collection

Needs: capture ID, source request ID, report date

Attach a capture ID or source request ID in source enrichment.

Open

Return generated DWM alert ID

alert · 2026-06-30 · enrichment queued

/v1/dwm/alerts or alert rebuild

blocked

capture neededAlert workflow

Needs: alert ID, relatedAlerts status, case route

Case creation is backed by case workflow and requires a DWM alert ID; this result has no related alert ID attached.

Open

Session Notes

No local scratch decision recorded yet.

Relevance mark

Session-local mark for watchlist, source review, or case preparation.

unmarked

Case draft

Session-local draft for authenticated case review.

blocked

Intent

watchlist context

Sources

1 row

case workflow

Live discovery unavailable · source live:search:unavailable

Live source discovery is not available from this API process

capture needed

20% confidence · needs Capture ID or source hash is required before replayable case evidence

watchlist-termsWatchlist Terms

DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID; owner/admin/member watchlist permission

Case ownership

Selected evidence mapped to case candidates, replay state, and owner blockers.

blocked

Candidates

Replay ready

Alerts

Captures

owner watchlistcase stage blocked

case workflow

Resolve DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID before assigning this evidence to a case.

Collection running

low · attach capture · 1 source ref

review

Review missing source, watchlist, alert, or freshness context before routing.

Alert ID pending

Organization context is required before watchlist, alert, case, or delivery handoff can mutate customer state.; Candidate watchlist terms exist, but no persisted organization watchlist item is attached.; No generated alert ID is attached to this actor result.

missing_case_route, missing_alert

DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID; owner/admin/member watchlist permission; Capture ID or source hash is required before replayable case evidence.

Case create request

Selected evidence shaped for authenticated case creation with provenance and blockers attached.

blocked

Alerts

Captures

Sources

Terms

POST case API

Resolve DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID before case creation review.

Actor context

Attribution not returned by the search service · 20% confidence

refresh

Aliases

TTPs

Tools

Sources

watchlistalert

Target sectors pending · Geography pending

Watchlist basis

company watchlist-terms is blocked with 2 evidence refs.

blocked

1 term0 alert-ready0/1 replay-readywatchlist-terms

Authenticated organization ID; owner/admin/member watchlist permission; Open the authenticated console and choose the customer organization before saving watchlist terms.

Live discovery unavailable · source live:search:unavailable

Live source discovery is not available from this API process

capture needed

report date pending · 20% confidence · needs Capture ID or source hash is required before replayable case evidence

2 provenance refsevidence:85c7cb2d

POST /v1/cases

Collection running

low · 0 alerts · 0 captures · Organization

missing_case_route, missing_alert

Review missing source, watchlist, alert, or freshness context before routing.

source live:search:unavailableevidence:85c7cb2devidence:88a96728

1 source row returned. Watchlist candidates: company: watchlist-terms.

DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID; owner/admin/member watchlist permission; Capture ID or source hash is required before replayable case evidence.

Watchlist plan

Selected evidence mapped to watchlist terms, organization intersections, and source refs.

blocked

Terms

Matches

Alerts

Captures

/dashboard/dwm

Resolve Authenticated organization ID; owner/admin/member watchlist permission before monitoring this evidence.

company: watchlist-terms

watchlist-terms: Query can be saved as an organization company watchlist term.

matched

company: watchlist-terms

Needs review · 2 evidence refs · source family pending

blocked

Resolve Open the authenticated console and choose the customer organization before saving watchlist terms.; Create or select the customer watchlist, then rebuild alerts from the saved items. before alert rebuild.

Live discovery unavailable · source live:search:unavailable

source family pending · collection date pending · parser status pending

capture needed

Live source discovery is not available from this API process

Returned source record for watchlist-terms.

Organization · candidate termSource collection · source evidenceOrganizationSource collection

Open the authenticated console and choose the customer organization before saving watchlist terms.; Create or select the customer watchlist, then rebuild alerts from the saved items.; Attach capture IDs or source request IDs to the provenance rows.

Alert action plan

Selected evidence mapped to watchlist terms, source refs, and alert rebuild state.

review

Candidates

Matches

Captures

Evidence window

Pending

/dashboard/dwm

Resolve Authenticated organization ID; owner/admin/member watchlist permission before alert rebuild.

watchlist-termsWatchlist Termscompany: watchlist-terms

company: watchlist-terms

candidate term · watchlist · Organization

blocked

Returned source record for watchlist-terms.

capture needed

watchlist update

Candidate watchlist terms exist, but no persisted organization watchlist item is attached.

Live discovery unavailable

source evidence · public ti · Source collection

blocked

Returned source record for watchlist-terms.

capture needed

/dashboard/ti/enrichment

No replayable capture ID is attached for case evidence or delivery dry-run.

missing_case_route; missing_alert

Organization context is required before watchlist, alert, case, or delivery handoff can mutate customer state.; Candidate watchlist terms exist, but no persisted organization watchlist item is attached.; No replayable capture ID is attached for case evidence or delivery dry-run.

Delivery status

Selected evidence mapped to alert, capture, destination, and case route status.

blocked

Alerts

Captures

Destinations

Case routes

/dashboard/dwm

Resolve DWM alert ID from /v1/dwm/alerts or alert rebuild; Active webhook destination ID from /v1/dwm/webhooks before delivery review.

No related alert is attached to the selected evidence yet.

POST /v1/dwm/webhooks/deliver

DWM alert ID from /v1/dwm/alerts or alert rebuild; Active webhook destination ID from /v1/dwm/webhooks; Replayable capture ID from source provenance or DWM alert evidence; Organization context is required before watchlist, alert, case, or delivery handoff can mutate customer state.

Enrichment triage

Selected evidence mapped to source health, intake items, and capture/source-request blockers.

blocked

Sources

Intake

Requests

Captures

/dashboard/ti/enrichment

Live discovery unavailable

public ti · 2026-06-30 · capture needed

blocked

Source collection1 intake itemcapture needed

Attach a capture ID or source request ID in source enrichment.

source queue · /dashboard/ti/enrichment

Actor page1 blocker

Alert generation1 blocker

Source operations1 blocker

Needs capture ID, source request ID, report date.

Case action trail

Metadata-only trail for local decisions, selected evidence, and case replay state.

replay blocked

Selected evidence

2026-06-30

review

Live discovery is still building an evidence-backed answer.

Sources live:search:unavailable

Case handoff blocked

2026-06-30

blocked

Case review needs the missing identifiers or source context listed below before persistence.

Sources live:search:unavailable

DWM alert ID from /v1/dwm/alerts or alert rebuild; Authenticated organization ID; owner/admin/member watchlist permission

Replay export blocked

2026-06-30

blocked

Replay request needs missing_case_route; missing_alert; missing_capture.

Sources live:search:unavailable

Selected review package

Copyable evidence, rationale, and handoff state for authenticated case review. This does not save public-page notes.

alert blockedcase blocked4 evidence rows

A source URL or internal capture reference is attached.; A watched company, domain, vendor, or portfolio term matches this finding.

Staged Handoffs

No handoffs staged in this browser session.

Evidence Timeline

Profile generated

2026-06-30

Searching result from live_search.

Selected evidence

2026-06-30

Live discovery is still building an evidence-backed answer.

Collection Gaps

Waiting

queued

Waiting for live discovery or scheduler telemetry.

Watchlist Relevance

2 candidate terms for monitoring

Candidate actor, alias, sector, country, campaign, tool, and source-domain terms are present only when returned by the profile or source rows.

blocked

company: watchlist-terms

Candidate term requires authenticated organization review before monitoring.

blocked

company: Watchlist Terms

Candidate term requires authenticated organization review before monitoring.

blocked

Authenticated organization ID; owner/admin/member watchlist permission

Sources

Live clear-web search

Included

Real-time public web discovery plus approved scraper captures

Darknet/leak metadata

Monitoring data

Metadata-only actor/victim/date claims; no leaked file downloads

Source Coverage

RansomLook and ransomware.live

Seed coverage

Good starting mix for recent victim claims, actor names, company names, claimed dates, sector/country context, and claimed-data descriptions.

Useful for bootstrapping coverage and cross-checking our captures, but not enough by itself because anyone can index the same public rows.

Direct actor infrastructure collection

Owned monitoring

company-first collection from actor-controlled public leak/extortion infrastructure where policy allows.

This is where defensible value comes from: faster discovery, verified claims, freshness deltas, actor-page changes, and watchlist alerts that are not just copied from another index.

Infostealer and credential-exposure records

Owned monitoring

Potentially high-value if collected as reviewable records and routed through safety review.

Valuable for company/domain exposure alerts, but it must avoid credential values, raw dumps, private access, auth bypass, and unsafe redistribution.

Source Records

Live discovery unavailable

Source

Live source discovery is not available from this API process