Intelligence X

Intelligence X is an independent search engine and data archive that enables cybersecurity professionals to search across the dark web, deep web, and public internet. Unlike traditional search engines that index the current state of the surface web, Intelligence X specializes in preserving and indexing historical, deleted, and hidden content, including data leaks, paste sites, and darknet marketplaces.

Founded by Peter Kleissner, the platform is widely used for Open Source Intelligence (OSINT), threat intelligence, and digital forensic investigations. It differentiates itself by maintaining a permanent archive of results, ensuring that even if a malicious post or leaked document is deleted from its original source, it remains accessible to investigators through the Intelligence X repository.

Core Capabilities and Data Sources

Intelligence X aggregates data from sources that are typically inaccessible to standard crawlers. It focuses on specific "selectors"—unique identifiers that allow analysts to pinpoint data with high precision.

  • Darknet Indexing: The platform actively crawls and indexes content from the Tor and I2P networks, including forums, marketplaces, and ransomware leak sites.

  • Data Leaks and Breaches: It archives public and private data dumps, allowing organizations to verify if their compromised credentials or proprietary documents are circulating among threat actors.

  • Paste Sites: It monitors text-sharing platforms (like Pastebin) where hackers frequently post code snippets, configuration files, or stolen data.

  • Historical Whois Data: It maintains records of domain registration history, which is critical for attributing malicious infrastructure to specific threat actors.

  • Selector-Based Search: Unlike keyword searches, which can be broad, Intelligence X is optimized for selectors such as email addresses, domains, IP addresses (IPv4 and IPv6), CIDRs, Bitcoin addresses, and UUIDs.
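The selector types listed above can be told apart before a query is submitted, so that a term is searched as the right kind of identifier. The following is an added example, not code from Intelligence X: the `classify` function and its labels are hypothetical, and the Bitcoin check covers only legacy Base58Check addresses.

```python
import hashlib
import ipaddress
import re
import uuid

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def is_base58check(s):
    """True if s decodes to 25 bytes whose last 4 are the double-SHA256 checksum."""
    if not 26 <= len(s) <= 35 or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")  # version byte + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return raw[21:] == check[:4]

def classify(term):
    """Return the selector type for a search term, or 'keyword' if it is none of them."""
    t = term.strip()
    if EMAIL_RE.match(t):
        return "email"
    if "/" in t:  # only CIDR notation may contain a slash here
        try:
            ipaddress.ip_network(t, strict=False)
            return "cidr"
        except ValueError:
            return "keyword"
    try:
        return "ipv%d" % ipaddress.ip_address(t).version
    except ValueError:
        pass
    try:  # accept only the canonical 8-4-4-4-12 form
        if str(uuid.UUID(t)) == t.lower():
            return "uuid"
    except ValueError:
        pass
    if is_base58check(t):
        return "bitcoin"
    if DOMAIN_RE.match(t):
        return "domain"
    return "keyword"
```

Validating the checksum, rather than matching on length and alphabet alone, keeps mistyped or truncated wallet strings from being searched as Bitcoin selectors.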

How Intelligence X Differs from Standard Archives

While tools like the Internet Archive (Wayback Machine) and Google serve specific indexing functions, Intelligence X fills a distinct gap in the cybersecurity ecosystem.

  • Depth vs. Breadth: Google indexes the surface web for general utility. Intelligence X indexes the dark web and controversial content specifically for security analysis.

  • Preservation of "Toxic" Data: The Wayback Machine frequently removes content upon request or excludes sites via robots.txt. Intelligence X preserves data regardless of its nature—including malware source code and personally identifiable information (PII) found in breaches—because this data is essential for forensic analysis.

  • Granular Search: It allows searching within the contents of leaked or scraped files (PDFs, Word documents, Excel spreadsheets), rather than just web page titles.

Key Use Cases for Cybersecurity Professionals

Security teams leverage Intelligence X to support various stages of the cyber defense lifecycle.

  • Threat Hunting: Analysts use the platform to track threat-actor activity, such as identifying Bitcoin wallet addresses used in a ransomware campaign or locating the source code for a new malware variant.

  • Third-Party Risk Management: Organizations scan their vendors' domains to identify whether third-party credentials or contracts have been exposed in recent data breaches.

  • Incident Response: During an active breach, responders search for their organization's assets (IPs or domains) to determine whether attackers are discussing them on dark web forums or whether data is already being auctioned.

  • Brand Protection: Companies monitor for typo-squatting domains or phishing kits that abuse their brand assets, often identifying these indicators before they are deployed in a large-scale attack.

Frequently Asked Questions

Is Intelligence X free to use?

Intelligence X operates on a freemium model. It offers a free tier with limited access to public data and basic search capabilities. Full access to the dark web archive and advanced API features requires a paid enterprise license.

Is using Intelligence X legal?

Yes. Intelligence X is a legitimate research tool used by law enforcement, researchers, and corporations. However, because it hosts data that may be stolen or sensitive (such as leaked credentials), users must comply with strict terms of service and applicable local laws governing data handling and privacy.

What is the difference between Intelligence X and Hunter.io?

Hunter.io primarily focuses on identifying professional email addresses for marketing and sales lead generation. Intelligence X focuses on finding compromised or leaked email addresses and associated security data for investigation and defense.

Does Intelligence X provide an API?

Yes, Intelligence X offers a robust API that enables security teams to integrate its data directly into their Security Information and Event Management (SIEM) systems, SOAR platforms, or custom analysis tools such as Maltego.

How ThreatNG and Intelligence X Work Together

ThreatNG and Intelligence X function as a powerful, synergistic pair in the cybersecurity ecosystem. ThreatNG acts as the "External Attack Surface Management (EASM)" platform that maps and monitors an organization's infrastructure, while Intelligence X serves as a deep "Data Reservoir" providing historical context, dark web records, and leaked data associated with those assets.

By integrating the deep-search capabilities of Intelligence X into the operational workflows of ThreatNG, organizations can move beyond simple asset discovery to a state of Contextual Risk Assurance. ThreatNG finds the asset; Intelligence X tells you if that asset has been compromised, discussed on the dark web, or included in a data leak.

External Discovery with Intelligence X

ThreatNG’s primary role is to define the perimeter. When combined with Intelligence X, this discovery process goes beyond just finding servers—it also locates the data about those servers scattered across the internet.

  • Correlating Shadow IT with Data Leaks: ThreatNG’s External Discovery engine scans the internet to identify unknown assets, such as "Applications Identified" or "VPNs Identified." Once an asset (like a forgotten marketing subdomain) is found, it can be cross-referenced against the Intelligence X archive.

    • Example: ThreatNG discovers a legacy portal partners.company-legacy.com. Intelligence X simultaneously searches its 100+ billion record archive and finds a Pastebin entry from 2022 containing a configuration file for that specific domain. This confirms not only that the asset exists (ThreatNG's finding) but also that its sensitive configuration details are public (Intelligence X's finding), enabling immediate takedown.

External Assessment and Validation

ThreatNG assesses the technical security of the perimeter (e.g., open ports, missing headers). Intelligence X validates whether these technical gaps have already been exploited.

  • Validating Credential Exposure: ThreatNG assesses the strength of authentication controls, flagging issues such as "Subdomains with No Automatic HTTPS Redirect." Intelligence X enhances this by verifying whether credentials for these specific domains are present in known breaches.

    • Example: ThreatNG identifies an exposed "Outlook Web Access" portal. Intelligence X data reveals that 50 corporate email addresses and passwords associated with this domain were released in a recent "Collection #1" breach. ThreatNG combines these insights to elevate the risk of the Outlook portal to "Critical," as the technical exposure (the portal) is now coupled with a verified threat (stolen credentials).

Reporting and Contextualization

Reporting is most effective when it combines "Status" with "History." ThreatNG integrates Intelligence X data to provide comprehensive reports that satisfy both IT and Forensic teams.

  • Unified Breach Reporting: ThreatNG generates reports that map findings to frameworks such as GDPR and PCI DSS. By incorporating Intelligence X data, these reports can include specific evidence of data compromises.

    • Example: A ThreatNG report on "Data Privacy" not only lists potential vulnerabilities (like "Subdomains Missing CSP") but also includes an appendix of "Verified Leaks" sourced from Intelligence X, such as specific documents or database dumps found on darknet forums. This provides a holistic view of the organization's data sovereignty status.

Continuous Monitoring

ThreatNG provides the mechanism for constant surveillance, while Intelligence X provides the stream of new threat data.

  • Leak-Driven Drift Detection: ThreatNG monitors the infrastructure for configuration changes ("Drift"). When paired with Intelligence X, it also monitors for "Data Drift"—the sudden appearance of corporate data on the dark web.

    • Example: ThreatNG establishes a secure baseline for a company's main domain. If Intelligence X detects a new post on a ransomware leak site referencing this domain, ThreatNG interprets this as a critical drift event. It triggers an alert indicating that while the technical perimeter may still look secure, the brand's integrity has been compromised externally.

Investigation Modules

ThreatNG’s specialized investigation modules leverage Intelligence X as a primary search library to perform deep-dive forensics without leaving the platform.

Domain Intelligence & Reputation

  • The Workflow: ThreatNG investigates "Domain Name Permutations - Taken" to find potential phishing sites.

  • The Intelligence X Enhancement: Intelligence X searches these typo-squatted domains in its archive to see if they have been used in previous phishing campaigns or malware distribution.

  • Detailed Example: ThreatNG identifies support-company.com as a suspicious domain with active mail records. Intelligence X data reveals that this specific domain was registered using an email address previously linked to a known "Banking Trojan" campaign. This allows the security team to block the domain immediately based on historical attribution rather than just suspicion.

Archive Intelligence & Data Recovery

  • The Workflow: ThreatNG’s "Documents Found on Archived Web Pages" module looks for sensitive files left on the web.

  • The Intelligence X Enhancement: Intelligence X excels at indexing "deleted" content from paste sites and dark web mirrors.

  • Detailed Example: A developer accidentally uploads a code snippet containing AWS keys to a public paste site and deletes it five minutes later. ThreatNG’s standard scan might miss this transient event. However, Intelligence X captures and archives the paste instantly. ThreatNG’s investigation module queries Intelligence X, retrieves the "deleted" API keys, and alerts the engineering team to rotate them, preventing a breach that would have otherwise gone unnoticed.

Intelligence Repositories

ThreatNG serves as an aggregator, pulling raw intelligence from Intelligence X repositories to fuel its risk-scoring engines.

  • Dark Web & Ransomware Feeds: ThreatNG consumes Intelligence X feeds regarding "Dark Web Mentions" and "Ransomware Events." This ensures that the "Security Ratings" provided by ThreatNG are not just based on theoretical vulnerability scans but on actual criminal activity targeting the organization.

Complementary Solutions (Downstream Integration)

The combined intelligence of ThreatNG and Intelligence X feeds into broader security operations tools to automate defense.

Security Information and Event Management (SIEM)

  • Cooperation: ThreatNG pushes the asset data, and Intelligence X pushes the threat data into the SIEM.

  • Example: ThreatNG tells the SIEM, "This IP address belongs to our new VPN." Intelligence X tells the SIEM, "This VPN IP is mentioned in a hacker forum post about 'easy targets'." The SIEM correlates these two inputs to create a high-fidelity "Targeted Asset" alert for the SOC.
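The correlation described in the SIEM example can be sketched as a join between an asset inventory and archive mentions. This is an added example, not code or an API from ThreatNG, Intelligence X or any SIEM: the record layouts, field names and sample data are constructed for illustration, and it generalizes the IP case to domains as well.

```python
import ipaddress
import re

# Constructed asset inventory, standing in for an EASM export (hypothetical fields).
ASSETS = [
    {"name": "new-vpn", "net": "203.0.113.16/28", "domains": []},
    {"name": "legacy-portal", "net": None, "domains": ["company-legacy.com"]},
]
# Constructed archive hits, standing in for threat-data records (hypothetical fields).
MENTIONS = [
    {"id": "m1", "source": "forum", "text": "easy targets: 203.0.113.20 and 198.51.100.7"},
    {"id": "m2", "source": "paste", "text": "config for partners.company-legacy.com leaked"},
    {"id": "m3", "source": "forum", "text": "selling access to notcompany-legacy.com"},
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def selectors(text):
    """Extract validated IPv4 addresses and lower-cased hostnames from free text."""
    ips = set()
    for tok in IP_RE.findall(text):
        try:
            ips.add(ipaddress.ip_address(tok))
        except ValueError:
            pass  # e.g. 999.1.1.1 looks like an IP but is not one
    return ips, {h.lower() for h in HOST_RE.findall(text)}

def correlate(assets, mentions):
    """Emit one alert per (asset, mention) pair that shares an IP or hostname."""
    alerts = []
    for m in mentions:
        ips, hosts = selectors(m["text"])
        for a in assets:
            net = ipaddress.ip_network(a["net"]) if a["net"] else None
            hit_ips = sorted(str(i) for i in ips if net and i in net)
            # Match on label boundaries so notcompany-legacy.com is not a hit.
            hit_hosts = sorted(h for h in hosts
                               if any(h == d or h.endswith("." + d) for d in a["domains"]))
            if hit_ips or hit_hosts:
                alerts.append({"asset": a["name"], "mention": m["id"],
                               "matched": hit_ips + hit_hosts})
    return alerts
```

Matching hostnames on a leading dot rather than by substring is what prevents a lookalike domain from raising a "Targeted Asset" alert against the real one.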

Governance, Risk, and Compliance (GRC) Platforms

  • Cooperation: ThreatNG validates controls, while Intelligence X validates data confidentiality.

  • Example: For a GDPR audit, the GRC platform requires proof that no personal data is publicly accessible. ThreatNG confirms that all web servers are encrypted (HTTPS). Intelligence X confirms that no customer databases appear in its leak archive. Together, they provide the positive and negative proof required for a clean audit opinion.
