Pre-Compromise Assessment


Pre-Compromise Intelligence (PCI) is a proactive, external security discipline focused on gathering and analyzing data about an organization and its employees from the internet, dark web, and open sources before a cyberattack occurs or a breach is detected. It is the intelligence an attacker would use to plan, stage, and execute an assault, viewed through the lens of the defender.

Core Focus and Purpose

PCI shifts the security mindset from reactive defense (firewalls, patching, incident response) to proactive threat anticipation. Its primary goal is to identify and remediate the digital clues, vulnerabilities, and leaked data that enable targeted attacks, removing the reconnaissance material an attacker would plan from.

1. External Attack Surface Mapping

PCI begins with the continuous discovery of all organization-owned internet-facing assets. This includes authorized and unauthorized resources:

  • Shadow IT: Identifying unknown or unmanaged servers, domains, cloud storage buckets, and open ports.

  • Vulnerabilities: Cataloging exposed services, unpatched software, and misconfigurations that are visible from the outside.

  • Third-Party Risk: Discovering the digital footprint and security posture of vendors and partners who have access to the primary organization's systems.

2. Digital Risk and Identity Exposure

This involves monitoring the non-technical, human elements that attackers use for social engineering and account takeover:

  • Credential Leakage: Actively searching the dark web, hacker forums, and public data dumps for leaked employee or executive corporate credentials (usernames and passwords).

  • Social Engineering Bait: Collecting publicly available personally identifiable information (PII) about executives and high-value employees (e.g., job titles, personal emails, family names, travel plans) that can be used to craft convincing phishing, whaling, or Business Email Compromise (BEC) attacks.

  • Domain and Brand Abuse: Tracking the registration of malicious domains that mimic the organization's brand (typosquatting) or are used for phishing campaigns.
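The brand-abuse monitoring described above is, at its core, a permutation engine: enumerate the lookalike domains an attacker would register and match new registrations against them. The following is an added example of that logic, not ThreatNG's code; the brand name "mycompany", the owned-domain set, the keyword list and the sample domains are all constructed for illustration. It also generalizes slightly beyond the text by catching typos through edit distance rather than only the enumerated variants.

```python
"""Brand-domain permutation detector (added example; not ThreatNG's code).

Generates the lookalike domains a phishing actor would register for a brand
(keyword combinations, single-character typos, digit-for-letter homoglyphs,
TLD swaps) and classifies a newly observed domain against them.  The brand,
owned domains, keyword list and sample domains below are constructed.
"""

BRAND = "mycompany"                        # assumed brand label
OWNED = {"mycompany.com"}                  # assumed legitimately owned domains
TLDS = ["com", "net", "org", "co", "io"]   # TLDs worth watching
KEYWORDS = ["login", "secure", "sso", "mail", "support", "hr"]
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "a": "4", "e": "3", "s": "5"}


def keyword_variants(label):
    """brand-login, login-brand, brandlogin, loginbrand for each keyword."""
    for kw in KEYWORDS:
        yield f"{label}-{kw}"
        yield f"{kw}-{label}"
        yield f"{label}{kw}"
        yield f"{kw}{label}"


def homoglyph_variants(label):
    """Swap one letter for a visually similar digit (o -> 0, l -> 1, ...)."""
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            yield label[:i] + HOMOGLYPHS[ch] + label[i + 1:]


def typo_variants(label):
    """Omission, doubling and transposition of a single character."""
    for i in range(len(label)):
        yield label[:i] + label[i + 1:]
        yield label[:i] + label[i] * 2 + label[i + 1:]
        if i + 1 < len(label) and label[i] != label[i + 1]:
            yield label[:i] + label[i + 1] + label[i] + label[i + 2:]


def generate_watchlist(brand=BRAND, tlds=TLDS):
    """Full set of lookalike domains to feed into registration monitoring."""
    labels = set()
    for gen in (keyword_variants, homoglyph_variants, typo_variants):
        labels.update(gen(brand))
    labels.add(brand)                      # the brand itself under other TLDs
    return {f"{lbl}.{tld}" for lbl in labels for tld in tlds} - OWNED


def edit_distance(a, b):
    """Levenshtein distance; catches typos the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND, owned=OWNED):
    """Return the abuse category for a domain, or None if it looks unrelated.

    Assumes single-label public suffixes (example.com, not example.co.uk).
    """
    domain = domain.lower().strip(".")
    parts = domain.split(".")
    if len(parts) < 2:
        return None
    registrable = ".".join(parts[-2:])
    if registrable in owned:
        return None                        # www.mycompany.com etc. are ours
    label = parts[-2]
    if label == brand:
        return "tld_swap"
    if label in set(keyword_variants(brand)):
        return "keyword"
    if label in set(homoglyph_variants(brand)):
        return "homoglyph"
    if edit_distance(label, brand) <= 1:
        return "typo"
    if brand in domain:                    # e.g. login.mycompany.com.evil.net
        return "contains_brand"
    return None


if __name__ == "__main__":
    # Constructed "newly registered" domains, as a registration feed would list them.
    for d in ["mycompany-login.com", "myc0mpany.com", "mycompamy.com",
              "mycompany.net", "login.mycompany.com.evil.net", "example.com"]:
        print(f"{d:35} {classify(d)}")
```

The watchlist from generate_watchlist() is what you would submit to a certificate-transparency or zone-file monitor; classify() is the check you run on each new domain that monitor reports. Multi-label public suffixes (co.uk, com.au) need a public suffix list before the registrable label can be picked out, which this example deliberately leaves out.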

3. Threat Actor Reconnaissance

This component involves gathering contextual intelligence about specific adversaries or campaigns that may target the organization's industry or region.

  • Threat Actor Chatter: Monitoring hacker forums and closed communities for discussions, intentions, or sale of exploits specific to the organization's technology stack (e.g., a specific unpatched VPN server).

  • Targeted Narrative: Identifying the beginnings of misinformation or disinformation campaigns aimed at damaging the company's brand, a concept known as Narrative Risk.

In summary, Pre-Compromise Intelligence provides the security team with an adversary's view of their target, allowing them to close critical exposure gaps—from a forgotten open port to a leaked CEO password—before that information can be successfully weaponized in a compromise.

ThreatNG's capabilities are specifically structured to provide Pre-Compromise Intelligence (PCI) by giving the security team the same external, unauthenticated view of their organization that an attacker would use to plan an attack. This intelligence allows the organization to proactively identify and close exposure gaps before they can be weaponized.

External Discovery and Continuous Monitoring

ThreatNG provides the foundation for PCI through its external discovery and continuous monitoring.

  • External Discovery: The platform can perform purely external, unauthenticated discovery without any connectors. This means it mimics an attacker's reconnaissance by mapping the organization's entire external digital footprint, identifying all internet-facing assets and their underlying technologies. This uncovers Shadow IT and forgotten assets before attackers do.

    • Example of ThreatNG Helping: ThreatNG's Subdomain Intelligence uses DNS enumeration to discover a forgotten, unmonitored subdomain, dev-test.mycompany.com. The server behind it was never decommissioned and is still running an old, unsupported WordPress content management system. This is a critical PCI gap: an unmonitored, unpatched, internet-facing server is a low-cost entry point for an attacker to gain initial access and establish persistence, and nobody is watching it.

  • Continuous Monitoring: The platform continuously monitors the external attack surface, digital risk, and security ratings. This ensures that new exposures, such as a recently opened sensitive port or a new leaked credential, are identified immediately, closing the time window an attacker has to use the information.

External Assessment for PCI

ThreatNG performs several external assessments that serve as Pre-Compromise Intelligence, highlighting vulnerabilities and exposures from the adversary's perspective.

  • Breach & Ransomware Susceptibility: This assessment is calculated based on factors like exposed sensitive ports, exposed private IPs, known vulnerabilities, and compromised credentials on the dark web. These are the exact pieces of information an attacker needs for a compromise.

    • Example of Assessment: ThreatNG identifies a known vulnerability (CVE) on a publicly accessible server through its Domain Intelligence. Concurrently, the Dark Web Presence repository shows an increase in activity from a prominent ransomware gang targeting that specific vulnerability. This pre-compromise intelligence allows the team to prioritize patching the vulnerability before it is exploited, directly reducing the Ransomware Susceptibility score.

  • Cyber Risk Exposure: This score considers exposed sensitive ports and known vulnerabilities. It also factors in Code Secret Exposure, which scans public code repositories for sensitive data.

    • Example of Assessment: ThreatNG's Code Secret Exposure module discovers a public GitHub repository containing an Amazon AWS Access Key ID. This is a major PCI finding: the key ID identifies an IAM principal, and if the matching secret access key was committed alongside it (as it typically is in leaked configuration files), the pair is all an attacker needs to call the AWS API as that principal. The team can immediately deactivate and rotate the key and remove the secret from the repository, including its commit history, since deleting the file from the current tree does not remove earlier commits, pre-empting a cloud breach.
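What a code-secret scan of the kind described above actually does is pattern-match file contents and then triage by what co-occurs in the same file. The block below is an added example of that, not ThreatNG's module or GitHub's own scanning; the sample repository snapshot is constructed, and the AWS values in it are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Public-repository secret scanner (added example; not ThreatNG's code).

Scans file contents for AWS access key IDs, AWS secret access keys assigned
near a recognisable variable name, and PEM private keys, then triages each
file: a key ID next to its secret is critical, a key ID alone is medium
(it names a principal but cannot authenticate by itself).  The sample files
are constructed; the AWS values are the placeholders AWS uses in its own
documentation, not live credentials.
"""
import re

PATTERNS = [
    # "AKIA" + 16 upper-case alphanumerics is the long-term access key ID format.
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    # 40-char secret assigned to a variable whose name contains the AWS secret label.
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\W{0,5}([A-Za-z0-9/+=]{40})\b")),
    ("private_key",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)")),
]

SAMPLE_FILES = {  # constructed repository snapshot: path -> contents
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "docs/README.md": "Export AWS_ACCESS_KEY_ID, e.g. AKIAIOSFODNN7EXAMPLE, before running.\n",
    "src/app.py": "def main():\n    return 'hello'\n",
}


def mask(value):
    """Keep enough of a secret to identify it in a ticket without re-leaking it."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"


def scan_file(path, text):
    """Return one finding per pattern hit, with line number and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "value": mask(m.group(1))})
    return findings


def scan_repo(files):
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


def triage(findings):
    """Severity per file, based on which secret types co-occur in it."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f["path"], set()).add(f["kind"])
    severity = {}
    for path, ks in kinds.items():
        if "private_key" in ks or {"aws_access_key_id", "aws_secret_access_key"} <= ks:
            severity[path] = "critical"   # directly usable credential material
        elif "aws_secret_access_key" in ks:
            severity[path] = "high"       # secret without its ID; the ID may sit elsewhere
        else:
            severity[path] = "medium"     # key ID only: names a principal, look for its secret
    return severity


if __name__ == "__main__":
    found = scan_repo(SAMPLE_FILES)
    for f in found:
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['value']}")
    print(triage(found))
```

Two things the sample deliberately shows: the README hit is a documentation placeholder, so a key ID on its own stays at medium until an analyst confirms it, and a real scan must be run over every commit (git log -p), not only the checked-out tree, because the settings file in this snapshot would still be recoverable from history after it is deleted.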

Investigation Modules and Intelligence Repositories

The granular data collected by ThreatNG's investigation modules and repositories is the raw material for PCI.

  • Investigation Modules (Domain Intelligence and Subdomain Intelligence): These are used to find specific technical exposure gaps. The Subdomain Intelligence module identifies exposed sensitive ports and Content Identification such as Emails and User Names.

    • Example of Module Helping: The Domain Intelligence module, through Domain Name Permutations, detects the registration of a new typosquatting domain, mycompany-login.com, which combines the brand with a keyword like "login". The security team sees this and preemptively issues a company-wide alert about the malicious domain before the attacker can launch a phishing campaign, removing most of the domain's value as an initial access vector.

  • Intelligence Repositories (DarCache): These are continuously updated and provide the crucial context of threats actively circulating outside the organization.

    • DarCache KEV: The KEV (Known Exploited Vulnerabilities) repository highlights vulnerabilities that are actively being exploited in the wild. This allows the security team to prioritize remediation of vulnerabilities that pose an immediate, proven threat.

    • Example of Repository Helping: A server identified during external discovery has a critical vulnerability listed in DarCache NVD. The team also sees that it is listed in DarCache KEV. This pre-compromise context provides objective evidence that the risk is not theoretical but an imminent, proven threat, justifying the immediate allocation of resources to patch the server and close the gap.

Cooperation with Complementary Solutions

ThreatNG's PCI is highly valuable when cooperating with internal security solutions.

  • Cooperation with Security Monitoring (SIEM/XDR) Solutions: ThreatNG's discovery of exposed sensitive ports (like an RDP port) and the associated Compromised Credentials from the DarCache Rupture repository provides critical risk context. This PCI can be fed into a Security Monitoring solution (such as Splunk or Microsoft Defender XDR) as lookup data for high-priority correlation rules. If the monitoring solution then sees an authentication attempt against that specific exposed port with a username that appears in the leaked credential set, it can alert the security team immediately and, where the platform supports response actions, block the session, stopping a compromise in progress. Note that authentication logs record the username, not the password, so the rule correlates on the leaked account name; the leaked password should be reset regardless.

  • Cooperation with Vulnerability & Risk Management (GRC) Solutions: ThreatNG's External GRC Assessment identifies external security and compliance gaps and maps these findings directly to frameworks like NIST CSF and GDPR. This validated external view of compliance gaps can be forwarded to an internal Vulnerability & Risk Management solution (such as those from vendors like Tenable or Qualys). This ensures that internal remediation efforts are not based solely on an internal scan but are prioritized according to the real-world external exposure identified by ThreatNG, thereby maximizing the efficiency of risk mitigation.
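The SIEM correlation rule sketched above is a join between two external-intelligence lookups and the authentication log. The following added example shows that join in plain Python, not as ThreatNG's or any SIEM vendor's code; the exposed-endpoint list and leaked-username set stand in for what an attack surface scan and a dark-web credential feed would export, and the JSON-lines events use documentation IP ranges and made-up accounts. In a real deployment the same logic is a lookup join in SPL or KQL.

```python
"""Correlation rule joining PCI context with authentication events
(added example; not ThreatNG's or any SIEM vendor's code).

The exposed-endpoint list and leaked-username set stand in for what an
external attack surface scan and a dark-web credential feed would export;
the JSON-lines auth events are constructed (documentation IP ranges,
made-up users).
"""
import json
from collections import Counter

# Constructed PCI context (hypothetical hosts and accounts).
EXPOSED_ENDPOINTS = {("203.0.113.10", 3389), ("203.0.113.22", 22)}   # RDP, SSH
LEAKED_USERS = {"jdoe", "svc-backup"}

# Constructed authentication events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T10:00:01Z","src_ip":"198.51.100.7","dst_ip":"203.0.113.10","dst_port":3389,"user":"JDoe","outcome":"failure"}
{"ts":"2024-05-01T10:00:03Z","src_ip":"198.51.100.7","dst_ip":"203.0.113.10","dst_port":3389,"user":"jdoe","outcome":"success"}
{"ts":"2024-05-01T10:01:00Z","src_ip":"198.51.100.9","dst_ip":"203.0.113.10","dst_port":3389,"user":"mallory","outcome":"failure"}
{"ts":"2024-05-01T10:02:00Z","src_ip":"10.0.0.5","dst_ip":"10.0.0.8","dst_port":3389,"user":"jdoe","outcome":"success"}
{"ts":"2024-05-01T10:03:00Z","src_ip":"198.51.100.9","dst_ip":"203.0.113.22","dst_port":22,"user":"svc-backup","outcome":"failure"}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def correlate(events, exposed=EXPOSED_ENDPOINTS, leaked=LEAKED_USERS):
    """Exposed endpoint + leaked username is the critical combination.

    Usernames are compared case-insensitively because logs record the name
    as typed; the password itself never appears in the log, so the join is
    on the account name only.
    """
    alerts = []
    for ev in events:
        endpoint = (ev["dst_ip"], int(ev["dst_port"]))
        if endpoint not in exposed:
            continue                      # internal auth: leave to baseline rules
        user = ev["user"].lower()
        if user in leaked:
            severity = "critical" if ev["outcome"] == "success" else "high"
            reason = "leaked credential used against externally exposed service"
        elif ev["outcome"] == "failure":
            severity = "medium"
            reason = "failed logon against externally exposed service (possible spraying)"
        else:
            continue                      # ordinary success by an unlisted account
        alerts.append({
            "ts": ev["ts"], "severity": severity, "user": user,
            "src_ip": ev["src_ip"], "endpoint": f"{endpoint[0]}:{endpoint[1]}",
            "reason": reason,
        })
    return alerts


def summarize(alerts):
    """Alert count per severity, for a dashboard tile or a quick sanity check."""
    return Counter(a["severity"] for a in alerts)


if __name__ == "__main__":
    hits = correlate(parse_events(SAMPLE_EVENTS))
    for a in hits:
        print(f"{a['ts']} {a['severity']:8} {a['user']:12} {a['src_ip']:15} "
              f"-> {a['endpoint']}  {a['reason']}")
    print(dict(summarize(hits)))
```

The fourth sample event is the same leaked account logging on to an internal host and is intentionally not alerted here: that path belongs to the normal baseline rules, while this rule is scoped to the externally reachable services the attack surface scan reported. The successful logon from the leaked account on the exposed RDP port is the "compromise in progress" case and is the one that should drive an automated session block.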
