How does Mentions in data breach protect your company?
When sensitive information related to your business appears in large-scale data breaches — especially ransomware leaks — the Axur Platform identifies these mentions and registers a detection in the Data Leakage workspace.
Instead of alerting on generic leaked datasets, this product focuses on evidence that clearly references your company or its critical data, helping you understand what was exposed, where, and in what context.
This contextual visibility enables faster internal investigations and stronger responses to extortion, fraud, insider risk, and operational exposure.
Which companies benefit from this monitoring?
Any organization concerned about information being exposed during or after a breach can benefit, particularly those that:
Work with third parties and want visibility into indirect exposure.
Require business impact assessments and risk awareness when a supplier suffers a breach.
Store corporate or customer information that could be accessed during ransomware attacks.
Investigate attacks leveraging stolen internal data or proprietary information.
Mentions in data breach is especially useful for companies that:
Might be targeted by ransomware or data exfiltration.
Need to quickly assess exposure and prioritize incident response.
Want to monitor operational data such as:
Employee or customer information;
Internal documentation (projects, invoices, strategies);
Confidential files or identifiers;
System configurations or source references;
How does Mentions in data breach differ from other Axur products?
Axur provides multiple intelligence solutions that complement each other but focus on different types of cyber risk:
Mentions in data breach
Identifies confidential corporate information inside ransomware leaks and breach files.
Provides direct evidence of data already in attackers’ hands and helps assess the impact of a breach.
Credentials exposure
Monitors for compromised login credentials of employees or customers.
Helps prevent unauthorized access and account takeover attacks.
CTI (Threat & Exposure Intelligence)
Delivers intelligence on emerging threats, attackers, and exploited vulnerabilities.
Supports proactive defense and prioritization of risks before an incident.
Threat Hunting
Allows analysts to manually search across Axur’s intelligence datasets for indicators linked to specific investigations.
Ideal for targeted queries linked to ongoing cases or hypotheses.
How does the platform work?
Every time Axur collects a new ransomware leak or breach package, all files are automatically analyzed using our intelligence pipeline.
If a file contains references relevant to your company, a detection is created in the Data Leakage workspace.
The detection details include:
Sample of the relevant content found.
File name and breach source information.
Metadata of the leak, including publication dates and identifiers.
Access to download the original file (when permitted).
Advanced filtering enables quick triage and grouping by breach, date, affected asset, and other available parameters.
You may also export your current view to a CSV file if deeper offline investigation is required.
How to set up your monitoring
Mentions in data breach relies on your organization’s monitored assets to determine what should trigger a detection, such as corporate names and domains that uniquely reference your business in leaked files.
To ensure accurate monitoring, go to the Monitoring settings page and review the registered assets:
Brand (corporate name, brand name and variations, tax identifiers)
Domain
The richer and more complete your monitored asset list is, the better the platform becomes at detecting relevant exposures in breach packages.
At the moment, no additional configuration or rules are required. Monitoring is automatically enabled for assets that are already monitored by one of the following products:
Other Sensitive Data
Code Secret Leaks
User/Employee Credentials
Once assets are registered, you will start receiving detections whenever they appear in leaked files collected by Axur.
Granting user access to the detections
Access to Mentions in data breach is managed through the My Team settings on the Axur Platform.
To grant access:
Navigate to Settings → My Team
Select the user you want to update
Enable permissions under Access to Data Leakage Detections
Viewers can analyze detections but cannot modify them. If a viewer needs editing permissions, you can use a Custom role with the grant Edit status, tags and others in data leakage detections.
How to identify important information: source, context, and sample content
When selecting a detection, a side panel opens with all key information:
Source – Where the leak was published (ransomware site, forum, marketplace).
Context – Short description of the breach and incident background.
Mentioned Sample – Extracts helping analysts understand why the detection matters.
File Information – Name, type, download links.
This single-panel investigation view accelerates internal response and correlation with ongoing incidents.
Accessing files and performing investigations
Every relevant file generates one detection, independent of the number of assets mentioned within that file.
If the breach contains multiple files referencing your organization, you will see multiple detections that can be:
Investigated individually.
Grouped by the same breach event.
Exported for offline data enrichment.
Files remain available for one year after collection, respecting download usage and legal boundaries. Automated or bulk unauthorized downloading is not permitted.
Please be advised that all files are provided as collected and have not been inspected for malware. Axur strongly recommends utilizing a Sandbox environment during investigation.
What is the life cycle of a detection?
Detections follow a standard workflow:
New → Just identified, requires analysis.
In Treatment → Under internal triage or investigation.
Solved → Addressed and no further action required.
Discarded → Not relevant or intentional exposure.
You may also add tags and notes to customize your organization’s workflow.
What are the sources?
The product continuously monitors:
Ransomware Leak Sites
Deep & Dark Web Communities
Data Brokerage Platforms
Marketplaces offering leaked corporate information
Other curated intelligence sources
Coverage evolves as threat actors change tactics and new platforms emerge.
Which file types are supported?
Mentions in data breach is designed to process a wide variety of file formats commonly found in ransomware leaks and large-scale data breaches.
We currently support:
Plain text files like .txt, .sql, .csv, .md and others
Spreadsheets in .xls or .xlsx
Office documents .doc and .docx
Compressed files like zip, tar, rar, 7z and others
Some formats like PDFs are under development and may be included in future releases.
What to do after a detection?
Recommended actions include:
Validate whether exposed files contain sensitive or confidential data.
Engage internal incident response teams if operational risk is identified.
Notify internal owners of the impacted systems or business units.
Review security controls around the leaked content and origin systems.
Update risk assessments for third-party systems if the exposure originates externally.
Add context in the platform and change status to reflect progress.
If the breach indicates an active attack, escalate immediately.
It is not possible to request a takedown of the original leak, because ransomware groups publish data outside legal jurisdictions.
How to prevent exposure of sensitive information?
Reducing exposure risk can be achieved by:
Continuously updating and patching systems and applications.
Securing access to internal documentation and file repositories.
Implementing strong encryption and proper permission management.
Reviewing relationships with third-party providers and vendors.
Conducting employee security awareness programs.
Regularly auditing data that shouldn’t be externally stored or shared.
While breaches may still happen, having proactive controls reduces the likelihood of data being exfiltrated — and lowers the impact if it is.
API
API endpoints for this product are under development.
Documentation will be released when the feature becomes available.
Webhooks
Webhook notifications for creation and update of detections are on our roadmap. These will allow near real-time integration into your workflow.
Documentation will be released when the feature becomes available.
Safelist
Mentions in data breach does not have a safelist at the moment.