Findings
The Findings feature represents the core output of Inopli DRP’s threat detection engine. Each finding is the result of active surveillance across multiple layers of the internet (surface, deep, and dark web) and is produced when content is matched against elements from the organization's monitoring profile.
Monitoring inputs may include corporate domains, names and identifiers of VIPs, internal project names, sensitive strings, and keywords associated with infrastructure, clients, or proprietary data. Once a match is detected, it is processed through enrichment and validation routines to determine its legitimacy and severity.
Findings serve as the central intelligence object of the DRP workflow. They are not static records but dynamically enriched entities that support decision-making and escalation. Verified findings automatically integrate with the Response module, allowing operations teams to initiate containment, attribution, or takedown procedures when applicable.
The system ensures full traceability for each finding by associating metadata such as detection source, confidence level, enrichment context, matching rule (when applicable), and timestamps. Every finding also includes the raw evidence, which can be reviewed by analysts for verification or false positive dismissal.
Detection Categories
Findings are classified according to the source and type of exposure. The following categories are supported:
Exposed Credentials – Leaked username/password pairs found in public pastes, dumps, or chat logs.
Leaked Documents – Internal presentations, spreadsheets, contracts, or technical documents referencing the company’s domain or VIP names.
Cloud Bucket Exposure – Files publicly accessible in cloud storage (such as Amazon S3, Azure Blob, or similar services) that contain sensitive or proprietary content.
Phishing & Lookalike Domains – Domains that imitate official company websites, including typo-squatting and phishing kits.
VIP Mentions – Sensitive or malicious references to executive names or internal personnel in open or criminal forums.
Sensitive Strings Detected – Predefined strings (e.g., internal project names, client references, tokens, credentials) detected in web pages, code, or chats.
Threat Actor Discussions – Targeted discussions involving the brand, products, infrastructure, or VIPs in threat actor communities or deep web sources.
Code Repository Exposure – Exposure of keys, tokens, employee emails, or internal comments in public Git repositories.
Dark Web Artifacts – Data related to the company found in dark web marketplaces, leaks, or ransomware listings.
Clone Alerts (JS Probe) – Sites that have embedded the Inopli JavaScript and were detected as clones based on its unauthorized propagation.
Automated Rule Matches – Findings generated from correlation rules created by analysts using Structured, XML, YARA, or Sigma detection logic.
Lifecycle
Each finding passes through the following stages:
Ingestion – Raw evidence is collected from open, dark, and proprietary sources.
Correlation – Content is matched against the company’s monitoring profile.
Enrichment – Metadata is added (WHOIS, DNS, internal feeds, etc.).
Classification – Automated severity scoring and tagging.
Response – If marked as a true positive, the finding triggers an incident in the Response module.
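The stages above, reduced to a runnable sketch. This block is an added example, not Inopli's code: it uses a constructed monitoring profile and constructed evidence items, correlates each item against the profile, derives a little enrichment context, scores severity, and emits finding records carrying the traceability metadata listed earlier (detection source, confidence, matching rule, enrichment, timestamp, raw evidence). The domain, project name and credential strings are all invented.

```python
import re
from datetime import datetime, timezone
# Constructed monitoring profile for a hypothetical organization (not real data).
PROFILE = {"domains": ["acme-corp.example"], "sensitive_strings": ["Project Falcon"]}
# Constructed raw evidence as (source layer, text) pairs, standing in for ingestion.
EVIDENCE = [
    ("surface", "New login portal at acme-c0rp.example, please verify your account"),
    ("dark", "dump: jdoe@acme-corp.example:Passw0rd! jsmith@acme-corp.example:hunter2"),
    ("deep", "anyone selling internal docs on Project Falcon?"),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def finding(category, source, rule, confidence, severity, text, enrichment):
    # One finding record with the traceability metadata an analyst needs to verify it.
    return {"category": category, "source": source, "matching_rule": rule,
            "confidence": confidence, "severity": severity, "enrichment": enrichment,
            "detected_at": datetime.now(timezone.utc).isoformat(), "raw_evidence": text}

def correlate(source: str, text: str) -> list:
    """Correlation, enrichment and classification for one piece of raw evidence."""
    hits = []
    for dom in PROFILE["domains"]:
        creds = re.findall(rf"[\w.+-]+@{re.escape(dom)}:\S+", text)
        if creds:  # leaked user:password pairs for a monitored domain
            hits.append(finding("Exposed Credentials", source, f"cred:{dom}", "high",
                                "high", text, {"accounts": len(creds)}))
        for cand in re.findall(r"\b[\w-]+\.[a-z]{2,}\b", text):
            d = edit_distance(cand, dom)
            if 0 < d <= 2:  # close to a monitored domain but not identical
                hits.append(finding("Phishing & Lookalike Domains", source, f"lookalike:{dom}",
                                    "medium", "medium", text, {"edit_distance": d}))
    for s in PROFILE["sensitive_strings"]:
        if s.lower() in text.lower():  # mentions in criminal sources score higher
            sev = "high" if source in ("deep", "dark") else "medium"
            hits.append(finding("Sensitive Strings Detected", source, f"string:{s}",
                                "high", sev, text, {}))
    return hits

def run_pipeline(evidence=EVIDENCE) -> list:
    return [f for src, txt in evidence for f in correlate(src, txt)]
```

Findings that an analyst confirms as true positives would then be handed to the Response module; a real deployment would replace the inline enrichment with WHOIS, DNS and internal feed lookups.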