# Risk Signals Detected

The *<mark style="color:green;">Surface Web Monitoring</mark>* layer produces findings tied to exposed data, brand misuse, and signs of operational risk found in publicly accessible sources. These signals help identify early traces of compromise, misconfiguration, or abuse that may escalate if left unaddressed.

Findings in this layer typically fall into one of the following categories:

* <mark style="color:green;">**Leaked credentials and sensitive files**</mark>**:** authentication keys, passwords, API tokens, internal documentation, and configuration files exposed through public code repositories like GitHub or embedded in company websites.
* <mark style="color:green;">**Exposed APIs and data schemas**</mark>**:** public access to Swagger/OpenAPI specs or Postman collections that reveal the structure of internal systems, sensitive endpoints, or production data samples.
* <mark style="color:green;">**Open cloud storage**</mark>**:** public S3, GCP, or Azure buckets that inadvertently expose log files, backups, or confidential documents.
* <mark style="color:green;">**Brand impersonation and misleading domains**</mark>**:** look-alike domains registered to exploit visual or keyboard similarity with official assets, often used in phishing or fraud campaigns.
* <mark style="color:green;">**Certificate and DNS anomalies**</mark>**:** new TLS certificates or subdomains linked to monitored brands, which may indicate shadow infrastructure or asset misuse.

Each finding is linked to a specific risk category, such as phishing, data leakage, infrastructure exposure, or brand fraud, and is enriched with supporting evidence and context to aid investigation and response.
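
To make the look-alike domain category concrete, the following added example (not the product's own detection logic) classifies newly observed domains against a monitored brand as visually similar or keyboard-adjacent. The confusables map, the same-row QWERTY adjacency, the comparison of only the leftmost label, and the sample domains are all constructed assumptions.

```python
# Small constructed subsets, not a complete confusables table (assumption).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Same-row neighbours only (assumption: covers common slipped-key typos).
ADJACENT = {ch: set(row[max(0, i - 1):i] + row[i + 1:i + 2])
            for row in QWERTY_ROWS for i, ch in enumerate(row)}


def label_of(domain):
    """Leftmost label, lowercased, with punycode (xn--) decoded to Unicode."""
    label = domain.strip().lower().split(".")[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    return label


def skeleton(label):
    """Collapse confusable sequences so visually similar labels compare equal."""
    for src in sorted(HOMOGLYPHS, key=len, reverse=True):
        label = label.replace(src, HOMOGLYPHS[src])
    return label


def classify(brand, candidate):
    """Return 'visual', 'keyboard', or None for candidate versus brand."""
    b, c = label_of(brand), label_of(candidate)
    if b == c:
        return None  # identical label (official asset or TLD variant): not scored here
    if skeleton(b) == skeleton(c):
        return "visual"
    if len(b) == len(c):
        diffs = [(x, y) for x, y in zip(b, c) if x != y]
        if len(diffs) == 1 and diffs[0][1] in ADJACENT.get(diffs[0][0], ()):
            return "keyboard"
    return None


# Constructed sample input: domains observed for the brand "example.com".
OBSERVED = ["examp1e.com", "exarnple.com", "exanple.com", "example.org", "unrelated.net"]


def findings(brand, observed):
    """Map each flagged domain to the kind of similarity that triggered it."""
    return {d: kind for d in observed if (kind := classify(brand, d))}
```

Calling `findings("example.com", OBSERVED)` flags the first three sample domains and leaves `example.org` and `unrelated.net` unflagged.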

