Latest News

Hiding in Plain Sight: The Growing Value of Surface Web Threat Intelligence

The deep and dark web do not have a monopoly in online threats – something businesses must be aware of now more than ever, writes Karl Swannie, Founder of Echosec Systems

Deep and dark websites are often considered a mecca of open-source intelligence for digital security. 

The marketplaces, forums, paste sites, and other sites on these networks can provide valuable information about tactics, techniques, and procedures targeting organisations and industries. They can also host early breach indicators in the event of a compromise, and support other security use cases like misinformation or executive threats. 

Risks have now also become increasingly apparent on the surface web, including mainstream and less-regulated social media sites. Security strategies need to consider a variety of surface, deep, and dark web sources in concert, as adversaries invariably leave breadcrumbs across these spaces. Without involving the surface web with equal scrutiny as more covert networks, security teams risk overlooking critical risks and context.

Why is the surface web a valuable intelligence source, and how can security operations seamlessly integrate relevant data?

Why Surface Web Threat Intelligence Matters

More often than not, adversaries pivot between surface, deep, and dark web networks rather than sticking to a single webspace. The traces of information left behind can provide valuable context to security teams – whether they are managing cyber risks or handling executive protection.

Surface web sources are crucial for monitoring these breadcrumbs, hosting a variety of compromising activities. For example:

  • Sensitive information, such as photos of workplace IDs and facility floor plans, are frequently posted on social networks like Twitter and Reddit. While these can be posted innocently, this information can easily migrate across the web and be exploited by threat actors who can use it to compromise digital or physical security.
  • Patterns of life posted online by high-profile personnel, such as executives, is useful for threat actors deploying social engineering and phishing strategies.
  • Deep and dark web users are sometimes traceable to surface web usernames and accounts, which can be valuable for investigating cyber criminality, theft, and fraud.
  • Social media and other surface web networks host misinformation that could implicate an organization’s cybersecurity and brand reputation.

Less-regulated social platforms, like Telegram or Parler, have also emerged as user-friendly alternatives for dark web-like activities, such as data disclosure. These risks can hide in plain sight as security teams may not have easy access to obscure platforms—or are unaware that they even exist.

Streamlining Online Investigations

If you’re a security analyst, you probably know that Google dorking is not a viable way to collect surface web and social media threat data. Specialised software is required to efficiently gather and process online information relevant to security operations. 

The problem with many of these solutions is that they typically separate different online data sources. For example, this could mean that analysts flip between one tool for gathering dark web data, another for social media sources, and another for technical cybersecurity alerts. This makes it harder to integrate online threat intelligence sources, connect breadcrumbs, and provide deeper context.

To address this gap, security operations managers should not only prioritize surface web data alongside other security feeds—but also invest in a suite of tools that pivot easily between surface, deep, and dark web sources.

This will ensure a more comprehensive security strategy, helping mitigate the staggering costs associated with overlooked security vulnerabilities.

The deep and dark web does not have a monopoly on online threats. In reality, the surface web is significantly larger than the dark web in terms of site traffic, overall size, and for some use cases, threat data. As adversaries expand their digital footprints, security investigations beginning on the surface web usually pivot to the deep and dark web, and vice versa.

As investigations become more complex and overlap more digital channels, security professionals must consider all publicly-available web spaces, and adopt solutions that effectively integrate these sources. In reality, online threats never unfold in digital silos – and neither should your security strategy.

Karl Swannie is the founder of Echosec Systems. Echosec Systems gives security teams a single access point to real-time risk data across a wide range of social media, deep web and dark web networks. To learn more, visit