Credential abuse is the leading initial-access vector for breaches at 22 percent, ahead of vulnerability exploitation (20 percent) and phishing (16 percent), per the Verizon 2025 Data Breach Investigations Report. In the EU-specific dataset, phishing accounts for 60 percent of observed initial intrusions (ENISA Threat Landscape 2025). And 54 percent of organisations hit by ransomware in 2024 had domains visible in pre-existing credential dumps before the breach, with 40 percent showing corporate email addresses among the compromised credentials (DBIR 2025). The credential layer is not adjacent to account takeover. It is the path.
The Lockdown is the credential-and-account-takeover tier of our investigation work. It includes the full Mirror investigation as foundation (seven deliverables covering the publicly-findable surface), then adds seven Lockdown-specific deliverables that work the credential side: corporate leak investigation, credential pair analysis, stealer log exposure mapping, pastebin and dark forum reference search, account takeover risk assessment, personalised security recommendations, and 24 to 48 hour analyst support after delivery. Five business days end to end. €995 fixed.
This article walks the methodology: how a Lockdown investigation runs from intake to delivery, what each stage produces, and where it routes when the Lockdown is the wrong tool. It is the sister piece to How a Mirror Investigation Runs, which covers the Mirror foundation. The service page sits at /the-lockdown; this is the methodology view between it and /methodology.
A note on the examples in this article. Where this article shows example findings, they are drawn from internal analyst self-audits run on team members’ own digital footprints, with explicit consent. No client engagement is referenced, summarised, or excerpted, including in redacted form. Client findings are cryptographically deleted within 48 hours of delivery acceptance and remain off-limits to all internal use after that, including editorial. This is the Data Purge Policy applied without exceptions.
Intake: what we ask for, and what we don’t
What the client provides at intake: full name, primary email addresses, primary username (or usernames if the person carries multiple identifiers across platforms), country of residence, a short list of services they actively use, and one specific to Lockdown: employer name and corporate email pattern. Without the employer field, the corporate leak investigation quadrant cannot run.
What we never ask for: passwords. MFA codes. Account access. Financial details (account numbers, balances, tax identifiers). The client’s authentication state stays out of the firm’s hands. This is a hard rule. We do not hold credentials, we do not test credentials, we do not store credentials.
The engagement gate is the same as the Mirror. Signed informed consent plus identity verification. This closes the misuse-as-stalking-tool gate at the front door. It also activates the third-party constraint: any depth-OSINT on third parties (employer staff, family members, ex-partners, business associates) requires explicit secondary consent, either from those persons themselves or from the engaging client’s organisation if it holds those rights. The contract a client signs does not transfer rights they do not personally hold.
The 24 to 48 hour priority-support window opens on delivery. Analyst access for follow-up questions on the report is part of the package. Five business days from intake to first delivery; then the support window for questions about findings, sequencing of remediation actions, or risk-state interpretation.
Stage 1 — Discovery (Day 1 to 2): casting two nets
Stage 1 produces a candidate worksheet, not findings. It runs in two halves that mirror the service-page split: Mirror foundation work and Lockdown additions.
Half A: identity-surface enumeration (Mirror foundation).
Identifier surface. Username and email pivots across the platforms the client actively uses, plus the older platforms the username records suggest they once used. Username correlation is well-documented as a methodology; we do not redo that walkthrough here. The deep dive is in our Username and Alias Correlation article.
Account-existence surface. Which platforms acknowledge an account on the client’s email. Some of this is direct (the platform exposes a “user already exists” signal at registration). Some is indirect (recovery flows that disclose partial state). And one pivot specific to the consumer ecosystem: Google-linked accounts surfaced via public signals: services the client logged into with their Google account at some point, sometimes years ago, that the client may not remember consenting to. The Discovery quadrant inventories which Google-linked services exist on the client’s account; whether any of those services are still active and worth attention is decided in Stage 2.
Social-OSINT surface. Public profile assessment plus the photo and avatar inventory. Profile photos and avatars are collected here as targets for Stage 2; reverse-image correlation happens then.
Half B: credential-and-leak enumeration (Lockdown additions).
Public breach corpora. Raw hits across HIBP-class indexes plus the gap layer. HIBP indexes breaches and, separately via dedicated API, stealer-log credential triples (email plus password plus website at login). The Lockdown investigation extends beyond that surface into corpora HIBP does not catalogue, including session-cookie-enriched logs from infostealer families and dark-forum-only dumps. Stealer-log mechanics, infostealer family detail, and the cookie-versus-password distinction are covered in our canonical Stealer Logs article.
Corporate-leak corpus. Breach data cross-referenced against the client’s employer and company name. This is a distinct surface from public consumer breaches. Corporate dumps may include role context, internal email-format patterns, internal employee identifiers, and references to the client by their corporate identity rather than personal one. This is where the intake employer field earns its keep: without it, every breach hit on a corporate-pattern email becomes a guess about whether it relates to this client.
Pastebin and dark-forum reference search. Targeted search for the client’s name, email, and username across paste dumps and closed forum posts. Pastebins are public and indexed; closed forums are not. Both layers carry credential references the public breach corpora miss.
Stealer-log surface. Raw infostealer-log presence. We do not name the corpora we query and we do not publish the query patterns. The stealer-log market has matured into an active criminal supply chain, and disclosure of investigation tooling reduces its operational value. What matters for this article: the stealer-log layer is queried at Stage 1 as raw presence (does this email appear in any stealer log we can see) and pivoted at Stage 2 for cookie freshness and active-account match.
A typical mid-career professional with one employer cross-referenced: 80 to 150 candidate items at end of Stage 1. A heavy email-reuser with multi-employer history: several hundred. None of these is yet a finding. Stage 2 work decides which survive.
Stage 2 — Cross-reference (Day 2 to 3): pivots that turn candidates into findings
Stage 2 is where structured Lockdown work distinguishes itself from running breach checkers. It runs in the same two halves.
Half A: identity-surface pivots.
Profile-photo and reverse-image correlation. The same avatar appearing across LinkedIn, a forum account, and a leak-source photo establishes a high-confidence link between three identity surfaces. The pivot is well-documented in OSINT practice. We acknowledge limits: stock images defeat it, AI-generated photos defeat it, and clients who use distinct images per platform partially defeat it. When it works, it consolidates fragmented identity surfaces into one coherent map.
Posting-cadence and EXIF correlation. Posting timezones inferred from cadence (consistent posts at 09:00 and 21:00 local time on weekdays suggest an Amsterdam-aligned schedule), EXIF GPS in publicly posted images, device strings from photo metadata. We frame this pivot from the defender posture, not as instruction. What matters for the report is what an attacker could derive from the same public surface, and where the client’s own posting behaviour is leaking schedule, location, or device context.
Half B: credential-state pivots.
Credential-pair viability. Whether a leaked password is still in use against a still-active account. The methodology stays abstract by design. We use first-party regulator-style indicators and platform-published exposure signals; we do not attempt authentication. We do not log into the client’s accounts to test passwords. We never have. No analyst is permitted to.
Corporate-leak-to-employer-account pivot. Internal email-format patterns from corporate dumps cross-referenced against current-employer SSO surfaces and active-platform logins. This is where Half-B work finds value the breach checkers miss: a credential pair from a 2019 corporate dump may still be live in 2026 if the email format has not changed and the client reused that password on a personal SaaS service that did not force rotation. The DBIR 2025 finding (54 percent of 2024 ransomware victims had domains in pre-existing credential dumps; 40 percent had corporate email addresses in those compromised credentials) sits exactly here. Corporate credential exposure is not just an organisational risk; it is a personal-and-corporate fusion risk.
Stealer-log to active-account match. A stealer-log hit means very different things depending on cookie freshness and which sites have rotated session secrets in the leak window. A 2022 stealer-log hit on a service that forced credential rotation in 2023 is documented past exposure. The same hit on a service that did not force rotation, where the client’s password also appears in 2024 corpora unchanged, is active risk.
Subscription-dashboard contrast. This kind of cross-reference is what subscription “dark web monitoring” services do not do. Those services alert on hits. The Lockdown investigation alerts on hit-state versus rotation. The economic comparison is in our Dark Web Monitoring article.
End of Stage 2: rejection log. Every candidate that fails cross-reference is recorded with the reason (image is a known stock photo / username is a common dictionary word matched by coincidence / breach is older than the platform’s last forced rotation). Stage 3 and Stage 4 are auditable because Stage 2 is auditable.
Stage 3 — Verification (Day 3 to 4): two scoring axes
Verification inherits the three-tier confidence scale from the Mirror methodology (High, Medium, Unverified; a finding escalates a tier only with independent-source corroboration). The Lockdown adds a second axis specific to credential state.
Confidence axis (3-tier). High: two or more independent sources confirm the finding. Medium: one source plus indirect corroboration. Unverified: present but not confirmed; appears in the report as candidate-state only.
Risk-state axis (3-tier). Active: credential pair likely usable now (recent exposure, no platform-forced rotation in the window, password appears in current corpora). Latent: credentials present but not validated against live signals (older exposure, no recent corroboration, but not superseded). Superseded: platform forced credential rotation in the leak window, or the client has rotated since.
The two axes work together. A finding can be high-confidence superseded (well-documented exposure that has already been remediated): documentation, no action required. A finding can be medium-confidence active (likely live exposure, single-source): immediate priority despite single-source confidence. A finding can be high-confidence latent (well-documented but its current usability is unclear): targeted follow-up question to the client about whether the relevant account is still in use.
Worked example, category-only: an email plus password pair appearing in two independent stealer-log corpora (high confidence) on a SaaS service the client confirms they no longer use, where the platform forced credential rotation in 2024 (superseded). Outcome: archived in the report. No action.
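The two-axis scoring above, the stealer-log rotation logic from Stage 2, and the session-revocation point from Stage 4, as an added example written for this article (not the firm's own tooling or register schema): a small scorer that assigns confidence and risk state to a finding, derives a disposition and action list, and orders the register so urgent items read first. The Finding fields, the one-year "recent" window and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical finding record; field names are this example's assumptions.
@dataclass
class Finding:
    account: str
    sources: int                       # independent corpora showing the pair
    indirect_corroboration: bool       # e.g. same username/avatar seen elsewhere
    exposed: date                      # most recent exposure date observed
    platform_rotation: Optional[date]  # platform-forced rotation date, if any
    client_rotated: bool               # client has changed the password since
    in_current_corpora: bool           # unchanged password seen in recent dumps
    session_cookie: bool = False       # stealer-log hit carried a session cookie

def confidence(f: Finding) -> str:
    # Confidence axis: High / Medium / Unverified
    if f.sources >= 2:
        return "High"
    if f.sources == 1 and f.indirect_corroboration:
        return "Medium"
    return "Unverified"

def risk_state(f: Finding, today: date) -> str:
    # Risk-state axis: Active / Latent / Superseded
    forced = f.platform_rotation is not None and f.platform_rotation >= f.exposed
    if f.client_rotated or forced:
        return "Superseded"
    recent = (today - f.exposed).days <= 365  # one-year 'recent' window: assumption
    if recent and f.in_current_corpora:
        return "Active"
    return "Latent"

def triage(f: Finding, today: date) -> dict:
    c, r, actions = confidence(f), risk_state(f, today), []
    if r == "Superseded":
        disposition = "archive"
    elif c == "Unverified":
        disposition = "candidate-only"
    elif r == "Active":
        disposition = "immediate"  # immediate even at Medium confidence
        actions += ["rotate password", "enable phishing-resistant MFA (FIDO2)"]
    else:  # Latent
        disposition = "follow-up"
        actions.append("confirm with client whether the account is still in use")
    # A password change alone does not invalidate a stolen session cookie.
    if f.session_cookie:
        actions.append("revoke active sessions at platform level")
    return {"account": f.account, "confidence": c, "risk_state": r,
            "disposition": disposition, "actions": actions}

PRIORITY = {"immediate": 0, "follow-up": 1, "candidate-only": 2, "archive": 3}
def order_register(findings, today: date) -> list:
    # Findings register sorted so the client reads urgent items first
    return sorted((triage(f, today) for f in findings),
                  key=lambda row: PRIORITY[row["disposition"]])

# Constructed sample findings (not client data), scored against a fixed date.
TODAY = date(2026, 3, 1)
SAMPLE = [
    Finding("saas-x", 2, True, date(2023, 5, 2), date(2024, 6, 1), False, False),
    Finding("mail-y", 1, True, date(2025, 11, 10), None, False, True, True),
    Finding("forum-z", 2, False, date(2021, 2, 14), None, False, False),
]
```

The three sample findings map to the three combinations discussed above: high-confidence superseded (archive), medium-confidence active with a session cookie (immediate, including session revocation), and high-confidence latent (follow-up).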
Stage 4 — Report (Day 4 to 5): structuring delivery
Stage 4 is structuring the deliverable. Four blocks.
Findings register by category. Credential exposure, account-takeover risk, social-OSINT exposure, broker presence. Each finding shows confidence tier, risk state, and the independent sources that support it. The format mirrors the Mirror’s findings register so clients who upgrade from Mirror to Lockdown read the same shape with deeper substance.
Account Takeover Risk Assessment. Per the service-page commitment, this names which specific accounts are at realistic risk and explains why. Not generic advice. The risk assessment maps the intersection of active-state credentials and current platform exposure, and articulates the specific takeover path each one supports. A finding might read: “Credentials for [SaaS X] appear in two independent corpora (high confidence, active state). The platform did not force rotation in the leak window, and the credentials have not been observed superseded in later dumps. The takeover path is direct authentication. Priority: rotate immediately, then enable phishing-resistant MFA before re-authenticating.”
Country-aware broker section. This is where vocabulary precision matters. People-search platforms (publicly indexed profiles like Spokeo, Whitepages, BeenVerified, regional EU equivalents) are enumerable per individual; we list them with opt-out routing. B2B data brokers (corporate-facing record holders like Acxiom, LexisNexis, Oracle Data Cloud successors) are not enumerable per individual; their records are not publicly viewable, and the firm’s clients cannot directly query them about themselves. Listing those brokers as findings would misrepresent what is lookup-able. Instead, the report routes B2B broker exposure through Article 17 erasure requests under GDPR, with bulk-removal request templates. The mechanic of that routing, and why GDPR’s right-of-access machinery sometimes works as a threat-model surface in its own right, is covered in our Right of Access Reconnaissance article.
The country-aware element matters because the broker ecosystems differ by jurisdiction. The Netherlands and Germany have distinct people-search platforms (and distinct bulk-opt-out paths to B2B brokers) that an Anglosphere-default assumption would miss. The UK has its own DPA-specific routes. The US has the largest people-search exposure surface and the weakest baseline statutory framework; California’s regime is the closest to GDPR-equivalent. The report routes accordingly to the client’s country of residence.
Personalised Security Recommendations and Prioritised Action Plan. Per the service-page commitment: tool and setup advice tied to actual findings, not a generic checklist. If the finding is a plaintext password in a corporate dump, the recommendation names the specific accounts to rotate and the password manager to set up. If the finding is an email in a credential market, the recommendation names which services to lock down first, in what order. Specific actions: credential rotations, MFA upgrades from SMS or push-notification authenticators to phishing-resistant FIDO2 hardware (NIST SP 800-63B-4 §2.2.2 specifies that “verifiers SHALL offer at least one phishing-resistant authentication option at AAL2 ... since phishing is a significant threat vector”), session-revocation walkthroughs at the platform level (because a stealer-log hit may carry a session cookie that a password rotation alone does not invalidate), and the opt-out request set sequenced to the broker section above.
Two-channel encrypted delivery. The report is delivered as an encrypted file via secure portal. The decryption key arrives via a separate channel. Locking the door and leaving the key in is not the firm’s posture. For high-threat-model clients, bespoke delivery is available: in-person briefing, encrypted physical media, or courier with chain-of-custody.
What we don’t do, and why
We do not request, hold, or attempt passwords. The legal exposure is real, the custody risk is real, and the investigative value is zero. Credential-pair viability can be assessed without authentication.
We do not access client accounts. The moment the firm logs in, the surface we are measuring rotates and we lose the picture we came to capture. The client is the only authorised actor against their own accounts.
We do not run automated stealer-log queries through paid commercial dashboards. The Lockdown is human-led work; the chain-of-evidence integrity matters at delivery, and that integrity erodes when the underlying tooling is a black box.
We do not enumerate B2B data brokers per-individual. The firm’s clients cannot directly query Acxiom, LexisNexis, or equivalent B2B record holders about themselves; that surface is reachable only via Article 17 erasure or Article 15 access requests under GDPR. Listing those brokers as findings would misrepresent what is lookup-able. They are routed via the report’s bulk-removal templates instead.
We do not surveil third parties without their explicit consent. Standard public-record due diligence on supplier organisations is in scope; depth-OSINT on named individuals at suppliers, family members, or ex-partners is not, unless those persons or their organisations have engaged the firm directly.
We do not produce financial-fraud monitoring. That is a downstream service after detection, not part of investigation work. The report tells the client what to rotate and in what order; ongoing transactional monitoring is a different engagement entirely.
When the Lockdown is the wrong tool
Active compromise in progress. If the client has an open session on an unknown device, ongoing extortion correspondence, or in-flight wire fraud, the Lockdown is not the tool. Law enforcement first; the Shield engagement carries the active-threat workload. /the-shield is the right entry point. The Lockdown’s five-business-day timeline is incompatible with the active-attack window where every hour matters.
Removal-and-resurfacing rather than credential problem. If the client has previously paid for personal-data removal (DeleteMe, Incogni, equivalent) and the data keeps reappearing, the issue is not a credential investigation. It is a depth removal engagement. /the-eraser is shaped for that work, including the Article 17 follow-through that the Lockdown’s report only routes.
Single-vector exposure. If the client has one breach to investigate, one platform to map, one alias to resolve, the Mirror is the right fit at €595 fixed. The Lockdown’s full credential-corpus and corporate-leak coverage is over-scoped for a single-event investigation. The Mirror to Eraser 30-day fee credit also applies: €595 credited if the client proceeds with an Eraser engagement within 30 days of Mirror delivery.
Closing
The discipline is steady: human-led, fixed-fee, methodology-first. The Lockdown buys the credential-takeover answer that automated breach checkers cannot give. Five business days of structured work, with the candidate-to-finding rejection log audit-ready by delivery.
The 24 to 48 hour priority-support window opens on delivery. Analyst availability for follow-up questions about a specific finding’s risk-state, sequencing of remediation actions, or clarification on the country-aware broker routing: included, no upsell. The Lockdown report stands on its own.
Where the findings reveal a deeper exposure surface (active impersonation, ongoing surveillance, broker-resurfacing patterns), the report names the right next tool. The Lockdown is the credential layer; the Shield works active threat; the Eraser works long-term removal. Each engagement is scoped to its own depth.
Sources
Primary regulatory and standards documents
- NIST Special Publication 800-63B-4: Digital Identity Guidelines: Authentication and Authenticator Management (July 2025; supersedes NIST SP 800-63B June 2017, updated March 2020)
- European Data Protection Board: Guidelines 9/2022 on personal data breach notification under GDPR, version 2.0 (adopted 28 March 2023)
Threat-landscape and breach-investigation reports
- ENISA Threat Landscape 2025 (October 2025; reporting period 1 July 2024 to 30 June 2025; 4,875 incidents analysed)
- Verizon 2025 Data Breach Investigations Report, Executive Summary (18th annual edition; 22,052 incidents and 12,195 confirmed data breaches across 139 countries)
Breach corpora coverage reference
- Have I Been Pwned: About and FAQ pages
Sister articles for service routing and methodology context
- How a Mirror Investigation Runs (Mirror methodology, series companion)
- Right of Access Reconnaissance: GDPR Article 15 Gap (Article 17 erasure routing for B2B brokers)
- Stealer Logs: Inside The Credential Market (canonical stealer-log deep dive)
- Is Dark Web Monitoring Worth It? (subscription-dashboard contrast)
- Username and Alias Correlation (username pivot mechanics)