● Methodology · How we investigate

Investigation Methodology

This page describes how we investigate digital exposure: where we look, how a finding becomes a verified entry in a report, and how an engagement moves from first enquiry to delivery. It is methodology first, process second. Sales pages live elsewhere.

Where we look

All public-source reconnaissance collapses into four quadrants. Each quadrant maps to a distinct class of source, with its own access pattern, verification cost, and decay rate.

Source map: four reconnaissance quadrants Four quadrants — Brokers, Breaches, Social, and Forums — covering the public-source surface we search for an investigation. 01 Brokers — hundreds of people-search platforms — commercial aggregators — EU, UK, US, NL registries 02 Breaches — credential dumps — stealer log corpora — combo lists + paste indices 03 Social — current + dormant profiles — historical post archives — username re-use patterns 04 Forums — marketplaces + leak indices — Tor + clearnet boards — targeted-group channels

Source map · 4 quadrants · evaluated each engagement

We do not purchase data. We do not access accounts without authorisation. Breach corpora are queried on a first-party consent basis — you authorise us to search records associated with your own identifiers, and the raw data is never transferred to you.

How a finding becomes a report

Every entry that appears in a report passes through four sequential gates. Each gate has a published time budget so the schedule is honest before it starts.

Investigation pipeline: four sequential gates Discovery, then Cross-reference, then Verification, then Report. A finding cannot move forward until it clears the gate before it. 01 Discovery ~12 hr 02 Cross-reference ~12 hr 03 Verification ~12 hr 04 Report ~12 hr

Pipeline · 48-hr Snapshot Scan SLA · longer engagements scale per stage

A finding cannot move forward until it clears the gate before it. Discovery is breadth: collect candidate hits across the four quadrants. Cross-reference compares each candidate against at least one independent source. Verification applies confidence scoring; uncertain entries are flagged, not dropped. Report structures findings by category and risk priority, then ships via encrypted channel.

From enquiry to delivery

An engagement is a sequence of four moments. Most enquiries begin at stage one and never need stages three or four — that is a feature, not a defect.

  1. Snapshot Scan

    The starting point. A two-page exposure summary delivered within 48 hours, free of charge. We check public sources, breach databases, people-search platforms, and the data broker surface. If there is nothing significant to report, we say so. If there is, the summary names the categories of exposure and which service, if any, addresses them.

  2. Qualification

    After reviewing the Snapshot Scan, you may enquire about a specific service. We respond within 24 hours by email. For straightforward cases we confirm scope and provide payment instructions directly. For larger engagements (Shield, Eraser, Corporate Audit) we move to a written proposal.

  3. Proposal

    A written proposal sets fixed scope, fixed price, and fixed delivery timeline. There are no hourly rates and no scope creep. If the engagement requires more than the proposal anticipated, we say so before the work expands; you decide whether to extend.

  4. Delivery

    Findings are delivered via encrypted channel on the agreed date. Reports are structured, source-attributed, and ranked by risk priority. Case data is cryptographically deleted within 48 hours of acceptance. There is no automatic upsell at the end of an engagement.

Sample report

A redacted Mirror investigation report illustrates the format. Categories, risk classifications, and source attributions are shown; client identifiers are removed. The executive summary is available without a gate; the full report requires an email address.

View sample report →

Verification standard

A finding is included in a report only when it can be attributed to a verifiable source. We do not speculate or infer. If a data point is uncertain, it is marked unverified and flagged for follow-up. Confidence levels are noted for each finding category.

Report structure

Reports are organised by source category (brokers, breaches, social, forums, search-engine, corporate records) and by risk priority (high, medium, low, informational). Each section includes:

  • What was found
  • Where it was found (source category, not necessarily URL)
  • Risk classification
  • Recommended action

We do not include raw screenshots of sensitive data unless explicitly requested. Report format is structured text delivered via encrypted channel.

Scope and limitations

An investigation covers what is findable at the time of search. Dark web data in particular is volatile — findings may change between search and report delivery. We document what is present, not what may have existed previously.

We do not:

  • Conduct penetration testing or active technical scanning
  • Access accounts without authorisation
  • Purchase data from brokers or forums
  • Retain findings beyond 48 hours of delivery acceptance

Data handling and communication

Information you provide is used solely to conduct the requested investigation. Case findings are cryptographically deleted within 48 hours of delivery acceptance. We do not store, sell, or share client data. Default communication is encrypted email; PGP and Proton are supported on request. Full details: Data Purge Policy · Ethics Code.

Further reading

Policy Data Purge Policy

Full details on data retention, deletion procedures, and storage standards.

 Policy Ethics Code

The ethical framework governing all engagements: consent, legality, and do-no-harm.

 Example Sample Report Structure

An illustrative example of report format and findings categories.
Questions

Methodology FAQs

Investigations draw from four source quadrants — open public sources, breach and leak corpora, the data broker surface, and platform-specific records — and run through a four-stage pipeline: Discovery, Cross-reference, Verification, and Report. A finding cannot move forward until it clears the gate before it. The 48-hour Snapshot Scan applies the same pipeline at a faster cadence; longer engagements scale per stage.

A finding is included only when it can be attributed to a verifiable source. Each candidate is compared against at least one independent source during the Cross-reference stage, and confidence scoring is applied during Verification. Uncertain entries are flagged as unverified rather than dropped or asserted. We do not speculate or infer.

An engagement runs in four stages. Snapshot Scan: a free two-page exposure summary delivered within 48 hours. Qualification: a response within 24 hours confirming scope or moving to a written proposal for larger engagements. Proposal: fixed scope, fixed price, fixed delivery timeline — no hourly rates, no scope creep. Delivery: structured, source-attributed findings ranked by risk priority, delivered via encrypted channel. Most enquiries resolve at stage one and never need stages three or four.

We do not conduct penetration testing or active technical scanning, access accounts without authorisation, purchase data from brokers or forums, or retain findings beyond 48 hours of delivery acceptance. An investigation covers what is findable at the time of search; dark web data is volatile and findings may change between search and report delivery.

Information you provide is used solely to conduct the requested investigation. Case findings are cryptographically deleted within 48 hours of delivery acceptance. We do not store, sell, or share client data. Default communication is encrypted email; PGP and Proton are supported on request. Full retention and deletion procedures are documented in the Data Purge Policy.

See this methodology applied to your own exposure.

A two-page summary within 48 hours. No commitment.

Request a Snapshot Scan

Free · 48-hour delivery · Data purged after delivery