Investigation Methodology

This page describes how we investigate digital exposure: where we look, how a finding becomes a verified entry in a report, and how an engagement moves from first enquiry to delivery. It is methodology first, process second. Sales pages live elsewhere.

Where we look

All public-source reconnaissance collapses into four quadrants. Each quadrant maps to a distinct class of source, with its own access pattern, verification cost, and decay rate.

Source map: four reconnaissance quadrants Four quadrants — Brokers, Breaches, Social, and Forums — covering the public-source surface we search for an investigation. 01 Brokers — 150+ people-search platforms — commercial aggregators — EU, UK, US, NL registries 02 Breaches — credential dumps — stealer log corpora — combo lists + paste indices 03 Social — current + dormant profiles — historical post archives — username re-use patterns 04 Forums — marketplaces + leak indices — Tor + clearnet boards — targeted-group channels

Source map · 4 quadrants · evaluated each engagement

We do not purchase data. We do not access accounts without authorisation. Breach corpora are queried on a first-party consent basis — you authorise us to search records associated with your own identifiers, and the raw data is never transferred to you.

How a finding becomes a report

Every entry that appears in a report passes through four sequential gates. Each gate has a published time budget so the schedule is honest before it starts.

Investigation pipeline: four sequential gates Discovery, then Cross-reference, then Verification, then Report. A finding cannot move forward until it clears the gate before it. 01 Discovery ~12 hr 02 Cross-reference ~12 hr 03 Verification ~12 hr 04 Report ~12 hr

Pipeline · 48-hr Snapshot Scan SLA · longer engagements scale per stage

A finding cannot move forward until it clears the gate before it. Discovery is breadth: collect candidate hits across the four quadrants. Cross-reference compares each candidate against at least one independent source. Verification applies confidence scoring; uncertain entries are flagged, not dropped. Report structures findings by category and risk priority, then ships via encrypted channel.

From enquiry to delivery

An engagement is a sequence of four moments. Most enquiries begin at stage one and never need stages three or four — that is a feature, not a defect.

  1. Snapshot Scan

    The starting point. A 1-page exposure summary delivered within 48 hours, free of charge. We check public sources, breach databases, people-search platforms, and the data broker surface. If there is nothing significant to report, we say so. If there is, the summary names the categories of exposure and which service, if any, addresses them.

  2. Qualification

    After reviewing the Snapshot Scan, you may enquire about a specific service. We respond within 24 hours by email. For straightforward cases we confirm scope and provide payment instructions directly. For larger engagements (Shield, Eraser, Corporate Audit) we move to a written proposal.

  3. Proposal

    A written proposal sets fixed scope, fixed price, and fixed delivery timeline. There are no hourly rates and no scope creep. If the engagement requires more than the proposal anticipated, we say so before the work expands; you decide whether to extend.

  4. Delivery

    Findings are delivered via encrypted channel on the agreed date. Reports are structured, source-attributed, and ranked by risk priority. Case data is cryptographically deleted within 48 hours of acceptance. There is no automatic upsell at the end of an engagement.

Sample report

A redacted Mirror report illustrates the format. Categories, risk classifications, and source attributions are visible; client identifiers are removed. The asset is in preparation and will replace the placeholder below in a follow-up release.

Verification standard

A finding is included in a report only when it can be attributed to a verifiable source. We do not speculate or infer. If a data point is uncertain, it is marked unverified and flagged for follow-up. Confidence levels are noted for each finding category.

Report structure

Reports are organised by source category (brokers, breaches, social, forums, search-engine, corporate records) and by risk priority (high, medium, low, informational). Each section includes:

We do not include raw screenshots of sensitive data unless explicitly requested. Report format is structured text delivered via encrypted channel.

Scope and limitations

An investigation covers what is findable at the time of search. Dark web data in particular is volatile — findings may change between search and report delivery. We document what is present, not what may have existed previously.

We do not:

Data handling and communication

Information you provide is used solely to conduct the requested investigation. Case findings are cryptographically deleted within 48 hours of delivery acceptance. We do not store, sell, or share client data. Default communication is encrypted email; PGP and Proton are supported on request. Full details: Data Purge Policy.

Our ethical framework: Ethics Code.

Further reading

Data Purge Policy Full details on data retention, deletion procedures, and storage standards.
Ethics Code The ethical framework governing all engagements.
Sample Report Structure An illustrative example of report format and findings categories.

See this methodology applied to your own exposure

Request a Snapshot Scan A 1-page summary within 48 hours. No commitment.