Intelligence Methodology

Business Risk Score

A composite indicator derived from automated analysis across six risk categories. Published for transparency -- the framework is open even where individual signal weights remain confidential to protect score integrity.

Version 2.1 -- March 2026
Risk Classification Bands (4 Tiers)

  • 80 -- 100: Critical
    Active credential exposure confirmed across multiple breach databases. Infrastructure vulnerabilities detected with known exploits. Immediate remediation required to prevent unauthorized access.
  • 60 -- 79: High
    Significant exposure detected across credential and infrastructure categories. Breach history and security misconfigurations present exploitable attack surface. Priority remediation recommended within 30 days.
  • 35 -- 59: Moderate
    Limited credential exposure or infrastructure findings. Security controls are partially implemented but gaps exist in coverage. Standard remediation timelines apply with monitoring recommended.
  • 0 -- 34: Low
    Minimal or no detectable external exposure across monitored sources. Security controls are properly configured. Continued monitoring recommended to maintain posture against emerging threats.

Risk bands are calibrated against a representative North American SMB baseline. A score of 0 indicates no detectable external exposure across monitored sources. Scores are point-in-time assessments and will change as new breaches are disclosed, infrastructure is modified, or intelligence feeds are updated.

How Signals Combine (Weighted Composite)

Each scan produces dozens of discrete observations. Findings are categorized, weighted by demonstrated severity in real-world incidents, and combined into a single 0-100 indicator. Categories below are listed in order of typical contribution -- credential and infrastructure findings carry the most weight because they represent the most direct paths to compromise.

  1. Credential Exposure
     Confirmed presence of domain-linked credentials in breach databases, paste sites, and dark web monitoring. Higher weight reflects that exposed credentials translate to direct account compromise.

  2. Infrastructure Vulnerability
     Misconfigurations, missing security controls, and exploitable weaknesses on externally visible infrastructure. Findings are weighted by severity, with criticals carrying substantially higher impact than informational notes.

  3. Threat Intelligence
     Domain or IP correlation with malware activity, phishing campaigns, abuse reports, and known exploitable vulnerabilities. Each correlation indicates active or recent threat activity rather than theoretical risk.

  4. Exposure Surface
     Shadow IT, leaked credentials in public code, lookalike domains, and unmonitored assets that extend the attack surface beyond what an organization typically tracks.

  5. Regulatory Signals
     Government breach notification filings, fraud alert correlations, and consumer protection records that indicate prior incidents or active enforcement attention.

  6. Identity Verification
     A baseline contribution applied to entities verified in public business registries, ensuring confirmed organizations register a non-zero score that reflects discoverability by threat actors.

Per-signal weight values and source counts are not published. Disclosing exact weights would permit gaming -- adversaries motivated to suppress an organization’s score could optimize against the published values without addressing the underlying exposure. The framework above is sufficient to interpret any score we publish.
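To make the composite mechanics concrete (per-finding accumulation across categories, a verified-entity baseline, rounding, the 0-100 cap, and band classification), here is an added example scorer. It is not LeakTrace's implementation: the category weights, severity multipliers and baseline value are invented assumptions, since the real values are unpublished. Only the band thresholds are taken from this page.

```python
"""Illustrative weighted composite scorer modelled on the framework described
on this page. Added example, not LeakTrace's code: CATEGORY_WEIGHTS,
SEVERITY_MULTIPLIER and VERIFIED_ENTITY_BASELINE are assumed values; BANDS
uses the published thresholds."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# ASSUMED points contributed by a single finding in each category, ordered to
# follow the page's typical-contribution ranking. The numbers are invented.
CATEGORY_WEIGHTS: Dict[str, float] = {
    "credential_exposure": 12.0,
    "infrastructure_vulnerability": 8.0,
    "threat_intelligence": 6.0,
    "exposure_surface": 4.0,
    "regulatory_signals": 3.0,
}

# ASSUMED severity scaling for infrastructure findings; the page states only
# that criticals weigh substantially more than informational notes.
SEVERITY_MULTIPLIER: Dict[str, float] = {
    "critical": 1.0, "high": 0.5, "medium": 0.25, "low": 0.125, "info": 0.0625,
}

# ASSUMED baseline applied to entities verified in public business registries.
VERIFIED_ENTITY_BASELINE = 5.0

# Published classification bands: (inclusive lower bound, label), high to low.
BANDS = [(80, "Critical"), (60, "High"), (35, "Moderate"), (0, "Low")]


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str = "critical"  # only consulted for infrastructure findings


def contribution_breakdown(findings: Iterable[Finding],
                           verified_entity: bool = False) -> Dict[str, float]:
    """Uncapped points per category. Every finding accumulates, so broader
    exposure yields a proportionally higher raw total."""
    totals = {name: 0.0 for name in CATEGORY_WEIGHTS}
    totals["identity_verification"] = VERIFIED_ENTITY_BASELINE if verified_entity else 0.0
    for f in findings:
        if f.category not in CATEGORY_WEIGHTS:
            raise ValueError(f"unknown category: {f.category}")
        scale = 1.0
        if f.category == "infrastructure_vulnerability":
            scale = SEVERITY_MULTIPLIER[f.severity]
        totals[f.category] += CATEGORY_WEIGHTS[f.category] * scale
    return totals


def raw_score(findings: Iterable[Finding], verified_entity: bool = False) -> float:
    """Sum of all category contributions before rounding and capping."""
    return sum(contribution_breakdown(findings, verified_entity).values())


def business_risk_score(findings: Iterable[Finding], verified_entity: bool = False) -> int:
    """Displayed score: the raw total rounded to an integer and bounded to 0-100."""
    return max(0, min(100, round(raw_score(findings, verified_entity))))


def classify(score: int) -> str:
    """Map a displayed score to its published risk band."""
    for lower, label in BANDS:
        if score >= lower:
            return label
    raise ValueError("score must be >= 0")


# Constructed sample: a registry-verified SMB with three leaked credential sets,
# three infrastructure findings of mixed severity, one threat-feed correlation
# and two exposure-surface findings.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("credential_exposure"), Finding("credential_exposure"), Finding("credential_exposure"),
    Finding("infrastructure_vulnerability", "critical"),
    Finding("infrastructure_vulnerability", "high"),
    Finding("infrastructure_vulnerability", "medium"),
    Finding("threat_intelligence"),
    Finding("exposure_surface"), Finding("exposure_surface"),
]

if __name__ == "__main__":
    for name, pts in contribution_breakdown(SAMPLE_FINDINGS, verified_entity=True).items():
        print(f"{name:30s} {pts:6.1f}")
    s = business_risk_score(SAMPLE_FINDINGS, verified_entity=True)
    print(f"score={s} band={classify(s)}")
    # Cap demonstration: many high-weight findings overshoot 100 in the raw sum.
    many = [Finding("credential_exposure")] * 10
    print("raw", raw_score(many, True), "-> displayed", business_risk_score(many, True))
```

With the assumed weights the sample entity scores 69 (High); ten credential findings alone produce a raw total of 125 that is displayed as the capped 100 (Critical), and a verified entity with no findings carries only the baseline and stays in the Low band, which is the behaviour the page describes for the cap and the verified-entity baseline.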

Intelligence Categories (Six Categories)

Credential Intelligence

Monitors breach databases, dark web repositories, and paste sites for exposed credentials linked to the assessed domain.

  • Breach database monitoring and correlation
  • Domain-level breach source analysis
  • Dark web and paste site monitoring
  • Employee email discovery and enumeration
  • Credential pattern analysis and validation
  • Email address enumeration engine

Infrastructure Assessment

Evaluates externally visible infrastructure for misconfigurations, missing security controls, and exploitable weaknesses.

  • SSL/TLS certificate chain analysis
  • Security header audit and grading
  • DNS configuration audit
  • Email authentication validation (DMARC/SPF/DKIM)
  • Open port and service scanning
  • Domain registration and WHOIS analysis
  • Subdomain enumeration
  • Historical DNS analysis
  • Security posture grading

Threat Intelligence

Cross-references domain and IP data against threat intelligence feeds, malware engines, and reputation databases.

  • CVE and vulnerability detection
  • Malware detection engine analysis
  • IP abuse and reputation scoring
  • Malware distribution URL detection
  • Phishing database correlation
  • DNS blacklist monitoring
  • Service banner and fingerprint analysis

US Regulatory

Searches federal and state databases for breach notifications, fraud alerts, and corporate registration data.

  • Federal breach notification databases
  • National fraud alert monitoring
  • Federal corporate registry lookups
  • Intellectual property record searches
  • Securities filings analysis
  • Provincial business registries
  • Financial services regulatory data

Historical Intelligence

Analyses historical records to identify changes in infrastructure, ownership, and security posture over time.

  • Web archive analysis and comparison
  • Historical DNS record tracking
  • Certificate transparency log analysis
  • Domain registration history
  • Hosting provider change detection

Exposure Surface

Identifies shadow IT, code leaks, and exposure vectors that extend beyond the primary domain.

  • Public code repository scanning
  • Search engine exposure analysis
  • Lookalike domain detection
  • Shared hosting and co-tenancy analysis
  • Visual site capture and comparison

Methodology Principles

  • External Sources Only
    All data is collected from external, publicly accessible sources only. LeakTrace does not access internal systems, networks, or endpoints. The assessment reflects what an external attacker could discover through open-source intelligence techniques.
  • No Internal System Access
    Scans are non-intrusive by design. No authentication attempts, no penetration testing, no internal network probing. All findings are based on what is already exposed to the public internet.
  • Scores Capped at 100
    The raw sum of multiple high-weight signals may exceed the theoretical maximum, but the displayed score is bounded to the 0-100 range. Signals scale and accumulate per finding, so organizations with broader exposure receive proportionally higher scores.
  • FTC and State Privacy Law Compliant
    All scanning activity is compliant with FTC data security guidelines and applicable state privacy laws. Robots.txt directives are respected where applicable.
  • Secure Data Policy
    LeakTrace handles all data in accordance with our Privacy Policy. No passwords, hashes, or full email addresses are exposed in reports. Only metadata required for threat assessment is processed.
  • North American Data Residency
    All scan data and customer records are stored on infrastructure located within North America. Processing remains within North American jurisdiction to satisfy data sovereignty requirements for regulated industries.
  • Point-in-Time Assessment
    Scores reflect the state at the time of scanning. Risk posture changes as new breaches are disclosed, infrastructure is modified, or threat intelligence feeds are updated. The methodology is versioned and auditable -- scoring weight changes are documented and applied prospectively.
  • Verified Entity Baseline
    A baseline contribution applies to any entity with a verified US business registration, ensuring confirmed organizations have a non-zero score that reflects the discoverability of their corporate identity in public registries before additional risk signals are applied.

LeakTrace Intelligence · getleaktrace.com