SoftLeak Enterprise is a continuous breach, credential, and attack-surface intelligence platform built for security operations, threat intelligence, fraud, and compliance teams. Monitor your workforce, customers, domains, and third-party supply chain against 15.01 B+ records sourced from breach dumps, combolists, stealer logs, paste sites, and dark-web forums — delivered via API, SIEM, SOAR, or secure portal.
Stolen credentials, exposed PII, and compromised domains circulate on forums, stealer channels and paste services daily. Security teams need a single, lawful, enterprise-grade place to see their exposure — before an attacker strings it into an account takeover.
SoftLeak Enterprise was built by security researchers who spent too many incident reviews watching attackers exploit credential reuse that should have been caught months earlier. We consolidate the world's verified public breach corpus into a single defensive intelligence surface — so your SOC learns about an exposed employee credential before it appears in a successful login.
We serve exactly one mission: give defenders the time, context, and data to act first.
"Breach data is not the threat — the silence around it is. A compromised credential sitting unnoticed for six months is a successful intrusion waiting for a login. Our job is to end the silence."
Eight core intelligence surfaces, unified under one API, one portal, one contract. Designed to feed your existing SOC tooling, not replace it.
Continuous monitoring of workforce and customer credentials across 15 B+ records — breach dumps, combolists, stealer logs, and paste sites.
Core CapabilityWatch every corporate domain and subdomain. Get alerts when new leaks reference your infrastructure, employees, or customer-facing assets.
Core CapabilityNamed-identity watchlists for executives, board members, and high-risk staff. Alerting on personal email, phone, and alias exposure.
EnterpriseCorrelate vendor and partner exposure to your own risk. Know when a supplier breach introduces credentials that reach your environment.
EnterpriseDedicated ingest pipeline for infostealer logs (RedLine, Raccoon, StealC, Vidar). Surface session cookies, saved credentials, and host context.
Premium FeedMonitoring of closed forums, Telegram leak channels, and marketplace listings that mention your brand, domains, or employees.
Premium FeedSub-15-minute alerting on new exposures, delivered to email, webhook, Slack, Teams, PagerDuty, Jira, Opsgenie, and custom endpoints.
Core CapabilityImmutable audit log of every query, every result viewed, and every user action. Exportable for SOC 2, ISO 27001, and internal review.
GovernanceBuilt to meet the procurement, legal, and operational bar of enterprise buyers.
Native integration with Okta, Azure AD / Entra ID, Google Workspace, Ping, OneLogin, and any SAML 2.0 IdP. SCIM provisioning on Enterprise.
Granular RBAC with custom roles. Separate analyst, investigator, administrator, and auditor permissions. Cell-level data access policies.
RESTful API with token and mTLS authentication. Per-endpoint rate limiting. Webhook delivery with HMAC signing and retry.
Upload domains, emails, usernames, and phone numbers by the thousand. Continuous monitoring with delta-only alerting.
Pre-built connectors for Splunk, Microsoft Sentinel, Elastic, Chronicle, Sumo Logic, QRadar, Cortex XSOAR, Tines, and Torq.
Per-case workspaces with evidence pinning, shared notes, chain-of-custody timestamps, and exportable investigation packages.
Export to CSV, JSON, and STIX 2.1 for threat-intel sharing. Per-export watermarking and audit trail.
Choose EU or US processing region. Optional private, single-tenant deployment. No cross-region replication without consent.
BYOK support for at-rest encryption of your account-specific watchlists and investigation data (on Enterprise Plus).
Named customer success manager, dedicated threat-intel engineer, and direct Slack / Teams channel during business hours.
Around-the-clock response for P1 incidents with a 30-minute acknowledgement SLA. Direct line to on-call analyst.
Named-customer QBR covering exposure trends, coverage, tuning, roadmap input, and upcoming threat landscape briefings.
One platform, four practitioners. Each with first-class tooling.
Turn credential exposure into an actionable signal inside your SIEM. Correlate new leaks with authentication logs, detect credential reuse, and short-circuit account takeover before it converts into a successful login.
Cut mean-time-to-detect on credential-based intrusion from months to minutes.
Enrich your internal TI platform with breach and credential context. Hunt across the largest consolidated breach corpus available commercially, and share findings in STIX 2.1 with ISACs, partners, and internal sharing groups.
Operationalise raw leak data into finished intelligence.
Score incoming account sign-ups, logins, and transactions against known compromised credentials and stealer logs. Block account takeover, synthetic identity, and reseller fraud at the edge before it hits your book.
Reduce chargeback, friction, and ATO loss in a single signal.
Demonstrate continuous control over credential exposure for SOC 2, ISO 27001, PCI DSS, HIPAA, DORA, and NIS2. Immutable audit logs, exportable evidence, and a signed Data Processing Addendum out of the box.
Turn breach monitoring into audit-ready evidence.
Controls, certifications, and contractual commitments that hold up under procurement, legal, and regulator scrutiny.
Annual audit covering Security, Availability, and Confidentiality TSCs.
Certified ISMS covering information security management and risk treatment.
EU data processing under Art. 28 DPA with Standard Contractual Clauses.
California Consumer Privacy Act processor obligations and contractual controls.
Control mapping to Identify, Protect, Detect, Respond, Recover, and Govern.
Control alignment for scoped use in cardholder data environments.
AES-256 at rest, TLS 1.3 in transit. Customer-managed KMS keys available on Enterprise Plus.
Choose EU or US processing region. No cross-region replication without explicit consent.
Annual third-party pentest and continuous, bounded crowdsourced testing programme. Summary report available under NDA.
Published VDP with scoped legal safe harbour for good-faith security research. Coordinated disclosure only.
Every query, every export, every administrative action is logged, hash-chained, and exportable.
Active-active multi-AZ infrastructure. RPO ≤ 15 min, RTO ≤ 4 h. Annually tested DR plan.
Tiered access, identity verification, and use-case attestation. Abusive use results in immediate suspension under the MSA.
You own your watchlists and investigation data. 30-day deletion SLA on written termination request.
Fits where your security data already lives.
Annual contract, custom-scoped volume, signed MSA & DPA. No seat-tax games, no feature-gated nonsense — the full security platform, from day one.
If yours isn't here, our sales engineering team will answer it under NDA.
No. This is an enterprise-only offering, sold under annual agreement with a signed MSA and DPA. Minimum seat and volume commitments apply. We do not sell seats or API access to individuals.
Customers choose either EU (Frankfurt) or US (Virginia) processing regions. Data does not cross the chosen region without explicit, logged consent. A single-tenant, air-gapped deployment is available as a professional-services engagement on Enterprise Plus.
Yes. Every Enterprise contract is executed with our standard DPA and, where applicable, the 2021/914 Standard Contractual Clauses. Customer redlines are reviewed by counsel within five business days. A reviewable DPA template is provided during procurement.
Yes. SOC 2 Type II report, ISO 27001 certificate, most-recent third-party penetration test summary, and our annual internal audit summary are available under a mutual NDA through the Enterprise Portal or on request from your account team.
Access is gated by contract, verified business identity, named users, RBAC, and immutable audit logs. All queries are logged with user, IP, timestamp, and purpose attestation. Patterns consistent with stalking, doxxing, unauthorised access, or resale are contractually prohibited and trigger immediate suspension and, where appropriate, referral to law enforcement.
Yes — a 30-day scoped POC with a named technical success engineer is available for qualified enterprise buyers. POCs are delivered under a short-form evaluation agreement and use either anonymised corpus samples or your own domains / identities, at your choice.
Single-tenant deployment in your preferred AWS, Azure, or GCP tenant is available on Enterprise Plus as a professional-services engagement. Fully air-gapped deployment is available for qualifying public-sector and critical-infrastructure customers.
SoftLeak operates a published Vulnerability Disclosure Policy (VDP) with scoped legal safe harbour for good-faith security research. Researchers may contact [email protected] with a PGP-encrypted report. We commit to acknowledgement within 72 hours and a coordinated disclosure timeline. CVE assignment is supported for qualifying findings.
Tell us about your team and we'll schedule a 30-minute technical briefing with an engineer — NDA on request, commercial terms sent after scoping.
Your submission is routed directly into our Enterprise admin panel and picked up by the on-duty sales engineer.
Prefer email? [email protected]