What is the deep web?
The deep web is any part of the internet that search engines like Google or Bing cannot find or index. This means all the content that exists behind passwords, paywalls, or login screens that regular search engines can't access or catalog.
You use the deep web every single day without realizing it. When you check your email, log into your bank account, or access your company's internal systems, you're navigating the deep web. This content isn't hidden for malicious reasons—it's simply private and requires authentication to access.
The deep web makes up the vast majority of internet content. Think of the surface web as the tip of an iceberg, while the deep web represents the bulk beneath the surface. Estimates vary widely—some sources suggest up to 99%—because measuring unindexed content is inherently difficult. What's certain: password-protected databases, private intranets, and authenticated systems vastly outnumber publicly indexed pages.
Common examples of deep web content include:
Your personal email inbox and messages
Online banking portals and financial records
Company intranets and internal documents
Medical records in patient portals
Private social media profiles and messages
Subscription-based academic databases
Password-protected cloud storage files
What is the dark web?
The dark web is a small, intentionally hidden section of the deep web that requires special software to access. Standard browsers like Chrome or Firefox can't access .onion sites by default. You need specialized software like the Tor Browser, which routes your traffic through the Tor network's relay system (entry node → middle relay → exit node) to encrypt your connection and obscure your IP address. Some browser extensions claim to enable .onion access, but the Tor Browser remains the recommended method for security and anonymity.
The dark web was designed for maximum anonymity. When you use Tor, your traffic routes through at least three volunteer-operated relays worldwide, with each relay only knowing the previous and next hop—not the full path. This makes tracing difficult for most adversaries. However, deanonymization is possible: nation-state actors can run malicious exit nodes, conduct timing correlation attacks across the network, or exploit browser vulnerabilities (as demonstrated in FBI operations like Operation Onymous in 2014).
While the dark web has a reputation for illegal activity, it also serves legitimate purposes. Journalists use it to communicate with sources in dangerous situations. Activists in countries with heavy censorship rely on it to access uncensored information and organize safely.
| Feature | Deep Web | Dark Web |
|---|---|---|
Access method | Standard browsers with login credentials | Tor Browser or I2P |
Content type | Private, legitimate data behind authentication | Mix of illegal and privacy-focused content |
Size | Far larger than surface web | Tiny fraction of the deep web |
Anonymity level | Limited—your activity can be tracked | High anonymity by design |
Daily users | Everyone who uses the internet | Small, specific groups |
Indexing status | Not indexed; behind authentication or paywalls | Not indexed; .onion domains only |
Typical examples | Email, banking portals, company intranets, medical records | Hidden forums, leak sites, whistleblower platforms, illicit marketplaces |
Deep web vs dark web: Core differences for security teams
Understanding these differences is crucial for security professionals because each presents distinct challenges and threats. The deep web contains the sensitive data you need to protect, while the dark web is often where that data ends up after a breach.
Scope and scale: The deep web is enormous and contains most of the internet's content. The dark web represents only a tiny fraction of the deep web. According to Tor Project metrics, the Tor network serves thousands of .onion sites at any given time—orders of magnitude fewer than the billions of authenticated deep web pages reachable with a standard browser. The exact count fluctuates as sites appear and disappear.
Access requirements: You access the deep web with normal browsers using passwords or direct links. The dark web requires specialized software and knowledge of specific .onion addresses that look like random strings of characters.
Security focus: For the deep web, security teams focus on access controls, authentication, and preventing unauthorized access to private systems as part of a defense in depth strategy. For the dark web, the focus shifts to threat intelligence—monitoring for stolen data, credentials, and emerging attack methods.
User intent: Deep web users are typically conducting legitimate business—checking email, accessing work systems, or managing personal accounts. Dark web users have varied intentions, from privacy protection to illegal activities.
The key security implication is that attackers often steal data from poorly secured deep web resources and then sell it on dark web marketplaces. This creates a direct connection between your organization's security posture and the underground economy.
Security implications and threat landscape
The real danger for organizations isn't the dark web itself, but how cybercriminals use it as a marketplace for stolen data and attack tools. When attackers breach your systems, they often package and sell that information on dark web forums—with nearly 40,000 posts offering stolen corporate data detected between 2022 and 2023—creating ongoing risks for your business.
Data exposure risks: Sensitive information stored in your private systems can be stolen and sold on dark web marketplaces. This includes customer data, financial records, intellectual property, and internal communications that were never meant to be public.
Credential marketplaces: Underground forums are filled with stolen usernames, passwords, API keys, and access tokens. In 2024 alone, 2.9 billion compromised credentials were identified in underground sources. Attackers buy these credentials to gain initial access to corporate networks and cloud environments, often for just a few dollars per account.
Ransomware operations: The dark web serves as the primary hub for ransomware-as-a-service operations. Criminal groups sell or lease ransomware tools to other attackers, providing the infrastructure needed to launch devastating attacks against businesses.
Supply chain threats: Attackers use dark web channels to sell access to compromised software tools, development pipelines, and third-party services. This creates risks that extend far beyond your direct control.
Identity-aware defense-in-depth: Stolen credentials are only valuable if they grant meaningful access. Implement identity-aware defense by right-sizing cloud entitlements and continuously monitoring effective permissions. Use Cloud Infrastructure Entitlement Management (CIEM) to identify over-privileged accounts—for example, developers with production admin rights when they only need read access to dev environments. Enforce least privilege through IAM policies, Azure RBAC, or GCP IAM conditions. Monitor for privilege escalation attempts and unusual permission usage patterns. When credentials inevitably leak to dark web markets, limited permissions reduce the blast radius and contain potential damage.
The threat landscape is constantly evolving as criminals develop new techniques and share knowledge through these hidden channels, with underground forum breach data sharing increasing by 43% in 2024. What starts as a discussion on a dark web forum can quickly become a widespread attack method targeting organizations worldwide.
Regulatory and compliance implications
When organizational data appears on dark web marketplaces, breach notification and incident response obligations are triggered under multiple frameworks. GDPR Article 33 requires notification to supervisory authorities within 72 hours of breach awareness. HIPAA's Breach Notification Rule mandates notification to affected individuals and HHS for breaches affecting 500+ records. SOC 2 Type II controls (CC7.3, CC7.4) require documented incident response procedures and evidence of timely containment. ISO 27001 controls A.16.1.4 and A.16.1.5 mandate assessment of information security events and response to incidents. State laws like California's CCPA add additional notification requirements. Security teams should work with legal counsel to determine applicable obligations based on data types, affected individuals' locations, and organizational certifications.
Incident response playbook when your data appears on dark web marketplaces
When threat intelligence alerts you to organizational data on the dark web, execute this five-step response:
Identify artifacts and scope: Determine what data was exposed (credentials, customer records, source code, API keys), when the breach likely occurred, and which systems were affected. Preserve forensic evidence.
Revoke and rotate immediately: Invalidate compromised credentials, rotate API keys and tokens, and regenerate certificates. For cloud environments, use AWS Secrets Manager, Azure Key Vault, or Google Secret Manager to automate rotation.
Force re-authentication: Require password resets for affected accounts, terminate active sessions, and implement step-up authentication for sensitive operations. Review and tighten MFA policies.
Block exposure paths: If cloud storage was exposed, enable AWS S3 Block Public Access, Azure Storage firewall rules, or GCP uniform bucket-level access. Use IAM Access Analyzer (AWS) or Azure Policy to detect and remediate public exposure.
Notify and document: Alert legal, compliance, and affected parties according to breach notification requirements (GDPR Article 33, HIPAA Breach Notification Rule, state laws). Document timeline, scope, and remediation for audit trails.
Hunt for credential reuse across cloud accounts, on-premises systems, and third-party services—attackers often test stolen credentials against multiple targets.
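One way to run the credential-reuse hunt from the final step, written as an added example that is not part of the original article: it reads login records from several sources, keeps only events for leaked usernames that occurred after the dump was observed, and flags users tried against more than one system or with any successful login. The log layout, usernames, IPs and timestamps are all constructed assumptions; adapt the parser to your own SIEM export.

```python
# Added example (not from the article): hunt for reuse of leaked usernames across
# several log sources. Log layout, usernames and timestamps are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: usernames found in a hypothetical dark web credential dump, and when
# the dump was first observed. Events before that time are out of scope for the hunt.
LEAKED_USERS = {"j.doe@example.com", "svc-backup"}
LEAK_SEEN_AT = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample lines: "<source> <ISO timestamp> user=<u> result=<r> src=<ip>"
SAMPLE_LOGS = """\
aws-cloudtrail 2024-03-09T08:15:00Z user=j.doe@example.com result=success src=203.0.113.5
vpn 2024-03-10T13:02:11Z user=j.doe@example.com result=failure src=198.51.100.7
vpn 2024-03-10T13:02:40Z user=j.doe@example.com result=success src=198.51.100.7
m365 2024-03-10T13:05:03Z user=j.doe@example.com result=success src=198.51.100.7
aws-cloudtrail 2024-03-11T02:44:19Z user=svc-backup result=failure src=198.51.100.7
gitlab 2024-03-11T02:45:01Z user=a.smith result=success src=192.0.2.9
"""

def parse_line(line):
    """Parse one sample log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    source, ts, *kvs = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in kvs)
    except ValueError:
        return None
    return {"source": source, "when": when, **fields}

def hunt_credential_reuse(logs, leaked_users, leak_seen_at):
    """Summarise post-leak activity per leaked user: systems tried, source IPs, successes."""
    hits = defaultdict(lambda: {"sources": set(), "ips": set(), "successes": 0})
    for raw in logs.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.get("user") not in leaked_users or ev["when"] < leak_seen_at:
            continue
        h = hits[ev["user"]]
        h["sources"].add(ev["source"])
        h["ips"].add(ev.get("src", "?"))
        if ev.get("result") == "success":
            h["successes"] += 1
    # Freeze the sets into sorted lists so the report is deterministic and testable.
    return {u: {"sources": sorted(h["sources"]), "ips": sorted(h["ips"]),
                "successes": h["successes"]} for u, h in hits.items()}

def high_priority(report):
    """Leaked users tried against more than one system, or with any successful login."""
    return sorted(u for u, h in report.items()
                  if len(h["sources"]) > 1 or h["successes"] > 0)

if __name__ == "__main__":
    report = hunt_credential_reuse(SAMPLE_LOGS, LEAKED_USERS, LEAK_SEEN_AT)
    for user in high_priority(report):
        print(user, report[user])
```

On the sample data the pre-leak CloudTrail event is ignored, j.doe is flagged (VPN and M365 from the same IP, two successes), and svc-backup appears in the report with a single failed attempt but is not escalated.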
Threat intelligence and monitoring strategies
You can't defend against threats you don't know exist. Proactive monitoring of dark web activities helps security teams identify potential attacks before they happen and respond quickly when their organization's data appears in underground markets.
Automated threat feeds: Modern security platforms integrate with threat intelligence feeds that continuously collect and analyze data from dark web forums and marketplaces. These feeds use automated crawlers, human intelligence sources, and honeypot operations to gather breach data, credential dumps, and vulnerability discussions—then correlate findings with organizational assets through API integrations to SIEM, SOAR, and CNAPP platforms.
Context-driven prioritization: Dark web threat intelligence generates thousands of alerts—leaked credentials, vulnerability discussions, brand impersonation attempts. Without context, security teams drown in noise. Effective platforms correlate dark web alerts with code-to-cloud context: Is the leaked credential still active? Does it have access to sensitive data? Is the vulnerable software internet-exposed? This graph-based approach connects threat intelligence to exposure paths, data sensitivity, and identity blast radius, enabling teams to act on the highest-impact risks first rather than the loudest signals.
Credential monitoring: Specialized services scan the dark web for leaked employee credentials, API keys, and other authentication tokens. When matches are found, security teams receive immediate alerts to reset passwords and revoke compromised access.
Brand protection: Threat actors often impersonate legitimate companies to launch phishing campaigns or create fraudulent websites. Dark web monitoring services track domain registrations, phishing kits, and brand abuse discussions to enable takedown requests before campaigns launch.
Vulnerability intelligence: New exploits and attack techniques are frequently discussed or sold on dark web forums before they're used in widespread campaigns. Early intelligence about these threats gives you time to patch vulnerabilities and strengthen defenses.
Unified platform benefit: Aggregating threat intelligence, vulnerability data, identity permissions, and data classification in a single security graph reduces mean time to triage (MTTT) and accelerates coordinated response. When a dark web alert fires for leaked AWS keys, a unified platform instantly shows: which IAM user owns the key, what S3 buckets it can access, whether those buckets contain PII, if the key was used recently, and what lateral movement paths exist. This eliminates the manual correlation across five separate tools (threat intel, CSPM, CIEM, DSPM, SIEM) and enables one-click remediation workflows. Security, cloud, and DevOps teams work from the same context, reducing friction and speeding incident resolution.
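To make the correlation described above concrete, here is an added example (not Wiz code) that ranks leaked-key alerts by what each key can reach through a small identity graph: key to IAM user, user to assumable role, principal to bucket, with a data classification on the buckets. The graph, the alert feed, the classification and the scoring weights are constructed assumptions standing in for a real CIEM/DSPM inventory.

```python
# Added example (not Wiz code): rank leaked-key alerts by what each key can reach through
# the identity graph. The graph, data classification and scoring weights are constructed
# assumptions standing in for a real CIEM/DSPM inventory export.
from collections import deque

# Constructed permission graph: node -> nodes it can reach (key -> IAM user, user -> role
# via sts:AssumeRole, principal -> bucket via s3:GetObject).
EDGES = {
    "key:alice-laptop": ["user:dev-alice"],
    "key:ci-runner": ["user:ci-runner"],
    "key:retired-2019": [],                        # deactivated key: no identity behind it
    "user:dev-alice": ["bucket:dev-artifacts"],
    "user:ci-runner": ["role:deploy-prod"],        # CI user may assume a production role
    "role:deploy-prod": ["bucket:customer-exports", "bucket:dev-artifacts"],
}
# Constructed data classification of the buckets (what DSPM would supply).
SENSITIVITY = {"bucket:customer-exports": "pii", "bucket:dev-artifacts": "internal"}
# Constructed alert feed: (key, still active?, days since the key was last used)
ALERTS = [("key:alice-laptop", True, 2), ("key:ci-runner", True, 40), ("key:retired-2019", False, 400)]

def reachable(start, edges):
    """Breadth-first walk of the permission graph: every node reachable from start."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def score_alert(key, active, days_since_use, edges, sensitivity):
    """Return (score, reachable buckets); higher scores are acted on first.
    An inactive key scores 0 whatever it could once reach: there is nothing to exploit."""
    if not active:
        return 0, []
    nodes = reachable(key, edges)
    buckets = sorted(n for n in nodes if n.startswith("bucket:"))
    score = 10                                     # baseline: any live leaked key matters
    if any(sensitivity.get(b) == "pii" for b in buckets):
        score += 50                                # blast radius includes regulated data
    if any(n.startswith("role:") for n in nodes):
        score += 20                                # lateral movement via role assumption
    if days_since_use <= 7:
        score += 10                                # in active use: may already be abused
    return score, buckets

def triage(alerts, edges, sensitivity):
    """Alerts as (key, score, buckets), highest score first."""
    ranked = [(k, *score_alert(k, a, d, edges, sensitivity)) for k, a, d in alerts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for key, score, buckets in triage(ALERTS, EDGES, SENSITIVITY):
        print(f"{score:3d}  {key}  reaches {buckets}")
```

The CI key outranks the recently used developer key because, one role assumption away, it reaches a PII bucket; the loudest signal (recent use) is not the highest-impact one.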
The key is using legal, automated methods rather than manually browsing illegal sites. Professional threat intelligence services handle the technical and legal complexities while providing actionable insights for your security team.
Operational safety for security researchers
If your role requires direct dark web research, follow these operational safety practices:
Use isolated environments: Conduct all research in dedicated virtual machines (VMs) with no access to production networks or sensitive data. Use Qubes OS, Tails, or disposable VMs that can be destroyed after each session.
Route through approved networks: Never access the dark web from corporate networks. Use dedicated research networks with logging and monitoring, or work with legal and IT to establish approved access policies.
Never download or interact with illegal content: Viewing illegal material (child exploitation, terrorist content) is criminal regardless of research intent. Document your activities, maintain clear research objectives, and stop immediately if you encounter illegal content.
Log and document access: Maintain detailed logs of sites visited, data collected, and research objectives. This documentation protects you and your organization if access is questioned.
Use reputable threat intelligence providers: For most organizations, partnering with commercial threat intelligence services (Recorded Future, Flashpoint, Intel 471, Digital Shadows) is safer and more effective than direct research.
Cloud security considerations for dark web threats
Cloud environments create unique opportunities for attackers because of their scale, complexity, and the valuable data they contain. A single misconfiguration or leaked credential can provide access to vast amounts of sensitive information that quickly finds its way to dark web markets.
Exposed cloud storage: Publicly accessible storage buckets containing sensitive data are prime targets for automated scanning tools. Attackers constantly search for these misconfigurations, and stolen data appears on dark web markets within hours of discovery.
Compromised service accounts: Cloud service accounts with excessive permissions are highly valuable on underground markets. If attackers obtain these credentials, they can move freely through your environment, steal data, or deploy ransomware across your infrastructure.
API key exposure: Developers sometimes accidentally commit secrets like API keys to public code repositories. Automated bots continuously scan these repositories, and discovered keys are quickly sold or used to attack cloud services.
Shadow IT risks: When employees use unauthorized cloud services, they create blind spots for security teams. These unmanaged resources often lack proper security controls, making them easy targets for compromise and data theft.
Shift left to stop leaks at the source: The most effective defense against dark web data exposure is preventing secrets and misconfigurations from reaching production. Extend secret scanning into developer workflows through pre-commit hooks (git-secrets, Talisman), CI/CD pipeline checks (GitHub Advanced Security, GitLab Secret Detection), and infrastructure-as-code validation (Checkov, tfsec, Terrascan). Scan container images for embedded credentials before registry push. Enforce short-lived credentials through AWS STS, Azure Managed Identities, or GCP Workload Identity. By catching exposed keys and misconfigurations during development—before deployment—you eliminate the attack surface that feeds dark web marketplaces.
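A minimal version of the pre-commit check described above, written as an added example that is neither the article's code nor any of the tools it names: it scans only the added lines of the staged diff for a small, assumed starter set of credential patterns (AWS access key IDs, PEM private key headers, classic GitHub tokens) and fails the commit on a hit. The sample diff is constructed; the AWS key in it is the placeholder from the AWS documentation.

```python
# Added example (not from the article or any tool it names): a minimal pre-commit hook that
# scans the staged diff for credential patterns. Install as .git/hooks/pre-commit; the
# pattern set is an assumed starter list, not a complete one.
import re
import subprocess
import sys

# AKIA + 16 uppercase alphanumerics is the AWS access key ID format; the other two
# match PEM private key headers and classic GitHub personal access tokens.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

def scan_diff(diff_text):
    """Return [(file, new_line_no, pattern_name)] for every added line that matches.
    Only '+' lines are inspected, so deleting a leaked key never blocks the commit."""
    findings, current_file, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            current_file, line_no = line[6:], 0
        elif line.startswith("@@"):  # '@@ -a,b +c,d @@': new-file numbering restarts at c
            m = re.search(r"\+(\d+)", line)
            line_no = int(m.group(1)) - 1 if m else 0
        elif current_file is None or line.startswith(("-", "\\")):
            continue  # file preamble, removed line, or '\ No newline at end of file'
        else:
            line_no += 1  # added ('+') or unchanged context (' ') line
            for name, rx in PATTERNS:
                if line.startswith("+") and rx.search(line):
                    findings.append((current_file, line_no, name))
    return findings

# Constructed diff for demonstration: AKIAIOSFODNN7EXAMPLE is the sample key from the
# AWS documentation and the ghp_ value is an obviously fake 36-character token.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+REGION = "us-east-1"
+TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
 DEBUG = False
"""

def main():
    """Hook entry point: scan what is staged and return a non-zero status on any finding."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True, check=True).stdout
    hits = scan_diff(diff)
    for path, n, name in hits:
        print(f"{path}:{n}: possible {name}; remove it and load it from a secrets manager", file=sys.stderr)
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main())
```

Running scan_diff on SAMPLE_DIFF reports the key on line 2 and the token on line 4 of config.py; the removed line is ignored.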
The interconnected nature of cloud services means that a breach in one area can quickly spread to others. Attackers understand these relationships and specifically target cloud environments because of their potential for large-scale data theft and system compromise.
How Wiz prevents your cloud assets from reaching dark web marketplaces
The most effective defense against dark web threats is preventing your sensitive data and credentials from being compromised in the first place. Wiz provides comprehensive protection across your entire cloud environment, eliminating the security gaps that attackers exploit.
Wiz uses agentless discovery and unified scanning to detect exposed secrets and credentials across code repositories, configuration files, and running workloads—before attackers can harvest them. The agentless approach provides complete visibility without performance overhead, agent maintenance, or coverage gaps from unmanaged workloads. Wiz scans for AWS access keys, Azure service principal credentials, GCP service account keys, API tokens, database connection strings, and private keys embedded in code, containers, or VM snapshots. The platform identifies toxic combinations of vulnerabilities, misconfigurations, and excessive permissions that create the exact conditions attackers look for when planning breaches.
Data Security Posture Management capabilities discover and classify sensitive information across your cloud environment, ensuring that valuable data is properly protected and monitored. The Threat Center provides real-time intelligence about actively exploited vulnerabilities, helping you prioritize patches for the security flaws most likely to be used against you.
Runtime detection identifies suspicious activities that might indicate attackers are using credentials or access purchased from dark web sources. The unified platform approach eliminates security silos and provides complete visibility across code, cloud infrastructure, and runtime environments.
Organizations using Wiz achieve comprehensive protection by addressing security risks at every stage of the development and deployment lifecycle. This proactive approach ensures that sensitive assets never become commodities in underground marketplaces.
Request a demo to see agentless, code-to-cloud visibility and risk-prioritized remediation in action. Discover how Wiz's security graph connects threat intelligence, vulnerabilities, identities, data, and network exposure to show you the attack paths that matter—and stop your sensitive data from becoming dark web commodities.