Overview
This factor evaluates how exposed a target is to real-world phishing and account takeover risk. It incorporates breach/leak signals, public social signals that encourage targeting, and security posture/alert signals from integrated tools (endpoint protection, MDM, SIEM, EDR, etc.).
Click from the following to jump to your desired section:
- Dark Web Exposure (Leak Detection)
- Social Media Presence
- Security Tooling Integrations
- KillPhish
- Security Signals Scoring Example
Dark Web Exposure (Leak Detection)
The following is the Finding and effect of PII exposure:
| Finding | Effect |
| PII Exposure (e.g., SSN, phone number, address) | +10 to +60, based on severity |
For more information concerning dark web exposure, see our article on Dark Web Monitoring.
Social Media Presence
The following contains various Social Media Presence Findings, and their respective effects:
| Finding | Effect |
| Job Title Exposure (job/role is clearly discoverable) | +10 |
| Work email posted publicly | +10 |
| High social activity linked to work content | +10 to 25 |
| Phishing-enable signals (e.g., "Just got a new laptop" or "on vacation" | +10 per signal |
Security Tooling Integrations
The following contains various Security Tooling Integration findings, and their respective effects:
| Finding | Effect |
| Threat Detected | +5 to +20 based on severity |
| Suspicious Sign-in Signals | +5 to +20 based on severity |
| No endpoint protection installed | +15 |
| OS not patched / critical CVEs present | +10 |
| Unsupported OS version | +10 |
| Unencrypted drive | +10 |
| No MDM agent detected | +5 to +10 |
|
MFA disabled / not enforced; Shadow IT software installed |
+10 each |
|
Multiple failed login attempts; Public Wi-Fi detected repeatedly; Auto-login / saved passwords detected |
+5 each |
KillPhish
The following contains the Real Phishing Report finding and its respective effect:
| Finding | Effect |
| Real Phishing Report | -10 |
Security Signals Scoring Example
Context for the following user:
- User credentials found in dark web scan.
- User title and email found on public LinkedIn profile.
- Password reuse detected.
- Social profile contains "on vacation" language.
The following contains the above findings with their respective value, decay, and adjusted score:
| Finding | Value | Decay | Adjusted Score |
| Credentials found in dark web dump (150 days ago) | +60 | 12.5% | +52.5 |
| Job title and email found on public LinkedIn profile | +5 | +5 | |
| Reported phishing email through KillPhish | -10 | -10 | |
| "On vacation" detected on social media | +10 | +10 | |
| Raw Security Signal Score | 57.5 |
Security Signals Factor Total: (52.5 + 5 - 10 + 10) * .2 = 11.5
Note: It is possible to have a negative score for this factor if the target has accumulated a number of reported phishing emails through KillPhish. After weighting the score, it will range between -4% and 20%.
Interpretation the Score
This user, with a score of 57.5, represents a moderate risk.
Their credentials have appeared in a recent breach, and their public-facing presence makes them more easily identifiable and targetable.
Breakdown of What the Score Reflects
| Indicator | Interpretation |
| Recent credential breach | Indicates the user's login information is actively circulating in threat actor ecosystems, elevating risk of account takeover. |
| Public job title and email | Makes the user easier to target with social engineering or spear phishing attacks, especially if they occupy a sensitive role. |
| Phishing-enabling signals | Can be weaponized in highly personalized phishing attacks. |
| Reported real phishing | Shows the target can detect when they are being phished. |
Recommended Actions
These are the following recommended actions for the above user:
- Require immediate reset with unique credentials across all corporate systems.
- Ensure multi-factor authentication is enforced accross all logins.
- Encourage the user to review and minimize job-related personal information that is shared publicly.
- Deliver microlearning on password hygiene and credential management.
- Schedule exposure scans every 30 to 60 days.