
In recent years, CyberAGroup has observed a noticeable shift in where we uncover threat-related intelligence for our clients. Our focus has moved from social media, the deep web, and the surface web (the indexed parts of the Internet) to the Dark Web. This change makes sense since the Dark Web’s anonymity encourages unfiltered criminal communication and the sharing of TTPs (tactics, techniques, and procedures), ransomware data, and zero-day exploits that aren’t typically exposed on the clear web because of the risk of detection.
Dark Web monitoring helps identify stolen credentials, data breaches, and emerging attack vectors before they become more publicly visible. This enables organizations to reduce risk through timely intervention. By contrast, clear web threat intelligence depends on indexed content such as news or vendor reports, which often lag behind the fast-moving activities taking place on the Dark Web where adversaries plan, trade, and collaborate.
While clear web sources deliver volume, Dark Web intelligence provides depth with high-fidelity, predictive signals emerging from underground markets. This intelligence transforms reactive defence into proactive strategy and offers early warnings about specific threats, including those tied to state-sponsored actors or ransomware groups. For OSINT professionals, a layered approach (Dark Web for depth, clear web for breadth) creates the most resilient defence posture.
I can’t help but feel a sense of déjà vu when some of my OSINT colleagues say they don’t look at the Dark Web. Their reasoning echoes what I heard over 20 years ago when trying to explain the value of collecting intelligence from the Internet itself: claims that the data is unreliable, unverifiable, or merely supplementary. Certainly, Dark Web intelligence collection is challenging, but if your OSINT team or provider isn’t monitoring it, you’re missing the boat.