Customer portal

Product news

Product news

We have winners for our EMF Camp competition!

We recently ran a competition with our friends at EMF Camp to win four tickets to attend this years hotly anticipated event.

After a huge amount of interest, we have randomly picked the four entries and the winners have been notified! Congratulations 🙂

SOS Intelligence is one of the Gold Sponsors of EMF Camp this year. We love the concept of bringing together like minded people over a few days – people with an inquisitive mind or an interest in making things: hackers, artists, geeks, crafters, scientists, and engineers.

We are attending the event and will have some schwag to give away. See you there!

Product news

Tackling the UK’s Ransomware Challenge with the NCSC and Plexal

We are delighted to announce that we have been chosen to help the government solve the UK’s most pressing cyber challenge of ransomware.

SOS Intelligence is now part of the NCSC For Startups initiative.

The UK government’s National Cyber Strategy identified ransomware attacks from cyber criminals and state-backed actors in Russia and China as one of the key threats to public services and supply chains.
It highlighted the need to secure the digital environment for all UK internet users, prevent attacks, build basic security in products and services and help individuals and small businesses with basic actions to improve cyber security.

In line with this, the National Cyber Security Centre (NCSC) and Plexal, the innovation company founded by Delancey, have been working closely with emerging technology innovators joining the NCSC For Startups initiative to develop, adapt and pilot technology to help address the growing ransomware challenge.

Amir Hadzipasic, CEO and Founder of SOS Intelligence said:

“We are extremely excited to have been selected as a member of #NCSCforstartups, looking forward to address the ransomware challenge through our early breach detection technology”.

We are focused on helping critical national infrastructure like healthcare organisations and energy systems become more resilient and better protected against ransomware attacks. SOS Intelligence wants to make cyber threat intelligence affordable and accessible to everyone. Our automation technology collects pre-selected keywords from organisations and then scans the dark web, ingesting threat data and looking for mentions of those keywords in Telegram channels or forums.

The startups were chosen based on their relevance to three challenges identified by the NCSC:

  • Defending SMEs from ransomware by providing accessible, low-cost protection
  • Encouraging firms to implement secure backups to minimise the impact of an attack 
  • Addressing risks posed by Remote Desktop Protocol (RDP) as more businesses and individuals implement home and remote working

“Ransomware remains the biggest cyber threat to UK organisations, and tackling it requires a collective effort.

“The five companies selected to join the NCSC for Startups initiative offer various innovative approaches to dealing with ransomware – we look forward to working with them and ultimately further boosting the UK’s cyber security.”

Chris Ensor, Deputy Director for Cyber Growth at the NCS

“The opportunity for innovative and novel ways to address ransomware can often be overlooked. The startups selected to meet this challenge will experience a unique collaboration opportunity with Plexal and the NCSC, gaining critical insights and developing solutions to enhance the resilience of society in the face of unprecedented digital risks and increasingly motivated threat actors.”

Saj Huq, CCO at Plexal

For the full announcement >>
Our profile and the other startups information >>

Twitter: @NCSC and @PlexalCyber
LinkedIn: National Cyber Security Centre and Plexal Cyber
Instagram: @PlexalCity

To book a demo of SOS Intelligence, please click here.

Product news

“Cost-effective and timely threat intelligence”

JISC are the UK higher, further education and skills sectors’ not-for-profit organisation for digital services and solutions.

They are:

  • Dedicated entirely to the sectors’ individual and collective needs
  • Not a vendor: they deal with and/or work with vendors and publishers on the collective behalf
  • Not for profit: every pound is used for the sectors’ benefit
  • Objective, but not unbiased: they put the sectors’ interests above all else

We are delighted that JISC have chosen to use SOS Intelligence for their threat intelligence and are looking forward to working closely with them in the future.

“SOS Intelligence has provided us with cost-effective and timely threat intelligence. The dark web monitoring and alerting allows us to reassure and help our customers to mitigate potential attack vectors on their infrastructure. The platform is easy to use, with manageable alerting. SOS Intelligence has fantastic customer support and is always meeting our never-ending requirements with feature requests being implemented in record time.”

David Batho Head of protective services at Jisc

SOS Intelligence works with businesses, organisations and MSSPs.

Product news

An essential MSSP Cyber Threat Tool

When we set out to develop and launch SOS Intelligence, we knew that one of our markets was MSSP providers.

As Gartner succinctly puts it, a managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services.

Increasingly though, it’s all about Cyber Threats and Dark Web Threat Intelligence.

We are seeing more and more interest in what we do, especially real time breach alerting and reputation monitoring, plus the ability for MSSPs to use us on the behalf of their clients.

Our solution is ideal for managing your customer keywords with our bulk management tools, customer alert filtering and sub-customer dashboards. Once your customers are on boarded you can get started adding their monitoring keywords, receiving and responding to alerts and reviewing customer alerting performance.

One of most recent MSSP clients was kind enough to send this to us:

We have been looking for an intelligent and cost-effective means of Digital Risk Monitoring for our clients for a number of months. Having now implemented the SOS Intelligence solution, we are pleased we have explored a white-label service designed for MSSPs to provide digital risk monitoring.

Easy to use, constantly being improved and with terrific support, we are already seeing a steady stream of information which is benefitting our clients.

Director of Services for a UK MSSP

If you work for a MSSP, then please click here now to book a demo.

Photo by FLY:D on Unsplash

Product news

We are on the Cyber Runway

Plexal has announced the 108 cyber startups joining the Cyber Runway accelerator and we are delighted to have been chosen!

Cyber Runway is the UK’s most diverse community of cyber founders and entrepreneurs.

Cyber Runway has been designed to address some of the biggest challenges facing cybersecurity, such as diversity and inclusion and regional representation, and support the most promising innovators at various stages of growth. 

The full membership list confirms that Cyber Runway will not only be the largest cyber startup accelerator in the UK, but the most diverse community of cyber founders in the country. 

The cohorts are solving challenges like ransomware, cyber fraud, cyber-physical threats to critical national infrastructure, cloud security, improving threat intelligence and boosting education using emerging technologies such as AI, quantum and cloud security. 

45% of Cyber Runway members are female-led startups and 52% are run by founders from black, ethnic or minority backgrounds.

You can see a list of Grow members including us here.

Plexal has ensured inclusivity is at the heart of Cyber Runway by including under-represented groups in the design and delivery of the programme. Members will also have access to a diverse mentor pool of investors and industry experts. 

50% of member companies are based outside of London and the South East of England. From Ashford to Yeovil, members and their teams are based across the country and Cyber Runway will be delivered in person and virtually to maximise nationwide reach.   

The Cyber Runway membership represents some of the most innovative and high-potential cyber startups currently operating in the UK. Members include scaleups such as CybSafe, which raised £5m earlier this year for its security awareness software, SECQAI, which uses quantum technology and AI to combat cyber threats, Yorkshire-based Bob’s Business, which delivers cyber training, insurtech startup, which aims to disrupt cyber regulatory compliance, and Hack The Box, which raised £7m in April for its online cybersecurity training platform.


Cyber Runway programme

Backed by the Department for Digital, Culture, Media and Sport and delivered by Plexal in partnership with CyLon, Deloitte and CSIT (the Centre for Secure Information Technologies), Cyber Runway will be an intensive six-month programme. Three distinct streams will deliver dedicated curricula for cyber startups based on their growth phase: Launch, Grow and Scale. 

Launch: 20 entrepreneurs will get support with launching their business, building a minimum viable product and creating a network. 

Grow: 68 startups and SMEs will get business support to help them address their growing pains, access funding and achieve commercial success. 

Scale: 20 scaleups will access support (including 1:1 mentoring) to help them grow rapidly in the UK and around the world. 

Cyber Runway has replaced and consolidated three DCMS-funded programmes: HutZero, Cyber 101 and Tech Nation’s cyber accelerator for startups. 

The accelerator is designed to strengthen the UK’s cyber ecosystem and accelerate the growth of a new generation of breakthrough cyber startups to improve national security, stimulate innovation and drive economic growth. 

Cyber Runway: member benefits

The 108 member companies will receive:

  • business masterclasses (both virtual and in person)
  • mentoring, engineering support from CSIT and access to CSIT’s data and testing centre
  • technical product development support
  • opportunities to connect with international cyber hubs 
  • regional events 
  • connections to investors and corporates to fuel growth

“We are delighted to have been selected to be a part of the Cyber Runway accelerator programme, we are excited to be participating in the excellent programme and to network with fellow cohorts. The Plexal team has put a lot of hard work into the programme and it shows. Many thanks to the team for making us feel so welcome.”

Amir Hadzipasic, CEO and Founder SOS Intelligence

“This is a golden age for the UK cyber startup ecosystem. Cyber startups are attracting record levels of investment and both the government and global tech giants are coming to British cyber companies to adopt emerging cyber technologies. The scale of Cyber Runway is testament to the enormous potential within the cyber startup community and will help stimulate the supply of innovative cyber solutions that will be needed by the economy and society. 

However, Cyber Runway is also specifically designed to address some of the challenges facing cyber startups as they scale. Our three programmes will connect cyber founders to the mentors, investors and corporates they need to accelerate their growth and access diverse talent. This is a significant moment for UK cyber and I have every confidence that the collaboration between the government and the private sector to create Cyber Runway will make the cyber ecosystem more successful, innovative and inclusive.”

Saj Huq, director of innovation at Plexal.

For more information on SOS Intelligence, please schedule a demo here.

Product news, The Dark Web

Automating Cyber HUMINT Collection

This blog post will attempt to give a high-level overview of how we go about automating typically manual Cyber HUMINT ( “a category of intelligence derived from information collected and provided by human sources.”) collection. 

Significant elements of this blog will have to be described in general, non-specific, terms or redacted. Due to the nature of the work that we do, keeping our tradecraft methods, tactics and techniques private is important. The methods employed by us are not only commercially sensitive but over disclosure of specific details may render the methods ineffective.

Automating Cyber HUMINT Collection - SOS Intelligence
Screenshot of SOS Intelligence showing OSINT search

OSINT Source Selection

OSINT source collection SOS Intelligence
OSINT source

A fair amount of thought and research goes into selecting our OSINT (Open Source INTelligence) sources. For the most part, ideal collection sources would be ones that offer an API (Application Programming Interface) for information scraping and do so without significant restrictions. 

For example, Pastebin with a paid account grants access to a reasonable scraping API. Using this API we’ve been able to create a custom collection to download each paste, analyse it for relevant customer keywords and, if any matches found, store the paste & alert our customers.

In most cases, however, paste sites typically have no available APIs. Where these sites have a rolling list of new pastes posted, and those pastes can be enumerated & are publicly accessible, further development of a custom collection is required. 

An automated process is used to periodically check for new and available pastes, fetch those pastes in a raw format where possible, perform keyword matching and store where needed. A significant number of paste sites that we collect from, either on the internet or Dark Web, fall into this category. Generally there are no significant technical challenges other than the creation of a bespoke collection for each specific source type.

SOS Intelligence
URL code

As a general rule, for websites that do not have any specifically designed automated collection or scraping method, we apply a high degree of courtesy and do not aggressively scrape the site. 

Since the paste enumeration and paste collection is a fairly lightweight process, and given that pastes in general are uploaded every so often, there is no need for any aggressive polling of a target site.

SOS Intelligence
Lightweight and courteous collection

Authenticated Access

Member only Dark Web Forum
Member only forums

Some of the sources we collect from are closed, member only, Dark Web or internet hacking forums. Without going into too much detail as to how accounts are created on these forums, an account is essential since we must be able to access topics and posts as well as a roll of recent posts. 

In most cases forums helpfully provide a feed of new content by way of RSS (Really Simple Syndication) feed. This can in part, like an API, assist in the creation of a custom automated collection for that source. An additional caveat to this being that the collector passes credentials to the forum so as to appear to be a “logged in” user, e.g. simply viewing posts or browsing the forum. 

A good 30% of all the OSINT sources we collect from are authenticated. To maintain continuous automated collection, we ensure that we have a sufficiently well stocked array of back up accounts for each of the forums we collect from.

Bot Protection Bypass

In some cases the sources we collect from deploy DDoS or Bot Protection. The purpose of this is typically not to prevent scraping or automated collection but more to prevent the site from high volume denial of service attacks. 

The bypass for this defence varies depending on the source. In some cases, for example collection from Doxbin, we employed a CloudFlare challenge bypass method that essentially consists of:

  • Detecting the browser challenge.
  • Solving the challenge.
  • Passing the challenge answer back and obtaining a cookie.
  • Passing the cookie over to the collection processes to begin automated collection. 
  • Detecting when the cookie expires, ensuring any further challenge request are solved.
CloudFlare challenge bypass method
Bot Bypass
CloudFlare challenge bypass method
CloudFlare challenge bypass method

Even when fairly advanced bot/browser verification defences have been deployed by the target source, these have thus far all been mitigated and not prevented our automated OSINT collection. 

As for the Doxbin example, the challenge of bypassing their new bot protection was significant and on balance, considering the quality of the OSINT source, might not have been warranted. It was, however, still a challenge that couldn’t be left unmatched! 

CAPTCHA (Human Verification)

Raid Forums CAPTCHA
Raid Forums CAPTCHA

Automated solving of CAPTCHAs is tricky and is probably the toughest bypass we’ve had to solve so far. The amount of detailed technical information that we can share for how we go about bypassing CAPTCHA is very limited. However, it runs along similar lines to the browser challenge process, whereby detection of a CAPTCHA and the solving of it are tied into the automated collection functions. 

So far there are very few OSINT sources that employ this type of challenge and we’ve been able to mitigate these in all cases whilst maintaining automated collection.

Old school CAPTCHA
Old school challenge!

Staying Undetected

As with the above topic, it is tricky to discuss and share in any level of detail our methods for remaining “undetected“. However, in general we ensure that the accounts we use do not raise any significant cause for concern to the forum operators. 

In most cases, accounts with no post count after a number of months (or sooner!) are deleted. This means that our accounts must have some level of interaction with the forum, however minimal, to ensure their persistence. 

We try, wherever possible, to use Tor to access content. This helps preserve our anonymity in as much as not pinning our collectors down to one location. We also ensure we rotate things like user agents and other fingerprints to ensure relative anonymity. 

Then important aspect to blending in with the noise is ensuring that collection is not overly aggressive and not overly routine. We achieve this by randomising the frequency and timings of either enumeration of new posts, fetching / viewing posts or pastes. The key is to appear sufficiently “human“. This has afforded us the ability, in some cases, to collect with the same account for a year or more without administrator intervention. 

Detecting Faults

This can be even more challenging than bypassing CAPTCHA challenges. The goal for us is to ensure we have sufficiently robust detections for whenever a logged in session expires; a challenge pass expires; the very likely and common scenario of an overloaded website itself going offline or a Tor circuit is struggling. 

To ensure the best chance of successfully reaching a website over Tor, we employ a number of load balanced Tor routers that are themselves proxied and balanced to cater for our crawling services and automated collection. 

But things do go wrong, Tor is not the most reliable tool so our collection processes that utilise it have sufficient retry intervals and “back-off” intervals programmed into them. Should one of our requests result in a gateway time out the system will simply retry, hoping it is balanced to a less utilised Tor relay. 

At times we do get detected and blocked by forum administrators. In such instances, the system will attempt to detect any “authentication loops” and select another account to continue automated collection with. 

Some of the fault detection is relatively simple, such as enumerating how many pages a collection source has and iterating through each page until all pages have been collected.

SOS Intelligence Cyber HUMINT
Collection source
SOS Intelligence Cyber HUMINT
SOS Intelligence Cyber HUMINT

The process is not always perfect, but we try to monitor it and optimise wherever possible. We spend a lot of time on the initial development phases of a collection ensuring that all possibilities, within reason, are accounted for and once a collection goes into production that any following “cat and mouse” changes required are as minimal as possible. 

We hope this gives an insight into how SOS Intelligence works. We have a number of plans available and if you would like to schedule a demo, please click here.

Thanks for reading!


PS If you enjoyed this, we think you also enjoy An investigation into the LinkedIn data sale on hacker forums.

Product news

Getting started with our free plan

Dark Web tracking is often expensive and inaccessible. SOS Intelligence is different

We have developed a solution for everyone. An individual, an organisation or a business.

We often get asked about getting started and what we always recommend is sign up for a free plan.

We then get asked “is it really free?!”.

The good news is that it is! You get threat alerts based on the email address you use for signing up (via an email alert) and the intelligence is based on OSINT only.

OSINT is Open-source intelligence. In the intelligence community, the term “open” refers to overt, publicly available sources.

Signing up takes seconds by clicking here.

You’ll see this screen:

Free plan sign up

Use the email address you would like to track. When you sign up you’ll receive an email asking you to confirm you email address.

Once your email address has been confirmed – it is automatically checked against our existing breach databases. Anything that matches will trigger an alert and once logged in you can see the relevant breach information. 
If you are looking for a more thorough solution, then please book a demo (link) with our CEO Amir which you can do here.

So, what are you waiting for? Sign up for free!

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google
Consent to display content from Spotify
Sound Cloud
Consent to display content from Sound