For SOC & MSSP teams

Your people are the attack surface you don't monitor.

Your SOC watches infrastructure. The attacker watches your people — the breached passwords, exposed accounts, and leaked identity data they'll use to phish an executive or take over a privileged account. xposeTIP maps that exposure from 179 public sources, every finding sourced and timestamped, so you can close it first.

179 OSINT sources · 11-axis behavioral fingerprint · Every finding sourced & timestamped

The problem

The recon happens whether you do it or not.

The attacker does open-source reconnaissance on your team before they ever send a payload. You should do it first.

Stolen credentials drive breaches.

Credentials are involved in the large majority of web-application breaches.

— Verizon DBIR 2025

Phishing starts with a named person.

Social engineering remains a top initial-access vector — and it begins with public profiling of a specific human, not a piece of malware.

Your privileged users leave a footprint.

Executives, admins, and IT staff are scattered across breaches, social platforms, and data brokers. That footprint is the attacker's starting kit.

You can't reduce what you can't see. xposeTIP assembles your team's footprint the way an attacker would — so you can shrink it.

What it does

From one identifier to a sourced exposure picture.

Give xposeTIP an email, username, or phone number for a person you're authorized to assess. It resolves the public exposure tied to that identity:

  • Accounts across social, developer, and forum platforms
  • Breach history — with dates and exposed data types
  • Reused usernames and handles across services
  • Leaked contact points — aliases, phone numbers, messaging handles
  • Corporate affiliations and public legal records, where they exist

An 11-axis behavioral fingerprint clusters and corroborates the findings. Every result carries its source, a confidence tier, cross-verification status, and first-seen / last-seen timestamps.

No black box

Your analysts validate every data point — which source, what confidence, when first seen. Attribution of an unknown actor is a human-in-the-loop judgment we support — never an automated claim we make for you.

How it works

Three stages. One identifier in, a sourced person out.

01 · Discover

179 sources, in parallel — not a checklist, a widening surface.

An email or username fans out across social platforms, developer and forum sites, breach databases, archives, and people-search engines — all at once. Each pass widens the next: usernames found in the first wave are re-scanned in the second.

02 · Enrich

Once a name resolves with high confidence, go deeper — on independent layers.

Only after a name is established do the name-based sources run: news and media, sanctions and PEP watchlists, corporate registries, and court records across the US, France, and the UK. The layers are independent by design — an error in one never cascades into the others.

03 · Identify

From findings to a person — an 11-axis behavioral signature, not a list of indicators.

The graph links accounts, breaches, domains, and locations into personas. Exposure and threat are scored separately. Every finding carries its provenance — source, confidence, first and last seen.

vs traditional TI

Not another indicator feed.

Primary unit
  • Traditional TI platforms: Indicators — IPs, domains, hashes
  • xposeTIP: Identities — a person's public footprint

Output
  • Traditional TI platforms: Reputation scores on indicators
  • xposeTIP: A sourced exposure picture of a person

Context
  • Traditional TI platforms: Technical — malware family, C2 infra
  • xposeTIP: Human — accounts, breaches, reused identifiers

Transparency
  • Traditional TI platforms: Often opaque scoring
  • xposeTIP: Every finding sourced and timestamped

Core engine
  • Traditional TI platforms: Mostly closed
  • xposeTIP: AGPL-3.0 — audit it line by line

Where it fits

Exposure work for the identities you're responsible for.

Executive exposure audit

Map a leader's public attack surface before a board appointment, a public role, or an acquisition. What's findable — breached credentials, exposed accounts, leaked PII — with a plan to reduce it.

Workforce attack-surface baseline

See what an attacker could assemble on your privileged users: reused handles, breach exposure, leaked contact points. Assess your own team to shrink the surface before it's phished. Consent-based and defensive — never employee surveillance.

MSSP: exposure-as-a-service

Deliver productized exposure audits to your clients' leadership. A sourced report you can put your name on — depth over volume, days not weeks.

Incident enrichment

Have a known indicator from your logs? Get sourced public context on the identity behind it, fast. Attribution stays a human-in-the-loop judgment your analysts make — we surface the evidence, not a verdict.

How to work with us

Productized engagements — or run the platform yourself.

Identity-intelligence reports delivered as a service — for security teams and the MSSPs that serve them.

  • Quick Profile: 48h · 1 identity
  • Identity Assessment: 5d · full PDF report
  • Deep Investigation: 10d · up to 5 connected identities
  • Strategic Briefing: 3–4w · custom, board-ready

Pricing on application · capped at 4 engagements / month

Prefer to run it yourself? xposeTIP Cloud — self-serve scans, your own workspace, AGPL-3.0 core. Paid tiers are in early access.

Built to be checked, not trusted.

  • Open core, AGPL-3.0: Audit the engine line by line
  • Sourced & timestamped: Every finding, no opaque scores
  • Consent-based by design: You assess identities you're authorized to assess
  • Hardened: Strong TLS, security-headers grade A
  • 🇱🇺 Built in Luxembourg: A small, accountable team

Bring us an identity you're authorized to assess.

An executive before a board appointment. A privileged user after an anomaly. Your client's leadership team as part of an engagement. We return a sourced exposure report — days, not weeks. Engagements are capped: depth over volume.