1. Help Center
  2. FAQ
  3. Search Optimization

How Do I Optimize Beacon Searches?

Using search best practices will help you find the best results.

 

Beacon users are prohibited from conducting searches for any illegal material except as expressly permitted for the purposes of law enforcement, such as investigating crime.

View our privacy article for more information on how leaked personal data discovered on the Platform can be used.

 

Beacon currently gathers 2 million paste posts, 20 million dark web posts, and 300 million discussion posts every month. Use these search optimization tips to help you sift through this data and find the relevant information you need quickly.

Navigate to our Beacon search optimization tips by category:

Boolean and Search Logic
Search Builder
Advanced Search
Entities Bar
Tabs
Pivoting
Flagging and Exporting
Understanding Online Language
Search Optimization by Topic

 

Visit the Beacon User Guide for comprehensive user instructions.

Boolean and Search Logic

Incorporate Boolean Operators and other search logic symbols into your queries to pinpoint key information and return more relevant results. Check out this article for instructions on using Boolean and search logic in Beacon.

 

Search Builder

Beacon's homepage has a search builder to help guide marketplace, discussion board, and breached data searches. This is a good place to start if you're new to Beacon and intend to search in these categories. Read more about how to use our Search Builder here

search builder

 

Advanced Search

In addition to using Beacon's keyword field, users can combine the following Advanced Search parameters to narrow down results: 

Data Sources

Narrow down your results to certain data sources. Read our data sources article to learn about the value of each source.

For example, if you're only interested in searching dark web marketplaces, you might narrow the source to "Tor:"

sources 2

Category

Use this parameter to refine the content nature of your results to the following categories:

  • Drugs
  • Personally identifiable information (PII)
  • Hacking
  • Terror
  • Weapons
  • Sexual
  • Financial

The Category parameter does not apply to Documents, Social, or Breaches results.

Author

Use this parameter to search for specific usernames or handles.

Email

Use this parameter to search for specific emails. You can enter the exact email or run a wildcard search by typing an asterisk before a handle (e.g. *@echosec.net). This is useful for finding any instance of your organization's emails if you're looking for evidence of a breach.

Site Type

This parameter enables you to narrow down results to a few general site types. For example, if you're looking specifically for financial fraud products and services for sale, you could select "Marketplaces:"

marketplaces filter

Site Name

Use this parameter to find results from a specific site name (not domain). This is useful for narrowing results to a specific site that isn't included in the Data Sources list—for example, a site within the Tor network.

Date Published

Use the Date Published filter to narrow down results published in a specific time frame. For example, adverse hacking techniques and software evolve rapidly—if you're looking for current hacking threats, you could limit the date published range to recent months or weeks.

Beacon retrieves search results from up to 2 years in the past.

The Date Published parameter does not apply to Breaches results.

Site Domain

This parameter is useful for finding results from a specific domain. You can also enter a hyphen (-) before the domain name to exclude that site from your results. This is useful if there are a lot of irrelevant results coming from a particular domain:

domain exclusion

Phone Number

Searching by phone number is useful for finding breached data. You can use a wildcard search by typing an asterisk (*) after the area code to find any phone number from that area.

Language

Use this parameter to narrow down your search results to a specific language.  Post results can be translated within Beacon.

The Language parameter does not apply to Documents or Breaches results.

Also, Beacon does not automatically translate keywords you use into the language you specified. For example, if you combine a keyword search for "Canada" and specify Chinese as the language, results will include "Canada" as you typed it into the keyword field—not "Canada" in Chinese characters. However, if you use 加拿大 ("Canada") as a keyword, Beacon recognizes and searches for those characters in the results.

Date Crawled

Rather than filtering when posts were published, the Date Crawled parameter filters results by the date they were scanned and saved in our API. This is not necessarily the same as the published date.

Beacon retrieves search results from up to 2 years in the past.

The Date Crawled parameter does not apply to Breaches results.

Tabs

You'll notice that, like the data sources categories, search results are organized into Dark Web, Deep Web, Social, Documents, and Breaches tabs. Use these tabs to navigate quickly to each source type.

Check out our Beacon data providers article to learn more about each tab's data sources.

tabs-1

 

Entities Bar

The Entities Bar appears to the right of the search results list when you run a search. It automatically detects the following key content indicators within the loaded results: 

  • Authorssmart filters panel-1
  • Emails
  • External links
  • IP Addresses
  • Phone Numbers
  • SSNs
  • Credit Cards
  • Crypto Wallets

Select key content within the Entities Bar to navigate quickly to the post result it originated from. You'll notice the Smart Filters Panel populate with more content as you load results.

Pivoting

The entities described above are also highlighted in the post detail. Hover over them to launch a search for that entity in a new window:

pivoting

Flagging and Exporting

As you navigate through post results, you can flag posts of interest. Flagged posts are retained under the "Flagged" tab, where you can export them in CSV format. Use this feature to facilitate further investigation, share results with your team, or retain evidence.

flagged

Understanding Online Language

Communities on the dark web, deep web, and social networks use a variety of unique colloquialisms. This language identifies the community members and creates separation or confidentiality from outsiders. Familiarizing yourself with these terms is useful for optimizing keyword searches.

We've created a glossary of commonly used dark web terms. It's also helpful to read through post results as you run searches to get familiar with the language. For example, if you search for financial content, you'll probably notice terms like "fullz" (packages of an individual's personal information).

Some online communities, particularly on the dark web, engage in hate speech and radicalization. While disturbing, these communities can be useful sources of threat intelligence for security teams and law enforcement. Hatebase and ADL's Hate Symbols Database is useful for finding keywords related to such use cases.

Search Optimization Examples

Here are some search optimization examples for a couple of common use cases. 

Breached Data

If you're looking for breached data relevant to your organization or a VIP, use the Search Builder to find relevant email domains, addresses, URLs, and IPs:

search builder breached data

Or, run an Advanced Search using:

Category: Personally identifiable information, Hacking, Financial
Email: *@yourdomain.com, johndoe@yourdomain.com (optional)
Phone Number: 123-456-7890, 123* (optional)

For keywords, search for your organization's name or a specific individual's name in quotes. Combining that keyword with the term "dox" (e.g. "John Doe" AND dox) is useful for finding targeted breaches. Both the Documents and Breaches tabs are useful for finding posts related to leaked data.

Tip: Run breached data searches for third-party services, such as cloud software, that could implicate your organization.

Financial Fraud

If you're a financial institution looking for breached customer data or targeted hacking tools and services, run a keyword search for your institution's name with the following parameters:

Category: Personally identifiable information, Hacking, Financial
Site Type: Marketplaces

If you want to get even more specific, try the following keywords:

  • Fullz (a package of an individual's personally identifiable information)
  • Drop (bank accounts set up for financial fraud purposes)
  • Scampage (fake webpages used to collect login details and other private information)
  • Logs (login credentials)

If you're a financial institution looking for general financial fraud and hacking chatter to inform your security strategy, use "how to" OR "looking for" as keywords and:

Category: Personally identifiable information, Hacking, Financial
Site Type
: Forums + Discussions, Chats + Microblogging Sites