SOC & CERT Intelligence Feed

Your M365, VPN and GitHub access
may already be compromised.
We'll show you in 15 minutes.

You detect attacks. We detect exploitable access before the attack.
If an employee is infected at home, your SOC is blind. CYBERCREDS fills that gap.

For SOC · CERT · MSSP · Internal security teams
FREE TEST — RESULT IN 15 MIN
We never store exploitable credentials. We never test live access.
10,000+ machines / day
Freshness <72h
500,000+ profiles in database
cybercreds — live detection
$ scan --domain client-cible.fr --deep
[*] Scanning stealer log channels...
[*] Parsing 10k+ machines/day...
[!] 3 compromised workstations found
───────────────────────────
machine : DESKTOP-PRD-092
user : dev@client-domain.com
date : 2026-03-18 <3 days ago>
risk : CRITICAL
access : M365, VPN, GitHub
───────────────────────────
[✓] Report generated → PDF + webhook
───────────────────────────
[i] Real case: 28 minutes, zero CVE, full access →
$
Recognized by
France Cybersecurity Label 2026
Digital Trust Alliance (ACN)
UGAP-SCC Listed Vendor
CYBERESIST — 15 years of offensive & CTI expertise
Real Case — CTI CYBERESIST

28 minutes.
Full access. No exploit.

Based on real stealer log data analyzed as part of our CTI operations. No offensive tool. No vulnerability exploited.

ATTACK TIMELINE
INFECTION
Developer machine compromised
Infostealer — log silently exfiltrated
DISCOVERY
Internal GitLab URL found in the log
Not indexed, not public — visible in the browser dump
CREDENTIAL
Password reuse pattern identified
sangoku972! → failure
Sangoku972! → SUCCESS
2021 Outlook password — still valid on GitLab in 2026
FULL ACCESS — T+28min
Owner on 47 internal repositories
JWT secrets · SSH keys · DB credentials · production .env
WHAT WAS EXPOSED
! PostgreSQL DB credentials (prod)
! Email, payment, cloud API keys
! JWT secrets → valid token forgery
! Production deployment SSH keys
! Deleted .env files → still in git history
SUMMARY
28min
total duration
0
exploit / CVE
47
exposed repos
IMMEDIATE SOC ACTION
→ Reset password + revoke all sessions
→ Enforce MFA on GitLab and all internal tools
→ Rotate all exposed secrets (JWT, SSH, API keys)
→ Audit git history for deleted .env and secrets
→ Triage compromised endpoint via EDR
Read the full case → resistez-aux-hackeurs.com
CYBERCREDS in this scenario: the credential was available in our sources 4 days before this access. A T-4 alert would have been enough to revoke the session and force rotation.
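The last two SOC actions in this case, rotating exposed secrets and auditing git history for deleted .env files, can be driven from the output of `git log -p --all`. The script below is an added example written for this page, not CYBERCREDS or CYBERESIST code: it walks that diff output, flags lines that look like secrets (database URLs with an embedded password, JWT/API secrets, AWS access key IDs, private key blocks), records whether each line was added or removed in that commit, and keeps only a SHA-256 fingerprint of the line rather than the secret itself. The embedded git log is constructed (AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID), and the regular expressions are assumptions a team would tune to its own stack.

```python
import hashlib
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample of `git log -p --all` output: a .env committed then deleted,
# and a deploy key added by mistake. All values are placeholders.
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@client-domain.com>
Date:   Tue Mar 10 10:00:00 2026 +0100

    remove env file from repo

diff --git a/config/.env b/config/.env
deleted file mode 100644
--- a/config/.env
+++ /dev/null
@@ -1,4 +0,0 @@
-DATABASE_URL=postgres://app:S3cretPassw0rd@db.internal:5432/prod
-JWT_SECRET=c0ffee1234deadbeef5678
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-APP_NAME=billing
commit 2222222222222222222222222222222222222222
Author: Dev <dev@client-domain.com>
Date:   Mon Mar 2 09:00:00 2026 +0100

    add deploy key and docs

diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmU
+-----END OPENSSH PRIVATE KEY-----
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # billing
+See docs for the password policy.
"""

# Assumed detection patterns, checked in order; the first match decides the kind.
SECRET_PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("database_url", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:\s/]+:[^@\s]+@")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("keyword_secret", re.compile(r"""(?i)\b(?:jwt[_-]?secret|secret[_-]?key|api[_-]?key|password|token)\s*[=:]\s*['"]?[^\s'"]{8,}""")),
]

@dataclass
class Finding:
    commit: str
    path: str
    state: str        # "added" or "removed" in that commit
    kind: str
    fingerprint: str  # sha256 prefix of the line; the secret itself is not retained

def audit_git_log(log_text: str) -> List[Finding]:
    """Scan `git log -p` output for secret-looking added or removed lines."""
    findings: List[Finding] = []
    commit = path = None
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1][:12]
        elif raw.startswith("diff --git "):
            path = raw.split(" b/", 1)[1]          # "diff --git a/X b/X" -> X
        elif raw.startswith(("+++ ", "--- ")):
            continue                                # file headers, not content
        elif raw and raw[0] in "+-" and commit and path:
            content = raw[1:]
            for kind, pattern in SECRET_PATTERNS:
                if pattern.search(content):
                    digest = hashlib.sha256(content.encode()).hexdigest()[:12]
                    state = "added" if raw[0] == "+" else "removed"
                    findings.append(Finding(commit, path, state, kind, digest))
                    break
    return findings

def rotation_plan(findings: List[Finding]) -> List[str]:
    """One entry per path/kind to rotate, whether or not the file still exists at HEAD."""
    return sorted({f"{f.path}: {f.kind}" for f in findings})

if __name__ == "__main__":
    text = SAMPLE_GIT_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_git_log(text):
        print(f"{f.commit}  {f.state:7}  {f.path}  {f.kind}  fp={f.fingerprint}")
```

Run it inside the repository as `git log -p --all | python audit_history.py`. A finding with state `removed` is exactly the "deleted .env still in git history" case: deleting the file does not revoke the credential, so every path in `rotation_plan` needs its secrets rotated, and the fingerprint lets you confirm the rotation later without ever copying the secret into a ticket.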
Real Case #2 — Passive Reconnaissance

One log.
The entire company mapped.

An attacker doesn't need to interact with your systems to know them. Stealer logs from your employees are enough to reconstruct your entire attack surface — silently.

WHAT WE EXTRACT FROM A SINGLE DOMAIN
STEP 1
Compromised corporate identities
47 @company.com addresses · 83 infected machines
12 critical exposed accesses (VPN, SSO, M365)
STEP 2
Attack surface reconstructed
VPN, SSO, M365 — plus internal non-public tools: Jenkins, Grafana, HR portals
STEP 3
Internal architecture revealed
Internal subdomains never published: vpn.corp.com, jenkins.dev.com, kibana.ops.com — visible in employee browser logs
RESULT
Full recon — zero interaction
Zero requests to your servers. Zero alerts triggered. Zero traces in your logs.
FIGURES FROM OUR ANALYSES
! 73% of orgs have ≥1 password reused on a critical access
! 1 in 4 accounts contains the company name or current year
! Cross-service reuse multiplies effective attack surface by 3
MOST DANGEROUS PATTERN

Password based on company name + year (Company2024!) — very common, very predictable, often used on the most critical accesses.
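A defender can reject that pattern at password-change time with a banned-pattern check such as the one below, an added example written for this page rather than CYBERCREDS code. It derives candidate company names from the e-mail domain, undoes common leetspeak substitutions before matching, flags any year within three years of the reference date, and flags the exact Word+Year+punctuation shape described above. `AS_OF`, the `LEET` table and the domains used in the checks are assumptions of the example.

```python
import re
from datetime import date
from typing import List

AS_OF = date(2026, 3, 18)  # fixed reference date so the checks are reproducible

# Common substitutions users apply to get past naive dictionary checks.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(text: str) -> str:
    return text.lower().translate(LEET)

def names_from_domain(domain: str, min_len: int = 4) -> List[str]:
    """Derive banned words from the e-mail domain: 'client-cible.fr' -> client-cible, clientcible, client, cible."""
    label = domain.lower().split(".")[0]
    parts = [p for p in re.split(r"[-_]", label) if p]
    out: List[str] = []
    for cand in [label, "".join(parts), *parts]:
        if len(cand) >= min_len and cand not in out:
            out.append(cand)
    return out

def corporate_pattern_findings(password: str, names: List[str], as_of: date = AS_OF) -> List[str]:
    """Return human-readable reasons a password follows the company-name/year pattern."""
    norm = normalize(password)
    findings: List[str] = []
    for name in names:
        if normalize(name) in norm:
            findings.append(f"contains company name '{name}'")
    for year in re.findall(r"(?:19|20)\d{2}", password):
        if abs(int(year) - as_of.year) <= 3:
            findings.append(f"contains recent year {year}")
    if re.fullmatch(r"[A-Za-z]+(?:19|20)\d{2}[!@#$%^&*.?_-]*", password):
        findings.append("shape: word + year + punctuation (the Company2024! pattern)")
    return findings

def is_weak_corporate_password(password: str, domain: str, as_of: date = AS_OF) -> bool:
    return bool(corporate_pattern_findings(password, names_from_domain(domain), as_of))
```

Wire `is_weak_corporate_password` into the password-change path of the IdP or a custom password filter, and feed `names_from_domain` with product and brand names as well as the domain; the normalization step is what catches "@cm3-2025" style variants that a plain substring check misses.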

WHAT CYBERCREDS DOES

Monitor your domain before an attacker does. Identify exposed identities, map your real attack surface, and alert before exploitation.

Read the full case → substack
CYBERCREDS in this scenario: the 47 exposed identities and internal subdomains were available in our sources. An alert enables forced rotation of critical accounts and VPN/SSO access audit before any intrusion attempt.
10K+
Machines analyzed / day
500K+
Profiles in database
<72h
Average freshness
6
Analysis levels
We don't sell logs. We sell decisions.
What we found last week (real data):
! 3 exploitable accesses detected on mid-market SaaS
! 1 M365 admin access — session potentially active, credential valid
! 1 VPN access potentially operational — credential not revoked
If you don't check:
→ attackers already have access
→ sessions are still active
→ you will only know after the damage
Check your clients →
The problem

91% of compromises detected
after the incident — never before.

An employee infected at home means your client's VPN, Microsoft 365 and GitHub credentials are exposed, for an average of 30 days before detection. No scanner, no EDR sees it: it's outside their perimeter.

WHAT YOUR SOC DOESN'T SEE

Scanners · Firewalls · EDR — none monitor stealer logs outside the managed perimeter. CYBERCREDS fills that gap.

⚠ Typical impacts

  • Microsoft 365 / Google Workspace account takeover
  • VPN compromise and internal network access
  • Business Email Compromise (BEC)
  • Session hijacking via potentially active cookies
  • Access to critical Git repos, ERP, CRM
~30d
BEFORE DETECTION
91%
POST-INCIDENT
Signal

What CYBERCREDS detects
for each client

Not credential lists. A structured, actionable signal — ready to feed directly into your SOC workflow.

INPUT
Raw stealer log
Machine · credentials · cookies · tokens · autofill
CYBERCREDS
Enriched signal
Company match · user identity · date · access scoring · confidence level
OUTPUT
SOC-ready action
Reset · revoke · triage endpoint · incident report
01

Compromised machine

Hostname, OS, internal IP — unique fingerprint of the infected endpoint. Know exactly which endpoint is affected.

02

Precise infection date

Infection timestamp. Assess whether the risk is still active and reconstruct the incident timeline.

03

Employee identity

Corporate email, compromised account — you know exactly who was infected in your client's organization.

04

Exposed corporate access

M365, VPN, GitHub, ERP, internal apps — all access exfiltrated from the endpoint, mapped by criticality.

05

Active sessions & cookies

Potentially still-valid session cookies — session hijacking risk on SSO, cloud and Slack accounts.

06

Malware family + C2 panel

Lumma, RedLine, Vidar... malware family and campaign context identified. Root cause and probable timeline.
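To make the INPUT → CYBERCREDS → OUTPUT pipeline above concrete, here is an added example written for this page (not the vendor's parser) that turns a constructed stealer dump into a SOC-ready alert carrying the fields of points 01 to 06: machine, infection date, employee, exposed access mapped by criticality, cookies potentially still valid, malware family, and a prioritized action list. The dump layout, the `KNOWN_SAAS` table and the criticality ranking are assumptions of the example; the parser reads the URL and USER lines only and never retains the password value.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample of a raw stealer dump; layout illustrative, passwords are placeholders.
RAW_LOG = """\
[System]
Computer: DESKTOP-PRD-092
Stealer: LummaC2
LogDate: 2026-03-15
[Passwords]
URL: https://login.microsoftonline.com/
USER: dev@client-domain.com
PASS: placeholder-not-kept
URL: https://vpn.client-domain.com/remote/login
USER: dev
PASS: placeholder-not-kept
URL: https://github.com/login
USER: dev@client-domain.com
PASS: placeholder-not-kept
URL: https://shop.example/account
USER: someone@personal.example
PASS: placeholder-not-kept
[Cookies]
login.microsoftonline.com ESTSAUTH 2026-03-29
github.com user_session 2026-03-28
"""

# Assumed host -> (access label, criticality) table; not the vendor's own mapping.
KNOWN_SAAS = {"login.microsoftonline.com": ("M365", "critical"), "github.com": ("GitHub", "high")}
RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

@dataclass
class Alert:
    machine: str
    infection_date: str
    malware: str
    employee: Optional[str]
    exposed_access: List[Tuple[str, str]]  # (label, criticality), most critical first
    active_sessions: List[str]             # hosts whose cookies outlive the log date
    risk: str
    actions: List[str]

def parse_sections(raw: str) -> Dict[str, List[str]]:
    """Split the dump into [Section] -> list of non-empty lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in (l.strip() for l in raw.splitlines()):
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections

def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def classify(host: str, domain: str) -> Tuple[str, str]:
    """Map a login host to an access label and criticality."""
    if host in KNOWN_SAAS:
        return KNOWN_SAAS[host]
    if in_domain(host, domain):
        if host.split(".")[0] in ("vpn", "sslvpn", "remote"):
            return ("VPN", "critical")
        return (f"internal:{host}", "medium")
    return (f"other:{host}", "low")

def enrich(raw: str, domain: str) -> Alert:
    s = parse_sections(raw)
    sysinfo = dict(l.split(": ", 1) for l in s.get("System", []) if ": " in l)
    log_date = date.fromisoformat(sysinfo.get("LogDate", "1970-01-01"))
    access: Dict[str, str] = {}
    employee = url = None
    for line in s.get("Passwords", []):
        key, _, value = line.partition(": ")
        if key == "URL":
            url = value
        elif key == "USER" and url:  # the PASS line that follows is never read
            host = (urlparse(url).hostname or "").lower()
            corp_user = value.lower().endswith("@" + domain)
            employee = employee or (value.lower() if corp_user else None)
            if corp_user or in_domain(host, domain):  # company match on user or host
                label, crit = classify(host, domain)
                if RANK[crit] > RANK.get(access.get(label), -1):
                    access[label] = crit
            url = None
    # Cookies still valid after the log date are sessions an attacker could replay.
    active = [h for h, _, exp in (l.split() for l in s.get("Cookies", []) if len(l.split()) == 3)
              if (h in KNOWN_SAAS or in_domain(h, domain)) and date.fromisoformat(exp) > log_date]
    ranked = sorted(access.items(), key=lambda kv: -RANK[kv[1]])
    risk = (ranked[0][1] if ranked else "low").upper()
    machine = sysinfo.get("Computer", "?")
    actions = [f"Reset password + revoke all sessions for {employee or 'affected user'}",
               "Enforce MFA on the exposed services", f"Triage endpoint {machine} via EDR"]
    if active:
        actions.insert(1, "Invalidate sessions on: " + ", ".join(active))
    if any(label == "VPN" for label, _ in ranked):
        actions.insert(1, "Rotate VPN secrets + review recent VPN sign-ins")
    return Alert(machine, sysinfo.get("LogDate", "?"), sysinfo.get("Stealer", "?"),
                 employee, ranked, active, risk, actions)
```

The personal webshop login in the sample is dropped because neither the user nor the host belongs to the watched domain; the VPN entry is kept on the host alone even though its username is not an e-mail. That two-sided company match is what separates a signal for this client from noise in a multi-tenant feed.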

Use Cases

How your SOC
uses CYBERCREDS

Alert your client before the attack

CYBERCREDS sends an alert as soon as an endpoint is detected. You act before the attacker replays stolen sessions. You warn your client — you don't announce an incident.

  • Reset credentials + invalidate M365 / IdP sessions
  • Enforce MFA + check Conditional Access
  • Analyze risky sign-ins (IP, country, impossible travel)
  • Rotate VPN secrets + harden access
  • Triage endpoint via EDR / AV if the device is managed
🔴 CRITICAL 2026-03-18 14:32 UTC
company client-cible.fr
user j.martin@client-domain.com
machine DESKTOP-PRD-092
infection date 2026-03-15 <3 days>
exposed access M365 · VPN · GitHub
sessions cookies potentially still active
risk Session hijacking risk — sessions potentially active
malware LummaC2 v4

Detect compromise before exploitation

30 days separate infection from detection on average. CYBERCREDS cuts that to 72h. The difference between "incident avoided" and "post-mortem".

D-Day
Machine infected
Stealer silently installed, log exfiltrated
D + <72h
CYBERCREDS detects
SOC alert with machine, employee, exposed access
D + 72h
Your SOC acts
Reset credentials, invalidate sessions — incident avoided
Without CYBERCREDS: D+30
Successful attack
BEC, ransomware, exfiltration — too late
THE WINDOW OF OPPORTUNITY
30 days
average time before detection without CTI monitoring
<72h
CYBERCREDS freshness — time to act before exploitation
No exploit needed
no exploit needed — just stolen credentials

Identify exactly who was infected and when

Which machine, which employee, which date, which access. You arrive at your client's with answers — not questions.

  • Search by domain → list of compromised machines
  • Identification of the exact employee (email + workstation)
  • Precise infection date for the legal timeline
  • Mapping of exposed access by criticality
  • Root cause: malware family + probable vector
  • Structured PDF report within 72h for the CISO
investigation — client.com
$ investigate --domain client.fr
[*] Searching 500K+ profiles...
[!] 2 machines found
 
── Machine 1 ──
user p.durand@client.com
host LAPTOP-SALES-04
date 2026-03-12
stealer LummaC2
access M365 · Salesforce · VPN
 
── Machine 2 ──
user p.durand@client.com
host DESKTOP-IT-12
date 2026-03-17
stealer Vidar
access Admin AD · GitHub · AWS
 
[✓] Report PDF → ready
$
Differentiation

What the others
don't do

Most platforms stop at credential detection. CYBERCREDS goes all the way to resolution.

Flare, Hudson Rock, Constella…
  • Credential detection only
  • No potentially active session / cookie analysis
  • No attacker infrastructure identification
  • No root cause analysis
  • No attacker profiling
  • No precise infection date
  • Generic dashboard — no concrete action
CYBERCREDS
  • Machine + employee + infection date
  • Cookies potentially active + session hijacking risk
  • Attacker infrastructure identified
  • Root cause + infection timeline
  • Malware campaign & attacker context
  • Freshness <72h — active signal, not historical
  • Concrete priority actions for the SOC
Sources & Methodology

How we get this —
and why it's defensible

The first question from any SOC is legitimate: "where does this data come from?" Here's the honest answer.

WHAT WE DO
Passive monitoring of public sources
Telegram channels, underground forums, leak archives — no intrusion, no interaction with threat actors
Data minimization
No plaintext credentials stored or transmitted. Minimal evidence, rapid purge of raw data. DPA available.
Confidence scoring on every signal
Every alert is scored LOW / MEDIUM / HIGH based on freshness, source correlation, and detected access type
EU hosting · GDPR-ready
Data processed in Europe. Full RBAC access, comprehensive logging, configurable retention.
WHAT WE DON'T DO
Purchase of stolen databases
Interaction with criminal actors
Storing or transmitting credentials in plaintext
Active testing of detected access (credential stuffing)
Reselling or sharing data with third parties
FALSE POSITIVES

Every signal is scored before delivery. LOW confidence alerts are flagged as such — you decide whether to act. We don't flood your SOC with noise.
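The LOW / MEDIUM / HIGH scoring described under "Confidence scoring on every signal" and in this false-positives note can be written as a small, explainable rule set. The code below is an added example for this page, not CYBERCREDS's scoring model: it awards points for freshness (days since the log was first seen), corroboration across sources, a confirmed corporate identity and a critical access type, maps the total to a confidence level with a delivery rule under which LOW is flagged but never paged, and returns the reasons so an analyst can see why. The thresholds, the `CRITICAL_ACCESS` list and the sample signals are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Access types this example treats as critical (an assumed list, not the vendor's).
CRITICAL_ACCESS = {"M365", "VPN", "SSO", "GITHUB", "GITLAB", "ADMIN"}
TODAY = date(2026, 3, 18)  # fixed so the sample results are reproducible

@dataclass
class Signal:
    domain: str
    first_seen: date         # when collection first observed this log
    sources: int             # independent sources carrying the same log
    access_types: List[str]  # access labels found in the log
    employee_match: bool     # a corporate e-mail in the log matched the watched domain

def score_confidence(sig: Signal, today: date = TODAY) -> Dict[str, object]:
    """Combine freshness, corroboration, identity match and access type into LOW/MEDIUM/HIGH."""
    points, reasons = 0, []
    age = (today - sig.first_seen).days
    if age <= 3:
        points += 3
        reasons.append(f"fresh: first seen {age}d ago")
    elif age <= 30:
        points += 2
        reasons.append(f"recent: first seen {age}d ago")
    elif age <= 90:
        points += 1
        reasons.append(f"aging: first seen {age}d ago")
    else:
        reasons.append(f"stale: first seen {age}d ago, likely a repost of an old log")
    points += min(sig.sources, 3)  # corroboration saturates at three sources
    reasons.append(f"seen in {sig.sources} independent source(s)")
    if sig.employee_match:
        points += 1
        reasons.append("corporate identity confirmed")
    critical = sorted(a for a in sig.access_types if a.upper() in CRITICAL_ACCESS)
    if critical:
        points += 2
        reasons.append("critical access exposed: " + ", ".join(critical))
    level = "HIGH" if points >= 7 else "MEDIUM" if points >= 4 else "LOW"
    delivery = {"HIGH": "page the on-call analyst",
                "MEDIUM": "open a ticket for triage",
                "LOW": "flag only; the SOC decides whether to act"}[level]
    return {"confidence": level, "points": points, "delivery": delivery, "reasons": reasons}

# Constructed signals covering the three outcomes.
SAMPLES = {
    "fresh_critical": Signal("client.example", date(2026, 3, 16), 2, ["M365", "VPN"], True),
    "recent_crm": Signal("client.example", date(2026, 3, 8), 1, ["CRM"], True),
    "old_repost": Signal("client.example", date(2025, 8, 1), 3, ["webshop"], False),
}
```

Note how the stale repost scores LOW even though three sources carry it: corroboration is capped so that an old log recirculating across channels cannot outrank a fresh one, and the `reasons` list is what an analyst sees when deciding whether a LOW flag is worth a call to the client.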

Figures measured on our sources — last 6 months:
10K+ machines/day indexed
500K+ profiles in database
<72h average source → detection delay
DPA available on request
Pricing

Three levels
of engagement

Start with an investigation. See the value before any long-term commitment.

Investigation
On quote
One-time audit · results within 72h
  • Credential + session exposure analysis
  • Malware family + attacker infrastructure ID
  • Probable infection root cause
  • Session hijacking risk assessment
  • Structured PDF report
  • Debrief session included
Contact us
Threat Intelligence
Annual contract
MSSP & key accounts
  • Everything in Monitoring included
  • Malware campaign context
  • Tracking of malicious panel infrastructure
  • STIX/TAXII feed on request
  • Advanced custom watchlists
  • Monthly investigation support
Contact us

Volume pricing available for multi-client MSSPs · White-label available

Start with an investigation — see the value before any recurring commitment.
Immediate POC

Submit a domain.
We tell you what we find.

Give us a client domain — preliminary results in 15 minutes, full analysis within 72h. No commitment, no cost.

01 You submit a domain
02 We scan our sources — 500K profiles, <72h freshness — preliminary results in 15 min
03 We send you what we find — machines, employees, exposed access
04 You decide whether it's worth going further
FOR MSSPS

You can resell this service to your clients. Every alert becomes proof of value from your SOC. Direct ROI on client retention.

FREE TEST — DOMAIN

Email domain must match submitted domain · Reply within 72h

Contact

Check the exposure
of your clients

A 30-minute call is enough to assess your scope and show you what we find. No commitment.

Reply within 24h · No freemail · Data handled confidentially

Cédric BERTRAND
CTO · OSCP · AWAE
cedric@cybercreds.fr
+33 6 85 57 36 99