External Threats Advanced

Product Description

RiskIQ External Threats Advanced enables organizations to adapt the broad capabilities of the RiskIQ External Threats platform and the expertise of RiskIQ Solutions Architect and Managed Security Services (MSS) teams to automate threat detection and monitoring for threat-types that require a deeper understanding of the business in order to appropriately classify and respond.  

Monitoring and detection are limited to threats targeting the client organization and its subsidiaries, not competitors, partners, vendors, or other third parties.

Threat Types

Compromised Data

Compromised Data provides detection and workflow for stolen customer data, such as credit card information, as well as other leaked company data such as employee emails or source code being posted in the open, offered for sale, or otherwise made available to third parties outside the organization.

RiskIQ searches a broad range of known sources for compromised data, including Pastebin, GitHub, SlideShare, forums, and blogs to monitor what data related to an organization is available in each of these locations.

Pre-configured email templates and content removal procedures for various different sites and risk scenarios facilitate enforcement to remove detected instances of data compromise.

Brand Tarnishment

Brand Tarnishment includes the detection and mitigation of web content infringing on client brand trademarks by attacking the brand reputation and/or associating the brand with illegal or offensive content.

RiskIQ virtual users search for such content, analyzing webpages for brand related text or images and leverage machine learning and other advanced analytics to identify the presence of offending content. Dependent on the client brand's industry and policies, categories of such content can include pornography, liquor, tobacco, weapons, drugs, and gambling.

Mitigation requires a representative trademark chart and description of the tarnishment relevant to the Internet presence location, as well as client approval after performing a fair-use analysis.

Social Media Fraud Posts

Social Media Fraud Posts includes detection and remediation of Remote Deposit Capture (RDC) Fraud, Card Cracking, MoneyFlipping, and other popular forms of financial fraud targeting the organization's customers to recruit victims and money mules through social media posts.

RiskIQ virtual users monitor major social media channels most used (Facebook, Twitter, Instagram, and YouTube) for this type of recruiting to detect such activity along with mentions of financial institutions or other trusted brands leveraged in the scam. 

Event alerts contain all the necessary evidence to report abusive posts to each social network and request removal according to the nature of the activity and the site's terms of service.

Custom Monitoring

Custom Monitoring modules allow clients to adapt the capabilities of the RiskIQ platform to additional External Threat-related use-cases not otherwise listed above. All proposed use-cases will be subject to review to evaluate the technical feasibility and configuration challenges.

The detection of each custom module will vary per use-case, and part of the review process will include defining mitigation procedures and configuration of associated templates as appropriate. Mitigation of threats detected through custom monitoring will be subject to the terms of the RiskIQ Managed Security Services Agreement.

Workflow Engine for Threat Management & Mitigation

RiskIQ provides both a web interface and API access to clients and their support teams to submit and investigate events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.

For each threat event, users can take the following workflow actions: 

  • Confirm: Validate event without sending an enforcement notice
  • Enforce: Generate and send a notice to initiate takedown, content removal, or other type of threat mitigation
  • Monitor: Automatically alert on any changes in content or behavior of a suspicious event that raise its threat-level and could trigger future enforcement
  • Review: Set aside for discussion/review to decide on proper response
  • Dismiss: Label event as a false positive
  • Assign a specific user to manage this event
  • Tag an event with a custom label for searching or reporting
  • Send the details of this event to a specified email address

Continuous monitoring of online resources lets customers know when threats have been successfully remediated, and RiskIQ’s post-resolution monitoring automatically re-opens events and alerts users to any tenacious threats posing a recurring risk to the organization.

Detection Methodology

RiskIQ leverages its Internet intelligence datasets and proprietary virtual user technology to automate and streamline the detection and monitoring of threats over time. Virtual users closely simulate human Internet users in the ways they discover, analyze, and interact with web content in order to uncover previously unknown threats targeting specific user demographics and circumvent cloaking techniques used by criminals to evade detection. RiskIQ enriches the observations captured by virtual users with the intelligence gathered by the full RiskIQ platform in order to contextualize risks and prevent false positives. 

When threats are detected according to the subscribed set of modules and covered brands, RiskIQ automatically creates alerts in the form of events within the platform and schedules virtual users to re-examine the threat resource at scheduled intervals to observe changes over time and track the entire lifecycle of a threat.

RiskIQ’s vast Virtual User network includes:

  • A diversified bank of IP addresses from hundreds of geographic locations
  • All major browsers, both desktop and mobile
  • Algorithms to initiate crawlers on specific pages and follow links to simulate referred traffic
  • Algorithms to simulate clicking through a page as an intentioned user would rather than a bot systematically or randomly clicking links
  • The ability to extract, normalize, and target key attributes from social media profiles and mobile app store postings

Full records of virtual user sessions, including screenshots, the captured document object model of each page, and preserved sequence of links and redirects provide the technical basis of RiskIQ's detection capabilities, upon which layers of analytics are automatically applied in order to classify each threats and enrich data with additional insights to determine the appropriate response. 


RiskIQ provides dashboards, email alerts, data exports, webhooks, APIs, and integrations with popular SIEM and other tools to extract and interact with our data. PDF reports also provide External Threat Management program performance metrics related to event detection, management, and enforcement over time.