Articles on: TruScan

TruScan Dark Web Scanning Overview

TruScan Dark Web Scanning Overview

The TruScan functionality available to Service Providers enables you to provide Dark Web scanning and monitoring services to customers.

With Simple and Secure Workspaces, it by default comes with integrated TruScan Dark Web scanning for any users that are log into (or via your TruGrid branded portal).

TruScan also provides additional, exclusive functionality for Service Providers to scan entire domains (not only for individual users who log into and ongoing monitoring of compromised credentials being sold on the Dark web.

TruScan Dark Web scanning detects compromised credentials in the Surface Web, Deep Web and Dark Web. Below is a graphic and explanation of each term.

TruScan provides three key features exclusive to Service Providers:

Accept Dark Web requests from customers using your branded portal Risk Report page. Customers can enter in requests directly on the Risk Report page and the request will be sent to you for processing how you wish. You can promote your branded Risk Report page to your current and potential customers. Those customers can enter a domain, see an approximate count of compromised accounts we have on file and send a request to you for more details. You will receive an email notification and the request will be shown in your TruScan portal page. This is a free service that is included with your Service Provider paid licenses package.

Perform Dark Web Discovery Scans to get a sampling of up to a maximum of 15 potential compromised accounts for a domain. This will help you assess the potential compromised accounts. You can even download a CSV file of those accounts and masked passwords (first and last character such as L"""""4). You could show this to your existing or potential customers and try to promote a Full Domain Scan report for them. You can choose how much you would like to sell this to them for. Depending on how you bundle it and provide it to them, you may be able to sell this for between $200 to $1,000. Below is an example (using fictitious data) of what your discovery scan CSV results might look like.

Perform Dark Web Full Domain Scans and Monitoring to get a full report for the entire domain, of all known compromised accounts and ongoing monitoring for 1 year. For example, if the approximate count of compromised accounts is 1,000 then the full report would contain approximately 1,000 emails and masked passwords (first and last character such as L"""""4). A Full Domain Scan costs up to $85 and includes 12 months of monitoring. You can also rerun the scan at any time during those 12 months. Below is an example (using fictitious data) of what your full domain scan CSV results might look like. Note: if you are running a full domain scan report for a domain that shows over 200 compromised credentials, please contact us at with the domain name so we can ensure all the compromised credentials are published to you.

Below are examples of values that may appear in the "Source types" column:
Social - for example, LinkedIn or Facebook
Storage - for example, Dropbox or
Entertainment - for example, Hulu, Netflix
Gaming - for example, kids game sites and gambling sites
Hacking - represents general forums that exchange hacked data
Software - for example,
Email - for example, Email
Unknown - not yet classified. Classification is a manual process.

Below are examples of values that may appear in the "Profiles" column. This column shows what other information, in addition to the user credentials, has been leaked.
Phone Number
Full Name
Social Media Profile

Sometimes you may see a password listed as blank or in this format "<*******>". This means we were unable to decrypt the password into a plain text masked format for you, such as "X*****V", for example.

We don't provide full unmasked passwords. We do not believe its helpful to anyone to distribute full passwords and we believe doing so will only help further reduce the security of environments. If you have full passwords, this could also potentially increase your liability. An individual should be able to identify from the masked password, whether this represents their current password; having the full password does not offer any additional benefit to them.

Sometimes you may see an initial count of compromised credentials that is higher than the full domain scan resulting count. When we count compromised credentials, we count them from all breaches we have in our database. For example, a specific userid and password might be sold on two sites, however, we will consolidate this data in the final full domain scan. Typically the difference is less than 5-10% of the total count.

The most important thing to keep in mind is to act in a timely manner to mitigate the risks of compromised credentials being sold.

Note that changing a password on a compromised account will help protect it but this does not mean the compromised listing on the dark web will be removed. Hackers will continue to sell any information they can profit from, even if it is not all entirely accurate or up to date. Use the ongoing monitoring to be aware of new detections (use the "First seen date" to identify when it was found) so you can react and protect accounts as quickly as possible.

Below is a template Word document you can use to report TruScan results to your customers. You can modify and brand this with your companies logo and information.

TruScan ID Monitoring Report - Template from

Updated on: 08/03/2023

Was this article helpful?

Share your feedback


Thank you!