PLAYBOOK

Identity exposure playbook for SOC teams

A six-step framework for triaging exposed credentials, mapping the blast radius, and closing the loop fast, built from real SOC and IR engagements.

This playbook assumes you have a continuous identity exposure feed (e.g., DarkWeb LLC's stealer log + combo list pipeline) and a SIEM or ticketing system to route work. Each step lists the owner, the action, and the expected output.

1 · Detect

Owner: Identity exposure feed → SIEM

Action: Ingest exposure events tagged with your monitored domains, brands, and executive identities. Auto-create a triage ticket per identity (not per log) to avoid duplicate work.

Output: A queue of exposure tickets with raw evidence, source, and freshness metadata.

2 · Validate

Owner: Tier 1 SOC analyst

Action: Confirm the identity belongs to your org (not a former employee, not a personal account on a look-alike domain). Confirm the credential is plausibly current: check the observation's freshness, any password format hints, and whether the observation predates a known password reset for that account.

Output: Validated / Discarded label on the ticket, with rationale.

3 · Triage

Owner: Tier 2 SOC analyst + identity team

Action: Score each validated ticket on three axes: account criticality (privileged? executive? finance?), blast radius (how many systems share this credential or can be reached via SSO?), and active use (any recent suspicious sign-ins?).

Output: P1 / P2 / P3 priority and an action plan per ticket.

4 · Contain

Owner: Identity / IT operations

Action: Force credential reset, revoke active sessions, rotate any tokens / API keys associated with the identity, and disable saved-password sync on the user's managed devices.

Output: Contained ticket with timestamps for reset, revocation, and any device actions.

5 · Eradicate

Owner: SOC + endpoint team

Action: If the source is a stealer log, treat the user's device as compromised until proven otherwise: pull EDR telemetry, scope the infection, and reimage if there's any doubt. Hunt for siblings (same C2, same stealer family) across the fleet.

Output: Confirmed-clean device + scoped hunt results.

6 · Learn

Owner: SOC lead + identity owner

Action: Trace the root cause: where did the credential leak from? Was MFA enforced? Was the device managed? Update the relevant control (browser policy, MFA enforcement, device baseline) and feed the lesson back into onboarding.

Output: One-page post-incident note added to your knowledge base.
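Steps 1 to 3 above (one ticket per identity, validation against the directory, three-axis scoring) are the part of the playbook that can be automated before a human touches the queue. The following is an added example, not code from this page or from any vendor's pipeline: the event fields, the directory snapshot, the suspicious sign-in telemetry, the thresholds and the priority mapping are all assumptions chosen to make the logic concrete, and the sample feed is constructed.

```python
"""Steps 1-3 of the playbook (detect, validate, triage) run over a constructed exposure feed.

Added example, not any vendor's code: the event fields, directory shape, sign-in telemetry
and scoring weights are assumptions chosen to make the logic concrete.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
MONITORED_DOMAINS = {"example.com"}        # assumed: the org's monitored domains
ACTIVE_USE_WINDOW = timedelta(days=7)      # assumed: what counts as a "recent" suspicious sign-in
BLAST_RADIUS_THRESHOLD = 10                # assumed: SSO app count that counts as wide reach


def ts(s):
    """Parse the feed's ISO-8601 'Z' timestamps (assumed format)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed directory snapshot: who is current, how critical, how reachable via SSO.
DIRECTORY = {
    "cfo@example.com":    dict(active=True,  privileged=False, executive=True,  finance=True,
                               sso_apps=40, last_reset=ts("2025-11-01T00:00:00Z")),
    "admin1@example.com": dict(active=True,  privileged=True,  executive=False, finance=False,
                               sso_apps=12, last_reset=ts("2026-01-15T00:00:00Z")),
    "jdoe@example.com":   dict(active=True,  privileged=False, executive=False, finance=False,
                               sso_apps=3,  last_reset=ts("2025-06-01T00:00:00Z")),
    "mlee@example.com":   dict(active=True,  privileged=False, executive=False, finance=False,
                               sso_apps=2,  last_reset=ts("2025-09-01T00:00:00Z")),
    "former@example.com": dict(active=False, privileged=False, executive=False, finance=False,
                               sso_apps=0,  last_reset=ts("2024-01-01T00:00:00Z")),
}

# Constructed suspicious sign-in telemetry (e.g. impossible-travel alerts), keyed by identity.
SUSPICIOUS_SIGNINS = {"cfo@example.com": [ts("2026-02-28T09:12:00Z")]}

# Constructed exposure events as a feed might emit them; two separate logs hit the CFO.
SAMPLE_EVENTS = [
    {"identity": "cfo@example.com",    "source": "stealer_log", "observed": "2026-02-27T10:00:00Z", "log_id": "log-1"},
    {"identity": "cfo@example.com",    "source": "stealer_log", "observed": "2026-02-28T08:00:00Z", "log_id": "log-2"},
    {"identity": "admin1@example.com", "source": "stealer_log", "observed": "2026-02-20T00:00:00Z", "log_id": "log-3"},
    {"identity": "jdoe@example.com",   "source": "combo_list",  "observed": "2021-05-01T00:00:00Z", "log_id": "combo-7"},
    {"identity": "mlee@example.com",   "source": "combo_list",  "observed": "2026-02-22T00:00:00Z", "log_id": "combo-8"},
    {"identity": "someone@example.co", "source": "combo_list",  "observed": "2026-02-20T00:00:00Z", "log_id": "combo-9"},
    {"identity": "former@example.com", "source": "stealer_log", "observed": "2026-02-25T00:00:00Z", "log_id": "log-4"},
]


def detect(events):
    """Step 1: one ticket per identity, not per log, so duplicate exposures collapse into one unit of work."""
    tickets = defaultdict(list)
    for ev in events:
        tickets[ev["identity"].lower()].append(ev)
    return tickets


def validate(identity, events, directory):
    """Step 2: return ('Validated'|'Discarded', rationale) for one ticket."""
    domain = identity.rsplit("@", 1)[-1]
    if domain not in MONITORED_DOMAINS:
        return "Discarded", f"{domain} is not a monitored domain (look-alike?)"
    user = directory.get(identity)
    if user is None or not user["active"]:
        return "Discarded", "no current account for this identity (former employee?)"
    newest = max(ts(ev["observed"]) for ev in events)
    if newest <= user["last_reset"]:
        return "Discarded", f"newest observation {newest.date()} predates reset on {user['last_reset'].date()}"
    return "Validated", f"current account; newest observation {newest.date()} is after the last reset"


def triage(identity, user, signins, now):
    """Step 3: score criticality, blast radius and active use, then map to P1/P2/P3."""
    criticality = sum(user[k] for k in ("privileged", "executive", "finance"))   # 0..3
    wide_blast = user["sso_apps"] >= BLAST_RADIUS_THRESHOLD
    active_use = any(now - t <= ACTIVE_USE_WINDOW for t in signins.get(identity, []))
    if active_use or criticality >= 2 or (criticality and wide_blast):
        prio = "P1"
    elif criticality or wide_blast:
        prio = "P2"
    else:
        prio = "P3"
    return {"criticality": criticality, "wide_blast": wide_blast, "active_use": active_use, "priority": prio}


def build_queue(events, directory=DIRECTORY, signins=SUSPICIOUS_SIGNINS, now=NOW):
    """Run detect -> validate -> triage and return the ticket queue keyed by identity."""
    queue = {}
    for identity, evs in detect(events).items():
        label, why = validate(identity, evs, directory)
        ticket = {"event_count": len(evs), "sources": sorted({e["source"] for e in evs}),
                  "label": label, "rationale": why, "priority": None}
        if label == "Validated":
            ticket.update(triage(identity, directory[identity], signins, now))
        queue[identity] = ticket
    return queue


if __name__ == "__main__":
    for ident, t in build_queue(SAMPLE_EVENTS).items():
        print(f"{t['priority'] or '--'} {t['label']:9} {ident:22} x{t['event_count']}  {t['rationale']}")
```

Run as-is it prints six tickets from seven events: the CFO collapses to one P1 ticket with two logs attached, the privileged admin lands at P1 through the privileged-plus-wide-SSO rule, the ordinary user with two SSO apps is P3, and the stale combo-list hit, the look-alike domain and the former employee are discarded with the rationale recorded on the ticket. The reset-date check is the one that does the most work in practice, and it only works if your directory export carries a trustworthy last-reset timestamp.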

KPIs & SLAs

  • Time-to-validate: under 1 hour for P1 exposures
  • Time-to-contain: under 4 hours for P1, under 24 hours for P2
  • Repeat-exposure rate: under 5% of users re-exposed within 90 days
  • Mean blast-radius score: trending down quarter over quarter

These are starting targets. Tune them to your environment and your exposure volume; what matters is that you measure and improve.

Wire this playbook into your SOC

We can plug DarkWeb LLC exposure feeds into your SIEM and stand this playbook up end-to-end in days, not months.
