Flare FAQ – Frequently Asked Questions


About Flare: the Company

Why was Flare created?

Our Montreal-based co-founders Mathieu Lavoie, Israël Hallé, and Yohan Trépanier Montpetit created Flare in 2017 after working in red teams in financial services/banking. They wanted to find a way to provide their cybersecurity knowledge and expertise in a system that could be made available to any organization regardless of its size or level of expertise. The goal is to democratize these services and make them available more broadly. Learn more about the Flare story.

What industries does Flare work with?

Flare has customers across various verticals internationally. The use cases for dark web monitoring, data leak monitoring, and more can apply across industries and adapt to each organization’s unique challenges. Read our Customer Stories to learn more.  

How does Flare’s pricing work? What’s the difference between per seat versus per identifier pricing?

We have a flexible and transparent pricing model that allows your organization to scale depending on how much you want to monitor. Instead of charging per seat, which doesn’t take into account that different team members have varying levels of platform use, charging per identifier finds your organization’s best fit based on employee number and industry.   

What’s an identifier? 

Identifiers are the search terms Flare uses to crawl the dark and clear web; the results are returned as a prioritized list of risks in Flare’s intuitive SaaS platform. Some examples of identifiers include domains, keywords, executive names, email addresses, IP addresses, and other types of searches that can help detect threats related to your organization. The platform automates identifier discovery and recommends areas of your attack surface to monitor.

What’s Flare’s intellectual property? Do you have any patents?

Our intellectual property is the combination of all the systems we’ve built in the last five years of R&D that can collect, structure and analyze cybercrime and cyber risk data. We don’t plan on patenting it as we prefer to keep it a trade secret and keep our competitive edge.  

Does Flare purchase methods or data?

What we’ve seen with our clients is that they are able to pinpoint the problem without actually buying the methods based on the description given in the listing. Threat actors have to include some amount of information in the listing to attract buyers, which is often sufficient for cyber analysts to take action on.  

Does Flare work with law enforcement?

Yes, we have ties with law enforcement and can help bridge the gap between them, the financial institutions, and regulators. We supported the Canadian Radio-television and Telecommunications Commission (CRTC) in taking down one of the biggest dark web marketplaces in the world. Learn about Flare’s assistance in this takedown in the CRTC’s press release.

What are Flare’s security and compliance practices?

Flare applies industry best practices in terms of cybersecurity. All data is encrypted at rest on AWS with 256-bit AES, and in transit using SSL. We also do an annual penetration test with an external service provider. We are SOC 2 Type 1 compliant and are aiming to be SOC 2 Type 2 compliant in 2023.

About Flare: the Platform

How does the Flare platform work?

You provide a core set of terms (what we call identifiers), such as your domain name, the names of key VIPs in your organization, internal project names, or other terms that you want us to search. We then add hundreds of other relevant terms to yours. With the combined set, the platform collects data, monitors for secrets, technical leakage, threat actor chatter about your organization, etc., and then prioritizes the results. Not only do we crawl, but we also structure and analyze the data using artificial intelligence to prioritize threats and present precise risk levels on activities and actors to our clients.

We take the risk out of locating your data because we’ve established a safe way to access, search, and monitor these illicit sources. You can see it all through a single, intuitive interface with proactive alerts.

Want to take a look at the Flare platform for yourself? Watch the platform tour.

How are other intelligence teams using Flare? 

There are a number of use cases. Threat intel teams typically look at the dark web for targeted threats or risks around the business: either specific mentions of the organization as a target, or conversations about methods to bypass two-factor authentication that can lead to customer account takeover (ATO) or other cyber risk.

Can junior analysts/non-tech savvy team members use Flare?

Absolutely. We designed the platform to be user-friendly and create a safe, easy way to search through illicit sources.  Read our Customer Story, Flare Slashed Dark Web Investigation Time by 97% for a Leading Managed Security Service Provider, to learn more about how Flare can support upskilling junior analysts.   

Will bad actors know that I have been searching for my information on Flare?

No, they will not. When you search for particular information, Flare collects everything broadly and allows you to search anonymously.  

How long is Flare’s onboarding process?

Flare can be set up in as little as 15 minutes.

What languages does Flare support?

Flare indexes and supports searching in any language, with any character set. With Flare’s AI Powered Assistant, your cyber team can receive instantly contextualized reports, regardless of the original language of the post. Our interface is in English and French. More languages are coming soon!   

What types of sources does Flare cover? How often do you add and remove sources?

We cover many sources in the clear & dark web and illicit Telegram channels. These sources  include Shodan, GitHub, public buckets, source code sites, and paste sites, where cybercriminals gather. We update the sources each week and notify customers of changes each month.   

Does Flare do network security?

Flare does not really do network security. A network security solution will typically monitor and protect a network by using agents that scan or block activity and look for malicious events. A firewall is a typical network security tool, and vendors such as Fortinet or Cisco are well-known network security players. Flare, on the other hand, complements network security solutions by monitoring the external side of an organization and identifying threats and issues there.

Does Flare do app security (appsec)?

Flare provides certain features for app security, especially in the context of monitoring for source code leaks, which typically occur when organizations or consultants are developing an application. Solutions like Sonatype that help improve the DevSecOps pipeline, or Static and Dynamic Application Security Testing (SAST/DAST) tools such as Acunetix, are well-known application security vendors.

How does Flare help profile cybercriminals? 

Flare collects data across the clear & dark web and builds profiles for cybercriminals based on data points from a number of different sources. By bringing this information together, we are able to provide an overview of a threat actor’s credibility and activity from across illicit sources. If the actor has publicized email addresses, Telegram handles, or other identifiable information, it will be available in a single area of the Flare interface, helping you get better visibility and extract actionable intelligence.

With the Similar Actor Model, Flare applies natural language processing to identify different usernames that may actually be the same threat actor, and to help find actors who may be related since they sell similar items/services.

What are the privacy considerations around Flare’s AI Powered Assistant?

We only send Flare results to the external AI service, and nothing about your organization or identifier leaves Flare. The data is not used by the AI service for training or model improvement, and is kept private. The AI Powered Assistant only runs if you click on the AI Assist tab. We can deactivate the capability for your organization if preferred.   

What is the minimum number of security team members necessary to use Flare?

We serve customers that range in cyber team sizes and industries. Teams with at least three members benefit from the deep coverage on specific sources.   

How does Flare keep up with the constant changes within illicit communities?

Various team members across Flare look into illicit communities each day to best monitor and add context to the findings on the Flare platform. The Research team delivers timely threat intel to our customers and audience so they can be better informed of (emerging) threats.  Take a look at some resources from Flare, including the Research team, in our Resource Center.  

Flare Integrations

How do I integrate my environment with Flare?

Flare’s digital footprint monitoring platform is designed to be flexible and compatible with any organization’s workflow and environment, and can work with nearly any other platform through our REST API. Customers can build integrations or automations themselves with the Flare API. There are three types of ready-to-use integrations: with other security tools like SIEM/SOAR (Splunk, Azure Sentinel), messaging systems (Slack, Microsoft Teams), and ticketing systems (Jira, ServiceNow).  

Can I monitor all my public infrastructure with Flare? How can I identify hosts/servers I might have lost track of?

Yes, we provide external attack surface monitoring. You can monitor all your domains and associated subdomains and we will query tools such as Shodan for all related IP addresses. Each event will specify which domain identifier it was found through, the IP address, metadata, any associated CVEs and the open port in question. You will also be able to check SSH certificate validity and further investigate the IP address. These events will be assigned a risk score depending on the port that was left open and the number of vulnerabilities associated with it, among other things.

We also have a History tab for all host results that gives you the history log of all ports that have been opened and closed on the host. This is helpful for your team to see when any ports were mistakenly left open and how long they were left open to assess the risk.

How do I receive alerts? When does Flare send alerts?

You can configure alerts to be sent to you by e-mail or through the Slack and Azure Sentinel integrations. We only send alerts for results of specific identifiers or groups of identifiers that have alerts configured in the platform. Each time a new document is found on the clear and dark web, we send alerts.

Why would I use a Jira/ServiceNow-Flare integration?

The advantage of a ticketing system is that it allows triaging alerts without significant overhead. It is not as sophisticated as a SIEM/SOAR, but it is very simple.

Why would I use an Azure Sentinel/Splunk-Flare integration?

The advantage is that a platform like Sentinel or Splunk includes a lot of other security data that can be used to pivot and add context on Flare alerts. It can also automate remediations and next steps.  

How Flare Partnerships Work with MSSPs

How do Flare service credits work with MSSPs?

We work together with MSSPs who want to offload intel work to us with service credits. We don’t offer a managed version of Flare, and only offer services for RFIs and takedowns. We don’t respond to incidents, analyze logs, or do assessments like MSSPs offer to customers.  

Can I change the report to my own branding?

For now, you can use the feature to export to a Word document and either update the document directly, or copy-paste the content into your own template or report. This gives you total control over the look and feel to make it match your brand. A number of partners add the Flare Footprint results to an actual report they are already producing and they appreciate the flexibility.

Definitions: ABCs of the Dark Web

What is an autoshop?

In the criminal underground, the term autoshop is used to describe websites that allow cybercriminals to “automatically” purchase illicit digital assets such as credit cards, bank account information, credentials, or other such assets. These websites typically include an “add-to-cart” concept, an online cryptocurrency-based payment system and automatic delivery of the digital item. Autoshops typically have a small number of vendors that work directly with the administrators to make their illicit data available (compared to common peer-to-peer dark web markets where anyone can list and sell products and services).

What is a browser fingerprint?

A browser fingerprint refers to a set of unique characteristics and configurations of a user’s device and browser that can be used to identify and track the user across websites and online services. While browser fingerprinting can serve legitimate purposes, such as fraud detection and anti-bot measures, it can also be exploited by malicious actors for various cyber threats and attacks. Some malware targets browser fingerprints to then sell to malicious actors.  

What’s the difference between the clear, dark, and deep web? What’s the importance of monitoring more than the dark web?

The clear web, also known as the surface web, is the publicly accessible portion of the internet that standard search engines index and search. It consists of websites and resources that are openly available to users without any special access requirements or encryption protocols. The clear web makes up a relatively small portion of the entire internet (about 4%), with the majority of the internet’s content existing in the deep web and the dark web, which are not accessible through standard search engines.

The deep web includes all the pages that search engines don’t index and that are therefore not visible on Search Engine Results Pages (SERPs). This includes password-protected websites and websites that choose not to be “crawled” by search engines. The deep web contains content that’s stored in databases that support services on the clear web, such as social media platforms or subscription streaming services.

The dark web requires specific software, configurations, or authorization to access (it is not indexed by standard search engines). The dark web is intentionally hidden and requires the use of special tools like the Tor browser, which enables anonymous communication and browsing. While the dark web is often associated with illegal activities, such as the sale of drugs, weapons, and stolen data, there are also other activities, including privacy-focused communication, political activism, and the sharing of sensitive information in oppressive regimes. The anonymity provided by the dark web makes it appealing for both legal and illegal purposes, as it allows users to communicate and share information without revealing their identities or locations.

Though threat actors are often associated with the dark web, they gather in many areas across the clear, dark, and deep web. Illicit Telegram channels are especially gaining traction as a popular alternative to dark web forums and marketplaces. Monitor all of these areas for a comprehensive cyber threat intelligence strategy.

What is a combolist?

Combolist is a term used by threat actors to describe a large curated list of credentials (username and password) that is typically leveraged with a credential stuffing attack to attempt to gain access to a system.   

What is a dark web forum?

A dark web forum is an online discussion board or community where users can engage in discussions on various topics. These forums often focus on specific interests, such as hacking, cybercrime, activism, or privacy. Forum visitors can post questions, share knowledge, provide advice, and collaborate on projects. Dark web forums can be a source of information, tools, and techniques for cybercriminals, but they can also be used by privacy advocates, whistleblowers, and individuals seeking to avoid censorship.  

What is a dark web market?

A dark web market is an online marketplace that operates on the dark web, primarily facilitating the buying and selling of (often illicit) goods and services. The transactions are typically with cryptocurrency to provide anonymity. Dark web markets offer a range of products, including drugs, weapons, stolen data, counterfeit goods, hacking tools, and more.  

What is a data breach?

A data breach is an incident where an unauthorized individual or entity gains access to sensitive data, typically through deliberate actions like hacking or exploiting vulnerabilities in a system. Threat actors may use various tactics, such as phishing, malware, or social engineering, to infiltrate a system and exfiltrate sensitive data. The goal of a data breach is usually to acquire valuable information for financial gain, identity theft, or other malicious purposes.  

What is a data leak?

A data leak is an unintended exposure or release of sensitive data, often resulting from human error, misconfiguration, or lack of proper security measures. A data leak can occur when sensitive information is accidentally shared with unauthorized parties, such as through email, cloud storage, or unprotected databases. In this case, there may not be a deliberate attempt to access the data, but the result is still an exposure of sensitive information.  

What is an infected device?

An infected device refers to an electronic device, typically a computer, that has been compromised by malware. In this context, “infected” means that the device has been successfully targeted and exploited by threat actors who have managed to install malware on the device without the user’s knowledge or consent. Once a device is infected, the malware can perform various malicious activities, depending on its type and purpose. Infected devices can be sold in infected device markets.

What are leaked credentials?

Leaked credentials refer to sensitive login information, such as usernames, email addresses, and passwords, that have been unintentionally exposed through the lack of proper security measures or intentionally stolen and subsequently made publicly available or shared among malicious actors. Credential leaks can occur as a result of data breaches, data leaks, phishing attacks, or other cybersecurity incidents.  

What is a stealer log?

A stealer log refers to a record or file generated by a type of malware known as a “stealer,” “information stealer,” or stealer malware. This type of malware is designed to collect and exfiltrate sensitive information from a compromised device. The stealer log contains the harvested data, which may include usernames, passwords, browser history, cookies, credit card details, or other confidential information that the stealer malware has managed to capture.

What is (info)stealer malware?

Stealer malware, also known as information stealer or data stealer, is a type of malicious software designed to collect and exfiltrate sensitive information from infected devices. The primary goal of stealer malware is to gather valuable data, such as login credentials, credit card information, personal identification details, and other confidential data, which can be used for various malicious purposes or sold on the dark web. The collection of information stolen by stealer malware is known as a stealer log.

What is ransomware?

Ransomware is a type of malicious software (malware) that infects a victim’s computer or network, encrypts their data, and demands a ransom payment in exchange for the decryption key to restore access to the encrypted files. The primary goal of ransomware is to extort money from victims. Threat actors have increasingly been escalating their attacks from single-extortion ransomware to double and even triple extortion.

What is spear-phishing?

Spear-phishing is a targeted form of phishing attack where cybercriminals send carefully crafted emails to specific individuals or organizations with the aim of tricking them into revealing sensitive information, clicking on malicious links or attachments, or performing actions that benefit the threat actor. Unlike traditional phishing attacks, which are usually sent to a large number of recipients in a more generic form, spear-phishing is tailored to the targeted victim, making it more convincing and effective. Threat actors craft spear-phishing campaigns by researching their targets extensively, gathering information from public sources like social media and corporate websites. Spear-phishing emails often impersonate trusted sources, such as colleagues, business partners, or high-ranking executives within the target organization.

Curious about threat actor jargon? Read our blog article, Do You Speak Fraudster?, to learn more.