Every pen test and purple team engagement runs better when the team doing the work has already spent real time on prep. For SEVN-X, a big piece of that prep is the dark web. In the short video below, we walk through how we use OSINT, breach data, and info-stealer logs to find credentials and password patterns before we ever touch a client's environment.
| 0:00 | Prep work before a pen test or purple team |
| 0:15 | Pulling client credentials from past breaches and leaks |
| 0:38 | Spraying internal environments to find reused passwords |
| 1:00 | Identifying password patterns an organization actually uses |
Wondering what's already exposed about your organization?
Get in touch to scope a dark web assessment or your next offensive engagement.
An attacker doesn't start with an exploit. They start with what's already on the table. Stolen credentials sitting in breach dumps. Session cookies pulled from info-stealer logs. Email addresses scraped from old leaks. Password patterns leaked across a dozen smaller sites that an employee reused at work. None of this requires a single piece of malware to obtain. It's already public, or close to it.
If a tester is going to simulate a real attacker honestly, that's where the engagement starts. Not with a vulnerability scanner. Not with a phishing email. With the question of what an attacker would already know about you before they ever sent a packet your way.
Before a pen test or purple team kicks off, we pull together what's already circulating about the client in the public and semi-public corners of the internet. That includes OSINT on the organization and its people, but it especially includes credentials. We look at past breaches the company or its employees appeared in. We look at data leaks where corporate email addresses showed up alongside other sites' passwords. We look at info-stealer aggregations, which capture credentials that malware harvested from employees' personal machines and bundled together for sale.
What we end up with is a list of credentials and password patterns tied to the organization. Some are stale. Some still work. The interesting ones aren't necessarily the perfect matches. They're the patterns. If three different employees show up in three different leaks with passwords that all follow the same structure, that pattern probably exists somewhere inside the company today.
Once we have credentials and patterns, we put them to use. Externally, that might mean a controlled password spray against the client's cloud tenants. Internally, during the exercise itself, it means testing whether those same credentials or close variants have been reused on internal accounts. Either path tells the client something they couldn't have learned by running a tool.
The success rate is higher than most people expect. Even at organizations with mature security programs, the patterns hold. People reuse. Password rotation policies push employees into predictable variations. The same root word with a different number on the end shows up across a workforce of thousands. When we identify that pattern from public breach data and then prove it works inside the environment, the client doesn't just get a finding. They get a clear, defensible argument for changing how the organization thinks about credentials altogether.
A good test isn't the one that finds the most flashy vulnerability. It's the one that mirrors what an attacker would actually do. For most organizations, that means starting with whatever the attacker can already see, and credentials in breach and leak data are usually the first thing on that list. If your team has never been through this kind of exercise, you'd be surprised what's already out there. We can show you.