SpyCloud Integrations

By integrating SpyCloud into your existing security tools, you can maximize the value of your cybersecurity investments:
    • Security Information and Event Management (SIEM): View SpyCloud breach alerts within the context of your overall security posture, triage related alerts, and consolidate event logs for compliance and reporting.
    • Security Orchestration, Automation, and Response (SOAR): Enhance internal risk modeling and orchestrate incident response activities when a new data breach exposes enterprise credentials to cybercriminals.
    • Threat Analytics & Threat Intelligence Platforms (TIPs): Extend your threat detection and response capabilities by using SpyCloud data for threat hunting and incident response.
    • Link Analysis & Graphing: Visualize connections between SpyCloud data and other threat intelligence sources and accelerate your investigations.
    • Directory Services & Identity Management: Automatically prevent, detect, and reset compromised employee passwords that put your organization at risk of a data breach or ransomware delivery.
    • Ticketing Systems: Generate tickets for incident responders and others who may need to take action based on SpyCloud breach alerts.
    • Consumer Applications: Prevent consumers from setting bad passwords within your application and identify when their logins are compromised by a breach or credential-stealing malware.

How Customers Are Integrating SpyCloud

SpyCloud customers integrate our data into a variety of platforms and tools. Here are some examples.

Active Directory, Microsoft

SpyCloud-supported, Directory Services, Employee Protection

Automate Active Directory protection out of the box using SpyCloud Active Directory Guardian. Active Directory Guardian includes two components that can be used together or separately to prevent, detect, and reset weak or compromised passwords automatically.

    • The password filter blocks employees from setting insecure passwords that could put corporate resources at risk. When an employee sets a new Active Directory password, the password filter automatically screens their choices for repeated or sequential characters, up to 50,000 custom dictionary words, and any previously-exposed passwords that SpyCloud has recovered from data breaches and malware infections.
    • The scanner checks employee credentials for exposures on an ongoing basis as new breaches occur. Security teams can schedule automated scans to check for compromised credentials, custom banned passwords, 1000 “fuzzy” variations of banned and exposed passwords, and any previously-exposed passwords in SpyCloud’s database.

Together, they provide both prevention (password filter) and detection (scanner), complementing each other in the same way as brushing your teeth to prevent cavities and taking regular trips to the dentist to check for issues. The password filter prevents employees from setting weak or compromised passwords in the first place, and the scanner detects and resets additional exposures as new breaches occur over time.

Learn More

“One of the key areas of value is how the solution is proactive. As soon as it detects a compromised account, the integration with Active Directory works to reset that account, utilizing our CSOC incident response procedures. And it sends a notification to the security teams that remediation is taking place.”

– Al Dixon, Principal IT Security Architect of CorpIT at EBSCO Industries

“With Active Directory Guardian running on a daily or twice-daily basis, as soon as there’s a hit, the password is reset. I’m not sure you can do much better than that.”

– Dan Holland, Global Senior Director of IT Operations, Alvarez & Marsal


Vendor-supported, Threat Intelligence Platform (TIP), Employee Protection

Enhance your security defenses by using SpyCloud data within Anomali to extend your detection and response capabilities. Combining breach data with your other intelligence sources can help you identify potential threats to your enterprise and arm analysts with the information they need to respond to incidents swiftly and effectively.

AT&T Cybersecurity, AlienVault USM Anywhere

Vendor-supported, Security Information and Event Management (SIEM), Employee Protection

Centralize your security posture by viewing SpyCloud breach alerts within the AlienVault USM Anywhere security management platform for threat detection, compliance management, and incident response. USM Anywhere generates alarms when SpyCloud detects your employees’ data on the criminal underground, along with context such as whether the data was stolen in a breach or via a malware infection such as a keylogger.

Learn More


SpyCloud-supported, Link Analysis, Investigations

Enhance your investigations by combining breach data from SpyCloud with data from internal and other OSINT sources using Maltego. Render directed, interactive graphs for link analysis to help your investigators find relationships between pieces of information collected from different sources located on the internet. With the SpyCloud API, investigators can pivot on data points like username, password, IP address, or email address and find a wealth of data. SpyCloud provides 50+ Maltego transforms, making it easier for investigators to use our rich dataset to research incidents.

“SpyCloud really helps our research in connecting dots between a persona that we have and one that we don’t.”

– Global Managed Services Provider


Vendor-supported, Extended Detection and Response (XDR), Employee Protection

Expedite your incident response activities by drawing SpyCloud data into Cisco SecureX. Using the SecureX Threat Response SpyCloud Module, you can initiate investigations into security events and discover additional context from data SpyCloud has recovered from third-party breaches.

Learn More

IBM Security i2 Analyst Notebook

Link Analysis, Investigations, Not Officially Supported

Integrating SpyCloud data into i2 Analyst Notebook can help your agency visualize connections between entities and build a case by determining venue, discovering digital accounts tied to a single actor or criminal campaign, and pulling the thread to the end before spending months on process. Analysts can visually link artifacts, pivot on selectors of interest, and uncover links that can open new avenues for investigation.

Jupyter Notebook

Open-source, Link Analysis, Investigations, Not Officially Supported

Utilize our prebuilt Jupyter Notebooks to enhance your investigations with SpyCloud data. View potential trouble spots, or filter the data to highlight just the most actionable records and optionally export those records into a CSV for sharing or use in other tools.


Identity and Access Management (IAM), Employee Protection, Not Officially Supported

Seamlessly integrate SpyCloud and Okta to prevent account takeovers and monitor users for exposure and compromised credentials. Once enabled, you can check each set of user credentials at the time of login against the largest repository of recovered breach and botnet data in the industry to identify and reset passwords that have been exposed to criminals. If an exposed email or password is discovered during user authentication, Okta can automatically provide user notification, request an additional authentication factor, and reset passwords to remediate the exposure and prevent account takeover.

Palo Alto Networks Cortex XSOAR (Demisto)

Customer-created, Security Orchestration, Automation, and Response (SOAR), Employee Protection, Not Officially Supported

Streamline your incident response program by drawing SpyCloud data into your security, orchestration, automation, and response (SOAR) platform. Create playbooks to orchestrate your response when a new breach exposes a user’s data and give your analysts the context they need to prevent account takeover swiftly.


Vendor-supported, Security Orchestration, Automation, and Response (SOAR), Employee Protection

Access SpyCloud breach and catalog data from within your Siemplify playbooks to enrich the data available to you during your incident response workflows.

Learn More


SpyCloud-supported, Security Information and Event Management (SIEM), Employee Protection

See breach alerts within the context of your broader security landscape by ingesting SpyCloud logs into Splunk, enabling you to run queries, view dashboards, and centralize logs for compliance management. Using the two products together, you can accentuate Splunk’s built-in risk model with SpyCloud data and triage related alerts.

Learn More

“Splunk scripts pull in the SpyCloud data automatically to provide instant visibility into which students’ or staffs’ credentials have been exposed. The quantity and quality of their data is amazing, we’ve never seen anything like it.”

– Large U.S. University


Vendor-supported, Security Orchestration, Automation, and Response (SOAR), Employee Protection

Automate threat detection and response around company assets being exposed in third-party breaches and leaks, and keep cybercriminals out of corporate accounts and networks. Mutual customers can operationalize SpyCloud’s database of exposed assets tied to company employees through ThreatConnect, and:

    • Rapidly access a wealth of detailed, accurate and relevant breach data at the touch of a button and along with other threat intelligence feeds
    • Automate logging and remediation around exposures detected by SpyCloud
    • Leverage additional ThreatConnect integrations for further enrichment or triage
Learn More

Vertex Synapse

Vendor-supported, Link Analysis, Investigations

Enhance your investigations and attribute cybercrime faster by enriching your existing threat intelligence sources with SpyCloud data. Visualize connections in multiple formats and perform queries to support your analysis, including macros and storm commands.

Learn More

Don’t See Your Product Listed? You Have Options!

If no pre-built integration exists for your specific toolset or use case, you’re still in luck. SpyCloud provides high-volume APIs to help you put our data to use in conjunction with your essential technologies.


SpyCloud Enabled a Global Fintech Company to Protect Thousands of Vulnerable Accounts Representing Tens of Millions of Dollars

How It Works

SpyCloud provides access to Cybercrime Analytics based on billions of recaptured darknet data assets using REST-based APIs. Our APIs include easy-to-understand, resource-oriented URLs, and use HTTP response codes to indicate API errors. All API responses return JSON, including those with errors.

Any application with the ability to query an external API endpoint can integrate SpyCloud data. Once the application has been configured to query the SpyCloud API within appropriate parameters, such as providing an email or target domain, the results should be mapped to appropriate fields within your solution. 

Customers using SpyCloud Active Directory Guardian have additional integration options. Active Directory Guardian can write scan logs to the file system location for ever AD scan. These logs, which are in CSV format, can be read and consumed by any security solution that supports reading standard CSV data out of a known file location.

Still not sure how to integrate SpyCloud into your critical tools? Contact us.