USE CASE: PENETRATION TESTING

Simulate Real Attacks
with Recaptured Darknet Data

Eighty percent of breaches start with stolen credentials. Pentesters have a fast path to impact when they address the most common attack vector that applications face: compromised authentication data.

SpyCloud arms pentesters with recaptured breach, malware, and phished data to simulate weaknesses that other tools miss.

Accelerate time-to-compromise with exposure intelligence

SpyCloud is the secret weapon for pentesters – equipping you with the same data criminals use so you can accurately simulate attacks and find weaknesses that can be fixed before bad actors exploit them.

Increase the speed of tests and client reporting
Use recently exposed credentials to expedite the penetration testing process and deliver faster insights to clients
Rapidly discover security gaps
Identify vulnerabilities stemming from credential exposures that traditional scanning tools might overlook
Improve the total cost of engagements
Enhance the value of penetration testing services by providing actionable findings that help clients remediate risks promptly

Arm yourself with fresh, authentic data recaptured from criminal communities

SpyCloud’s flexible APIs give red teams and pentesters direct access to credentials, cookies, PII, and other recaptured data from the criminal underground. Integrate over 200 fields of identity data into your tools and workflows to simulate attacker behavior, accelerate time-to-compromise, and uncover identity-based vulnerabilities during assessments.

Including SpyCloud data in our pen tests has changed our business. Our time-to-compromise has been significantly decreased and the value to our clients has dramatically increased. SpyCloud has given us a competitive advantage.

Defenders we help

SpyCloud supports red teams, pentesters, and security consultants in enhancing the depth and realism of penetration tests through access to authentic compromised data.

Penetration testers

Replicate attacker behavior, incorporating real customer access details into attack patterns

Red teams

Employ recaptured credentials to mimic adversary tactics and assess organizational defenses effectively

Security consultants

Provide clients with comprehensive assessments by incorporating identity threat data into testing methodologies


Penetration Testing and Red Team FAQs

Synthetic credentials and wordlists used in traditional pentest credential stuffing attacks are constructed from patterns, common passwords, and prior breach dumps that security teams have already seen. Defenses tuned against these known datasets perform well in testing but may fail against fresh, organization-specific credentials that have never been included in any published wordlist. SpyCloud’s recaptured dataset contains credentials, session cookies, and identity artifacts sourced directly from active criminal markets, infostealer malware logs, and phishing kit captures. These are the same credentials and artifacts that real attackers purchase and use in targeted attacks. When a pentester uses SpyCloud data to test whether employees have reused credentials across personal and work accounts, or whether active session cookies associated with corporate applications are circulating in criminal markets, the test is simulating the exact attack vector real threat actors would pursue. The TrollEye Security team described this directly: including SpyCloud data in their pen tests significantly decreased time-to-compromise and dramatically increased value to clients.

SpyCloud’s API exposes over 200 data fields from four primary criminal source categories. Breach data provides usernames, plaintext and hashed passwords, email addresses, and associated PII from third-party breaches where the target organization’s employees registered with work email addresses. Infostealer malware log data provides device-level telemetry from infected endpoints including every credential stored in the browser across all applications, active session cookies at the time of infection, device fingerprints, and a full list of applications the device had access to. Phishing capture data provides credentials harvested directly from successful phishing attacks targeting the organization’s employees or domains, typically fresher than breach data and including session artifacts. Combolists provide aggregated credential pairs that combine multiple breach and malware sources into attack-ready formats that match how criminal operators acquire and use identity data. For red team engagements, session cookie data is particularly valuable because it enables authentication bypass simulation without requiring a valid credential pair — testing whether the organization’s defenses would catch a session replay attack that bypasses MFA entirely.

SpyCloud delivers all data via REST API with JSON output, making it integrable into any tool that accepts external data input. Common integration patterns include pulling SpyCloud-matched credentials for a target domain directly into Burp Suite or custom credential stuffing frameworks to test login portal resilience against real-world password spray and stuffing attacks. Red teams use SpyCloud’s session cookie data to test whether their organization’s web applications, SSO systems, and cloud applications would detect or reject a replayed stolen session. CTI-informed red teams use IDLink to build a complete identity graph of target employees before an engagement, identifying personal account exposures that share credential patterns with corporate accounts and using those as initial access vectors. SpyCloud’s API documentation includes query parameters for filtering by domain, date range, breach source, and data type, enabling pentesters to scope queries precisely to the engagement target without pulling irrelevant data. For teams building custom tooling, SpyCloud’s Technical Account Manager provides hands-on support for API implementation and query optimization.

Most breach data sources deliver passwords as hashed values that require cracking before they can be used in credential stuffing or password spray attacks. Cracking adds time to an engagement, requires compute resources, and produces incomplete results for stronger hash algorithms. SpyCloud delivers over 80% of exposed credentials in plaintext as part of its recapture and processing pipeline. This means pentesters receive immediately actionable credentials that can be tested against target systems without a cracking step, compressing the reconnaissance-to-attack timeline significantly. The plaintext availability also changes what is testable. Password reuse patterns, password hygiene trends across an organization’s workforce, and the presence of corporate credentials in criminal markets all become immediately visible rather than requiring post-crack analysis. For red teams assessing how quickly an attacker could achieve initial access using stolen credentials purchased from criminal markets, SpyCloud’s plaintext delivery most accurately simulates the actual attacker workflow.

Free breach notification services like HaveIBeenPwned serve a different purpose: they tell individuals and organizations whether an email address appears in a known, publicly disclosed breach. They are designed for awareness and notification, not for active security testing. SpyCloud’s penetration testing data differs in three ways relevant to a testing engagement. First, freshness: SpyCloud recaptures data from criminal sources before it is publicly disclosed, meaning SpyCloud data includes recent exposures that have not yet appeared in any public breach notification service. Second, data types: HaveIBeenPwned and similar services index email addresses and optionally hashed passwords from disclosed breaches. SpyCloud includes plaintext passwords, session cookies, device fingerprints, PII, and full infostealer malware log telemetry that these services do not collect. Third, scope: free services cover publicly known breaches. SpyCloud covers breach data plus infostealer malware distribution channels and phishing kit captures that are never publicly disclosed and therefore never indexed by breach notification services.
