Understanding the Dark Web ID compromise engine upgrade: IP address monitoring
Overview
This article describes how the Dark Web ID compromise detection engine has been expanded to include IP address monitoring. Following the successful transition of domain and email monitoring, IP‑based threat detection is now being migrated to the enhanced engine to provide improved visibility into network‑related risks.
For general information about the Dark Web ID compromise detection engine upgrade, including overall benefits and transition considerations, see Understanding the Dark Web ID compromise detection engine upgrade.
What is changing?
Dark Web ID is moving all IP address monitoring to the high-capacity compromise detection engine. This shift enables more comprehensive scanning of IP-related threats across a broader spectrum of illicit sources.
Key benefits
The transition to the enhanced engine provides two primary benefits for network security:
1. Expanded coverage: Scans a substantially larger footprint of the dark web, including private forums and illicit marketplaces where IP-specific data such as botnet logs and proxy lists are traded
2. Increased monitoring frequency: Enhanced processing capacity allows more frequent queries, ensuring faster detection when a monitored IP address appears in newly discovered data
Important considerations & PSA impact
Because the enhanced engine performs more extensive scanning, you may see an increase in the number of compromises identified for monitored IP addresses.
Separate processing & duplicate alerts
IP address-related compromises are processed separately from domain or email compromises. This means:
- Potential for duplicates: A single breach event may generate both domain/email and IP-based alerts because these are handled as distinct data streams
- Contextual differences: While the data may appear similar, IP compromises often include different technical metadata, such as specific servers or endpoints, compared to standard credential‑based alerts
Safeguards for PSA (Professional Services Automation)
To prevent increased compromise volume from overwhelming PSA workflows, the following safeguards apply for customers using PSA integrations (for example, ConnectWise, Kaseya, or Autotask):
- Default "Off" for PSA Sync: By default, newly discovered IP address compromises are not sent to your PSA
- Required action: Log in to your Dark Web ID portal to review IP-related compromises. After assessing the data, manually enable IP address compromises in the Integration Configuration settings to begin ticket creation
Frequently asked questions (FAQs)
Q: Why am I seeing an IP address compromise that looks like a previous email compromise?
A: IP compromises are processed through a separate pipeline. If a breach contains both credential data and network identifiers, the engine may report them separately to ensure full visibility into both identity- and infrastructure-related risks.
Q: Why aren’t these compromises appearing in my PSA automatically?
A: Sending IP address compromises to your PSA is disabled by default for the IP engine migration. This allows your team to review the increased data volume before generating service tickets.
Q: How do I start sending IP address compromises to my PSA?
A: Enable the option in the Integration Configuration page to allow IP address–related compromises to be sent to your PSA.
Q: Who should I contact if I have more questions?
A: If you have questions or require assistance with your integration settings, please contact our support team.
