For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
HUMAN DashboardHUMAN WebsiteRequest a Demo
Product GuidesEnforcer GuidesMobile SDKAPI ReferenceCustomer support
Product GuidesEnforcer GuidesMobile SDKAPI ReferenceCustomer support
  • Getting Started
    • Overview
    • Best practices
  • Sightline Cyberfraud Defense
    • About Sightline Cyberfraud Defense
    • Getting Started
    • What's different in Sightline Cyberfraud Defense
    • Sensor changelog
    • About the Overview Dashboard
    • Glossary
  • AgenticTrust
    • Getting started with AgenticTrust
    • AI Agents Monitoring Dashboard
    • AI Visitors Overview Dashboard
    • Manage AI Agent Permissions
    • Agentic Activity Priority
    • Agent Trust Levels
  • Account Defender
    • Account Defender Overview
    • Use Cases
    • Prerequisites
    • Getting Started with Account Defender
    • Optimizing Account Defender Detection
    • Validating Account Defender Integration
    • Risk Triggers
    • About Network Events
    • Troubleshooting
  • Bot Defender
    • Bot Defender Overview
    • Detection
    • Bot Defender Policy Settings
    • Footprint
  • Credential Intelligence
    • Credential Intelligence Overview
    • How to Access the Breached Flag
      • Getting Started with Credential Intelligence
      • Top Questions During Onboarding
      • Top Questions Post-Onboarding
    • Credential Intelligence FAQ
    • Credential Intelligence Dashboard
  • Code Defender
    • Code Defender Introduction
    • Getting Started with Code Defender
    • Code Defender Glossary
    • Website Risk Analyzer
  • Platform
    • Account settings
    • Manage users
    • Role permissions
    • Enforcer configurations
    • Page Type Mapping
  • Client-Side Integration
    • JavaScript tag
    • Improving first page performance
    • Use of cookies & web storage
    • Advanced client integration
LogoLogo
Login
Login
HUMAN DashboardHUMAN WebsiteRequest a Demo
On this page
  • How will Credential Intelligence work?
  • On which paths should Credential Intelligence be configured?
  • What is the collection comprised of?
  • What will I see once the integration is complete?
  • Why is it important to configure the additional s2s activity?
Credential IntelligenceGetting Started with Credential Intelligence

Top Questions During Onboarding

Was this page helpful?
Previous

Top Questions Post-Onboarding

Next
Built with

How will Credential Intelligence work?

  • Once the integration is up and running, every request with credentials (to a configured path which can include account creation, password change, and account login), will be checked against the collection.
  • Once the credentials are deemed compromised, a response header will be sent in real time to the enforcer with the value true.

On which paths should Credential Intelligence be configured?

  • Every authentication path is password-based, including account log in, new account creation, and password reset/change.
  • Account log in with compromised credentials is a potential account takeover - it is essential to monitor those and remove the vulnerability from the account
  • We recommend that new/updated accounts will not reuse compromised credentials to avoid a future account takeover.

What is the collection comprised of?

  • The collection includes credentials extracted from live credential-stuffing attacks by threat actors against one or more of our customers. Since these pose a clear and present danger from global attacks and are in actual use by threat actors, they are reported as compromised.
  • The collection also includes dark web, deep web, and open web data vetted by the Threat Intelligence team.
  • By default, all Credential Intelligence customers enjoy the network effect and access to the collection of real-time global attacks.
  • The system will learn from targeted credential stuffing attacks only while Bot Defender is installed and tuned.

What will I see once the integration is complete?

  • Compromised credential usage - traffic using identified compromised credentials will be flagged as such.
  • The number of successful logins with compromised credentials, i.e., vulnerable accounts potentially already taken over, will be available.

Why is it important to configure the additional s2s activity?

  • Additional s2s is a method to retrieve the response status (fail/pass)
  • It offers a closed list of options to extract/determine the server response, e.g., status code 302 is a successful login vs. 200 is a failed one
  • This configuration allows us to quantify the number of compromised accounts that were observed active on the app
  • Without this data, we are only able to quantify the amount of compromised credentials that don’t necessarily correlate to the attack surface risk