How MSSPs can leverage dark web intelligence to counter emerging threats


Managed Security Service Providers (MSSPs) are at the forefront of emerging market trends, meaning they need to identify and adopt the latest technology to best protect their customers and keep step with competitors.

The demand for dark web intelligence has skyrocketed over the past few years, as organizations grow ever more aware that cyber attacks originate in marketplaces, forums, and sites they cannot see. It is therefore not surprising that most MSSPs have already started to address customer demands for dark web threat insights.

But despite many MSSPs already undertaking dark web monitoring, our latest research identified that 35% of MSSPs believe that dark web monitoring is too complex, while nearly one-third (29%) believe it isn’t relevant to their service offering, and 18% are yet to be convinced they will be able to sell it.

Ben Jones, CEO of Searchlight Cyber

Ben started his career in defence and aerospace as an engineer designing unmanned aircraft. He transitioned into cyber security after recognizing the evolution towards virtual battlefields and the rapid growth of cyber threats to nations, organisations, and individuals. Ben co-founded Searchlight Cyber to help in the fight to protect society from dark web threats.

With 34% of MSSPs not seeing value in dark web monitoring tools, some providers are potentially missing out on providing essential insights into an online criminal underworld where cyber criminals discuss and plan future attacks. 

MSSPs, therefore, have an opportunity to harness the power of dark web intelligence to protect their customers from cyber threats.

Dark web intelligence and the “cyber kill chain”

When we talk about cyber security, most of a security team’s resources and tools are focused on the late stages of the “cyber kill chain” (the sequence of actions a cybercriminal has to take to execute their attacks).

For instance, email security tools sit at the ‘delivery’ phase of a cyber attack, whilst endpoint, network, and antivirus security solutions focus on identifying the subsequent activity as the attacker makes their way across an organization’s infrastructure. 

As cyber criminals continue to evolve their capabilities and skill sets to be able to bypass existing security solutions, preventing an attack is not always as simple as not clicking a phishing link. To give the best chance of disrupting a cyber criminal’s operation in clients’ systems, MSSPs need to “shift left” and act as early in the cyber kill chain as they can on behalf of their customers.

Dark web intelligence allows MSSPs to investigate the ‘reconnaissance’ stage, right at the beginning of the “kill chain” when threat actors are planning their cyber attacks on dark web hacking forums, and buying the exploits and tools they need on malicious marketplaces. 

By starting this early, MSSPs can make a dent in an attack plan and advise their clients on how to take preventative action that stops their network from being breached in the first place. 




MSSPs’ position in the market requires them to be early adopters, able to identify the latest tools and technologies to protect their customers. It is no surprise, then, that 56% of MSSPs already undertake dark web intelligence, recognising the benefit.

Companies of all sizes are increasingly conscious of dark web threats and the opportunity dark web intelligence holds for helping them identify the early warning signs of attack. 

This has created an opportunity for MSSPs to use dark web intelligence as a basis to deliver the analysis, expertise, services, and solutions that help their customers act on the dark web risk they have heard so much about.

Meeting customer demand

According to our research, customer interest in the dark web has been increasing, with 65% of MSSPs stating that their customers have asked for threat intelligence from the dark web. 

Why is that? Well, there are three main reasons for this demand. Firstly, as visibility in cyber security is key, customers want to identify vulnerabilities affecting their organization. Secondly, they want to know if they or their competitors are currently being targeted on the dark web. 

Thirdly, they want to own and act upon intelligence on threat groups including ransomware gangs that are active in the threat environment.

So, as the topic of dark web monitoring grows in prominence, those MSSPs that have started to build out their capabilities, data sources, and understanding will be able to benefit as more customers look for guidance on the dark web, giving them an advantage in the competitive market of managed security services.

Unlocking benefits for MSSPs

Aside from striking benefits for customers, MSSPs can also take advantage of dark web intelligence from a commercial perspective. When asked about the benefits of using dark web intelligence, 37% of MSSPs reported that it helps them identify customer details on the dark web, closely followed by giving them new products and services to sell to customers and making their current services more efficient.

By “shifting left” in the cyber kill chain, MSSPs can move from reacting to threats to proactively preventing them from happening in the first place. This makes good business sense as it means MSSPs can document and demonstrate value based on attributes exposed and/or being discussed on the dark web.

It also means that MSSPs don’t have to wait for their clients to be breached before they can prove their worth – they can often find threats that could impact the organization, from day one.

According to research, the most common use for threat intelligence is to inform pentests and security audits (35%), followed by informing incident response (34%). MSSPs that use dark web intelligence only in one-off engagements are missing a trick by not integrating it into their value proposition, and hence their recurring revenues, where they could be capitalizing month-on-month.

A huge opportunity lies in MSSPs wrapping dark web monitoring into their Managed Security and SOC services to provide customers with an ongoing view of their dark web risk over time and alert them as soon as a serious situation emerges.  

The turbulent nature of criminal activity means that the dark web shifts and changes at an even faster rate than the clear web. Marketplaces, forums, and criminal groups appear out of nowhere, rise to prominence, jostle with other criminals and law enforcement, and disappear just as quickly as they came. 

Dark web threat prevention is, therefore, not something that can be done on a six-monthly or yearly basis. If organizations want to truly understand their threat risk on the dark web, they need their MSSPs to continuously monitor and deliver meaningful insights for effective cyber security protection and a healthy cyber posture.
