Intelligence Methodology

Business Risk Score

A composite indicator derived from automated analysis of 47 intelligence sources across 6 risk categories. Published for transparency -- your score is never a black box.

Version 2.1 -- March 2026

Risk Classification Bands (4 Tiers)

| Score | Band | Description |
|---|---|---|
| 80 -- 100 | Critical | Active credential exposure confirmed across multiple breach databases. Infrastructure vulnerabilities detected with known exploits. Immediate remediation required to prevent unauthorized access. |
| 60 -- 79 | High | Significant exposure detected across credential and infrastructure categories. Breach history and security misconfigurations present exploitable attack surface. Priority remediation recommended within 30 days. |
| 35 -- 59 | Moderate | Limited credential exposure or infrastructure findings. Security controls are partially implemented but gaps exist in coverage. Standard remediation timelines apply with monitoring recommended. |
| 0 -- 34 | Low | Minimal or no detectable external exposure across monitored sources. Security controls are properly configured. Continued monitoring recommended to maintain posture against emerging threats. |

Risk bands are calibrated against a baseline of 2,400+ Canadian SMB scans. A score of 0 indicates no detectable external exposure across all monitored sources. Scores are point-in-time assessments and will change as new breaches are disclosed, infrastructure is modified, or intelligence feeds are updated.

Scoring Framework (19 Weighted Signals)

| Category | Signal Name | Max Points | Description |
|---|---|---|---|
| Credential | breach_database_hit | 15 | Domain-level match in monitored breach databases |
| Credential | breach_depth_scale | 3 / each | Per additional breach source detected, scaling with exposure breadth |
| Credential | credential_pattern_match | 10 / each | Per confirmed credential pattern across monitored intelligence sources |
| Credential | dark_web_confirmation | 12 / each | Per confirmation in dark web monitoring or paste site databases |
| Infrastructure | critical_vulnerability | 15 / each | Per critical infrastructure vulnerability -- exposed services, critical misconfigurations |
| Infrastructure | high_vulnerability | 8 / each | Per high-severity infrastructure finding detected on exposed surfaces |
| Infrastructure | medium_vulnerability | 4 / each | Per medium-severity infrastructure finding across assessed endpoints |
| Infrastructure | missing_security_control | 3 / each | Per missing security control -- headers, policies, authentication configurations |
| Exposure | shadow_asset_detected | 5 / each | Per unexpected live asset -- shadow IT, forgotten services, orphaned infrastructure |
| Exposure | code_leak_detected | 20 | Credentials or configuration data exposed in public code repositories |
| Threat Intel | known_cve | 18 | Known exploitable vulnerability (CVE) detected on exposed services |
| Threat Intel | reputation_blacklisted | 12 | IP address or domain listed on reputation blacklists and abuse databases |
| Threat Intel | malware_association | 20 | Domain flagged by malware detection engines across threat intelligence feeds |
| Threat Intel | abuse_reports | 15 | Elevated abuse confidence score from aggregated threat intelligence feeds |
| Threat Intel | active_malware_hosting | 20 | Active malware distribution URLs detected on the assessed domain |
| Threat Intel | phishing_association | 18 | Domain associated with known phishing campaigns or typosquatting activity |
| Regulatory | regulatory_breach_report | 15 | Match in government breach notification databases and regulatory filings |
| Regulatory | fraud_alert_association | 12 | Association with government fraud alert databases and consumer protection filings |
| Registry | entity_confirmed | 8 | Corporate identity confirmed in public registries -- provides baseline score for verified entities |

Intelligence Categories (47 Sources Across 6 Categories)

Credential Intelligence

Monitors breach databases, dark web repositories, and paste sites for exposed credentials linked to the assessed domain.

  • Breach database monitoring and correlation
  • Domain-level breach source analysis
  • Dark web and paste site monitoring
  • Employee email discovery and enumeration
  • Credential pattern analysis and validation
  • Email address enumeration engine

Infrastructure Assessment

Evaluates externally visible infrastructure for misconfigurations, missing security controls, and exploitable weaknesses.

  • SSL/TLS certificate chain analysis
  • Security header audit and grading
  • DNS configuration audit
  • Email authentication validation (DMARC/SPF/DKIM)
  • Open port and service scanning
  • Domain registration and WHOIS analysis
  • Subdomain enumeration
  • Historical DNS analysis
  • Security posture grading

Threat Intelligence

Cross-references domain and IP data against threat intelligence feeds, malware engines, and reputation databases.

  • CVE and vulnerability detection
  • Malware detection engine analysis
  • IP abuse and reputation scoring
  • Malware distribution URL detection
  • Phishing database correlation
  • DNS blacklist monitoring (8+ lists)
  • Service banner and fingerprint analysis

Canadian Regulatory

Searches federal and provincial databases for breach notifications, fraud alerts, and corporate registration data.

  • Federal breach notification databases
  • National fraud alert monitoring
  • Federal corporate registry lookups
  • Intellectual property record searches
  • Securities filings analysis
  • Provincial business registries (all 13)
  • Financial services regulatory data

Historical Intelligence

Analyses historical records to identify changes in infrastructure, ownership, and security posture over time.

  • Web archive analysis and comparison
  • Historical DNS record tracking
  • Certificate transparency log analysis
  • Domain registration history
  • Hosting provider change detection

Exposure Surface

Identifies shadow IT, code leaks, and exposure vectors that extend beyond the primary domain.

  • Public code repository scanning
  • Search engine exposure analysis
  • Lookalike domain detection
  • Shared hosting and co-tenancy analysis
  • Visual site capture and comparison

Methodology Principles
  • External Sources Only
    All data is collected from external, publicly accessible sources only. LeakTrace does not access internal systems, networks, or endpoints. The assessment reflects what an external attacker could discover through open-source intelligence techniques.
  • No Internal System Access
    Scans are non-intrusive by design. No authentication attempts, no penetration testing, no internal network probing. All findings are based on what is already exposed to the public internet.
  • Scores Capped at 100
    The combined points from multiple high-weight signals may exceed the theoretical maximum, but the displayed score is bounded to the 0-100 range. Scaling signals (breach_depth_scale, dark_web_confirmation) accumulate per finding, so organizations with broader exposure receive proportionally higher scores.
  • PIPEDA and Bill C-27 Compliant
    All scanning activity is compliant with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the proposed Consumer Privacy Protection Act under Bill C-27. Robots.txt directives are respected where applicable.
  • Zero-Retention Policy
    LeakTrace operates on a zero-retention model for raw credential data. Only metadata -- counts, breach sources, and dates -- is stored. No passwords, hashes, or full email addresses are retained after scan completion.
  • Canadian Data Residency
    All scan data and customer records are stored on infrastructure located within Canada. Processing remains within Canadian jurisdiction to satisfy data sovereignty requirements for regulated industries.
  • Point-in-Time Assessment
    Scores reflect the state at the time of scanning. Risk posture changes as new breaches are disclosed, infrastructure is modified, or threat intelligence feeds are updated. The methodology is versioned and auditable -- scoring weight changes are documented and applied prospectively.
  • Verified Entity Baseline
    The entity_confirmed signal provides a base score for any entity with a verified Canadian business registration, ensuring all confirmed businesses have a non-zero baseline. This confirms the organization exists in public registries before additional risk signals are applied.
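
The scoring table, the 0-100 cap and the band thresholds can be combined into a small calculator. This is an added example, not LeakTrace's code: the weights and bands are copied from this page, while the function name, the input shape, plain summation of points and "a flat signal contributes its full maximum when present" are assumptions.

```python
# Added illustration, not LeakTrace's code. Weights come from the Scoring
# Framework table; summing and "flat signal = full points" are assumptions.
FLAT = {  # listed with a single maximum
    "breach_database_hit": 15, "code_leak_detected": 20, "known_cve": 18,
    "reputation_blacklisted": 12, "malware_association": 20,
    "abuse_reports": 15, "active_malware_hosting": 20,
    "phishing_association": 18, "regulatory_breach_report": 15,
    "fraud_alert_association": 12, "entity_confirmed": 8,
}
PER_FINDING = {  # listed as "N / each"
    "breach_depth_scale": 3, "credential_pattern_match": 10,
    "dark_web_confirmation": 12, "critical_vulnerability": 15,
    "high_vulnerability": 8, "medium_vulnerability": 4,
    "missing_security_control": 3, "shadow_asset_detected": 5,
}
BANDS = [(80, "Critical"), (60, "High"), (35, "Moderate"), (0, "Low")]


def score(findings):
    """findings: signal name -> count (per-finding) or True/False (flat)."""
    unknown = set(findings) - set(FLAT) - set(PER_FINDING)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    breakdown = {}
    for name, value in findings.items():
        if name in PER_FINDING:
            if int(value) < 0:
                raise ValueError(f"negative count for {name}")
            points = PER_FINDING[name] * int(value)
        else:
            points = FLAT[name] if value else 0
        if points:
            breakdown[name] = points
    raw = sum(breakdown.values())
    capped = min(raw, 100)  # displayed score is bounded to 0-100
    band = next(label for floor, label in BANDS if capped >= floor)
    return {"raw": raw, "score": capped, "band": band, "breakdown": breakdown}


# Constructed sample findings, not real scan output.
SAMPLE_LOW = {"entity_confirmed": True, "missing_security_control": 4,
              "medium_vulnerability": 2}
SAMPLE_CRITICAL = {"entity_confirmed": True, "breach_database_hit": True,
                   "breach_depth_scale": 3, "dark_web_confirmation": 2,
                   "critical_vulnerability": 1, "known_cve": True,
                   "missing_security_control": 5}

if __name__ == "__main__":
    for sample in (SAMPLE_LOW, SAMPLE_CRITICAL):
        print(score(sample))
```

Under these assumptions the constructed critical sample sums to more than 100, so fixing a single missing control leaves the displayed score unchanged; the raw sum and the per-signal breakdown are what show remediation progress above the cap.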

LeakTrace Intelligence -- getleaktrace.com