Lumu Discover

Lumu has an array of collectors and integrations that allow you to monitor your internal assets; however, every organization also has exposed systems, services and resources that have unique vulnerabilities and require specialized analysis. For this purpose, we offer Lumu Discover, which provides vital intelligence so you can understand the cybersecurity state of your external surface and start addressing vulnerabilities and compromise.

Key Benefits of Lumu Discover

  • Provides visibility into the state of your Exposed Attack Surface, which, due to its nature, tends to remain outside the field of view of your cybersecurity team.
  • Supplies intelligence on the cybersecurity state of exposed assets, how they are connected with vital infrastructure, and the pathways the adversary may take through them to enter your network.
  • Keeps you informed about the presence of infostealer-type malware within your organization so you can react accordingly and protect your data.
  • Gives you access to vital intelligence on exfiltrated data in the aftermath of an incident. Lumu Discover sifts through millions of lines of leaked data to find any entries specifically related to your organization.

Access the Lumu Discover Module

If your Lumu account has access to Lumu Discover, upon logging in to the Lumu Portal, a banner will appear at the bottom of the left side panel which you can use to enter the module as seen in the screenshot below.

Info
To learn how to gain access to Lumu Discover, contact your Customer Success Representative for detailed information.

Once you click the banner, you will be taken to the Lumu Discover summary.

If your company has more than one domain registered (e.g., third-party domains), you can easily switch between them using the drop-down menu in the top right section of the module.

Here, you will find a summary of the external exposure of your organization. Now, let's take a look at the different sections of the Summary and the data they provide. 

Lumu Discover Summary

The Summary section is the first view you will be met with when accessing the Lumu Discover module. It is divided into the following sections: 

Dark Web Exposure

The Dark Web Exposure section offers insights into data leaks involving user information associated with your organization’s domain. This section has three panels:

  • Overview panel (1): This panel gives you a rundown of your domain’s situation in three specific indicators: similar domains, exposed email addresses, and data leaks. We will learn more about each of these in a later section.
  • Data Exposed Over Time (2): This panel provides you with a graph showing the frequency and amount of exposed data leaks (red) and emails (orange) of your organization.
  • Data Leak Exposure (3): This panel provides you with a radial graph so you can get a quick look into the types of data from your organization that have been leaked.

Infostealers Exposure

The Infostealers Exposure section gives you a quick look into your domain’s situation regarding infostealer type malware. It is composed of three panels:

  • Overview panel (1): This panel gives you a rundown of how your domain is dealing with infostealers through three specific indicators: compromised employees, compromised credentials, and threat actors detected. We will learn more about each of these in a later section.
  • Infostealers Exposed Over Time (2): This panel provides you with a graph showing the frequency and amount of Infostealer type malware detected in employee devices.
  • Top Infostealers (3): This panel gives you a breakdown of the infostealers that have been detected in your network. It will display them in order based on the number of cases detected and the percentage they make up of the total number of infostealer type incidents detected.

SaaS Attack Surface Mapping

This section provides a real-time, prioritized visualization of your organization's SaaS attack exposure. It focuses on the latest 50 compromised endpoints to give your teams immediate, actionable intelligence for incident response and risk prioritization. This view will show you how different elements within your network are connected to web services and applications, and how they have been compromised and exposed through these connections.
Let’s take a look at some of the elements inside this view and the data they provide.

Key Exposure Metrics

The metrics below quantify the scale of the immediate risk and guide your initial remediation strategy:
  1. Compromised Devices (1): The number of distinct endpoints (laptops, desktops, servers) that are sources of exposure. These devices need immediate isolation and forensics.
  2. Affected Services (2): The total number of SaaS applications/services linked to a compromise. This shows the breadth of the potential data leak and third-party risk.
  3. Compromised Credentials (3): The number of user accounts with leaked passwords or API keys. Prioritize forced password resets and MFA review for these accounts.
  4. Compromised Cookies (4): The number of session cookies harvested, which allows attackers to hijack active user sessions without needing a password. Requires immediate forced sign-out for all affected users.

The Attack Surface Graph

The central graph is an interactive network map that illustrates the relationships between compromised devices, affected services, and leaked data types. Each element is represented as a node, providing key information to help you understand the state of your external attack surface. Nodes correspond to assets such as devices, users, or services involved in the compromise, with colors and icons indicating the primary type of exposure (e.g., Compromised Cookies, Affected Services). You can zoom in and out to explore different levels of detail, and by hovering over a node, you can access additional information, as shown in the image below:

Top Compromised SaaS Platforms

This list identifies the most vulnerable SaaS applications in your environment based on the volume of associated compromises. These platforms require immediate attention for security hardening and policy review. The top applications are ranked by the number of devices and users involved in a compromise, often linked to cookie- or credential-based exposures. Use this list to prioritize targeted risk mitigation, such as strengthening session management, reviewing access controls, and integrating threat intelligence feeds, on the most critical applications first.
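As an added illustration (not Lumu code) of how the Key Exposure Metrics and the Top Compromised SaaS Platforms ranking above can be derived from per-device exposure records, the script below computes the four counters, lists the users whose harvested cookies are still unexpired (the forced sign-out set), and ranks services by devices plus users involved. The records, hostnames, e-mail addresses and service names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample (not Lumu data): one row per exposed artifact found on an endpoint.
@dataclass(frozen=True)
class Exposure:
    device: str                         # endpoint hostname
    user: str                           # account involved
    service: str                        # SaaS platform the artifact grants access to
    kind: str                           # "credential" or "cookie"
    expires: Optional[datetime] = None  # cookie expiry; None for credentials

def ts(month: int, day: int) -> datetime:
    return datetime(2024, month, day, tzinfo=timezone.utc)

NOW = ts(6, 1)  # assumed reference time for the expiry check

SAMPLE = [
    Exposure("lt-0412", "ana@example.com", "crm.example-saas.com", "credential"),
    Exposure("lt-0412", "ana@example.com", "crm.example-saas.com", "cookie", ts(7, 1)),
    Exposure("lt-0412", "ana@example.com", "mail.example-saas.com", "cookie", ts(1, 1)),
    Exposure("dt-0077", "luis@example.com", "crm.example-saas.com", "cookie", ts(9, 1)),
    Exposure("dt-0077", "luis@example.com", "hr.example-saas.com", "credential"),
    Exposure("srv-02", "svc-backup@example.com", "hr.example-saas.com", "credential"),
]

def key_exposure_metrics(rows, now=NOW):
    """The four headline counters of the view, plus who still needs a forced sign-out."""
    return {
        "compromised_devices": len({r.device for r in rows}),
        "affected_services": len({r.service for r in rows}),
        "compromised_credentials": len({r.user for r in rows if r.kind == "credential"}),
        "compromised_cookies": sum(r.kind == "cookie" for r in rows),
        # An unexpired cookie can still replay the session: these users need a forced sign-out.
        "live_cookie_users": sorted({r.user for r in rows
                                     if r.kind == "cookie" and r.expires and r.expires > now}),
    }

def top_compromised_platforms(rows, limit=3):
    """Rank services by distinct devices plus distinct users involved in a compromise."""
    devices, users = defaultdict(set), defaultdict(set)
    for r in rows:
        devices[r.service].add(r.device)
        users[r.service].add(r.user)
    ranked = sorted(devices, key=lambda s: (-(len(devices[s]) + len(users[s])), s))
    return [(s, len(devices[s]), len(users[s])) for s in ranked[:limit]]

if __name__ == "__main__":
    print(key_exposure_metrics(SAMPLE))
    print(top_compromised_platforms(SAMPLE))
```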

DNS Recon and Intelligence

This section provides you with vital intelligence regarding the external exposure and vulnerabilities of your network. This is how it is divided:

DNS Recon Mapping

This section consists of an interactive map that gives you a graphical representation of your exposed assets, and what their vulnerabilities are.

This can allow you to better understand the ways an adversary can get into your exposed infrastructure, and how information can be exfiltrated.

You can use the buttons on the left side of the map to zoom in and out, and to disable interactivity so the map stays locked in position.

Vulnerabilities/External IP

This panel shows a graph that allows you to quickly understand which external IPs have presented the most vulnerabilities in your network.

Vulnerability Risk Distribution

This panel shows you how the detected vulnerabilities are distributed among different levels of risk between low and critical so you can quickly grasp your network’s situation in that regard.

Now, let’s take a more detailed look at each of the sections of the module and how you can use them to proactively protect your network and organization.

Compromised Employees

Filtering information from massive data leaks can be daunting, as a 1GB leak may contain millions of entries. Searching for the email addresses of compromised employees can be a time-consuming task. However, the Compromised Employees section of Lumu Discover streamlines this process, saving your team time and effort.

The Compromised Employees section provides information about the email accounts and credentials belonging to employees of your organization that have been compromised and shared in data leaks. You can find it by opening the External Attack Surface drop-down menu and clicking on the Compromised Employees option.

By clicking on each entry, you will find a radial graph and additional information.

The radial graph will allow you to get a quick look into the types of data that have been compromised for this user. Below, you will find three tabs: the Data Leak tab (1) contains information regarding the data leaks where the user’s information is present; the Credentials tab (2) will let you know which of the user’s credentials are compromised so you can address them promptly; and the Contact Information tab (3) will tell you what contact information from the user has been leaked to cybercriminals so you can take action preemptively.

You can also export the data displayed in this view to a .CSV spreadsheet using the provided Export option.

Infostealers

This section provides detailed insights regarding the presence of infostealer type malware on your organization’s devices and on personal devices. You will find which elements of your exposed attack surface have shown presence of infostealers, which family of infostealer has been detected, the site where the user’s credentials have been compromised, the compromised user, and the cookies stored on the compromised device. You can find it by opening the External Attack Surface drop-down menu and clicking on the Infostealers option.

Using this drop-down, you can filter compromised employee and user accounts. User accounts refer to your clients, and this information can help you mitigate cybersecurity risks within your user base. 

This way, it will be easier to pinpoint any specific accounts of interest. By filtering user accounts only, you will be able to create and direct training campaigns tailored to the cybersecurity needs of your users. 

By clicking on a specific entry, regardless of the category, you will find additional details about each of these items.

You will have access to the IP address of the affected device (1), its operating system and build (2), the detected malware path (3), and the malware family the infostealer belongs to (4). You can also find the date the device was detected as compromised and the latest detection of the infection (5).
If you look below, you will find even more information regarding the threat. 

You will be able to look for incidents related to that specific infostealer family in the Lumu Portal by clicking the provided link (1). This view also has two tabs: the Credentials tab (2) shows you the URL of the resource where the compromised credentials were detected, as well as the compromised user email address; the SaaS Applications tab (3) shows you the cookies of SaaS applications stored on the affected device. You will find additional cookie data such as its expiration date, type, and a description of its functionality if available. If a cookie has not expired, it will be highlighted so you are aware of the risk it poses.

You can also export the data displayed in this view to a .CSV spreadsheet using the provided Export option.

Data Leaks

The Data Leaks section contains a list of data leaks where data related to your organization has been detected. It will show you the date the record was detected in the data leak, the data leak’s size, relevant tags and the number of records in it that involve your organization. High-priority leaks will be easy to spot as they are marked with an exclamation point. You can find it by opening the External Attack Surface drop-down menu and clicking on the Data Leaks option.

By clicking on a specific entry, you will gain access to more detailed information regarding the leak. You can use the search bar at the top to look for known data leaks.

Sifting through data leaks can be a colossal endeavor as they can comprise millions of entries; however, Lumu Discover will take on that task for you and provide only the entries relevant to your organization.

You will find the name and release date of the leak, all the relevant tags so you have a better idea of the type of data contained in the leak, as well as the 20 latest entries in the data leak that are related to users of your organization.

IPs and Vulnerabilities

The IPs and Vulnerabilities section shows you a list of exposed IPs from your network that have shown vulnerabilities. You will be able to see the affected IPs, the domains contacted from those IPs, the detected open ports and the total number of detected vulnerabilities.

You can find it by opening the External Attack Surface drop-down menu and clicking on the IPs and Vulnerabilities option.

You can use the search bar at the top to look for specific IPs.

By clicking on a specific entry, you will be able to find a full list of the domains contacted by the vulnerable IP.

You will also find a full list of open ports and detected vulnerabilities that you can scroll through to gain a better understanding of your organization’s situation. You can use this data to adopt a proactive approach, tend to those vulnerabilities and mitigate their impact.

Similar Domains

The Similar Domains section contains a list of potentially fraudulent URLs that seem to be attempting to impersonate your organization’s public domain. These fraudulent sites are commonly set up by cybercriminals to steal data from unsuspecting customers and users. You will also find additional details such as DNS records, related mail servers, and the hosting service where the site is hosted. You can find this section by opening the External Attack Surface drop-down menu and clicking on the Similar Domains option.

By clicking on a specific entry, you will be able to find additional threat intelligence, mostly provided by Maltiverse. This includes data on the domain’s status, all IPs related to the impostor domain, mail servers, and name servers. You can use the provided links to head to the Maltiverse portal and get the full details.

You can also find research links in different intelligence sources and databases to better understand the risk a fraudulent site can represent.

Reports

You also have the option to download your domain’s Lumu Discover report if you want a document with the module’s information to share with stakeholders. To do so, click on the Reports option on the side panel, and then click on Generate Report.

Then, a menu will pop up. If you have more than one registered domain, select the domain you want to generate the report for, and click on Generate Report.

Lumu Discover will let you know that your report is being generated and that you will receive it via email.

Below, you will see an example of the email you will receive from Lumu with the report attached.

Settings

You will find all your registered domains in the Settings section. You can get there by selecting the Settings option from the side panel. You can sync a domain’s data manually, updating its exposed attack surface information in the module, by clicking the sync button next to that domain. By default, domains sync weekly.

Lumu Discover Playbooks

Lumu has put at your disposal a series of playbooks that contain appropriate steps you can take to address the different types of incidents and vulnerabilities that you can find through Lumu Discover.
  1. Lumu Discover Vulnerabilities Response Playbook
  2. Lumu Discover Infostealer Playbook
  3. Lumu Discover Compromised Employees Playbook
  4. Lumu Discover New Infrastructure Playbook
