Lumu has an array of collectors and integrations that allow you to monitor your internal assets; however, every organization also has exposed systems, services and resources that have unique vulnerabilities and require specialized analysis. For this purpose, we have Lumu Discover, which provides vital intelligence so you can understand the cybersecurity state of your external surface and start addressing vulnerabilities and compromise.
If your Lumu account has access to Lumu Discover, upon logging in to the Lumu Portal, a banner will appear at the bottom of the left side panel which you can use to enter the module as seen in the screenshot below.
Once you click the banner, you will be taken to the Lumu Discover summary.
This is the central intelligence hub for Lumu Discover. It provides an immediate, high-level summary of your organization's external attack surface and the systemic risk posed by your third-party vendor ecosystem.
This section quantifies your company's security health through the lens of an external attacker.
1. Average Risk Score: This is a composite metric, represented by a letter grade (e.g., B) and a numerical score (e.g., 78/100), that evaluates the security posture of your infrastructure. It provides an overall score for your organization based on the domains it has.
2. Organization Domains: Displays the domains (e.g., 5 domains) that constitute your organization's publicly visible attack surface. Clicking Details takes you to the Domains section.
Third-Party Risk Overview
This section is designed to transform raw security data into actionable prioritization, allowing security teams to manage hundreds of third parties by focusing only on those that pose the most significant threat to business continuity.
1. Aggregated Vendors Risk Score: It provides an overall score for your organization based on the number of monitored vendors of your organization.
2. Third-Party Risk Distribution Matrix: This matrix is a strategic visualization tool that cross-references a vendor’s Security Grade (A–F) with its user-defined Business Impact (Critical, High, Medium, Low). It allows you to quickly analyze at a glance if your most important partners are maintaining acceptable security standards, helping you move away from static spreadsheets to real-time risk management.
3. Performance Extremes: To facilitate rapid response, the dashboard highlights the two ends of your vendor spectrum:
- Highest Risk Vendors: Lists the three vendors with the lowest numerical scores. This view includes their specific Industry, their assigned Relevance, and direct links to their detailed risk profile. It is the primary to-do list for third-party risk analysts.
- Best Performing Vendors: Displays your top three most secure partners. Monitoring these vendors provides a benchmark for what your organization considers an acceptable level of risk and can help validate the security posture of your most trusted associates.
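The following is an added example, not Lumu's code: it rebuilds the Third-Party Risk Distribution Matrix and the two vendor extremes from a constructed vendor inventory, so an analyst can reproduce the same prioritization over an exported vendor list. Vendor names, field names, the score-to-grade banding and the use of the mean as the aggregation are assumptions.

```python
"""Third-Party Risk Distribution Matrix and vendor extremes (added example)."""
from statistics import mean

GRADES = ["A", "B", "C", "D", "F"]               # Security Grade scale (A-F)
IMPACTS = ["Critical", "High", "Medium", "Low"]  # user-defined Business Impact

# Constructed sample inventory: hypothetical vendors, not real data.
VENDORS = [
    {"name": "cloud-crm.example",     "industry": "Technology",         "score": 91, "impact": "Critical"},
    {"name": "payroll-saas.example",  "industry": "Financial Services", "score": 78, "impact": "Critical"},
    {"name": "print-shop.example",    "industry": "Services",           "score": 52, "impact": "Low"},
    {"name": "logistics-api.example", "industry": "Logistics",          "score": 44, "impact": "High"},
    {"name": "legacy-erp.example",    "industry": "Technology",         "score": 33, "impact": "Critical"},
    {"name": "catering.example",      "industry": "Services",           "score": 85, "impact": "Low"},
]


def grade_for(score):
    """Map a 0-100 score to a letter grade. The banding is an assumption chosen
    so that the page's example (78/100 -> B) holds; real thresholds may differ."""
    if score >= 90:
        return "A"
    if score >= 70:
        return "B"
    if score >= 50:
        return "C"
    if score >= 30:
        return "D"
    return "F"


def aggregated_vendor_score(vendors):
    """Aggregated Vendors Risk Score: mean of the monitored vendors' scores
    (assumed aggregation), returned with its letter grade."""
    score = round(mean(v["score"] for v in vendors))
    return score, grade_for(score)


def distribution_matrix(vendors):
    """Cross-reference each vendor's Security Grade with its Business Impact."""
    matrix = {(g, i): [] for g in GRADES for i in IMPACTS}
    for v in vendors:
        matrix[(grade_for(v["score"]), v["impact"])].append(v["name"])
    return matrix


def highest_risk(vendors, n=3):
    """The n vendors with the lowest numerical scores: the analysts' to-do list."""
    return [v["name"] for v in sorted(vendors, key=lambda v: v["score"])[:n]]


def best_performing(vendors, n=3):
    """The n vendors with the highest scores: the benchmark for acceptable risk."""
    return [v["name"] for v in sorted(vendors, key=lambda v: -v["score"])[:n]]


def critical_attention(vendors, impacts=("Critical", "High"), grades=("D", "F")):
    """Vendors in the matrix's danger corner: high Business Impact combined
    with a poor grade, ordered by impact and then by ascending score."""
    hits = [v for v in vendors if v["impact"] in impacts and grade_for(v["score"]) in grades]
    return [v["name"] for v in sorted(hits, key=lambda v: (IMPACTS.index(v["impact"]), v["score"]))]


def render_matrix(matrix):
    """Plain-text matrix: rows are grades, columns are impacts, cells are vendor counts."""
    lines = ["grade " + " ".join(f"{i:>8}" for i in IMPACTS)]
    for g in GRADES:
        lines.append(f"{g:<5} " + " ".join(f"{len(matrix[(g, i)]):>8}" for i in IMPACTS))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Aggregated Vendors Risk Score:", aggregated_vendor_score(VENDORS))
    print(render_matrix(distribution_matrix(VENDORS)))
    print("Highest Risk Vendors:", highest_risk(VENDORS))
    print("Best Performing Vendors:", best_performing(VENDORS))
    print("Needs attention first:", critical_attention(VENDORS))
```

The `critical_attention` view is the question the matrix is meant to answer: which high-impact partners currently hold a poor grade.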
My Organization - Domains
In this section, you will find a summary of the external exposure of your organization. You can access the domain details of your organization by selecting My Organization > Domains in the left side menu, or by clicking Details on one of your organization's domains in the Dashboard.
Once you are in the Domains section, you can easily switch between the domains of your company using the drop-down menu on the top right section of the module.
Here, you will find a summary of the external exposure of your organization. Now, let's take a look at the different sections of the Summary and the data they provide.
Domain details - Overview
This section provides a full overview of the compromise level of your domain divided into multiple comprehensive sections.
Dark Web Exposure
The Dark Web Exposure section offers insights into data leaks involving user information associated with your organization’s domain. This section has 3 panels:
- Overview panel (1): This panel gives you a rundown of your domain’s situation in three specific indicators: similar domains, exposed email addresses, and data leaks. We will learn more about each of these in a later section.
- Data Exposed Over Time (2): This panel provides you with a graph showing the frequency and amount of exposed data leaks (red) and emails (orange) of your organization.
- Data Leak Exposure (3): This panel provides you with a radial graph so you can get a quick look into the types of data from your organization that have been leaked.
Infostealers Exposure
The Infostealers Exposure section gives you a quick look into your domain’s situation regarding infostealer type malware. It is composed of three panels:
- Overview panel (1): This panel gives you a rundown of how your domain is dealing with infostealers through three specific indicators: compromised employees, compromised credentials, and threat actors detected. We will learn more about each of these in a later section.
- Infostealers Exposed Over Time (2): This panel provides you with a graph showing the frequency and amount of Infostealer type malware detected in employee devices.
- Top Infostealers (3): This panel gives you a breakdown of the infostealers that have been detected in your network. It will display them in order based on the number of cases detected and the percentage they make up of the total number of infostealer type incidents detected.
SaaS Attack Surface Mapping
This section provides a real-time, prioritized visualization of your organization's SaaS attack exposure. It focuses on the latest 50 compromised endpoints to give your teams immediate, actionable intelligence for incident response and risk prioritization. This view will show you how different elements within your network are connected to web services and applications, and how they have been compromised and exposed through these connections.
Let’s take a look at some of the elements inside this view and the data they provide.
Key Exposure Metrics
The metrics below quantify the scale of the immediate risk and guide your initial remediation strategy:
- Compromised Devices(1): The number of distinct endpoints (laptops, desktops, servers) that are sources of exposure. These devices need immediate isolation and forensics.
- Affected Services(2): The total number of SaaS applications/services linked to a compromise. This shows the breadth of the potential data leak and third-party risk.
- Compromised Credentials(3): The number of user accounts with leaked passwords or API keys. Prioritize forced password resets and MFA review for these accounts.
- Compromised Cookies(4): The number of session cookies harvested, which allows attackers to hijack active user sessions without needing a password. Requires immediate forced sign-out for all affected users.
The Attack Surface Graph
The central graph is an interactive network map that illustrates the relationships between compromised devices, affected services, and leaked data types. Each element is represented as a node, providing key information to help you understand the state of your external attack surface. Nodes correspond to assets such as devices, users, or services involved in the compromise, with colors and icons indicating the primary type of exposure (e.g., Compromised Cookies, Affected Services). You can zoom in and out to explore different levels of detail, and by hovering over a node, you can access additional information, as shown in the image below:
Top Compromised SaaS Platforms
This list identifies the most vulnerable SaaS applications in your environment based on the volume of associated compromises. These platforms require immediate attention for security hardening and policy review. The top applications are ranked by the number of devices and users involved in a compromise, often linked to cookie- or credential-based exposures. Use this list to prioritize targeted risk mitigation—such as strengthening session management, reviewing access controls, and integrating threat intelligence feeds—on the most critical applications first.
DNS Recon and Intelligence
This section provides you with vital intelligence regarding the external exposure and vulnerabilities of your network. This is how it is divided:
DNS Recon Mapping
This section consists of an interactive map that gives you a graphical representation of your exposed assets, and what their vulnerabilities are.
This can allow you to better understand the ways an adversary can get into your exposed infrastructure, and how information can be exfiltrated.
You can use the buttons on the left side of the map to zoom in and out, and to disable interactivity so the map stays locked in position.
Vulnerabilities/External IP
This panel shows a graph that allows you to quickly understand which external IPs have presented the most vulnerabilities in your network.
Vulnerability Risk Distribution
This panel shows you how the detected vulnerabilities are distributed among different levels of risk between low and critical so you can quickly grasp your network’s situation in that regard.
Now, let’s take a more detailed look at each of the sections of the module and how you can use them to proactively protect your network and organization.
Domain details - Compromised Employees
Filtering information from massive data leaks can be daunting, as a 1GB leak may contain millions of entries. Searching for the email addresses of compromised employees can be a time-consuming task. However, the Compromised Employees section of Lumu Discover streamlines this process, saving your team time and effort.
The Compromised Employees section provides information about the email accounts and credentials belonging to employees of your organization that have been compromised and shared in data leaks. You can find it by clicking on the Compromised Employees tab.
You can narrow down the list of compromised employees using the Identity Filter. This feature can be used after you have integrated Microsoft Entra ID. The filter acts as a lens, hiding any external data that doesn't match active employees in your Active Directory. This ensures that your security team focuses only on the users that pose a direct risk to your corporate environment. Learn how to integrate Microsoft Entra ID in the Integrations section.

By clicking on each entry, you will open the details page.
This page allows you to get a quick look into the types of data that have been compromised for the specific user. Below, you will find three tabs:
- Data Leak: contains information regarding the data leaks where the user’s information is present.
- Credentials: this tab shows which of the user's credentials are compromised so you can address them promptly.
- Contact Information: find what contact information from the user has been leaked to cybercriminals so you can take action preemptively.
You can also export the data displayed in this view to a .CSV spreadsheet using the provided Export option.
Domain details - Infostealers
This section provides detailed insights regarding the presence of infostealer type malware on your organization's devices and on personal devices. You will find which elements of your exposed attack surface have shown presence of infostealers, which family of infostealer has been detected, the site where the user's credentials have been compromised, the compromised user, and the cookies stored on the compromised device. You can find it by clicking on the Infostealer tab.
You can narrow down the list of infostealer events using the Identity Filter. This feature can be used after you have integrated Microsoft Entra ID. The filter acts as a lens, hiding any external data that doesn't match active employees in your Active Directory. This ensures that your security team focuses only on the users that pose a direct risk to your corporate environment. Learn how to integrate Microsoft Entra ID in the Integrations section.
Using this drop-down, you can filter compromised employee and user accounts. User accounts refer to your clients, and this information can help you mitigate cybersecurity risks within your user base.
This way, it will be easier to pinpoint any specific accounts of interest. By filtering user accounts only, you will be able to create and direct training campaigns tailored to the cybersecurity needs of your users.
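The Identity Filter and the employee/user-account drop-down described for both the Compromised Employees and the Infostealers sections, as an added example that is not Lumu's code: exposure records are cross-referenced against a directory export and only active employees are kept. The users, record fields and directory fields are constructed assumptions.

```python
"""Identity Filter over exposure records (added example, constructed data)."""

# Constructed Entra ID directory export: hypothetical users, subset of fields.
DIRECTORY = [
    {"userPrincipalName": "alice@corp.example", "accountEnabled": True},
    {"userPrincipalName": "bob@corp.example",   "accountEnabled": True},
    {"userPrincipalName": "carol@corp.example", "accountEnabled": False},  # offboarded
]

# Constructed exposure records in the shape the two sections list them.
RECORDS = [
    {"email": "alice@corp.example", "source": "infostealer", "detail": "sso.corp.example", "detected": "2024-05-01"},
    {"email": "Bob@Corp.Example",   "source": "data_leak",   "detail": "combo_2024",       "detected": "2024-04-20"},
    {"email": "carol@corp.example", "source": "data_leak",   "detail": "combo_2024",       "detected": "2024-04-20"},
    {"email": "dave@corp.example",  "source": "infostealer", "detail": "shop.corp.example", "detected": "2024-05-03"},
    {"email": "alice@corp.example", "source": "data_leak",   "detail": "old_forum_2019",   "detected": "2023-01-10"},
]


def active_employees(directory):
    """Normalised UPNs of enabled accounts only; disabled accounts are not 'active employees'."""
    return {u["userPrincipalName"].lower() for u in directory if u["accountEnabled"]}


def identity_filter(records, directory):
    """Keep only records whose email matches an active employee (case-insensitive).
    Everything else is external noise from the filter's point of view."""
    active = active_employees(directory)
    return [r for r in records if r["email"].lower() in active]


def split_by_population(records, directory):
    """Mirror the employees / user accounts drop-down: an address that exists in
    the directory (enabled or not) is an employee; anything else is a user
    (customer) account on your domain."""
    known = {u["userPrincipalName"].lower() for u in directory}
    employees = [r for r in records if r["email"].lower() in known]
    user_accounts = [r for r in records if r["email"].lower() not in known]
    return employees, user_accounts


def per_identity_summary(records):
    """Exposure counts per identity and per source, most recent detection first."""
    summary = {}
    for r in sorted(records, key=lambda r: r["detected"], reverse=True):
        entry = summary.setdefault(r["email"].lower(), {"data_leak": 0, "infostealer": 0, "latest": r["detected"]})
        entry[r["source"]] += 1
    return summary


if __name__ == "__main__":
    workforce = identity_filter(RECORDS, DIRECTORY)
    employees, clients = split_by_population(RECORDS, DIRECTORY)
    print(f"{len(workforce)} of {len(RECORDS)} records belong to active employees")
    print(f"{len(employees)} employee records, {len(clients)} user-account records")
    for upn, counts in per_identity_summary(workforce).items():
        print(upn, counts)
```

Note that the offboarded account drops out of the filtered view by design; the unfiltered list still carries its records, which matters if that person's credentials were reused elsewhere.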
By clicking on a specific entry, you will find additional details about each infostealer event. This page is divided into 3 main sections:
- The first section introduces information about the infostealer event, the date the device was detected as compromised and the latest detection of the infection. It also provides system and malware information to give context for the incident. You will be able to look for incidents related to that specific infostealer family in the Lumu Portal by clicking the provided link.
- The second section provides information about the user involved in the incident.
- The last section lists the cookies of SaaS applications stored on the affected device. You will find additional cookie data such as its expiration date, type, and a description of its functionality if available. If a cookie has not expired, it will be highlighted so you are aware of the risk it poses.
You can also export the data displayed in this view to a .CSV spreadsheet using the provided Export option.
Domain details - Data Leaks
The Data Leaks section contains a list of data leaks where data related to your organization has been detected. It will show you the date the record was detected in the data leak, the data leak’s size, relevant tags and the number of records in it that involve your organization. High-priority leaks will be easy to spot as they are marked with an exclamation point. You can find it by clicking on the Data Leaks tab.
By clicking on a specific entry, you will gain access to more detailed information of the leak.
Sifting through data leaks can be a colossal endeavor as they can comprise millions of entries; however, Lumu Discover will take on that task for you and provide only the entries relevant to your organization.
You will find the name and size of the leak, and all the relevant tags so you have a better idea of the type of data contained in the leak.
Domain details - IPs and Vulnerabilities
The IPs and Vulnerabilities section shows you a list of exposed IPs from your network that have shown vulnerabilities. You will be able to see the affected IPs, the domains that have been entered from those IPs, the detected open ports and the total number of detected vulnerabilities. You can find it by clicking on the IPs and Vulnerabilities tab.
You can use the search bar at the top to look for specific IPs.
By clicking on a specific entry, you will be able to find a full list of the domains contacted by the vulnerable IP.
As well as a full list of open ports, and detected vulnerabilities that you can scroll through to gain a better understanding of your organization’s situation. You can use this data to adopt a proactive approach and tend to those vulnerabilities and mitigate their impact.
Domain details - Similar Domains
The Similar Domains section contains a list of potentially fraudulent URLs that seem to be attempting to impersonate your organization's public domain. These fraudulent sites are commonly set up by cybercriminals to steal data from unsuspecting customers and users. You will also find additional details such as DNS records, related mail servers, and the hosting service where the site is hosted. You can find this section by clicking on the Similar Domains tab.
By clicking on a specific entry, you will be able to find additional threat intelligence, mostly provided by Maltiverse. This includes data on the domain’s status, all IPs related to the impostor domain, mail servers, and name servers. You can use the provided links to head to the Maltiverse portal and get the full details.
You can also find research links in different intelligence sources and databases to better understand the risk a fraudulent site can represent.
My Organization - Identities
To populate this section, ensure you have a working integration with Microsoft Entra ID. Check out the Integrations section for more information.
This section is a centralized hub that allows you to drill down into the specific security posture of every individual in your organization, showing which users are at risk due to a lack of MFA or the presence of email forwarding rules.
You can access this section by navigating to My Organization > Identities.

In this section, you will find:
- Identities summary (1): A quick overview of the status of the users within the Active Directory, providing high-level metrics on synchronization, MFA coverage, and potential redirection risks.
- Filtering options (2): Multiple filtering options to narrow down the user list by groups, specific MFA statuses, or active email forwarding, allowing for targeted risk assessment.
- User list (3): Full user list. It can be sorted using any of the options in the table.
User details
By clicking on a specific user, you enter the Identity Details view.
From this view, you can get a general overview of the user. You can also access the following tabs to obtain information about the compromise events where the user has been involved.
Data leaks
In this tab, you will find the information related to all the Data Leak incidents for this user. Clicking on View Full Details will take you to the Compromised Employees section for the specific domain of the user.
Infostealers
This tab provides the full information about the infostealer events where the user has been involved. Clicking on View Full Details will take you to the Infostealers section for the specific domain of the user.
SaaS Exposure
This tab provides a look into the third-party application footprint of the user. This view specifically tracks where the user has utilized their corporate Microsoft credentials via SSO to authenticate into external platforms.
Third-Parties
You can access this section from the left menu.
This section provides a comprehensive inventory of your third-party relationships and their respective security hygiene.
The table provides a filterable view of all monitored vendors, giving you immediate access to the following information:
- Security Scoring: Each vendor is assigned a real-time grade based on their external security posture.
- Risk Contextualization: The table displays Data Leaks, Infostealer Compromises, and Vulnerabilities counts (e.g., 18 vulnerabilities for a specific vendor) to provide context for the provided score.
- Industry & Impact: You can view the vendor’s industry (e.g., Technology, Financial Services) and their assigned Business Impact (e.g., Critical, High). The business impact is essential for the Home Dashboard's Risk Distribution Matrix.
Third-party Details
You can review the in-depth summary for each third party domain by clicking on Details.
That will take you to the details of the third party domain.
On this page, you will find a detailed summary of the external exposure of third-party vendors. This summary displays the information reviewed in the Domains section using the data specific to the vendor.
Third-party editing
You can edit the third party information by clicking the Edit button on each vendor.
This will allow you to edit the following information of each vendor to customize it based on the context of your company.
Adding the correct Business Impact is of extreme importance, as it will directly affect the Third-Party Risk Distribution Matrix of the Home Dashboard. This matrix will allow you to quickly analyze which critical vendors have a higher risk of affecting your operation.
Reports
You also have the option to download your domain's Lumu Discover report if you want to have a document with the module's information to share with stakeholders. To do so, click on the Reports (1) option on the side panel, and click on Generate Report (2).
Then, a menu will pop up. If you have more than one registered domain, select the domain you want to generate the report for, and click on Generate Report.
Lumu Discover will let you know that your report is being generated, and you will receive it via email.
Below, you will see an example of the email you will be receiving from Lumu with the report attached.
Settings
You will find all of your registered domains and third-party domains in the Settings section. You can get there by selecting the Settings option from the side panel. You will be able to sync their data manually to update the domain's exposed attack surface information in the module by clicking the sync button for each domain. By default, domains sync on a weekly basis.
Tag Creation
Selecting the Tag tab takes you to the page where you can create, edit, and delete tags used for categorizing domains and vendors.
Integrations
Lumu Discover allows you to enhance your organization’s visibility by integrating with Microsoft Entra ID. By syncing with your Active Directory, Lumu can distinguish between external noise and genuine risks to your workforce, providing the context needed to stop adversaries in their tracks. Integrating with Microsoft Entra ID allows you to:
- Use the Identity Filter: Once integrated, you can toggle the Identity Filter within your Domain details to instantly narrow down the list of users. With the help of this filter, the Compromised Employees and Infostealers sections show you only the compromised accounts that belong to your actual workforce.
- Identify vulnerabilities: From the Identities section, you can have visibility into critical vulnerabilities, such as accounts lacking Multi-Factor Authentication (MFA) or suspicious email forwarding rules that could indicate unauthorized redirection by an attacker.
- Operational efficiency: Reduce the time spent on manual verification. By syncing your directory, Lumu automatically updates users who are onboarded or offboarded in your Entra ID environment.
To integrate Microsoft Entra ID, go to Settings > Integrations. On this page, you will find your existing integrations; more than one Entra ID integration can exist at a time. Click Add Integration to start the process.

Now, add a name for the integration and click on Connect with Microsoft Entra ID.
You will be prompted to log in with a Microsoft account. It is of extreme importance to log in with an Administrator account so that all the required permissions can be accepted. Once you have successfully logged in, click on Activate Integration to complete the integration. Then, you will be directed to the integration details.
Once you successfully integrate Microsoft Entra ID, the initial synchronization of the user database can take up to 15 minutes to complete.
On this page, you will find the following information:
- Integration details (1): General information about the integration.
- Identities details (2): Quick overview of the compromise status of the user within your Active Directory.
- Refresh Identity Data (3): With this button you can refresh the data synced. By default, the system syncs data every day.
At the bottom of the page, you will find an interactive graph that allows you to visualize trends and track the effectiveness of your security policies over time.
At the top-right of the graph, you will find three Legend Buttons. These act as toggles to customize your view.
Once you have successfully integrated, you can make use of the Identities section and the Identity Filter to narrow down your investigations within the Compromised Employees and Infostealers sections of your domains' details.
Lumu Discover Playbooks
Lumu has put at your disposal a series of playbooks that contain appropriate steps you can take to address the different types of incidents and vulnerabilities that you can find through Lumu Discover.
- Lumu Discover Vulnerabilities Response Playbook
- Lumu Discover Infostealer Playbook
- Lumu Discover Compromised Employees Playbook
- Lumu Discover New Infrastructure Playbook