Lumu Discover

Lumu has an array of collectors and integrations that allow you to monitor your internal assets; however, every organization also has exposed systems, services and resources that have unique vulnerabilities and require specialized analysis. For this purpose, Lumu Discover provides vital intelligence so you can understand the cybersecurity state of your external surface and start addressing vulnerabilities and compromise.

Key Benefits of Lumu Discover

  • Provides visibility into the state of your Exposed Attack Surface, which, due to its nature, tends to remain outside the field of view of your cybersecurity team.
  • Provides visibility into the state of your third parties’ Exposed Attack Surface, allowing you to recognize and mitigate risk coming from outside your company.
  • Supplies intelligence on the cybersecurity state of exposed assets, how they are connected with vital infrastructure, and the pathways the adversary may take through them to enter your network.
  • Keeps you informed regarding the presence of infostealer-type malware within your organization so you can react accordingly and protect your data.
  • Gives you access to vital intelligence on exfiltrated data in the aftermath of an incident. Lumu Discover sifts through millions of lines of leaked data to find any entries specifically related to your organization.

Access the Lumu Discover Module

If your Lumu account has access to Lumu Discover, upon logging in to the Lumu Portal, a banner will appear at the bottom of the left side panel which you can use to enter the module as seen in the screenshot below.

Info
To learn how to gain access to Lumu Discover, contact your Customer Success Representative for detailed information.

Once you click the banner, you will be taken to the Lumu Discover summary.

Discover Home Dashboard

This is the central intelligence hub for Lumu Discover. It provides an immediate, high-level summary of your organization's external attack surface and the systemic risk posed by your third-party vendor ecosystem.

Quick Summary


This section quantifies your company's security health through the lens of an external attacker.
1. Average Risk Score: This is a composite metric, represented by a letter grade (e.g., B) and a numerical score (e.g., 78/100), that evaluates the security posture of your infrastructure. It provides an overall score for your organization based on the number of domains it has.
2. Organization Domains: Displays the number of domains (e.g., 5 domains) that constitute your organization's publicly visible attack surface. Clicking Details takes you to the Organization Summary section.

Note
Refer to Lumu Discover Risk Score for more information about how the Risk Score of your organization is calculated.

Third-Party Risk Overview 


This section is designed to transform raw security data into actionable prioritization, allowing security teams to manage hundreds of third parties by focusing only on those that pose the most significant threat to business continuity.
1. Aggregated Vendors Risk Score: It provides an overall score for your organization based on the number of monitored vendors of your organization.
2. Third-Party Risk Distribution Matrix: This matrix is a strategic visualization tool that cross-references a vendor’s Security Grade (A–F) with its user-defined Business Impact (Critical, High, Medium, Low). It allows you to quickly analyze at a glance if your most important partners are maintaining acceptable security standards, helping you move away from static spreadsheets to real-time risk management.
3. Performance Extremes: To facilitate rapid response, the dashboard highlights the two ends of your vendor spectrum:
  1. Highest Risk Vendors: Lists the three vendors with the lowest numerical scores. This view includes their specific Industry, their assigned Relevance, and direct links to their detailed risk profile. It is the primary to-do list for third-party risk analysts.
  2. Best Performing Vendors: Displays your top three most secure partners. Monitoring these vendors provides a benchmark for what your organization considers an acceptable level of risk and can help validate the security posture of your most trusted associates.
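The matrix and the two vendor lists described above, rebuilt on constructed vendor data as an added example (this is not Lumu's own code, and Lumu's scoring formula is not documented on this page). The record fields, the sample vendors and the plain-mean aggregated score are assumptions.

```python
"""Third-Party Risk Distribution Matrix and vendor ranking (added example).

Reproduces, on constructed data, the Home Dashboard views: the Security
Grade x Business Impact matrix, the Highest Risk / Best Performing vendor
lists, and an aggregated score.  Field names, sample vendors and the use
of a plain mean for the aggregate are assumptions, not Lumu's formula.
"""
from collections import Counter
from dataclasses import dataclass

GRADES = ["A", "B", "C", "D", "F"]
IMPACTS = ["Critical", "High", "Medium", "Low"]


@dataclass(frozen=True)
class Vendor:
    name: str
    industry: str
    grade: str   # A-F security grade
    score: int   # 0-100 numerical score
    impact: str  # user-defined business impact


# Constructed sample vendors (hypothetical names, grades and scores).
VENDORS = [
    Vendor("Acme Payroll", "Financial Services", "B", 78, "Critical"),
    Vendor("Contoso Cloud", "Technology", "D", 41, "Critical"),
    Vendor("Fabrikam Ads", "Marketing", "A", 93, "Low"),
    Vendor("Initech CRM", "Technology", "C", 66, "High"),
    Vendor("Globex Logistics", "Logistics", "F", 22, "Medium"),
    Vendor("Umbrella Legal", "Legal", "A", 90, "High"),
]


def risk_matrix(vendors):
    """Vendor count per (impact, grade) cell; every cell present, even if 0."""
    counts = Counter((v.impact, v.grade) for v in vendors)
    return {imp: {g: counts[(imp, g)] for g in GRADES} for imp in IMPACTS}


def highest_risk(vendors, n=3):
    """The n vendors with the lowest numerical scores: the analysts' to-do list."""
    return [v.name for v in sorted(vendors, key=lambda v: v.score)[:n]]


def best_performing(vendors, n=3):
    """The n vendors with the highest scores: the benchmark for acceptable risk."""
    return [v.name for v in sorted(vendors, key=lambda v: -v.score)[:n]]


def critical_attention(vendors, worst_grades=("D", "F")):
    """Cells an analyst reads first: high-impact partners with failing grades."""
    return sorted(v.name for v in vendors
                  if v.impact in ("Critical", "High") and v.grade in worst_grades)


def aggregated_score(vendors):
    """Assumed aggregate: plain mean of vendor scores (Lumu's formula not given here)."""
    return round(sum(v.score for v in vendors) / len(vendors), 1)


if __name__ == "__main__":
    for impact, row in risk_matrix(VENDORS).items():
        print(f"{impact:>8}: " + " ".join(f"{g}={row[g]}" for g in GRADES))
    print("Highest risk:", highest_risk(VENDORS))
    print("Best performing:", best_performing(VENDORS))
    print("Needs attention:", critical_attention(VENDORS))
```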

Organization Summary

In this section, you will find a summary of the external exposure of your organization. You can access the domain details of your organization by selecting My Organization in the left side menu, or by clicking Details on one of your organization's domains in the Dashboard.
Once you are in the Organization Summary section, you can easily switch between the domains of your company using the drop-down menu at the top right of the module.

Now, let's take a look at the different sections of the Summary and the data they provide.

Dark Web Exposure

The Dark Web Exposure section offers insights into data leaks involving user information associated with your organization’s domain. This section has three panels:

  • Overview panel (1): This panel gives you a rundown of your domain’s situation in three specific indicators: similar domains, exposed email addresses, and data leaks. We will learn more about each of these in a later section.
  • Data Exposed Over Time (2): This panel provides you with a graph showing the frequency and amount of exposed data leaks (red) and emails (orange) of your organization.
  • Data Leak Exposure (3): This panel provides you with a radial graph so you can get a quick look into the types of data from your organization that have been leaked.

Infostealers Exposure

The Infostealers Exposure section gives you a quick look into your domain’s situation regarding infostealer type malware. It is composed of three panels:

  • Overview panel (1): This panel gives you a rundown of how your domain is dealing with infostealers through three specific indicators: compromised employees, compromised credentials, and threat actors detected. We will learn more about each of these in a later section.
  • Infostealers Exposed Over Time (2): This panel provides you with a graph showing the frequency and amount of infostealer-type malware detected on employee devices.
  • Top Infostealers (3): This panel gives you a breakdown of the infostealers that have been detected in your network. It displays them in order based on the number of cases detected and the percentage they make up of the total number of infostealer-type incidents detected.

SaaS Attack Surface Mapping

This section provides a real-time, prioritized visualization of your organization's SaaS attack exposure. It focuses on the latest 50 compromised endpoints to give your teams immediate, actionable intelligence for incident response and risk prioritization. This view will show you how different elements within your network are connected to web services and applications, and how they have been compromised and exposed through these connections. 
Let’s take a look at some of the elements inside this view and the data they provide. 

Key Exposure Metrics

The metrics below quantify the scale of the immediate risk and guide your initial remediation strategy:
  1. Compromised Devices (1): The number of distinct endpoints (laptops, desktops, servers) that are sources of exposure. These devices need immediate isolation and forensics.
  2. Affected Services (2): The total number of SaaS applications/services linked to a compromise. This shows the breadth of the potential data leak and third-party risk.
  3. Compromised Credentials (3): The number of user accounts with leaked passwords or API keys. Prioritize forced password resets and MFA review for these accounts.
  4. Compromised Cookies (4): The number of session cookies harvested, which allow attackers to hijack active user sessions without needing a password. Requires an immediate forced sign-out for all affected users.

The Attack Surface Graph

The central graph is an interactive network map that illustrates the relationships between compromised devices, affected services, and leaked data types. Each element is represented as a node, providing key information to help you understand the state of your external attack surface. Nodes correspond to assets such as devices, users, or services involved in the compromise, with colors and icons indicating the primary type of exposure (e.g., Compromised Cookies, Affected Services). You can zoom in and out to explore different levels of detail, and by hovering over a node, you can access additional information, as shown in the image below:

Top Compromised SaaS Platforms

This list identifies the most vulnerable SaaS applications in your environment based on the volume of associated compromises. These platforms require immediate attention for security hardening and policy review. The top applications are ranked by the number of devices and users involved in a compromise, often linked to cookie- or credential-based exposures. Use this list to prioritize targeted risk mitigation, such as strengthening session management, reviewing access controls, and integrating threat intelligence feeds, on the most critical applications first.

DNS Recon and Intelligence

This section provides you with vital intelligence regarding the external exposure and vulnerabilities of your network. This is how it is divided:

DNS Recon Mapping

This section consists of an interactive map that gives you a graphical representation of your exposed assets, and what their vulnerabilities are.

This can allow you to better understand the ways an adversary can get into your exposed infrastructure, and how information can be exfiltrated.

You can use the buttons on the left side of the map to zoom in and out, and to disable interactivity so the map stays locked in position.

Vulnerabilities/External IP

This panel shows a graph that allows you to quickly understand which external IPs have presented the most vulnerabilities in your network.

Vulnerability Risk Distribution

This panel shows you how the detected vulnerabilities are distributed among different levels of risk between low and critical so you can quickly grasp your network’s situation in that regard.

Now, let’s take a more detailed look at each of the sections of the module and how you can use them to proactively protect your network and organization.

Compromised Employees

Filtering information from massive data leaks can be daunting, as a 1GB leak may contain millions of entries. Searching for the email addresses of compromised employees can be a time-consuming task. However, the Compromised Employees section of Lumu Discover streamlines this process, saving your team time and effort.

The Compromised Employees section provides information about the email accounts and credentials belonging to employees of your organization that have been compromised and shared in data leaks. You can find it by clicking on the Compromised Employees tab within your organization summary. 

By clicking on each entry, you will find a radial graph and additional information.

The radial graph will allow you to get a quick look into the types of data that have been compromised for this user. Below, you will find three tabs: the Data Leak tab (1) contains information regarding the data leaks where the user’s information is present; the Credentials tab (2) will let you know which of the user’s credentials are compromised so you can address them promptly; and the Contact Information tab (3) will tell you what contact information from the user has been leaked to cybercriminals so you can take action preemptively.

You can also export the data displayed in this view to a .CSV spreadsheet using the provided Export option.

Infostealers

This section provides detailed insights regarding the presence of infostealer-type malware on your organization’s devices and on personal devices. You will find which elements of your exposed attack surface have shown the presence of infostealers, which infostealer family has been detected, the site where the user’s credentials were compromised, the compromised user, and the cookies stored on the compromised device. You can find it by clicking on the Infostealer tab within your organization summary.


Using this drop-down, you can filter compromised employee and user accounts. User accounts refer to your clients, and this information can help you mitigate cybersecurity risks within your user base. 

This way, it will be easier to pinpoint any specific accounts of interest. By filtering user accounts only, you will be able to create and direct training campaigns tailored to the cybersecurity needs of your users. 

By clicking on a specific entry, regardless of the category, you will find additional details about each of these items.

You will have access to the IP address of the affected device (1), its operating system and build (2), the detected malware path (3), and the malware family the infostealer belongs to (4). You can also find the date the device was detected as compromised and the latest detection of the infection (5).
If you look below, you will find even more information regarding the threat.

You will be able to look for incidents related to that specific infostealer family in the Lumu Portal by clicking the provided link (1). This view also has two tabs: the Credentials tab (2) shows you the URL of the resource where the compromised credentials were detected, as well as the compromised user's email address; the SaaS Applications tab (3) shows you the cookies of SaaS applications stored on the affected device, with additional cookie data such as its expiration date, type, and a description of its functionality if available. If a cookie has not expired, it will be highlighted so you are aware of the risk it poses.
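The cookie-expiry rule this view applies, together with the four Key Exposure Metrics from the SaaS Attack Surface Mapping section, worked through on a constructed export as an added example (this is not Lumu's own code). The CSV column names, the timestamp format and the yes/no credential flag are assumptions about the export format; check them against a real export before use.

```python
"""Triage of a Lumu Discover infostealer export (added example, not Lumu's code).

The Infostealers detail view lists compromised credentials and the SaaS cookies
found on the device, highlighting cookies that have not expired because a live
cookie lets an attacker resume the session without a password.  This script
applies the same rule to a constructed CSV export: it recomputes the four Key
Exposure Metrics and turns each row into a per-user remediation action.
Column names, date format and the 'yes'/'no' credential flag are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (hypothetical users, documentation-range IPs,
# placeholder malware family labels).
SAMPLE_EXPORT = """\
device_ip,user_email,malware_family,resource_url,cookie_name,cookie_expires,credential_leaked
198.51.100.23,alice@example.com,family_a,https://mail.example-saas.com,SESSID,2030-01-15T10:00:00Z,yes
198.51.100.23,alice@example.com,family_a,https://crm.example-saas.com,auth_token,2021-03-01T00:00:00Z,no
203.0.113.7,bob@example.com,family_b,https://hr.example-saas.com,session,2029-06-30T23:59:59Z,no
203.0.113.7,bob@example.com,family_b,https://vpn.example.com,,,yes
"""


def _parse_time(value):
    """Parse the assumed ISO-8601 UTC timestamp used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cookie_is_live(expires, now):
    """A cookie is live (hijackable) when it has an expiry later than now."""
    return bool(expires) and _parse_time(expires) > now


def exposure_metrics(rows):
    """The four Key Exposure Metrics, recomputed from the export rows."""
    return {
        "compromised_devices": len({r["device_ip"] for r in rows}),
        "affected_services": len({r["resource_url"] for r in rows}),
        "compromised_credentials": sum(r["credential_leaked"].lower() == "yes" for r in rows),
        "compromised_cookies": sum(bool(r["cookie_name"]) for r in rows),
    }


def triage_export(text, now_iso="2025-01-01T00:00:00Z"):
    """Return (metrics, actions): per user, the devices to isolate, the services
    needing a forced sign-out (live cookie) and those needing a password reset
    and MFA review (leaked credential).  now_iso is the reference time."""
    now = _parse_time(now_iso)
    rows = list(csv.DictReader(io.StringIO(text)))
    actions = {}
    for r in rows:
        a = actions.setdefault(r["user_email"], {"isolate_devices": set(),
                                                 "force_signout": set(),
                                                 "reset_password": set()})
        a["isolate_devices"].add(r["device_ip"])
        if cookie_is_live(r["cookie_expires"], now):
            a["force_signout"].add(r["resource_url"])
        if r["credential_leaked"].lower() == "yes":
            a["reset_password"].add(r["resource_url"])
    return exposure_metrics(rows), actions


if __name__ == "__main__":
    metrics, actions = triage_export(SAMPLE_EXPORT)
    print(metrics)
    for user, a in actions.items():
        print(user, {k: sorted(v) for k, v in a.items()})
```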

You can also export the data displayed in this view to a .CSV spreadsheet using the provided Export option.

Data Leaks

The Data Leaks section contains a list of data leaks where data related to your organization has been detected. It shows you the date the record was detected in the data leak, the data leak’s size, relevant tags and the number of records in it that involve your organization. High-priority leaks are easy to spot, as they are marked with an exclamation point. You can find it by clicking on the Data Leaks tab within your organization summary.

By clicking on a specific entry, you will gain access to more detailed information regarding the leak. You can use the search bar at the top to look for known data leaks.

Sifting through data leaks can be a colossal endeavor as they can comprise millions of entries; however, Lumu Discover will take on that task for you and provide only the entries relevant to your organization.

You will find the name and release date of the leak, all the relevant tags so you have a better idea of the type of data contained in the leak, as well as the 20 latest entries in the data leak that are related to users of your organization.

IPs and Vulnerabilities

The IPs and Vulnerabilities section shows you a list of exposed IPs from your network that have shown vulnerabilities. You will be able to see the affected IPs, the domains contacted from those IPs, the detected open ports and the total number of detected vulnerabilities. You can find it by clicking on the IPs and Vulnerabilities tab within your organization summary.

You can use the search bar at the top to look for specific IPs.

By clicking on a specific entry, you will be able to find a full list of the domains contacted by the vulnerable IP, as well as a full list of open ports and detected vulnerabilities that you can scroll through to gain a better understanding of your organization’s situation. You can use this data to adopt a proactive approach, tend to those vulnerabilities and mitigate their impact.

Similar Domains

The Similar Domains section contains a list of potentially fraudulent URLs that seem to be attempting to impersonate your organization’s public domain. These fraudulent sites are commonly set up by cybercriminals to steal data from unsuspecting customers and users. You will also find additional details such as DNS records, related mail servers, and the hosting server service where the site is hosted. You can find this section by clicking on the Similar Domains tab within your organization summary.

By clicking on a specific entry, you will be able to find additional threat intelligence, mostly provided by Maltiverse. This includes data on the domain’s status, all IPs related to the impostor domain, mail servers, and name servers. You can use the provided links to head to the Maltiverse portal and get the full details.

You can also find research links in different intelligence sources and databases to better understand the risk a fraudulent site can represent.

Third-Parties

You can access this section from the left menu. 
This section provides a comprehensive inventory of your third-party relationships and their respective security hygiene. 
The table provides a filterable view of all monitored vendors, giving you immediate access to the following information: 
  1. Security Scoring: Each vendor is assigned a real-time grade based on their external security posture.
  2. Risk Contextualization: The table displays Data Leaks, Infostealer Compromises, and Vulnerabilities counts (e.g., 18 vulnerabilities for a specific vendor) to provide context for the provided score.
  3. Industry & Impact: You can view the vendor’s industry (e.g., Technology, Financial Services) and their assigned Business Impact (e.g., Critical, High). The business impact is essential for the Home Dashboard's Risk Distribution Matrix.

Third-party Details

You can review the in-depth summary for each third-party domain by clicking on Details. That will take you to the details of the third-party domain.
On this page, you will find a detailed summary of the external exposure of third-party vendors. This summary displays the same information reviewed in the Organization Summary section, using the data specific to the vendor.

Third-party editing

You can edit the third-party information by clicking the Edit button on each vendor.
This will allow you to edit the following information for each vendor to customize it based on the context of your company.
Setting the correct Business Impact is of extreme importance, as it directly affects the Third-Party Risk Distribution Matrix of the Home Dashboard. This matrix allows you to quickly analyze which critical vendors have a higher risk of affecting your operation.

Reports

You also have the option to download your domain’s Lumu Discover report if you want to have a document with the module’s information to share with stakeholders. To do so, click on the Reports option on the side panel, and click on Generate Report.

Then, a menu will pop up. If you have more than one registered domain, select the domain you want to generate the report for, and click on Generate Report.

Lumu Discover will let you know that your report is being generated, and you will receive it via email.

Below, you will see an example of the email you will be receiving from Lumu with the report attached.

Settings

You will find all of your registered domains and third-party domains in the Settings section. You can get there by selecting the Settings option from the side panel. You can sync their data manually to update the domain’s exposed attack surface information in the module by clicking the sync button for each domain. By default, domains sync weekly.


Tag Creation

Selecting the Tag tab takes you to the page where you can create, edit, and delete tags used for categorizing domains and vendors. 

Lumu Discover Playbooks

Lumu has put at your disposal a series of playbooks that contain appropriate steps you can take to address the different types of incidents and vulnerabilities that you can find through Lumu Discover.
  1. Lumu Discover Vulnerabilities Response Playbook
  2. Lumu Discover Infostealer Playbook
  3. Lumu Discover Compromised Employees Playbook
  4. Lumu Discover New Infrastructure Playbook
