Executive Monitoring
Executive Monitoring is a watchlist for the people most likely to be targeted: your CEO, CFO, board members, and other high-value individuals. You register each executive once, attach their personal identifiers (emails, usernames, phone numbers), and ShadowMap correlates exposure for that person across five other modules — data breaches, infostealer logs, dark web discussions, cyber news, and social media — into a single weighted risk score you can sort and triage.
Overview

The page is a sortable watchlist. Each row is one executive you have added to monitoring. Per row you see the executive's name and organization, a computed Risk score, and a set of count columns — Leaked Creds, Breaches, Stealer Logs, News, Social Media — that tally how many findings ShadowMap has correlated to that person in each upstream module. The default sort is Risk descending, so the most-exposed executive is at the top.
Above the table sit two collapsible panels: a six-card metrics strip (toggled with the Metrics button in the header) and an analytics panel of charts (toggled with Analytics). Status tabs — All, Active, Under Review, Escalated, Resolved — sit between the panels and the search bar.
One feature, two entrances
Executive Monitoring and the old Data Leaks → Executive Leaks page are now the same view. The Executive Leaks route (and its legacy URLs) permanently redirect here, preserving any query string and hash. If you have a bookmark or a deep link to Executive Leaks, it lands on this page. Document and train on Executive Monitoring; treat Executive Leaks as a synonym.
How it works
Most of what makes this module useful is not visible in the grid. These are the mechanics behind the numbers.
Executives are a manual watchlist
Nothing appears here automatically. You decide who is monitored by adding executives (one at a time, or via CSV bulk import). For each executive you supply one or more personal identifiers — email addresses, usernames, phone numbers. Those identifiers are the join key: every correlation downstream is driven by matching an executive's identifiers (and their name) against findings in other modules. An executive with no identifiers will show near-zero exposure because there is little for the engine to match on.
The Risk score is computed from cross-module threat counts
The Risk number is not a stored severity you set — it is a weighted sum of how many findings each upstream module has for that executive, recalculated from live counts:
| Threat source | Weight |
|---|---|
| Data breaches | ×5 |
| Stealer logs | ×4 |
| Dark web mentions | ×3 |
| News mentions | ×2 |
| Social media | ×1 |
risk_score = (breaches × 5) + (stealer_logs × 4) + (dark_web × 3) + (news × 2) + (social_media × 1)
The weights reflect exposure severity: a leaked, breached credential is far more dangerous than a press mention, so breaches dominate the score. All five sources are correlated live — dark-web mentions are matched against the executive's identifiers in dark web discussions and contribute their ×3 weight to the displayed score. The numeric score then maps to a severity band that colours the Risk badge:
| Severity | Score threshold |
|---|---|
| Critical | ≥ 20 |
| High | ≥ 10 |
| Medium | ≥ 5 |
| Low | ≥ 1 |
| None | 0 |
The score is computed live from current counts
The Risk score is not stored — it is recomputed every time the page loads. Both the list rows and the detail drawer ask each upstream module for the executive's current count and run the weighted formula on the spot, so the number always reflects the latest data. A new breach or stealer log raises the score the next time you load or refresh the view.
Counts are scoped to the executive, not the whole company
Every count column is the per-executive slice of a much larger module:
- Leaked Creds — credentials in the Executive Leaks store whose owning record is this executive and whose response status is still Needs Review. The metrics-strip "Leaked Credentials" KPI counts the same needs-review subset across all executives.
- Breaches — data-breach rows matched on `breach_value IN (the executive's identifiers)`.
- Stealer Logs — infostealer password entries correlated to this executive's ID.
- News — cyber-news mentions matched on the executive's name.
- Social Media — social posts/accounts matched to the executive.
This scoping is why the count drill-downs (below) open pre-filtered to this executive — most jump to the upstream module reproducing the query the count was built from, while the Leaked Creds count opens the executive's own detail page on its Credentials tab.
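The scoring and per-executive scoping described above, worked through as an added example (not ShadowMap's own code). The weights, severity bands and match keys come from this page; the record layout, the `id`, `value` and `executive_id` field names, the case-insensitive exact match and the sample data are assumptions made for illustration.

```python
# Added illustration, not ShadowMap code. Weights, bands and match keys are from
# the page; record fields and case-insensitive exact matching are assumptions.
WEIGHTS = {"breaches": 5, "stealer_logs": 4, "dark_web": 3, "news": 2, "social_media": 1}
BANDS = [(20, "Critical"), (10, "High"), (5, "Medium"), (1, "Low"), (0, "None")]

def norm(value):
    return value.strip().lower()

def matches(executive, f):
    """Apply the per-source join the page describes for each count."""
    if f["source"] in ("breaches", "dark_web"):   # matched on registered identifiers
        return norm(f["value"]) in {norm(i) for i in executive["identifiers"]}
    if f["source"] == "news":                     # matched on the executive's name
        return norm(executive["name"]) in norm(f["value"])
    return f.get("executive_id") == executive["id"]  # stealer logs, social media

def risk_score(counts):
    return sum(counts[src] * weight for src, weight in WEIGHTS.items())

def severity(score):
    return next(label for floor, label in BANDS if score >= floor)

def watchlist(executives, findings):
    rows = []
    for e in executives:
        counts = dict.fromkeys(WEIGHTS, 0)
        for f in findings:
            if matches(e, f):
                counts[f["source"]] += 1
        score = risk_score(counts)
        rows.append((e["name"], score, severity(score), counts))
    return sorted(rows, key=lambda r: r[1], reverse=True)  # default sort: Risk descending

# Constructed sample data
EXECUTIVES = [
    {"id": 1, "name": "Alex Rivera", "identifiers": ["alex.rivera@example.com", "arivera"]},
    {"id": 2, "name": "Sam Chen", "identifiers": []},  # no identifiers registered
]
FINDINGS = [
    {"source": "breaches", "value": "Alex.Rivera@example.com"},
    {"source": "breaches", "value": "arivera"},
    {"source": "stealer_logs", "executive_id": 1, "value": "alex.rivera@example.com"},
    {"source": "news", "value": "Alex Rivera named CFO of Example Corp"},
    {"source": "breaches", "value": "s.chen@example.org"},  # real exposure, unregistered email
    {"source": "news", "value": "Interview with Sam Chen"},
]

ROWS = watchlist(EXECUTIVES, FINDINGS)
```

The second executive scores 2 (Low) despite a breached address, because that address was never registered as an identifier and so never joins to the record.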
Understanding the data
Columns
The table is column-customizable (gear/column-customizer in the header). The Executive name column is locked on and always visible; the rest can be hidden.
| Column | What it shows |
|---|---|
| Executive | Name with a colour-coded initials avatar. Always visible. |
| Organization | The organization the executive belongs to (set when added). |
| Risk | Weighted risk score, badge-coloured by severity band (Critical/High/Medium/Low/None). Default sort column, descending. |
| Leaked Creds | Count of leaked credentials needing review for this executive. Links to this executive's detail page, opened to the Credentials tab. |
| Breaches | Count of data-breach findings. Links to Data Breaches, pre-filtered to this executive's identifiers. |
| Stealer Logs | Count of infostealer password entries. Links to Stealer Logs, filtered by executive ID. |
| News | Count of cyber-news mentions. Links to Cyber News, searched on the executive's name. |
| Social Media | Count of social-media findings. Links to Social Media, filtered to the executive. |
| Relevance | A 0–100 relevance-score badge. The list response does not currently populate a score for executives, so this column renders as a dash (—). |
| Status | Monitoring status badge (see below). |
A zero count renders as a muted 0; any non-zero count is a clickable link that opens the source module in a new tab, pre-filtered to that executive.
Monitoring status
Status is a triage state you assign — it is independent of the Risk score. Each executive carries exactly one:
| Status | Meaning |
|---|---|
| Active | Default. The executive is being monitored; no special handling. |
| Under Review | An analyst is currently working this executive's exposure. |
| Escalated | Raised for urgent attention (e.g. forwarded to the executive's office or IR). |
| Resolved | Worked through; exposure addressed or accepted. |
The status tabs at the top filter the list to each state, with a live count badge per tab. Newly-added executives default to Active.
Metrics strip (six KPIs)
| Card | Definition | Clickable |
|---|---|---|
| Total Executives | All executives on your watchlist. | Jumps to the All tab. |
| High Risk | Executives whose score is in the High band or above (≥ 10). | Read-only — no risk filter is exposed. |
| Leaked Credentials | Leaked credentials across all executives still needing review. | Filters the list to executives with leaked credentials. |
| Stealer Logs | Total correlated stealer-log entries across executives. | Filters to executives with stealer logs. |
| News (7d) | Total news mentions correlated across executives. | Read-only. |
| Social Media (7d) | Total social-media findings correlated across executives. | Read-only. |
Why some cards do not filter
High Risk, News, and Social Media are deliberately read-only. There is no risk-level filter exposed and no "has news / has social" filter, so clicking those cards would land you on a set that does not match the headline number. They surface the count without a misleading drill-down. The three that do filter (Leaked Credentials, Stealer Logs, Total) map cleanly to a supported filter.
Analytics panel
Four charts: a 30-Day Exposure Trend line (new leaked credentials per day), a Risk Distribution donut (executives by severity band), a Top 10 Exposed Executives bar (highest-scoring individuals), and Exposure by Type (breaches / stealer logs / dark web / news / social media).
Filtering & search
The search bar supports a free-text query plus structured filters. Available filter fields:
| Filter | Notes |
|---|---|
| Executive | By name. |
| Organization | By the executive's org. |
| Status | Active / Under Review / Escalated / Resolved. |
| Has Leaked Credentials | Executives with leaked credentials. |
| Has Data Breaches | Executives with breach findings. |
| Has Stealer Logs | Executives with stealer-log findings. |
| Info Type | By identifier type (email / username / phone). |
| Created Date | Date range the executive was added. |
| Updated Date | Date range the record last changed. |
| Bookmarked | Your starred executives. |
Two extra toggles sit beside the filters: a Bookmarked star (show only executives you have starred) and an Export button. There is no risk-level filter exposed here — you sort by Risk instead, and narrow exposure with the Has Leaked Credentials / Has Data Breaches / Has Stealer Logs filters.
No "Advanced" rule builder here
Unlike some other modules, Executive Monitoring hides the advanced/CMD rule-group entry point. Use the structured fields above plus free-text search.
Detail view
Click any row to open the detail drawer — a side panel for fast triage without leaving the list. Use the chevrons (or j / k) to move to the next/previous executive, and Esc to close. "Open full page" expands to the standalone detail route.
The drawer header shows the avatar, name, status badge, and a Risk badge. Below it, a quick-metadata block lists Organization and the per-source counts (Leaked Credentials, Breaches, Stealer Logs, News Mentions, Social Media), then a row of status buttons to re-classify the executive inline. The drawer has four tabs:
- Overview — the executive's Personal Information (their registered identifiers) and a Risk Breakdown rationale string that spells out what is driving the score (e.g. "Risk driven by: 2 data breach(es), 5 stealer log(s), 3 news mention(s).").
- Credentials — paginated leaked credentials for this executive: source, date, email, and a masked password indicator. Count shown on the tab.
- Related — real per-executive related items grouped into Breaches, Stealer Logs, News, and Social Media buckets (up to a handful each). Empty buckets are hidden.
- Footprint — the compromise footprint from infostealer logs: counts and 5-row previews across Passwords, Machines, Cookies, Autofills, and Tokens. Cards, Wallets, and History appear greyed as not correlated — those record types do not carry an executive link in the current schema, so they show — rather than a misleading zero.
Taking action
Per-row actions (hover the row) and bulk actions (select rows via the checkboxes) overlap:
| Action | Single row | Bulk |
|---|---|---|
| Change status | More (⋮) menu → Active / Under Review / Escalated / Resolved | Status dropdown in the bulk bar → Apply |
| Bookmark | Star icon | Bookmark button |
| Assign | — | Assign dropdown — search teams/people, assign or clear assignee |
| Share | Share icon | Share button (share-integration modal) |
| Comment | Comment icon (with templates) | — |
| Export | — | Export button (also in the filter bar) |
| Remove | Delete icon | Remove button |
Other controls:
- Add Executive (header) — modal to register one executive: name and organization (both required), plus optional repeatable personal-info rows (email / username / phone) that become the monitoring identifiers.
- Import (header) — CSV bulk import with a downloadable template, a validation preview step (total / valid / errors / duplicates, with per-row error messages), and a confirm step that commits the valid rows.
- Export — kicks off an async Excel export of the current filtered/sorted view via the task queue, with a progress toaster.
Leaked credentials surfaced through an executive can be pushed to the takedown workflow (the module wires into the shared takedown endpoint with an authorization attestation), letting you action exposed credentials rather than just observe them.
Removing an executive
Remove deletes the executive from your watchlist and stops correlation for them. It does not delete the underlying breach, stealer-log, or news findings — those still exist in their own modules. Use status (Resolved) to retire an executive you have finished triaging but want to keep on the list.
Common questions
How do I get an executive onto this page? Add them manually with the Add Executive button, or bulk-import a CSV with Import. Nothing populates automatically — this is an opt-in watchlist.
Why is an executive's risk low even though I know they were breached? Risk is driven by the identifiers you registered. If the breached email isn't on the executive's record, the engine can't correlate it. Open the drawer → Overview and confirm the right emails/usernames/phones are listed. The score is recomputed from current counts every time the page loads, so a brand-new finding shows up the next time you load or refresh the view.
What's the difference between Risk and Status? Risk is computed automatically from exposure counts (you can't set it). Status is the triage state you assign — Active, Under Review, Escalated, Resolved — to track your workflow.
Why can't I filter by risk level? The risk score is computed from threat counts each time the page loads, and a risk-level filter isn't exposed in the filter bar today. You can still sort by Risk and use the Has Leaked Credentials / Has Data Breaches / Has Stealer Logs filters to narrow to exposed executives.
Is "Executive Leaks" a different feature? No. The former Data Leaks → Executive Leaks page was unified into this one; its URLs redirect here. They are the same data and the same view under two nav entries.
Why do the count columns open another module? The counts are per-executive slices of the breach, stealer-log, news, and social modules. Clicking a count opens that module pre-filtered to the executive's identifiers, so you can review the actual findings behind the number.
What does the Footprint tab's "not correlated" mean? Stealer logs carry passwords, machine info, cookies, autofills, and tokens that can be tied to a specific executive. Cards, wallets, and browser history aren't linked to an executive in the current data model, so they're shown greyed with — instead of a count that would always read zero.
Related
- Data Breaches — the source of an executive's Breaches count; the count column drills into it filtered to the executive's identifiers.
- Stealer Logs — feeds the Stealer Logs count and the drawer's Footprint tab.
- Leaked Credentials — broader credential-exposure module; Executive Monitoring tracks the per-executive, needs-review slice.
- Compromised Computers — the infected machines behind stealer-log exposure.
- Cyber News — the source of the News mentions count.
- Social Media — the source of the Social Media count.
- Takedowns — how exposed executive credentials are pushed for removal.
- Severity & Status — how severity bands and triage statuses work across ShadowMap.