Safeguard.sh Documentation Center

Digital Risk Protection & Threat Intel

Roadmap — a threat-intelligence pipeline (ingest, normalize, dedup, enrich, score, age, correlate, disseminate) plus outward-facing digital risk protection for leaked credentials, look-alike domains, and brand impersonation.

Digital Risk Protection & Threat Intel

Roadmap — not yet available. DRP and TIP are planned capabilities documented here for direction. They extend the shipped IOC/feed/actor/hunt store; the new pipeline stages and DRP monitors are not yet available.

Two pillars on one substrate. TIP (Threat Intelligence Platform) turns scattered intel into a real ingest → normalize → dedup → enrich → score → age → correlate → disseminate pipeline. DRP (Digital Risk Protection) is the outward-facing footprint monitor that produces external findings and consumes TIP enrichment. Neither builds a parallel store, and collection is passive and authorized only — no unauthorized access, no scraping behind auth, no offensive action.

TIP — threat intelligence pipeline (planned)

StageWhat it does
IngestSTIX 2.1 / TAXII 2.1 collections plus authorized OSINT feeds, polled incrementally
NormalizeCanonicalize indicators (lowercase punycode domains, canonical IPs, defang→refang)
DedupMerge the same indicator across feeds, keeping per-source provenance
ScoreConfidence from feed reliability, corroboration, recency, and enrichment; actionability from confidence × freshness
AgeExponential decay per indicator type; expired indicators are excluded from dissemination but retained for history
EnrichGeo/ASN, WHOIS, passive DNS, reputation, related campaigns (fail-open on enricher timeout)
MapIndicator → campaign → threat actor; TTP → ATT&CK
CorrelateMatch live indicators against your assets, findings, and telemetry
DisseminateA one-directional pull view consumed by SecOps (real-time IOC match), Package Firewall, and Red Team

The Indicator model extends the existing IOC record rather than forking a new store, and dissemination is pull-only — TIP never writes into a consumer's store.

DRP — digital risk protection (planned)

DRP will continuously monitor your external footprint through authorized sources and emit drp findings:

  • Leaked credentials — dark-web, paste-site, and public-repo exposure, with rotation recommended.
  • Look-alike domains — typosquat, homoglyph, TLD-swap, and combosquat candidates, confirmed via passive DNS and certificate-transparency logs.
  • Brand impersonation — spoof pages, fake mobile apps, and impersonating social accounts.
  • Exposed documents — sensitive documents leaked publicly.
  • Actor chatter — org-targeted discussion from authorized feeds.

Secret redaction (planned invariant)

A raw secret value never enters the store, a log, an export, or a finding. On any leaked-credential or exposed-document hit, DRP computes a non-reversible fingerprint (for dedup and re-detection), stores redacted evidence only (type, masked preview, source, timestamps), and recommends rotation. A collector that cannot redact a value drops it rather than storing it.

Takedown (planned, gated)

Takedown will prepare and submit authorized, human-approved requests only — never automated attacks. A request cannot advance to submitted without a policy pass, a human approver, and non-empty authorization evidence; a kill-switch halts all submissions and every transition is audited.

When it ships

DRP findings will land in the single findings store (drp), with sensitive findings under elevated ACL. Gated by the ff.drp and ff.tip feature flags, with on-prem/air-gap parity via self-hosted feeds.

On this page