Looking into the Abyss: Introducing Kocho Cthulu
A deep dive into dark web monitoring, automated risk scoring, and the brutal reality of plaintext credential exposure.
In the modern cybersecurity landscape, threat actors no longer just break in—they log in. Compromised credentials harvested from public database leaks, phishing portals, and corporate metadata exposures represent the primary vector for unauthorised network access.
To combat this, I built Kocho Cthulu: a high-performance dark web monitoring and credentials audit portal designed to transform raw breach telemetry into surgical security operations.
The Plaintext Reality
The most dangerous threat isn't a complex exploit; it is a valid password. While traditional monitoring tools focus on metadata and "hit" counts, Kocho Cthulu digs into the brutal reality of the leak.
By querying verified global breach indexes and live OSINT proxies, the portal identifies when organisational assets have been exposed in plaintext. Seeing the actual password used in a breach isn't just a "security alert"—it is an immediate call to action. It allows SOC teams to verify the strength of employee passwords and identify dangerous patterns of credential reuse before an attacker attempts a spray or stuffing campaign.
Automated Risk Scoring
Not all leaks are created equal. A username mentioned in a marketing list is a nuisance; a plaintext password leaked from a personal Dropbox account used for corporate access is a critical incident.
Kocho Cthulu implements an automated risk-scoring engine that categorises exposures based on severity:
- Critical: plaintext passwords and active session tokens.
- High: cryptographic hashes (salted or unsalted) and PII that can facilitate targeted social engineering.
- Medium/Low: metadata leaks and general corporate aliases.
This automated prioritisation ensures that security engineers aren't drowning in noise. They focus on the "red" hits that represent a direct path into the perimeter.
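To make the tiering and the credential-reuse check above concrete, here is an added example. It is my own illustration for this post, not Kocho Cthulu's code: the severity tiers are the ones listed above, but the numeric weights, the record layout, and the domain-level index formula are assumptions made for the example. The breach records are constructed.

```python
"""Risk-scoring and credential-reuse triage over breach records.

Added example for this post, not Kocho Cthulu's own code. The tiers
(critical / high / medium / low) follow the post; the weights, the record
layout and the domain-level index formula are assumptions for the example.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Tier per exposure kind as described in the post; the weights are assumed.
SEVERITY = {
    "plaintext_password": ("critical", 10),
    "session_token": ("critical", 10),
    "password_hash": ("high", 6),
    "pii": ("high", 6),
    "metadata": ("medium", 2),
    "alias": ("low", 1),
}


@dataclass
class Exposure:
    alias: str                    # exposed identity, e.g. a corporate e-mail
    kind: str                     # one of the SEVERITY keys
    source: str                   # breach or feed the record came from
    secret: Optional[str] = None  # plaintext password, if the leak contained one


def score_exposure(exp: Exposure) -> tuple:
    """Map one record to (tier, weight); unknown kinds default to low."""
    return SEVERITY.get(exp.kind, ("low", 1))


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so reuse can be reported without echoing the password."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_reuse(exposures) -> dict:
    """Return {fingerprint: [aliases]} for passwords seen on more than one alias."""
    seen = defaultdict(set)
    for e in exposures:
        if e.kind == "plaintext_password" and e.secret:
            seen[fingerprint(e.secret)].add(e.alias)
    return {fp: sorted(aliases) for fp, aliases in seen.items() if len(aliases) > 1}


def domain_exposure_index(exposures) -> int:
    """Assumed formula: sum of weights plus 5 per reused password, capped at 100."""
    base = sum(score_exposure(e)[1] for e in exposures)
    reuse_penalty = 5 * len(find_reuse(exposures))
    return min(100, base + reuse_penalty)


def triage(exposures) -> dict:
    """Count hits per tier, order them 'red' first, and attach reuse and the index."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    hits = []
    for e in exposures:
        tier, weight = score_exposure(e)
        counts[tier] += 1
        hits.append((weight, e.alias, tier, e.kind, e.source))
    hits.sort(reverse=True)
    return {
        "counts": counts,
        "hits": hits,
        "reuse": find_reuse(exposures),
        "index": domain_exposure_index(exposures),
    }


# Constructed sample records for one domain (not real breach data).
SAMPLE = [
    Exposure("alice@example.com", "plaintext_password", "combo-list-2023", "Summer2023!"),
    Exposure("alice@example.com", "plaintext_password", "forum-dump", "Summer2023!"),
    Exposure("bob@example.com", "plaintext_password", "combo-list-2023", "Summer2023!"),
    Exposure("bob@example.com", "password_hash", "old-cms-breach"),
    Exposure("carol@example.com", "pii", "hr-vendor-leak"),
    Exposure("dave@example.com", "metadata", "marketing-list"),
    Exposure("erin@example.com", "session_token", "stealer-log"),
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("Exposure index:", report["index"])
    print("Hits per tier:", report["counts"])
    for weight, alias, tier, kind, source in report["hits"]:
        print(f"  [{tier:8}] {alias:20} {kind:18} via {source}")
    for fp, aliases in report["reuse"].items():
        # Only the fingerprint is printed, never the password itself.
        print(f"  reuse {fp}: {', '.join(aliases)}")
```

Two design points worth noting. Hits are sorted by weight so the critical records surface first, which is the prioritisation the post describes. Reuse detection compares fingerprints rather than the raw strings, so the triage output can be shared with a manager or pasted into a ticket without the plaintext travelling with it; the analyst who needs the actual value can still look it up in the source record.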
The Abyss Executive Report
Raw threat data is only valuable if it leads to executive buy-in and swift remediation. I built the Abyss Executive Report to bridge the gap between technical forensics and corporate risk management.
Designed with a high-contrast, editorial aesthetic, these reports are more than just exports—they are branded intelligence documents. They provide:
- System exposure index: a mathematical risk score for the entire domain.
- Colour-coded forensics: clear visualisations of exposure types.
- Remediation runbook: a step-by-step checklist for the SOC, from triggering Entra ID password rotations to revoking active refresh tokens.
It turns a complex dark web investigation into a printable, one-page brief that an engineering manager can hand to a CIO to justify immediate emergency changes.
Portal Oversight and Telemetry
The portal functions as a unified command centre for credential intelligence:
- Verified domain audits: instant queries across corporate domains to retrieve individual compromised aliases.
- Interactive threat feed: live-updating streams of malware distribution centres and botnet command channels, powered by URLhaus proxies.
- Visual telemetry: responsive graphs that map the evolution of a domain's exposure over time, allowing teams to track the effectiveness of their security awareness programmes.
Argus Integration
As part of the Argus enterprise monitoring toolkit, Kocho Cthulu doesn't sit in a silo. When a critical exposure is detected, it triggers a proactive alert card directly into Microsoft Teams. With role-based security groups (executive RBAC) managing access via Microsoft Entra ID, the intelligence remains secure, restricted, and actionable.
Become greater. Protect your perimeter. Step out of the dark.
Ready to audit your domain? Navigate to the Kocho Cthulu panel on your Insights Hub to scan the abyss.