



In the summer of 2025, a large Indian NBFC discovered that over 40,000 customer records — including PAN numbers, Aadhaar-linked mobile numbers, and loan account details — had been circulating on a Telegram channel and a dark web forum for nearly three months before the organisation’s internal security team had any idea. The breach had originated from a third-party vendor’s compromised VPN credentials, listed for sale on a well-known cybercriminal marketplace for the equivalent of ₹12,000.
This is not an isolated story. It is playing out across Indian banks, insurance companies, manufacturing conglomerates, and government-adjacent enterprises every quarter. The adversaries move first — and the gap between when a breach occurs and when your security team knows about it is where the real damage compounds.
Dark web monitoring and threat intelligence are no longer optional luxuries reserved for Fortune 500 companies. For Indian enterprises navigating the DPDP Act’s strict breach-reporting obligations, they are fast becoming operational necessities.
The dark web is a collection of websites and marketplaces accessible only through anonymising networks such as Tor or I2P. It operates outside standard search indexing and hosts a thriving underground economy in stolen credentials, compromised access, financial data, and corporate espionage materials. Alongside the dark web, threat actors also operate on semi-open platforms: Telegram channels, closed Discord servers, Russian-language criminal forums, and paste sites where data dumps are advertised or shared freely.
For Indian enterprises, the threat surfaces are specific and serious:
CERT-In’s 2025 Annual Report noted that credential theft and data exfiltration collectively accounted for over 38% of significant cyber incidents reported by Indian organisations. The DPDP Act, meanwhile, now mandates breach notification within a defined window — making early detection not just a security best practice but a legal requirement.
Effective dark web monitoring is not a simple Google Alert for your company name. It requires a combination of automated crawling, human intelligence (HUMINT) from analysts embedded in closed forums, and structured threat feeds that can be actioned by your security operations team.
Automated systems continuously ingest stealer log marketplaces and paste sites, hashing harvested usernames and email addresses against your organisation’s known email domains. When a match is found — say, an employee’s corporate credentials appearing in a stealer log dump — the SOC is alerted in near real-time. The response: force-reset the compromised account, revoke active sessions, and investigate the endpoint for malware before the threat actor can use the access.
Beyond credentials, monitoring covers structured data patterns — PAN formats, GSTIN prefixes, IBAN patterns tied to Indian banks, and custom regular expressions for proprietary document types. If a paste or forum post contains data matching these patterns alongside your domain or brand name, an alert fires.
Analysts monitoring criminal forums can identify when network access to your organisation — or your industry vertical in a specific geography — is being advertised for sale. This intelligence, when acted upon quickly, can allow you to identify and close the access vector before ransomware is deployed. The window between an IAB listing and a ransomware payload being executed is typically 24–72 hours. A monitored enterprise can respond; an unmonitored one cannot.
Newly registered domains that are typographically similar to yours (homoglyph attacks, combosquatting), phishing kits containing your brand’s login page, and social media impersonation accounts are flagged and can be actioned through takedown services.
Your vendors, integration partners, and cloud SaaS providers are attack vectors into your environment. Dark web monitoring that extends to your key third parties — flagging their credential exposures and breach indicators — gives you early warning of supply chain risk before it becomes your incident.
Raw dark web intelligence without an operational workflow to action it is noise. The value is realised only when threat intelligence feeds are integrated with your Security Information and Event Management (SIEM) platform, your identity governance controls, and your incident response playbooks.
Industry-standard threat intelligence is distributed in STIX (Structured Threat Information eXpression) format over TAXII (Trusted Automated eXchange of Intelligence Information) channels. Indicators of Compromise (IOCs) — malicious IP addresses, command-and-control (C2) domains, file hashes of known malware — can be ingested directly into platforms like FortiSIEM, enabling automatic correlation against your environment’s log data. When your firewall logs show a connection attempt to a known C2 IP that arrived via a threat intel feed six hours ago, FortiGate can block it and FortiSIEM can trigger an investigation workflow, all without human intervention.
Fortinet’s FortiGuard Labs operates one of the world’s largest threat intelligence networks, processing billions of security events daily from its global sensor network. FortiGate NGFW customers benefit from this intelligence automatically: FortiGuard’s IP Reputation, Web Filtering, Antivirus, and Intrusion Prevention (IPS) subscriptions push updated threat signatures and block lists continuously. This is real-time, operationalised threat intelligence — the kind that stops known-bad traffic without requiring your team to manually update blocklists.
For Indian enterprises running FortiGate as their perimeter defence, this means you are already benefiting from global threat intelligence. The gap, for most organisations, is in the dark web and human-intelligence layer — the monitoring of your specific brand, credentials, and data exposure that requires targeted, domain-specific monitoring beyond what a global platform can provide out of the box.
Threat intelligence must map to your incident response playbooks. For each intelligence type, define:
India’s Digital Personal Data Protection Act creates a firm obligation on Data Fiduciaries to notify the Data Protection Board and affected data principals in the event of a personal data breach. While the precise notification timeline will be specified in forthcoming rules, regulatory guidance and CERT-In’s existing 6-hour reporting requirement for significant incidents together create a very short window to act.
Dark web monitoring directly supports DPDP compliance in two ways:
CISOs who appear before the Data Protection Board after a breach with evidence of a proactive monitoring programme, defined response playbooks, and timely internal escalation will be in a materially stronger position than those who had no visibility into the exposure until it was reported externally.
Minimum viable threat intelligence for Indian enterprises (FY 2026–27)
Building an in-house threat intelligence capability is expensive and talent-intensive. It requires analysts who are fluent in the criminal underground, able to operate safely in dangerous forums, and skilled at converting raw intelligence into actionable SOC workflows. Most Indian enterprises — even large ones — do not have this capability in-house.
Managed Security Service Providers (MSSPs) with dedicated threat intelligence practices offer a cost-effective alternative: the monitoring infrastructure, analyst coverage, and integration expertise, delivered as a service with defined SLAs. For organisations that have already invested in FortiGate and FortiAnalyzer, an MSSP that is deeply familiar with the Fortinet ecosystem can integrate threat intelligence directly into existing controls without a rip-and-replace of the security stack.
The economics are straightforward: the cost of a managed threat intelligence subscription is a fraction of the average cost of a data breach in India, which industry estimates now place in the ₹15–20 crore range when regulatory fines, breach response costs, and reputational damage are factored in.
The shift from reactive to predictive security is the defining challenge for Indian enterprise CISOs in 2026. Threat intelligence and dark web monitoring are the operational foundation of that shift — giving your SOC visibility into the adversary’s preparation phase, not just the execution phase.
Indian enterprises that invest in this capability now — integrating it with their FortiGate infrastructure, their SIEM, and their incident response playbooks — will be materially better positioned to meet their DPDP Act obligations, reduce their breach costs, and defend against an adversary ecosystem that is increasingly sophisticated and India-focused.
The dark web is where your next breach is being planned. The question is whether you will know about it before — or after — the adversary acts.
PJ Networks operates a 24/7 NOC/SOC with integrated threat intelligence capabilities, dark web monitoring, and FortiGuard-powered threat feeds. Our managed security practice helps Indian enterprises build predictive defences without the overhead of building an in-house intelligence team. Speak with our security architects to understand how we can extend your visibility into the adversary’s world.