DarkFlash Incidents
Every DarkFlash detection is surfaced as an incident in the CyberXTron platform. This page explains how to view, manage, and respond to DarkFlash incidents.
Viewing Incidents
Via Dashboard
Log in to app.cyberxtron.com and navigate to DarkFlash → Incidents to see all detections in your workspace. You can filter by:
- Severity (Critical, High, Medium, Low)
- Status (Open, In Progress, Resolved)
- Type (Credential Leak, Data Breach, Ransomware, etc.)
- Date range
Via API
Retrieve incidents programmatically using the Incidents API:
```bash
# List all DarkFlash incidents
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://incidents.cyberxtron.com/api/v1/darkflash/incidents"

# Filter by keyword and status
curl \
  -H "XTRON-ORG-KEY: your_org_key" \
  -H "XTRON-ORG-SECRET: your_org_secret" \
  "https://incidents.cyberxtron.com/api/v1/darkflash/incidents?keyword=example.com&status=Open&severity=Critical"
```
→ Full Incidents API Reference
Incident Fields
| Field | Type | Description |
|---|---|---|
| id | integer | Unique numeric ID |
| title | string | Short description of the detection |
| taskKey | string | Ticket key (e.g., DFINC-123) |
| status_statusCd | string | Open, In Progress, Closed |
| severity_label | string | Critical, High, Medium, Low |
| category_name | string | Detection category |
| taskType_name | string | Specific incident type |
| description | string | Full details with context |
| keyword | string | The monitored keyword that triggered this detection |
| publisher_source | string | Where the data was found (dark web forum, Telegram, etc.) |
| retrieved_data | string | Raw data excerpt from the source |
| impact | string | Impact description |
| recommendation | string | Suggested remediation action |
| createdDt | integer | Creation Unix timestamp |
| updatedDt | integer | Last update Unix timestamp |
Incident Types and Response Guidance
Credential Leak
Employee credentials found in a breach database or stealer log.
Immediate actions:
- Identify the affected account(s)
- Force a password reset for the affected user
- Check for reuse — verify the same password isn't used on other systems
- Review login logs for unauthorized access using the exposed credential
- Notify the affected employee
Data Breach Mention
Your organization's data referenced in a breach announcement or being sold.
Immediate actions:
- Assess the scope — what data was involved
- Initiate your data breach response procedure
- Engage legal and compliance teams if PII is involved
- Notify affected customers if required by regulation
Ransomware Listing
Your organization named on a ransomware group's leak site.
Immediate actions:
- Activate your incident response plan immediately
- Engage your security team and executive leadership
- Preserve all evidence — do not power off systems until forensics are conducted
- Contact law enforcement if appropriate
Access Sale (Initial Access Broker)
Credentials or network access to your infrastructure listed for sale.
Immediate actions:
- Treat as a confirmed compromise until proven otherwise
- Force-rotate credentials for all accounts matching the listed access type
- Review authentication logs for the affected systems
- Engage your IR team or a third-party forensics provider
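The following Python is an added example, not CyberXTron code: it turns incident records into a triage queue ordered by severity and age, and attaches the first immediate action from the guidance above. It assumes records are flat dicts keyed by the names in the Incident Fields table, that `taskType_name` contains the type names used in the headings above, and that timestamps may arrive in seconds or milliseconds; the sample records are constructed.

```python
from datetime import datetime, timezone

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# First "immediate action" from this page per incident type, matched on a
# substring of taskType_name (assumption: exact API strings are not documented).
FIRST_ACTION = {
    "ransomware": "Activate your incident response plan immediately",
    "access sale": "Treat as a confirmed compromise until proven otherwise",
    "credential": "Identify the affected account(s)",
    "breach": "Assess the scope: what data was involved",
}

def seconds(ts):
    """Normalize a Unix timestamp; values too large for seconds are read as ms."""
    return ts / 1000 if ts > 10**11 else ts

def to_utc(ts):
    moment = datetime.fromtimestamp(seconds(ts), tz=timezone.utc)
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")

def triage(incidents):
    """Unclosed incidents, most severe first, oldest first within a severity."""
    todo = [i for i in incidents if i.get("status_statusCd") != "Closed"]
    # Unknown severity labels rank with Critical so they are never buried.
    todo.sort(key=lambda i: (SEVERITY_RANK.get(i.get("severity_label"), 0),
                             seconds(i["createdDt"])))
    queue = []
    for inc in todo:
        kind = inc.get("taskType_name", "").lower()
        action = next((a for k, a in FIRST_ACTION.items() if k in kind),
                      inc.get("recommendation") or "Review manually")
        # retrieved_data is deliberately not copied: it can hold raw secrets and
        # this summary is meant for tickets or chat channels.
        queue.append({"taskKey": inc["taskKey"], "severity": inc.get("severity_label"),
                      "created": to_utc(inc["createdDt"]), "keyword": inc.get("keyword"),
                      "first_action": action})
    return queue

# Constructed sample records using the field names from the Incident Fields table.
SAMPLE = [
    {"taskKey": "DFINC-101", "status_statusCd": "Open", "severity_label": "High", "taskType_name": "Credential Leak", "keyword": "example.com", "retrieved_data": "user@example.com:<redacted>", "createdDt": 1700000000},
    {"taskKey": "DFINC-102", "status_statusCd": "In Progress", "severity_label": "Critical", "taskType_name": "Ransomware Listing", "keyword": "example.com", "createdDt": 1700003600000},
    {"taskKey": "DFINC-103", "status_statusCd": "Closed", "severity_label": "Critical", "taskType_name": "Data Breach Mention", "keyword": "example.com", "createdDt": 1699990000},
    {"taskKey": "DFINC-104", "status_statusCd": "Open", "severity_label": "High", "taskType_name": "Access Sale (Initial Access Broker)", "keyword": "example.com", "createdDt": 1699999000},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```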
Updating Incident Status
Update incident status via the CyberXTron dashboard under DarkFlash → Incidents → [incident] → Update Status.
Notifications
Configure how you receive DarkFlash incident alerts under Settings → Notifications:
- Email — Per incident or daily digest
- Webhook — POST to your endpoint for each new incident
- Slack — Alert to a designated security channel