Kobe Shwartz, CEO of Underdark, is redefining the cyber threat intelligence market by emphasizing direct human engagement with threat actors on the dark web, a stark contrast to the predominantly automated and AI-assisted approaches favored by larger competitors. In an exclusive interview with CB Insights, Shwartz articulated Underdark’s distinctive strategy, highlighting how their "human intelligence" model offers unparalleled depth and accuracy in a rapidly evolving digital underworld. This strategic divergence positions Underdark as a crucial player for organizations seeking more than just surface-level monitoring, aiming to provide actionable insights derived from genuine human interaction within the clandestine corners of the internet.
Defining the Market and Underdark’s Niche
The cyber threat intelligence (CTI) and dark web monitoring market is a complex and increasingly vital sector for global cybersecurity. It encompasses a wide range of services aimed at identifying, analyzing, and mitigating digital threats that originate from various sources, including state-sponsored actors, cybercriminal organizations, and hacktivist groups. The dark web, a hidden part of the internet accessible only through specialized software, serves as a primary hub for illicit activities, including the trading of stolen data, malware, and the planning of sophisticated cyberattacks.
Within this landscape, Underdark operates by focusing on a core methodology: human intelligence (HUMINT). Shwartz explained that while many established players in the CTI space, such as Recorded Future, Digital Shadows (now part of ReliaQuest), Flashpoint, and Cyberint, largely rely on automated crawlers and AI to scan the dark web for data and indicators of compromise, Underdark’s approach is fundamentally different. "Many of those companies are primarily engaged with automation and monitoring the dark web via crawlers," Shwartz stated. "The difference between them and us is that they’re mostly using humans assisted by AI to do the job, while what we do is called human intelligence, where we go into the dark web and engage the threat actors personally. This is our core service."
This distinction is crucial. Automated systems can gather vast amounts of data, but they often struggle to interpret context, understand intent, or uncover the nuanced motivations behind threat actor activities. Underdark’s model involves their own personnel actively participating in or observing discussions and transactions within dark web forums and marketplaces. This allows them to build relationships, extract information through direct engagement, and gain a deeper understanding of emerging threats, attack methodologies, and the individuals or groups behind them. "We don’t do automated collection of data – what we sell is the human interaction. All we do is engage with threat actors and obtain intelligence and information for our customers based on this human interaction," Shwartz emphasized. This human-centric approach allows for the collection of high-fidelity, actionable intelligence that automated systems may miss.
The Evolving Threat Landscape and the Need for Deeper Intelligence
The global cybersecurity threat landscape has undergone a dramatic transformation in recent years. The sophistication and frequency of cyberattacks continue to escalate, driven by factors such as the increasing digitization of businesses, the proliferation of remote work, and the growing availability of advanced hacking tools and services on the dark web. According to industry reports, the average cost of a data breach reached $4.35 million in 2022, an increase of 12.7% from 2020, highlighting the immense financial and operational risks organizations face.
The dark web, in particular, has become a fertile ground for cybercriminals. It hosts marketplaces where stolen credentials, credit card numbers, personally identifiable information (PII), and even access to compromised systems are readily available for purchase. Furthermore, it serves as a platform for the development and distribution of malware, ransomware-as-a-service (RaaS) operations, and the coordination of complex cybercrime syndicates. Understanding the dynamics of these illicit communities is paramount for effective defense.
Traditional CTI often focuses on identifying known threats, such as specific malware strains, IP addresses associated with malicious activity, or compromised domains. While valuable, this approach can be reactive. Shwartz’s emphasis on direct engagement with threat actors suggests a proactive strategy aimed at uncovering nascent threats, understanding future attack vectors, and identifying the key players before they launch their operations. This "inside" perspective is particularly valuable in a landscape where attackers are constantly innovating and adapting their tactics.
Supporting Data and Industry Trends
The growth of the CTI market underscores the increasing demand for sophisticated threat intelligence solutions. Market research indicates that the global cyber threat intelligence market was valued at approximately $15.1 billion in 2022 and is projected to grow at a compound annual growth rate (CAGR) of over 13% from 2023 to 2030, reaching an estimated $39.4 billion by 2030. This expansion is fueled by several factors:
- Rising Sophistication of Cyberattacks: Advanced Persistent Threats (APTs), ransomware, and nation-state-sponsored attacks require more advanced intelligence to counter.
- Regulatory Compliance: Increasing data privacy regulations (e.g., GDPR, CCPA) mandate robust security measures, including proactive threat intelligence.
- Cloud Adoption: The shift to cloud environments introduces new vulnerabilities that require specialized threat monitoring.
- Proliferation of IoT Devices: The vast and often insecure network of IoT devices creates new attack surfaces.
Within this market, there’s a growing recognition of the limitations of purely automated solutions. While AI and machine learning are indispensable for processing vast datasets and identifying patterns, they often lack the contextual understanding and nuanced interpretation that human analysts provide. The ability to discern genuine threats from noise, understand the motivations behind an attack, and predict future actions requires a level of cognitive ability that current AI is still developing.

Underdark’s focus on HUMINT directly addresses this gap. By cultivating human sources and engaging directly with individuals operating in the threat ecosystem, they can gather intelligence that is often qualitative, context-rich, and predictive. This type of intelligence can inform strategic decision-making, allowing organizations to prioritize defenses, understand potential adversaries, and anticipate attacks before they materialize. For instance, understanding the chatter around a new exploit being developed on a dark web forum, or identifying a new group coalescing with the intent to target a specific industry, is invaluable.
Chronology and Evolution of Dark Web Monitoring
The practice of monitoring the dark web for cybersecurity intelligence is not entirely new, but its sophistication and adoption have evolved significantly.
- Early Days (Late 1990s – Early 2000s): The dark web was primarily a fringe space, and monitoring was largely manual and ad-hoc, often by independent researchers or law enforcement agencies with specific investigations.
- Emergence of Commercial CTI (Mid-2000s – Early 2010s): As cyber threats became more industrialized, companies began offering basic dark web monitoring services, often focused on brand protection and identifying stolen data. These services were still heavily reliant on keyword searches and automated scraping.
- Rise of Automation and AI (Mid-2010s – Present): The advent of more powerful AI and machine learning tools allowed for more sophisticated automated crawling and analysis of dark web content. Companies like Recorded Future and Digital Shadows emerged as leaders in this space, offering comprehensive platforms for data collection and analysis.
- Focus on Human Intelligence (Late 2010s – Present): Recognizing the limitations of purely automated approaches, some firms began to incorporate human analysts more deeply into their workflows. This led to the development of hybrid models. Underdark represents a further evolution, prioritizing direct human engagement as the core differentiator.
Shwartz’s description of Underdark’s strategy suggests they are positioning themselves at the cutting edge of this evolution. Their model is not merely an augmentation of existing automated processes but a fundamental reorientation towards the human element in intelligence gathering. This approach likely requires a different set of skills and resources, including individuals who can navigate complex social dynamics within illicit online communities, possess language proficiency, and demonstrate exceptional discretion and analytical acumen.
Broader Implications and Future Outlook
Underdark’s distinct approach to cyber threat intelligence has several significant implications for the broader cybersecurity industry and for organizations seeking to protect themselves from advanced threats.
Firstly, it highlights the persistent value of human expertise in an increasingly automated world. While AI can process data at scale, it often struggles with interpretation, contextual understanding, and the subtle nuances of human communication and intent. In the clandestine world of the dark web, where deception, misdirection, and coded language are commonplace, human analysts can cut through the noise and identify genuine threats.
Secondly, Underdark’s strategy could push the boundaries of what is considered actionable intelligence. By engaging directly with threat actors, they may uncover not just current threats but also emerging trends, new attack methodologies, and the motivations behind cybercriminal activities. This proactive intelligence can empower organizations to build more resilient defenses, allocate resources more effectively, and anticipate future challenges. For instance, understanding the development of novel phishing kits or the emergence of a new ransomware strain before it becomes widespread can save countless organizations from significant damage.
Thirdly, the success of Underdark’s model could lead to greater investment in HUMINT capabilities within the CTI sector. As more organizations recognize the limitations of automated solutions, there may be a shift towards recruiting and training individuals with the specialized skills required for effective human intelligence gathering. This could create new career paths and demand for a unique blend of technical, analytical, and interpersonal skills.
The ethical considerations and risks associated with direct engagement on the dark web are also noteworthy. Such operations require rigorous protocols to ensure the safety of personnel, maintain legal compliance, and avoid inadvertently aiding or abetting criminal activities. Shwartz’s emphasis on "human intelligence" suggests a disciplined and strategic approach to these challenges.
Looking ahead, the cyber threat landscape will continue to evolve, with adversaries becoming more sophisticated and the digital realm becoming more interconnected. Companies like Underdark, with their innovative and human-centric approach, are poised to play a critical role in helping organizations navigate this complex and dangerous environment. Their ability to extract deep, contextualized intelligence from the dark web through direct engagement offers a compelling value proposition for those seeking to stay ahead of the curve in cybersecurity. As the market matures, the distinction between automated data collection and genuine human-driven intelligence will likely become a key differentiator for success.
