
At Cisco Live Melbourne, the Security Operations Centre (SOC) served as a real-world proving ground for the power of integrated security solutions. A standout demonstration was the use of StealthMole—an AI-powered dark web threat intelligence platform—in conjunction with Cisco XDR. This integration enabled SOC analysts to rapidly identify compromised user credentials associated with malicious external IP addresses, enhancing both detection and response.

StealthMole is an advanced threat intelligence platform that leverages AI to deliver real-time insights from the dark web. It excels at uncovering compromised credentials, data leaks, and other cyber threats that may not be visible through surface-level monitoring.

Cisco XDR’s open integration framework allows seamless connectivity with third-party tools such as StealthMole. By combining these capabilities, the SOC team at Cisco Live Melbourne was able to enrich investigations with dark web intelligence, correlating incidents with leaked or compromised credentials for improved context.


  1. Alert Generation — Cisco XDR detected suspicious activity originating from internal IP addresses communicating with a known malicious external IP. This external IP had already been flagged in Cisco XDR’s threat intelligence feeds for suspicious behavior.
  2. Enrichment with StealthMole Intelligence — Using the integrated StealthMole module, SOC analysts retrieved additional intelligence related to the flagged external IP. StealthMole revealed that this IP was associated with compromised user credentials, which had been identified on the dark web.
  3. Correlation and Analysis — With this new context, analysts examined the relationship between the compromised credentials and the internal assets involved. StealthMole data provided insight into the associated domains and extent of credential exposure, allowing the SOC to map potential attack vectors.

The integration of StealthMole and Cisco XDR illustrates how open frameworks let SOC teams draw on specialized threat intelligence, resulting in faster and better-informed responses to threats. By combining real-time dark web monitoring with robust detection capabilities, the team was able to identify credential exposure events that might otherwise have gone unnoticed.

Upon confirming the compromise, SOC analysts initiated response protocols. This included alerting impacted users, enforcing credential resets, and strengthening monitoring on affected endpoints. The integration with StealthMole provided the necessary context to take decisive and targeted action, showcasing the value of combining best-in-class tools within a unified security architecture.

  • Scenario: Internal user credentials are detected in cleartext on a dark web forum, with matching indicators in Cisco XDR.
  • Action: The integration immediately alerts analysts, correlates the incident, and initiates credential reset workflows.
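The three-step workflow above (alert on internal hosts talking to a flagged external IP, enrich that IP with dark-web credential intelligence, correlate the exposed accounts with the internal assets involved) and the scenario/action pair just listed can be sketched in a few dozen lines. The following is an added example written for this post; it is not Cisco XDR or StealthMole code. The flow-log lines, the flagged-IP feed, the enrichment records and the asset inventory are all constructed, and the `DARK_WEB_INTEL` lookup is a hypothetical stand-in for whatever a credential-leak intelligence service would return, not StealthMole's actual API or data.

```python
"""Alert -> enrich -> correlate, in miniature (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

# Constructed flow records (sample data, not real telemetry). Internal hosts use
# RFC 1918 space; the external addresses come from the RFC 5737 documentation range.
FLOW_LOGS = [
    "2025-03-12T09:14:03Z src=10.10.4.21 dst=203.0.113.45 dport=443 bytes=18422",
    "2025-03-12T09:14:09Z src=10.10.4.37 dst=198.51.100.8 dport=443 bytes=902",
    "2025-03-12T09:15:41Z src=10.10.7.5 dst=203.0.113.45 dport=8080 bytes=51200",
    "2025-03-12T09:16:02Z src=10.10.4.21 dst=203.0.113.45 dport=443 bytes=7730",
]

# Constructed feed standing in for the external IPs XDR has already flagged.
FLAGGED_EXTERNAL_IPS = {"203.0.113.45"}

# Constructed dark-web enrichment results keyed by external IP. This only mimics the
# *shape* of an answer from a credential-leak intelligence service; it is a
# hypothetical stand-in, not StealthMole's API or data.
DARK_WEB_INTEL = {
    "203.0.113.45": [
        {"account": "a.chen@example.com", "domain": "example.com", "source": "forum dump 2025-02"},
        {"account": "r.patel@example.com", "domain": "example.com", "source": "forum dump 2025-02"},
        {"account": "ops@partner.example.net", "domain": "partner.example.net", "source": "paste site"},
    ]
}

# Constructed asset inventory: internal host -> primary user account.
ASSET_OWNERS = {
    "10.10.4.21": "a.chen@example.com",
    "10.10.4.37": "m.ortiz@example.com",
    "10.10.7.5": "svc-build@example.com",
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(lines):
    """Parse the constructed flow-log format into dicts; malformed lines are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["bytes"] = int(d["bytes"])
            flows.append(d)
    return flows


def generate_alerts(flows, flagged_ips):
    """Step 1: private-range sources talking to a flagged external IP, grouped by that IP."""
    alerts = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f["src"]).is_private and f["dst"] in flagged_ips:
            alerts[f["dst"]].append(f)
    return dict(alerts)


def enrich(external_ip, intel=DARK_WEB_INTEL):
    """Step 2: fetch the credential exposures linked to the IP (mocked lookup)."""
    return intel.get(external_ip, [])


def correlate(alerts, asset_owners=ASSET_OWNERS, intel=DARK_WEB_INTEL):
    """Step 3: tie exposed accounts back to the internal hosts seen in the alerts."""
    report = {}
    for ext_ip, flows in alerts.items():
        exposures = enrich(ext_ip, intel)
        exposed_accounts = {e["account"] for e in exposures}
        internal_hosts = sorted({f["src"] for f in flows})
        # Hosts whose primary user appears in the leak get extra monitoring first.
        priority = [h for h in internal_hosts if asset_owners.get(h) in exposed_accounts]
        report[ext_ip] = {
            "internal_hosts": internal_hosts,
            "exposed_domains": sorted({e["domain"] for e in exposures}),
            "credential_resets": sorted(exposed_accounts),
            "priority_endpoints": priority,
        }
    return report


def run_investigation(lines=FLOW_LOGS, flagged=FLAGGED_EXTERNAL_IPS):
    """Run the full pipeline over the constructed data and return the report."""
    return correlate(generate_alerts(parse_flows(lines), flagged))


if __name__ == "__main__":
    for ip, r in run_investigation().items():
        print(ip, r)
```

The report separates two lists on purpose: every leaked account tied to the IP goes into `credential_resets`, while `priority_endpoints` holds only the internal hosts whose owner is among those accounts, which is where tightened endpoint monitoring pays off first. In the constructed data, `10.10.7.5` still talked to the flagged IP but its service account is not in the leak, so it is an alerted host rather than a priority one; that distinction is what the correlation step adds over the raw alert.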

SOC teams should regularly review and update their integrations to ensure the most up-to-date intelligence is available, and always validate findings with multiple sources before taking action.

By leveraging integrated threat intelligence, SOCs can gain the visibility needed to stay ahead of evolving cyber threats, as shown at Cisco Live Melbourne.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.



Authors

Cam Dunn

Solutions Engineer

GSSO Acceleration Solutions