The dark web appears in cybersecurity discussions with a frequency that has made it feel more mythological than practical. In reality, it is a specific technical environment with a specific role in the criminal ecosystem — and for small and medium-sized businesses, understanding it has direct operational relevance.
This guide explains what the dark web actually is, what appears there that is relevant to your business, and what organisations can do to monitor their exposure.
The Three Layers of the Web
Understanding the dark web requires a brief detour through how the web is structured. The surface web is what you reach through a standard browser and search engine: websites that are publicly indexed and accessible. This represents a relatively small fraction of all web content.
The deep web is everything that is not publicly indexed: webmail, banking portals, private databases, subscription services, internal company systems. It's not hidden in any nefarious sense — it's simply not in Google's index. The majority of web content is deep web.
The dark web is a subset of the deep web that requires specific software — most commonly the Tor browser — to access. Tor routes traffic through multiple relays, obscuring the origin and destination of connections. This anonymity has legitimate uses — journalists communicating with sources, activists in oppressive regimes, privacy researchers — but it also makes the dark web the preferred environment for criminal activity that depends on anonymity: drug markets, weapons sales, fraud services, and the trade in stolen data.
What Ends Up on the Dark Web That Affects Your Business
Credential Dumps
When a service is breached — a SaaS platform your staff use, a supplier's customer portal, even a personal service that shares a password with work accounts — the stolen usernames and passwords are aggregated and sold on dark web marketplaces. These credential dumps are enormous: the Have I Been Pwned database, which indexes publicly disclosed breaches, contains billions of records. Criminal buyers use these credentials in automated attacks against corporate systems — a technique called credential stuffing — testing them at scale against email platforms, VPN gateways, and business applications.
If a member of your staff used their work email address and a recycled password on a breached consumer service, your business has an exposure that you may be entirely unaware of until a criminal uses those credentials to access your systems.
Business Data for Sale
Following a breach, stolen data is frequently offered for sale on dark web forums before — or instead of — a ransom demand. Client records, financial data, intellectual property, and internal communications are all commercially valuable to the right buyer. For organisations in sensitive sectors, the buyer may not be a criminal looking to commit fraud — it may be a competitor or a state actor looking for intelligence.
Phishing Kits and Attack Infrastructure
Ready-made phishing kits (full replicas of legitimate websites with automated credential harvesting built in) are sold for tens of pounds. Attack infrastructure, including compromised servers to host them, is available on subscription. The barrier to launching a targeted phishing campaign against your organisation or your clients has never been lower, because the tools are commercially available to anyone willing to pay.
Access Listings
One of the most significant developments in the criminal marketplace in recent years is the sale of network access. Criminal groups that specialise in initial access — getting into a network — sell that access to other groups who specialise in monetising it, typically via ransomware or data theft. These "access broker" listings describe the compromised organisation (by sector and revenue rather than name), the type of access available, and the asking price. Your network may currently be listed for sale on a dark web marketplace without your knowledge.
Dark Web Monitoring: What It Is and What It Can Do
Dark web monitoring is the practice of continuously scanning dark web marketplaces, forums, paste sites, and criminal channels for references to your organisation's data, credentials, and infrastructure. This includes:
- Your email domain — scanning for staff credentials appearing in breach databases and criminal forums
- Your company name and domain — identifying mentions in criminal discussions, data-for-sale listings, or access broker posts
- Your IP ranges — monitoring for references to your infrastructure in vulnerability discussions or exploitation reports
- Key personnel — monitoring for personal credentials of senior staff or privileged account holders
When a monitoring tool surfaces a finding — a staff credential appearing in a fresh dump, a mention of your domain in a forum thread — the response depends on the nature of the finding. A credential in a breach database means: identify the affected account, force a password reset, check whether the account has been used to authenticate to your systems from unusual locations, and enable MFA if it isn't already active. An access broker listing requires immediate investigation to determine whether the claimed access is genuine and, if so, to identify and close the entry point.
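The credential-finding response described above can be run as a repeatable triage over a sign-in log export. This is an added example, not part of the original guide or any vendor's tooling: the account names, dates, log layout and the `triage` function are all constructed for illustration, and "unusual location" is assumed to mean a country with no successful sign-in before the dump appeared.

```python
import csv
import io
from datetime import datetime

# Constructed sample: accounts reported as exposed, with the date the dump was first seen.
EXPOSED = {"a.jones@example.com": "2024-03-10", "b.patel@example.com": "2024-03-10"}

# Constructed sign-in log export: timestamp, user, country, result, mfa_used.
SIGNINS = """\
2024-02-01T08:58:00,a.jones@example.com,GB,success,no
2024-02-20T09:05:00,a.jones@example.com,GB,success,no
2024-03-12T03:14:00,a.jones@example.com,RO,failure,no
2024-03-12T03:15:00,a.jones@example.com,RO,success,no
2024-02-11T10:00:00,b.patel@example.com,GB,success,yes
2024-03-13T09:30:00,b.patel@example.com,GB,success,yes
2024-03-14T11:00:00,c.smith@example.com,US,success,no
"""

def triage(exposed, signin_csv):
    """Return one finding per exposed account, following the response steps."""
    cols = ("ts", "user", "country", "result", "mfa")
    rows = [dict(zip(cols, r)) for r in csv.reader(io.StringIO(signin_csv)) if r]
    findings = {}
    for user, seen in exposed.items():
        cutoff = datetime.fromisoformat(seen)
        mine = [r for r in rows if r["user"] == user and r["result"] == "success"]
        # Baseline: countries with successful sign-ins before the dump appeared.
        baseline = {r["country"] for r in mine
                    if datetime.fromisoformat(r["ts"]) < cutoff}
        # Unusual: successful sign-ins after exposure from a country not in the baseline.
        unusual = [(r["ts"], r["country"]) for r in mine
                   if datetime.fromisoformat(r["ts"]) >= cutoff
                   and r["country"] not in baseline]
        mfa_seen = any(r["mfa"] == "yes" for r in mine)
        findings[user] = {
            "force_reset": True,           # an exposed credential is always reset
            "unusual_signins": unusual,    # each entry needs investigation
            "enable_mfa": not mfa_seen,    # no MFA observed on any successful sign-in
        }
    return findings

if __name__ == "__main__":
    for user, finding in triage(EXPOSED, SIGNINS).items():
        print(user, finding)
```

An account with no sign-in history before the exposure date has an empty baseline, so every later successful sign-in is flagged for review.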
What You Can Check Today
Several free tools provide a limited view of your exposure. Have I Been Pwned (haveibeenpwned.com) allows you to check whether a specific email address or your entire domain appears in publicly disclosed breach databases. This doesn't cover material that hasn't yet been publicly disclosed — a significant limitation — but it's a useful starting point.
For comprehensive, continuous monitoring — including material that circulates in criminal forums before it reaches public disclosure — you need tooling that actively monitors the criminal ecosystem in real time, not just the publicly indexed portion of it.
Your Credentials Are Being Monitored. The Question Is Whether You're Doing It Too.
SOC in a Box includes continuous dark web monitoring as part of every deployment — scanning for your domain, staff credentials, and company data across criminal marketplaces, paste sites, and breach forums. Critical findings trigger an immediate out-of-cycle alert from your named analyst. Monthly findings are included in your Confidence Score report.