Cybersixgill collects intelligence from cyber criminals who discuss and plan cyber attacks on the clear, deep and dark web, helping organizations and governments around the world prevent a security breach.

We gather our data autonomously from a wide range of sources including those that other vendors cannot access. We use AI and machine learning to add context to this data, generating valuable insights into the cyber criminal mindset.

Our Representatives

Anastasya Elia Zlochevsky

EMEA Sales Diractor, Cybersixgill

EMEA Sales Diractor


Lior Marom

CISO, Cybersixgill



Yehuda Brauner

R&D Team Leader, Cybersixgill

R&D Team Leader


Merav Cohen

Marketing manager, Cybersixgill

Marketing manager


Zoe Cohen

Cybersixgill, Cybersixgill



Company's Solutions

Investigative Portal

Monitor Emerging Cyber Risks Threatening Your Organization In Real-Time

Combining unparalleled threat data collection capabilities with search functionality and automation, the Cybersixgill SaaS Investigative Portal delivers unmatched contextual visibility into the clear, deep and dark web.

Covertly uncover threat actor activity in any language, format and platform with exclusive and real-time access to the largest database of deep, dark and clear web activity on the market.

Our proprietary algorithms infiltrate and extract threat intelligence data from the most extensive base of sources, including limited-access deep & dark web platforms, invite-only messaging groups, paste sites, underground markets, code repositories, deleted posts and much more.

Dynamic Vulnerability Exploit (DVE)

Cybersixgill’s Dynamic Vulnerability Exploit (DVE) Intelligence supports vulnerability management teams with critical end-to-end exploit intelligence across the entire CVE lifecycle. With DVE Intelligence, teams can effectively prioritize the vulnerabilities that pose the greatest risks to their organization - before they can be exploited in attack.

Prominent Case Study

How an MSSP Discovered a Compromised RDP Sold in a Dark Web Access Market?

This past June, CyberProof, an MSSP using Cybersixgill’s Investigative Portal, was approached by a client who had been targeted by a ransomware attack. Noa Raz, CyberProof’s Senior CTI analyst, understood that the ransomware group behind the attack had exploited compromised RDP connections as a means for establishing initial network access. This is in fact a popular way for major ransomware groups to gain their first step into the targeted network.

The analyst discovered that the client had an exposed RDP server whose IP address began 52.172... From there, she searched these two octets in the Cybersixgill Investigative Portal. The analyst discovered that a machine with matching octets and other metadata (including geolocation) was sold on a dark web RDP market known as a popular source for ransomware groups to purchase initial network access.

With this intel in hand, the analyst concluded that there was a significant likelihood that the attacker had purchased access to the vulnerable server on this dark web market. Thus, empowered by Cybersixgill’s Portal, she was able to map out a coherent forensic hypothesis for the attack.

Just how many compromised RDP connections are sold on underground markets? Over the span of a year (June 1st, 2020 to May 31st, 2021), Cybersixgill observed a total 325,917 RDP connections listed for sale on the underground. This is in addition to the nearly 4.6 million endpoints and other remote protocols and systems that are also for sale on the deep and dark web. Anyone can purchase access on these markets, sometimes for as little as several dollars apiece. While deploying ransomware is a lucrative way to abuse access, actors can also abuse access by siphoning system resources, harvesting confidential information, and assuming control of logged-in financial accounts.

Furthermore, while this incident presents a scenario in which intel from these RDP markets can be used in a forensic investigation, Cybersixgill customers can leverage this intelligence proactively to prevent threats from these markets before they materialize. Through the Investigative Portal, customers receive automated alerts whenever their assets are mentioned on the underground. And with Cybersixgill’s Darkfeed, an automated, real-time feed of malicious IOCs, customers can consume and block the IP addresses of compromised RDP connections that are shared freely on underground forums - before they are deployed or weaponized by underground threat actors.

Indeed, several months ago, a Cybersixgill Darkfeed customer, a $2B+ revenue financial services company, received an alert that they had outgoing network traffic to an IP address that was flagged by Darkfeed as having a compromised RDP connection. Using this intel, the customer was able to rapidly triage and prevent this potential attack.