Frequently Asked Questions

Lab 1 helps organizations uncover and act on exposed data fast. This FAQ covers how the platform works, what kinds of data we extract, how incidents are tracked, and how to interpret exposure metrics like IER. If you’re looking for a specific answer or want more detail, get in touch.

An Entity is a structured piece of atomic data, such as an email address, IBAN, or Social Security Number, that Lab 1 can detect, extract, and attribute to a company or individual. We sometimes also call this a keyword.

EDE stands for Exposed Data Entity. An EDE means we have matched an entity against a piece of data that has been leaked and could potentially be weaponized.

Lab 1 extracts a wide range of entities from files, depending on the file type and format.

From generic files, the platform identifies structured data such as:

  • Email Address
  • IPv4 Address, IPv6 Address
  • CVE Code
  • IBANs from various countries (e.g., Italy, Germany, France, Netherlands, etc.)
  • US Social Security Number
  • HTTP Basic Auth URL
  • AWS S3 File Paths and Virtual Hosts
  • RSA and SSH Private Keys (DSA, EC, including encrypted formats)

From breaches shared in tabular form, Lab 1 extracts common column types such as:

  • Domain, Email, Username, Password, Password Hash, Salt
  • Phone Number, Postal Address, Date of Birth
  • First Name, Middle Name, Last Name, Full Name
  • Company, Role, User ID for Service
  • IP Address, URL
  • US SSN, Bank Account Number
  • Passport Number, Expiration Date, Country

Extraction is performed on a best-effort basis, and support continues to expand over time.

Lab 1 supports extraction and previews for a wide range of file types, including:

Documents: Word, PDF, PowerPoint, Excel, text files, HTML, and emails

Image metadata: Common formats such as .png, .jpeg, .jpg, .gif, .bmp, .tiff, .webp, .ico, .svg

Video metadata: Formats including .mp4, .mov, .wmv, .avi, .mkv, .webm, .flv, .mpg, .mpeg, .asf, .qtif, .vob

Code and data files: .xml, .json, .csv, .log, .cer, .crt, .pem, .ovpn

Executable files: .exe, .dll, .bin

Please note that Lab 1 does not control the quality of source material. Files may be malformed or corrupted, and all extraction is performed on a best-effort basis. Support is continuously improving over time.

There can be a variety of reasons why Lab 1 cannot create a file preview. We are constantly trying to improve our capability for extracting files and creating file previews, and we really do want to hear from customers if a file you want to see is not in our system. Please contact our support team via the application.

Lab 1 defines an “incident” as any observed data exposure that appears to have occurred without the consent of the lawful custodian. This includes data published on ransomware leak sites, hacker forums, or similar sources. For each incident, Lab 1 tracks key details such as the publication date, threat actor metadata, and whether the incident has been confirmed by the affected organization.

We use the term company to represent any type of company, regardless of its relationship to you: a company might be a supplier, a customer or a competitor. You’ll find all companies under the company section of our app.

Your own company is also configured as a company. Therefore, on the companies page for your account you will see your own company and any others that you ‘follow’ (depending on your subscription). This can be a way of managing supplier/third-party risk, but it has other use cases.

When you click into a specific company page for a company that you follow, you will see all of the matches for that company's domains. You will see all incidents that have a domain match for the company you are looking at.

This is more aligned to how you might assess supplier risk, e.g. you can see how many incidents the company appears in and assess the ‘risk’ level this supplier represents due to the amount of exposed data that is available. In summary, drilling down into a company using this route shows you the potential supplier risk, not directly your risk. It will, however, give you an indication of their levels of hygiene and compliance with industry cyber best practice.

An insight report shows a specific company's impact in a specific incident. It shows you the number of EDEs (entities of the company matched in the incident) and whether they are matched in the content and metadata or in the file name or path.

‘Other companies affected’, which is part of the insight report page, may appear empty. This depends on two factors. The first is whether you have a subscription allowing you to follow third-party companies; without this subscription you will not see companies in this section. The second is that there may be no companies in our platform affected. If you are unsure, you can contact our support team to check.

Lab 1 only tracks incidents that it has been able to directly observe. If a threat actor claims a breach but the exposed data isn't publicly accessible, the incident may not appear on the platform. However, in certain cases where the circumstances strongly support the credibility of the claim, Lab 1 may choose to include the incident even without direct visibility.

Lab 1 monitors domains that can be publicly linked to a company using OSINT techniques. If a domain isn't publicly associated with a company, it won’t be monitored by default. However, customers can provide additional domains, which will be included in the monitoring scope upon request.

Entity (public) - we extract entities from each individual incident and match company domain names (that are public information, gathered via OSINT) to show your potential exposure within an incident. You’ll see this within insight reports and other pages in the app.

Entity (private) - within the dedicated /entities page, we can configure specific entities you want to monitor; this monitoring takes place across all incidents. There might be people or 'entities' that you are concerned about and want to monitor for that specific exposure.

It’s worth noting that any specific entities a customer gives us (e.g. email addresses, IP addresses, IBANs) are treated as customer data and kept separate and private from the public entities we gather via OSINT.

Yes, Lab 1 has a GraphQL API. Documentation is available at the following link https://lab1-1.gitbook.io/lab-1-reporting-api/

A match in a file path means that the company's name (or one of its known alternative names) was found within the file name or full folder path of a file. The search includes all files that were exfiltrated (stolen) and published as part of that specific incident.

A match in content means our platform found a specific piece of information (an "entity") inside the text of a file that is associated with a company. Common examples of entities include email addresses or internet domains.

For a full list of the file types we scan and the entities we search for, please refer to the relevant sections in this FAQ.
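
The entity list and the path-versus-content distinction described above can be sketched as follows. This is an added example, not Lab 1's code: the regular expressions, the validators, the function names and the sample company (`Example Corp`, `example-corp.test`) are all assumptions, and only four of the listed entity types are covered.

```python
import re
from ipaddress import ip_address

# Simplified patterns for four of the listed entity types (assumptions).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

def iban_ok(iban):
    """ISO 13616 mod-97 check: rotate first 4 chars to the end, A=10..Z=35."""
    digits = "".join(str(int(c, 36)) for c in iban[4:] + iban[:4])
    return int(digits) % 97 == 1

def ipv4_ok(value):
    try:
        ip_address(value)
        return True
    except ValueError:  # e.g. 999.1.1.1 fits the pattern but is no address
        return False

VALIDATORS = {"iban": iban_ok, "ipv4": ipv4_ok}

def extract_entities(text):
    """Return the set of (type, value) pairs that pass validation."""
    found = set()
    for kind, pattern in PATTERNS.items():
        check = VALIDATORS.get(kind, lambda v: True)
        found.update((kind, v) for v in pattern.findall(text) if check(v))
    return found

def match_file(path, text, names, domains):
    """Report path matches (company name) and content matches (its emails)."""
    path_hit = any(n.lower() in path.lower() for n in names)
    content = sorted(v for k, v in extract_entities(text)
                     if k == "email" and v.lower().rsplit("@", 1)[1] in domains)
    return {"path": path_hit, "content": content}

# Constructed sample files (path, text); not data from any real incident.
SAMPLE = [
    ("share/finance/payroll.txt",
     "j.doe@example-corp.test IBAN DE89370400440532013000 / DE89370400440532013001"),
    ("clients/Example Corp/notes.log",
     "hosts 10.0.0.5 and 999.1.1.1 affected by CVE-2099-12345"),
]
NAMES, DOMAINS = ["Example Corp", "ExCorp"], {"example-corp.test"}
print([match_file(p, t, NAMES, DOMAINS) for p, t in SAMPLE])
```

The first file matches only in content and the second only in its path; the mistyped IBAN and the out-of-range IP address are discarded by validation rather than reported as entities.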

A list of files with at least one match (either in content or in the file path) is only supported for incidents added after 1st of April 2025.

If enabled for your account, an email alert can be set up in the settings page of the application.

When the Lab 1 application finds a match of the company in the incident, an email alert is sent. Only 1 alert per incident per client (per company you follow) will be sent, regardless of how many attributions occur over the course of processing data for an incident in the Lab 1 Platform. If you follow 2 companies that are impacted by a single incident, you will get 2 alerts.

Lab 1 calculates the Incident-to-Employee Ratio (IER) by dividing the number of incidents a company is mentioned in by its estimated number of employees. This ratio serves as a proxy for exposure relative to company size—lower ratios indicate less exposure. The Percentile Rank is then computed by comparing a company's IER to all others in the dataset, showing the percentage of companies with equal or lower exposure.

The IER Percentile Rank cannot be changed directly, as it reflects Lab 1’s observations and assumptions about a company. However, if certain underlying data, such as employee count or associated domains, is inaccurate, customers can contact the Lab 1 team to request corrections. Once updated, the IER Percentile Rank will automatically adjust to reflect the new information.
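
The IER and Percentile Rank calculation, and the effect of a corrected employee count, worked through as an added example (not Lab 1's code). The dataset is constructed, and two details are assumptions the FAQ does not state: a company counts itself in "equal or lower", and companies without a usable employee estimate are left out of the ranking.

```python
def ier(incidents, employees):
    """Incident-to-Employee Ratio, or None if the employee estimate is unusable."""
    if not employees or employees <= 0:
        return None
    return incidents / employees

def percentile_ranks(companies):
    """Map company -> percentage of ranked companies with equal or lower IER.

    Assumption: a company counts itself, and companies without a usable
    employee estimate are left out of the ranking.
    """
    ratios = {name: ier(i, e) for name, (i, e) in companies.items()}
    ranked = {n: r for n, r in ratios.items() if r is not None}
    return {name: round(100 * sum(o <= r for o in ranked.values()) / len(ranked), 1)
            for name, r in ranked.items()}

def with_correction(companies, name, employees):
    """Return a copy of the dataset with one company's employee count corrected."""
    fixed = dict(companies)
    fixed[name] = (companies[name][0], employees)
    return fixed

# Constructed dataset: company -> (incidents, estimated employees).
DATA = {"alpha": (2, 1000), "bravo": (5, 500), "charlie": (1, 50),
        "delta": (4, 2000), "echo": (3, 0)}

if __name__ == "__main__":
    print(percentile_ranks(DATA))
    print(percentile_ranks(with_correction(DATA, "charlie", 5000)))
```

Correcting the employee count for `charlie` from 50 to 5000 moves it from the 100th to the 25th percentile and, because the rank is relative, raises the rank of every other company in the set.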