
Frequently Asked Questions

Lab 1 helps organizations uncover and act on exposed data fast. This FAQ covers how the platform works, what kinds of data we extract, how incidents are tracked, and how to interpret exposure metrics like IER. If you’re looking for a specific answer or want more detail, get in touch.

Lab 1 supports extraction and previews for a wide range of file types, including:

Documents: Word, PDF, PowerPoint, Excel, text files, HTML, and emails

Image metadata: Common formats such as .png, .jpeg, .jpg, .gif, .bmp, .tiff, .webp, .ico, .svg

Video metadata: Formats including .mp4, .mov, .wmv, .avi, .mkv, .webm, .flv, .mpg, .mpeg, .asf, .qtif, .vob

Code and data files: .xml, .json, .csv, .log, .cer, .crt, .pem, .ovpn

Executable files: .exe, .dll, .bin

Please note that Lab 1 does not control the quality of source material. Files may be malformed or corrupted, and all extraction is performed on a best-effort basis. Support is continuously improving over time.

An Entity is a structured piece of atomic data, such as an email address, IBAN, or Social Security Number, that Lab 1 can detect, extract, and attribute to a company or individual. 

EDE stands for Exposed Data Entity. An EDE means we have matched an entity against a piece of data that has been leaked and could potentially be weaponized.

Lab 1 extracts a wide range of entities from files, depending on the file type and format.

From generic files, the platform identifies structured data such as:

  • Email Address
  • IPv4 Address, IPv6 Address
  • CVE Code
  • IBANs from various countries (e.g., Italy, Germany, France, Netherlands)
  • US Social Security Number
  • HTTP Basic Auth URL
  • AWS S3 File Paths and Virtual Hosts
  • RSA and SSH Private Keys (DSA, EC, including encrypted formats)

From breaches shared in tabular form, Lab 1 extracts common column types such as:

  • Domain, Email, Username, Password, Password Hash, Salt

  • Phone Number, Postal Address, Date of Birth
  • First Name, Middle Name, Last Name, Full Name
  • Company, Role, User ID for Service
  • IP Address, URL
  • US SSN, Bank Account Number
  • Passport Number, Expiration Date, Country

Extraction is performed on a best-effort basis, and support continues to expand over time.

Lab 1 defines an “incident” as any observed data exposure that appears to have occurred without the consent of the lawful custodian. This includes data published on ransomware leak sites, hacker forums, or similar sources. For each incident, Lab 1 tracks key details such as the publication date, threat actor metadata, and whether the incident has been confirmed by the affected organization.

Lab 1 only tracks incidents that it has been able to directly observe. If a threat actor claims a breach but the exposed data isn't publicly accessible, the incident may not appear on the platform. However, in certain cases where the circumstances strongly support the credibility of the claim, Lab 1 may choose to include the incident even without direct visibility.

Lab 1 monitors domains that can be publicly linked to a company using OSINT techniques. If a domain isn't publicly associated with a company, it won’t be monitored by default. However, customers can provide additional domains, which will be included in the monitoring scope upon request.

Lab 1 calculates the Incident-to-Employee Ratio (IER) by dividing the number of incidents a company is mentioned in by its estimated number of employees. This ratio serves as a proxy for exposure relative to company size—lower ratios indicate less exposure. The Percentile Rank is then computed by comparing a company's IER to all others in the dataset, showing the percentage of companies with equal or lower exposure.

The IER Percentile Rank cannot be changed directly, as it reflects Lab 1’s observations and assumptions about a company. However, if certain underlying data, such as employee count or associated domains, is inaccurate, customers can contact the Lab 1 team to request corrections. Once updated, the IER Percentile Rank will automatically adjust to reflect the new information.
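
The IER and Percentile Rank calculation described above, and the effect of a corrected employee count, as an added example (not Lab 1's own code). The company names and figures are constructed, and the tie handling ("equal or lower" counts the company itself) and the rejection of non-positive employee estimates are assumptions.

```python
from bisect import bisect_right
from fractions import Fraction

def ier(incidents: int, employees: int) -> Fraction:
    """Incident-to-Employee Ratio: incidents mentioning the company / estimated employees."""
    if employees <= 0:
        # Assumption: a missing or zero estimate is a data error, not an infinite ratio.
        raise ValueError("employee estimate must be positive")
    # Fraction keeps ties exact (2/1000 == 4/2000) so "equal or lower" is reliable.
    return Fraction(incidents, employees)

def percentile_ranks(companies: dict) -> dict:
    """Percentage of companies in the dataset with an IER equal to or lower than each company's."""
    ratios = {name: ier(i, e) for name, (i, e) in companies.items()}
    ordered = sorted(ratios.values())
    total = len(ordered)
    # bisect_right counts every value <= r, including the company itself and any ties.
    return {name: 100.0 * bisect_right(ordered, r) / total for name, r in ratios.items()}

def ranks_after_correction(companies: dict, name: str, employees: int) -> dict:
    """Recompute all ranks after one company's employee estimate is corrected."""
    corrected = dict(companies)
    incidents, _old_estimate = corrected[name]
    corrected[name] = (incidents, employees)
    return percentile_ranks(corrected)

# Constructed sample dataset: name -> (incidents, estimated employees)
SAMPLE = {
    "alpha.example":   (2, 1000),  # IER 0.002
    "bravo.example":   (1, 50),    # IER 0.02
    "charlie.example": (4, 2000),  # IER 0.002, ties with alpha
    "delta.example":   (0, 300),   # IER 0
    "echo.example":    (3, 100),   # IER 0.03
}

if __name__ == "__main__":
    before = percentile_ranks(SAMPLE)
    # Suppose bravo's headcount was underestimated: 50 -> 1000 employees.
    after = ranks_after_correction(SAMPLE, "bravo.example", 1000)
    for name in SAMPLE:
        print(f"{name:16} before={before[name]:5.1f} after={after[name]:5.1f}")
```

Because the rank is relative to the whole dataset, correcting one company's employee count also shifts the ranks of companies whose own data did not change.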