An Entity is a structured piece of atomic data, such as an email address, IBAN, or Social Security Number, that Lab 1 can detect, extract, and attribute to a company or individual. 

EDE stands for Exposed Data Entity. An EDE means we have matched an entity against a piece of data that has been leaked and could potentially be weaponized.

Lab 1 extracts a wide range of entities from files, depending on the file type and format.

From generic files, the platform identifies structured data such as:

• Email Address
• IPv4 Address, IPv6 Address
• CVE Code
• IBANs from various countries (e.g., Italy, Germany, France, Netherlands, etc.)
• US Social Security Number
• HTTP Basic Auth URL
• AWS S3 File Paths and Virtual Hosts
• RSA and SSH Private Keys (DSA, EC, including encrypted formats)
• From breaches shared in tabular form, Lab 1 extracts common column types such as:

Domain, Email, Username, Password, Password Hash, Salt

• Phone Number, Postal Address, Date of Birth
• First Name, Middle Name, Last Name, Full Name
• Company, Role, User ID for Service
• IP Address, URL
• US SSN, Bank Account Number
• Passport Number, Expiration Date, Country

Extraction is performed on a best-effort basis, and support continues to expand over time.

Lab 1 supports extraction and previews for a wide range of file types, including:

Documents: Word, PDF, PowerPoint, Excel, text files, HTML, and emails

Image metadata: Common formats such as .png, .jpeg, .jpg, .gif, .bmp, .tiff, .webp, .ico, .svg

Video metadata: Formats including .mp4, .mov, .wmv, .avi, .mkv, .webm, .flv, .mpg, .mpeg, .asf, .qtif, .vob

Code and data files: .xml, .json, .csv, .log, .cer, .crt, .pem, .ovpn

Executable files: .exe, .dll, .bin

Please note that Lab 1 does not control the quality of source material. Files may be malformed or corrupted, and all extraction is performed on a best-effort basis. Support is continuously improving over time.

There can be a variety of reasons why Lab 1 cannot create a file preview , we are constantly trying to improve our capability for extracting files and creating file previews. We really do want to hear from customers if a file you want to see is not in our system. Please contact our support team via the application.  

Lab 1 defines an “incident” as any observed data exposure that appears to have occurred without the consent of the lawful custodian. This includes data published on ransomware leak sites, hacker forums, or similar sources. For each incident, Lab 1 tracks key details such as the publication date, threat actor metadata, and whether the incident has been confirmed by the affected organization.

Lab 1 only tracks incidents that it has been able to directly observe. If a threat actor claims a breach but the exposed data isn't publicly accessible, the incident may not appear on the platform. However, in certain cases where the circumstances strongly support the credibility of the claim, Lab 1 may choose to include the incident even without direct visibility.

Lab 1 monitors domains that can be publicly linked to a company using OSINT techniques. If a domain isn't publicly associated with a company, it won’t be monitored by default. However, customers can provide additional domains, which will be included in the monitoring scope upon request.

Yes, Lab 1 has a GraphQL API. Documentation is available at the following link https://lab1-1.gitbook.io/lab-1-reporting-api/

A match in a file path means that the company's name (or one of its known alternative names) was found within the file name or full folder path of a file. The search includes all files that were exfiltrated (stolen) and published as part of that specific incident.

A match in content means our platform found a specific piece of information (an "entity") inside the text of a file that is associated with a company. Common examples of entities include email addresses or internet domains.

For a full list of the file types we scan and the entities we search for, please refer to the relevant sections in this FAQ.

A list of files with at least one match (either in content or in the file path) is only supported for incidents added after 1st of April 2025.

If enabled for your account, an email alert can be set up in the settings page of the application.

When the Lab 1 application finds a match of the company in the incident an email alert is sent. Only 1 alert per incident per client (per company - you follow) will be sent - regardless of how many attributions occur over the course of processing data for an incident in the Lab 1 Platform. If you follow 2 companies that are impacted by a single incident you will get 2 alerts.

Lab 1 calculates the Incident-to-Employee Ratio (IER) by dividing the number of incidents a company is mentioned in by its estimated number of employees. This ratio serves as a proxy for exposure relative to company size—lower ratios indicate less exposure. The Percentile Rank is then computed by comparing a company's IER to all others in the dataset, showing the percentage of companies with equal or lower exposure.

The IER Percentile Rank cannot be changed directly, as it reflects Lab 1’s observations and assumptions about a company. However, if certain underlying data, such as employee count or associated domains, is inaccurate, customers can contact the Lab 1 team to request corrections. Once updated, the IER Percentile Rank will automatically adjust to reflect the new information.