Feature: Dark Web Monitoring

Keeper BreachWatch^® for Business

BreachWatch continuously monitors the dark web for exposed credentials across your organization while preserving Keeper's zero-knowledge architecture.

Start Free Trial Scan Your Business Email

Keeper admin dashboard showing top user activity events over the last 30 days.

What is BreachWatch?

BreachWatch is Keeper's dark web monitoring feature that continuously checks passwords stored in employee vaults against known breach data, then prompts users and admins to update exposed credentials. It operates within Keeper's zero-knowledge architecture, so sensitive data remains private during detection and reporting.

How BreachWatch works

Employees save credentials in their Keeper Vault

BreachWatch compares those passwords against known breach datasets

The user is alerted and admins see the risk in the Admin Console if matches are found

Users resolve alerts by changing the password or ignoring the alert if already remediated

Dark web monitoring built for business impact

Monitor the dark web continuously

Continuously scan employee passwords saved in their vault against known breach data, then alert users the moment a match is found so they can fix it before attackers strike.

Google login record with a red “High-Risk Password” warning, buttons to Ignore or Resolve, and a weak password strength indicator.

Table listing users with counts for High-Risk, Passed, and Scan Ignored items, shown per user with email addresses.

Prioritize admin visibility and remediation

Get a clear view of potential risks across your organization. The Admin Console highlights users with “At risk” or “Ignored” items, making it easy for admins to dig into user details and take action.

Report to SIEM and trigger alerts

Turn on BreachWatch event forwarding in role enforcement, build custom reports in Advanced Reporting and Alerts, then add webhooks for real-time notifications to Slack, Teams or any HTTP endpoint. Events can also feed external SIEM platforms for centralized monitoring and response.

Alerts settings page showing alert types, frequency, occurrence counts, and on/off toggles.

Alert configuration screen with an alert name field, expandable alert conditions for event types and attributes, and an alert frequency dropdown.

Surface BreachWatch alerts in IT Service Management (ITSM) platforms

Keeper's ITSM integration converts BreachWatch alerts into tickets in Jira, ServiceNow and other systems, enabling automated incident response for compromised credentials.

Why choose BreachWatch?

Zero knowledge by design

BreachWatch is a patented solution that follows Keeper's zero-knowledge model. Data is always encrypted and decrypted on the device, with multi-layer keys and public-key sharing. Keeper's broader encryption model uses per-record AES-256 keys, device-level key pairs and an extra transmission key on top of Transport Layer Security (TLS).

BreachWatch Security

Two-stage hashing

When BreachWatch is activated, the client computes an HMAC_SHA512 hash of each stored password and sends the anonymized hash to Keeper's servers. The server then computes a second HMAC_SHA512 hash using hardware security modules having a non-exportable key and compares the “Hashes-of-Hashes” against breach data.

BreachWatch Documentation

Frequently asked questions

How are users notified about exposed credentials?

Users receive an in-app BreachWatch prompt in their Keeper Vault to resolve the high-risk password by changing it or to ignore it if it's already been remediated.

What happens if a user ignores an alert?

That record is excluded from future scans until the password is changed, and it remains at risk. Admins still see users with "At risk" and "Ignored" items in the Admin Console.

Does BreachWatch support SIEM integration?

Yes, BreachWatch events can be integrated with SIEM tools through Keeper's Advanced Reporting and Alerts Module (ARAM).

Keeper BreachWatch® for Business