Breach Intelligence Prospecting — Smartcut Strategy

Version: 1.0
Date: 2026-03-21
Owner: Dmitri Sunshine, Founder & CEO
Category: Growth Hacking / Unconventional Outreach
Companion docs: Solanasis_Master_GTM_Playbook_2026.md | MSP_Cold_Email_Outreach_Playbook.md


The Core Insight

Instead of cold-emailing people who might need security, reach out to people you can prove already have exposed credentials on the dark web. You lead with value (their actual exposure data), not a pitch. This is the cybersecurity equivalent of a doctor who can show you your own X-ray vs. one who just says “you should probably get checked.”

Why this is a Smartcut: You’re collapsing the entire trust-building and problem-awareness phase into a single touchpoint. The prospect doesn’t need to be convinced they have a problem — you’re showing them the evidence.


  • Domain-level breach lookups — Scanning a company’s domain (e.g., @acmecorp.com) against known breach databases to see how many employee credentials are exposed
  • Using legitimate threat intelligence platforms — SpyCloud, Breachsense, ID Agent (Dark Web ID), Flare, DarkWebReport.io all offer this as a commercial service specifically for MSP prospecting
  • HaveIBeenPwned domain search — HIBP offers domain-level searches for authorized domain owners, and breach notification services built on top of it
  • Publicly reported breach data — Any breach that’s been publicly disclosed is fair game to reference
  • Cold email outreach under CAN-SPAM — B2B cold email is legal in the US as long as you include your physical address, a clear unsubscribe mechanism, and don’t use deceptive subject lines

What’s OFF-LIMITS (Do NOT Touch)

  • Directly accessing breached databases from dark web forums — This is legally gray-to-illegal territory under the Computer Fraud and Abuse Act (CFAA). Even if the data is “free,” downloading stolen data could expose you to liability
  • Sharing actual passwords in outreach emails — Even if you found them, emailing someone their plaintext password is both a security risk and could be considered threatening/coercive
  • Using HIBP API to “ambulance chase” — Troy Hunt’s terms of use explicitly prohibit using the API to “disadvantage breach victims” or pitch services to them
  • Purchasing stolen credentials — Buying data from dark web marketplaces is illegal regardless of intent
  • Accessing anyone’s personal accounts — Even to “verify” a breach, logging into someone’s account without authorization is a federal crime

The Smart Middle Ground (Where the Opportunity Lives)

Use legitimate commercial threat intelligence platforms that have already done the work of collecting, sanitizing, and making breach data available through legal APIs. These platforms exist specifically for this use case.


2) The Tool Stack — Ranked by Fit for Solanasis

Tier 1: Best for Prospecting (Start Here)

| Tool | Cost | Why It Fits | Key Feature |
|---|---|---|---|
| Breachsense | ~$200-500/mo (MSP tier) | Built for MSP prospecting, multi-tenant, API access | Prospect scanning, Digital Risk Review reports as leave-behinds |
| DarkWebReport.io | Free tier available | Enter a URL, get a report in 30 seconds | MSP Prospecting Dashboard — search compromised companies by industry/location |
| Iceberg Cyber | Free CyberScore available | URL-based scan, shows dark web exposure + website vulns | Generates a “Cyber Score” per domain — great for outreach hooks |

Tier 2: For Ongoing Client Delivery (After You Close)

| Tool | Cost | Why It Fits | Key Feature |
|---|---|---|---|
| ID Agent (Dark Web ID) | Partner program pricing | Industry standard for MSPs | Live search demo tool, co-branded reports |
| SpyCloud | Enterprise pricing | Deepest breach corpus (200+ data types) | Infostealer log monitoring, session cookie detection |
| Flare | Mid-market pricing | Dark web + external attack surface combo | Brand impersonation + credential leak monitoring |

Tier 3: Free/Low-Cost Research Tools

| Tool | Cost | What It Does |
|---|---|---|
| HaveIBeenPwned | Free (domain search requires verification) | Check if a domain appears in known breaches |
| IntelligenceX | Free tier | Search engine for leaked datasets, pastes, dark web |
| DeHashed | ~$15/mo | Breach search engine with API |
| Hunter.io | Free tier | Find corporate email addresses to cross-reference |

3) The Outreach Play — Step by Step

Phase 1: Build Your Hit List (30 min/day)

  1. Define your ICP (Ideal Customer Profile) filters:

    • SMBs and nonprofits in Colorado (or your target geography)
    • 10-200 employees
    • Industries: healthcare, legal, financial services, nonprofits, professional services
    • Bonus: Industries with compliance requirements (HIPAA, SOC 2, PCI-DSS)
  2. Run domain scans on your ICP:

    • Use DarkWebReport.io or Iceberg Cyber to scan target company domains
    • Log results: company name, domain, number of exposed credentials, breach sources
    • Prioritize companies with HIGH exposure + compliance requirements
  3. Cross-reference for decision-makers:

    • Use LinkedIn Sales Navigator or Hunter.io to find the CEO, CFO, COO, or IT director
    • For nonprofits: Executive Director, Operations Director, Board Chair
    • Note: Personal email addresses found in corporate breaches = employees using personal email for work systems (this is itself a finding worth flagging)

Phase 2: Craft the Outreach (Templates Below)

The key psychology: You’re not selling. You’re warning. You’re the neighbor who noticed their garage door was open at night.

Email Template A: The “Community Alert” (Cold — First Touch)

Subject: [Company Name] — {X} employee credentials found in recent breach data

Hi [First Name],

As part of our community cybersecurity monitoring initiative here in
[Boulder/Colorado], we routinely check whether local [industry] organizations
have been impacted by recent data breaches.

I wanted to flag that we found {X} email addresses associated with
[company domain] appearing in known breach datasets. This means employee
credentials may be circulating on dark web forums.

This doesn't necessarily mean your systems have been compromised — but it
does mean those passwords (and any accounts where they've been reused)
are at risk.

I've put together a complimentary Breach Exposure Summary for
[Company Name] if you'd like to see the details. No strings attached —
this is something we believe every organization should be aware of.

Happy to share it over a quick 15-minute call or just send it over
via email — whatever works best.

Best,
Dmitri Sunshine
Founder & CEO, Solanasis
[phone] | solanasis.com

P.S. — If you've already addressed this, great. If not, I'm glad to
point you in the right direction even if we never work together.

Email Template B: The “Specific Breach” (When You Know the Source)

Subject: [Company Name] employees impacted by [Breach Name] data leak

Hi [First Name],

The [Breach Name] data leak that was disclosed [date] included credentials
associated with [company domain].

This is a heads up that {X} of your team's email-password combinations
may be in circulation. The biggest risk here is credential stuffing —
attackers using those leaked passwords to try to access your business
systems, cloud platforms, and email accounts.

We put together a quick Breach Exposure Summary for [Company Name]
that covers:
- How many credentials were exposed
- Which breach(es) they appeared in
- What the immediate risks are
- 3 things you can do today to reduce your exposure

Want me to send it over?

Best,
Dmitri Sunshine
Founder & CEO, Solanasis

Email Template C: The “Personal Email Red Flag” (Power Move)

Subject: Quick security heads-up for [Company Name]

Hi [First Name],

During a routine scan, we noticed something that might be worth a
conversation — it appears some team members at [Company Name] may be
using personal email addresses for business-related accounts and logins.

The reason that matters: personal email accounts typically don't have
the same security controls (MFA, password policies, monitoring) as
corporate accounts. When those personal emails show up in breach
data — which several have — it creates an unmonitored backdoor into
your business systems.

This is one of the most common (and most overlooked) security gaps we
see in organizations your size. Happy to walk through what we found
if it'd be useful — 15 minutes, no pitch.

Best,
Dmitri Sunshine
Founder & CEO, Solanasis

Phase 3: The Call / Meeting (Convert Interest to Engagement)

  1. Share the Breach Exposure Report — Use Breachsense or ID Agent to generate a branded report showing their exposed credentials (redacted passwords, showing only breach sources and dates)
  2. Live Dark Web Scan Demo — Run a scan of their domain live on the call. The “oh sh*t” moment when they see their data is your best closer
  3. Bridge to the ORB — “The breach exposure is just the tip of the iceberg. Our Operational Resilience Baseline assessment covers this plus 8 other critical areas…”
  4. Offer a Quick Win — “At minimum, I’d recommend forcing a company-wide password reset and enabling MFA on your critical systems. We can help you do that in a half-day sprint.”

4) Advanced Plays — The Real Smartcuts

Play 1: The “Breach Alert Newsletter” (Evergreen Lead Magnet)

  • Set up automated monitoring on target domains using Breachsense or similar
  • When a new breach drops that affects your target companies, send a personalized alert within 24-48 hours
  • Why this is genius: You become the first person to tell them about their problem. Speed = credibility
  • Build a simple landing page: “Is your organization in the latest breach? Enter your domain to check.” → Captures leads who scan themselves

Play 2: The “Industry Breach Report” (Authority Builder)

  • Once a quarter, compile breach statistics for your target verticals (Colorado healthcare orgs, Denver-area nonprofits, etc.)
  • Publish as a LinkedIn post, email newsletter, and downloadable PDF
  • Include anonymized stats like: “47% of Colorado nonprofits with 50+ employees had credentials in at least one breach in the last 12 months”
  • Why this is genius: You become the local authority on breach exposure. Media will pick this up. Speaking invitations follow.

Play 3: The “Board Report” Play (For Nonprofits)

  • Nonprofit board members have fiduciary responsibility for data protection
  • Offer to present a complimentary “Cyber Risk Brief” at a board meeting
  • Show breach exposure data for the org, explain the liability, recommend next steps
  • Why this is genius: You’re presenting to 8-15 decision-makers at once, and nonprofits have very few people pitching security to them

Play 4: Cross-Reference with Compliance Deadlines

  • HIPAA-covered entities that have breach exposure = urgent compliance risk
  • Financial services firms in CO with exposed credentials = SEC/FINRA reporting concern
  • Any org with a cyber insurance policy = breach exposure could affect renewability or premiums
  • Target these first — they have the most urgency and budget

Play 5: The “Vendor Supply Chain” Cascade

  • When a major breach hits (like MOVEit, SolarWinds, etc.), quickly identify which of your target companies used that vendor
  • Reach out specifically about that supply chain exposure
  • “Your organization uses [vendor]. The recent [breach] may have exposed data you shared with them. Here’s what you should be checking…”
  • Why this is genius: Supply chain attacks are terrifying and poorly understood by SMBs. You become the translator.

Play 6: Partner with Cyber Insurance Brokers (Force Multiplier)

  • Cyber insurance brokers need risk data about their applicants and renewals
  • Offer breach exposure scans as a value-add the broker can offer
  • Broker sends you warm referrals of companies with exposure that need remediation
  • Why this is genius: The broker has the relationship and the urgency (policy renewal). You provide the expertise. Revenue split or referral fee.

5) Automation & Scaling This

Daily Routine (30 min)

  1. Check breach intelligence feeds for new breaches (5 min)
  2. Cross-reference new breaches against your target list (10 min)
  3. Scan 5-10 new prospect domains (10 min)
  4. Send 3-5 personalized outreach emails (5 min)

Automation Opportunities

  • Breachsense API → Webhook when a monitored domain appears in a new breach → Auto-drafts personalized email
  • DarkWebReport.io Prospecting Dashboard → Filter by geography + industry → Export target list
  • n8n or Make.com workflow: New breach detected → Match against ICP list → Draft email with breach details → Queue for review and send
  • LinkedIn Sales Nav saved searches → Alert when new companies match your ICP → Auto-scan their domain

Metrics to Track

| Metric | Target |
|---|---|
| Domains scanned per week | 25-50 |
| Breach outreach emails sent per week | 15-25 |
| Reply rate (breach emails vs. cold emails) | Expect 15-30% vs. typical 2-5% |
| Meetings booked from breach outreach | 3-5/week |
| Conversion from meeting to ORB proposal | 40-50% |

  • All breach data sourced from legitimate commercial platforms (never from dark web directly)
  • CAN-SPAM compliant: physical address, unsubscribe link, honest subject lines
  • Never share actual passwords in any outreach
  • Never claim to have “hacked” or “tested” their systems
  • Frame as “publicly available breach data” not “we accessed your accounts”
  • Include disclaimer: “This information is based on publicly disclosed breach data and does not represent a security assessment of your systems”
  • Consult legal counsel before launching at scale (especially if expanding to EU/Canada — GDPR and CASL have stricter rules)
  • Do not use HaveIBeenPwned API for prospecting (violates their terms of use)

7) Budget Estimate — Getting Started

| Item | Cost | Notes |
|---|---|---|
| DarkWebReport.io (free tier) | $0 | Good for initial testing |
| Iceberg Cyber (free CyberScore) | $0 | URL-based scanning |
| Breachsense MSP tier | ~$200-500/mo | The workhorse tool for scaling |
| Hunter.io (free tier) | $0 | 25 searches/month for decision-maker emails |
| LinkedIn Sales Navigator | ~$100/mo | Already in your stack? |
| Total to start | $0-600/mo | |

8) Why This Works for Solanasis Specifically

  1. Wedge alignment — Breach exposure is a natural lead-in to your Security Assessment offering. The ORB becomes the obvious next step.
  2. Credibility bypass — You don’t need certifications to show someone their own breach data. The data speaks for itself.
  3. SMB/nonprofit sweet spot — These orgs are the most likely to be unaware of their exposure AND the least likely to have someone monitoring for them.
  4. Recurring revenue bridge — Breach monitoring becomes an ongoing service ($200-500/mo per client). This directly feeds your MRR goal.
  5. Contractor-friendly — The domain scanning and outreach process is highly SOP-able. Train a contractor in 2 days.
  6. Scales with automation — Once the workflow is built, you can monitor hundreds of domains with alerts that fire automatically.

9) Risks & Mitigations

| Risk | Mitigation |
|---|---|
| Prospect perceives outreach as threatening/creepy | Lead with “community initiative” framing, offer value before asking for anything |
| Legal gray area if you go too far | Stay with commercial platforms only, never touch raw breach data |
| Data accuracy — false positives | Always caveat: “This is based on publicly available breach data. We recommend verifying with a full assessment.” |
| Competitors already doing this | Most MSPs do this lazily (generic email blasts). Your edge is personalization + speed + the Solanasis ORB as the conversion vehicle |
| Burnout on manual scanning | Automate early. The Breachsense API + n8n combo solves this |

| Day | Action |
|---|---|
| Day 1 | Sign up for DarkWebReport.io + Iceberg Cyber free tiers. Scan 20 target domains. |
| Day 2 | Build your target list: 50 Colorado SMBs/nonprofits in healthcare, legal, financial, professional services |
| Day 3 | Scan all 50 domains. Rank by exposure severity. Identify decision-makers for top 10. |
| Day 4 | Send first batch of 5-10 personalized “Community Alert” emails |
| Day 5 | Follow up on any replies. Sign up for Breachsense trial. Build branded Breach Exposure Report template. |
| Day 6-7 | Refine templates based on responses. Set up monitoring on top 50 domains. Plan the “Industry Breach Report” for LinkedIn. |

Bottom Line: This isn’t shady — it’s the cybersecurity version of a home inspector knocking on your door and saying “I noticed your foundation has a crack.” The data is already out there. The question is whether someone helpful tells these organizations about it, or whether the attackers get there first. Solanasis can be that helpful someone.