Credential Autopsy // by SOCHQ
Leaked-credential exposure monitoring

We find your leaked secrets first.

Every API key, password, token, and crypto wallet you own — hunted across the entire public internet, live and archived, and traced back to you the moment it leaks — without ever using or storing the secret.

Autopsy my exposure → See what we watch 30+ sources · live + historical · 0 secrets stored
LIVE SCAN SESSION 0xA1· OBSERVE-ONLY
Exposure vitals
Sources live0
Checked / min0
Exposures caught0
0
public sources
0
secret types known
0
archived pages searched
0
secrets ever stored
// Surface coverage

We watch the entire internet
so you don't have to.

Most scanners check GitHub and call it done. Credential Autopsy sweeps the code hosts, package registries, cloud, the underground — and the general web itself, both live and in the archives where deleted secrets still live.

01

The whole public web

Common Crawl's billions of pages and the Wayback Machine's archives — we catch secrets you already deleted from your live site.

02

Code & every artifact you ship

GitHub (incl. force-pushed commits), GitLab, npm/PyPI/Go/NuGet, containers, mobile APKs, browser & IDE extensions, Hugging Face models.

03

Cloud, CI/CD & your footprint

Open buckets, build logs, Terraform state, exposed .env/.git — plus Certificate Transparency to find every subdomain the moment it gets a cert.

04

Pastes, chat & the underground

Pastebin, Telegram, breach & stealer-log indexes, and dark-web listings — flagging when your org is named, even with no raw secret.

// Detection

What we catch

Validated offline — checksums, token decoding, expiry — so a finding is a real, live credential, not a false alarm. We never authenticate with it to check.

API keysOAuth & access tokens AWS / cloud credentialsStripe keys GitHub / npm tokensJWTs SSH / private keysDatabase URLs PasswordsSlack / SendGrid / Google keys Bitcoin & wallet keysCrypto seed phrases (BIP-39) Extended keys (xprv)
// The autopsy

Every leak gets a case file.

When we find one of your credentials in the wild, you get a full forensic record — what leaked, where, when, who's affected, and exactly how to shut it down.

Specimen — redactedCASE #CA-2287
ghp_4f2a……c1d9
GitHub personal access token · checksum verified · LIVE
Found onwayback · archived gist (deleted)
Time of leak2026-06-29 14:02 UTC
Attributed toacme.io — repo: acme/deploy
Livenesschecksum_pass (offline)
Stored plaintextnever — preview + hash only
ACTION: revoke token in GitHub settings, reissue, audit access log. Runbook attached.
// SAFE-01

We never use your secret

Liveness is checked offline only — checksums, decoding, expiry. We never authenticate with your credential, anywhere.

// SAFE-02

We never store plaintext

Redacted at the instant of detection to a preview + hash. There is no plaintext column in the database.

// SAFE-03

Owner-scoped & isolated

You only ever see what attributes to you. Row-level tenant isolation keeps every customer's exposure private.

// SAFE-04

Public-only, never transact

We observe public content and lawful indexes — never bypass auth, never buy stolen data. Enterprise-clean by design.

// Reach

Live and archived. The whole picture.

0

Pages in the crawl

The general web as a corpus — where per-platform scanners can't reach.

0

Archived pages

The web's memory — deleted-but-un-rotated secrets still live here.

0

Continuous watch

New certs, new pushes, new pastes — checked in near real time, not a one-off scan.

Exposure is the start of an incident

Know the moment
your credentials go public.

Point Credential Autopsy at your domain and we'll surface what's already leaked — then keep watch, continuously, so you're never the last to know.