User guide

Welcome to OwlyScan. This guide explains how the site works: semantic search over all reports, filters, stars, topics, and how TLP clearance controls what you see.

Clearance is always scoped to sectors (Aerospace, Energy, Defence, etc.). What you see in one feed does not carry over to another.

Your access

Your current clearance

Base tier TLP:CLEAR — anonymous visitor

Sign in to see your account tier and any sector-specific grants.

What is OwlyScan

Daily supply-chain intelligence from the dark web

OwlyScan is a living briefing feed of real data, filtered to the sensitive economic sectors that matter (Aerospace, Defence, Energy, Maritime, Logistics, Pharma...). From the millions of raw results our platform crawls across ransomware leaks, darknet forums, paste sites and data dumps, AI interprets, classifies and summarises the signal into short narrative micro-reports with 1–3 supporting facts each, tagged by sector and region. What you see is the result of those interpretations — far from an exhaustive index of the underground. For open-ended search across the full corpus, see OwlyScan for Investigation.

The goal: give risk, security and supply-chain teams an early, scannable view of what the underground is saying about companies and the ecosystems they depend on — without drowning in raw IOCs or 50-page reports.

Browsing all reports

Search, filter, and read at your clearance

Go to All reports (or use the search bar on the homepage). Type any company name, supplier, or topic — the search is semantic (vector similarity via bge-small embeddings), so you do not need the exact keywords that appeared in a leak.

Then narrow with the filters:

  • Sector and Region pills (multiple selectable)
  • TLP level (show only CLEAR / GREEN / AMBER / RED items)
  • Date presets (24h, 7d, 30d, 90d, all)
  • "Hide withheld" — hides anything above your current clearance
  • Starred — your personal bookmarks (requires sign-in)

Click any result to open the full report: the synthesized narrative at the top, followed by the individual fact cards. Fact cards can carry a stricter TLP than their parent report.

Use stars (bookmark icon) to save items for later; they appear under the "starred" filter and on your account page.

Why TLP

Why OwlyScan uses TLP

The Traffic Light Protocol was developed by FIRST (Forum of Incident Response and Security Teams), originating in 1999 and standardised as TLP v2.0 in January 2023. It is the accepted vocabulary for controlling how sensitive intelligence may flow between organisations — used by CISA, ISACs, and major cybersecurity communities worldwide.

OwlyScan adopts TLP so that partners, GICAT members, and enterprise clients can all work from the same shared understanding. When a report is marked TLP:AMBER, every party in the chain knows exactly who may see it and under what conditions — no ambiguity, no bespoke NDAs required at the item level.

The TLP model

The four TLP levels

TLP:CLEAR No restrictions. May be shared freely.

TLP:CLEAR covers information with no distribution limits beyond applicable laws and copyrights. On OwlyScan, CLEAR reports display full titles, narratives, and fact summaries to every visitor — anonymous or authenticated.

TLP:GREEN Community — no public redistribution.

TLP:GREEN items may be shared within a trusted community (peers, partners, GICAT members) but not posted publicly. On OwlyScan, GREEN facts are redacted for free accounts and withheld for visitors; GREEN clearance reads them in full. You should not re-publish GREEN content on open channels.

TLP:AMBER Organisation & clients — need-to-know.

TLP:AMBER items contain sensitive details such as company names, financial figures, or operational data. Without AMBER clearance on the relevant sector, you see a redacted summary: strategic insight preserved, but identifying information removed. With AMBER clearance, the full content is displayed.

TLP:RED Named recipients only.

TLP:RED items carry the highest sensitivity — PII, precise financial data, technical drawings, or named-individual information. Without RED clearance, RED fact cards are withheld entirely: you see a locked placeholder with no text. Only subscribers with verified RED access can view them.

Content model

Report TLP vs fact TLP

Every report carries its own TLP, which governs the title and the narrative overview. But each discovered fact underneath it has its own independent TLP — often stricter than the parent report. A single GREEN report can contain AMBER or RED facts.

TLP:GREEN Report — "Energy supplier ransomware leak"

Title and overview visible to all visitors.

TLP:CLEAR Fact — "Attack vector: phishing email"

Visible to everyone.

TLP:AMBER Fact — "€12M ransom demand from [company]"

Redacted (company name and figure removed) unless your clearance on this sector is AMBER or higher.

TLP:RED Fact — "Named individual: [director name]"

Withheld entirely unless your clearance on this sector is RED.

Access restrictions

Readable, redacted, withheld

  • Readable — full text
  • Redacted — names & figures masked
  • Withheld — locked until clearance

Every fact you encounter is in one of three states:

Readable

Your clearance covers the fact's TLP — full text.

TLP:GREEN Redacted

When your clearance falls below a GREEN fact's TLP, you see a redacted summary: the strategic insight is preserved, but identifying details (company names, precise figures, part numbers, personal data) are masked.

TLP:AMBER TLP:RED Withheld

When your clearance falls below an AMBER or RED fact's TLP, the fact card is locked entirely — no summary, no redacted text, just a placeholder indicating that content exists but requires elevated access. AMBER and RED content is never partially revealed to unauthorised sessions.

All enforcement is server-side. Unredacted content is never transmitted to a browser unless the session carries a matching clearance level.

Access tiers

How clearance is assigned

Every visitor starts with a base tier — CLEAR for anonymous and most registered accounts, GREEN for vetted community members. On top of that, accounts can hold per-sector grants at GREEN, AMBER, or RED.

Your effective clearance for any given report is the highest of your base tier and whatever grant you hold on that sector. An AMBER grant on Aerospace does not affect what you see in the Energy or Defence feeds.

You get the clearances you need by choosing the right subscription plan. Verified subscribers automatically receive AMBER or RED grants on the sectors covered by their plan.

Visitor type Base tier Sector grants
Anonymous CLEAR None
Registered user CLEAR Optional — granted per sector
Community member GREEN Optional — granted per sector
Verified subscriber GREEN AMBER or RED on subscribed sectors

Grants are scoped to specific sectors and activated for subscribers according to their plan.

Built on FIRST.org TLP v2.0. Formal TLP definitions are maintained by FIRST and apply worldwide. The sector-scoped clearance model is specific to OwlyScan.