Directed Actor Engagements are part of Flashpoint’s impact-based response services. Flashpoint is uniquely positioned to anonymously and securely engage with threat actors operating in illicit communities on a customer’s behalf.


What is a “Directed Actor Engagement”?

Flashpoint attempts to directly engage a threat actor operating in illicit communities to identify the possible source of the material or data at issue, validate the information, purchase or otherwise obtain the specific data, and arrange for any other communications with the actors on behalf of the customer.

What is included in this service?

  • Flashpoint will attempt threat actor engagement(s) to validate the authenticity of the information and arrange for other communications on behalf of the customer.

  • If possible, and upon direction by the customer, purchase or attempt to purchase either data, intellectual property, associated information, or otherwise engage a threat actor in directed transactions in support of the engagement.

  • Provide the customer with any data or other information gathered as a result of attempted engagements with the threat actor(s).

  • Flashpoint coordinates closely with the customer and provides regular updates during the engagement concerning the threat actor’s activities.

How do we engage Flashpoint for this service?

This service requires a fully executed Statement of Work to begin the engagement.

How long is the engagement?

Normally, 30 days.

If a customer elects to purchase the data or other information from the threat actor, how is this done?

Upon a customer’s written instructions, Flashpoint will attempt to further engage the threat actor and purchase the offered data or other information. In most instances, the threat actor will require payment via cryptocurrency. Flashpoint requires the customer to wire funds in advance of the purchase so that Flashpoint can acquire the necessary cryptocurrency and cover any associated cryptocurrency transaction costs.


What is the cost of this service?

The fee is contingent upon several factors such as the complexity of the engagement and the level of access necessary to engage in the illicit online community and with the threat actor at issue. The fee does not include the cost to purchase any data or other information from the threat actor.

Who manages the engagement?

Flashpoint’s Professional Services team manages the directed actor engagements. This team is composed of highly experienced professionals with 55+ years of combined security and intelligence experience in the U.S. government and the private sector.

I’ve engaged Flashpoint-- now what should I expect, how often will we be in contact, how fast will I get the information?

Upon completion of a fully executed Statement of Work, Flashpoint will provide all available intelligence gathered about the threat actor. Flashpoint will only engage the threat actor upon explicit directions from the customer. The frequency of contact with Flashpoint is often contingent upon the customer’s willingness to further engage the threat actor, including any attempt to purchase the data and the threat actor’s responsiveness to the engagement attempts. At a minimum, unless otherwise stipulated, Flashpoint will update the customer once a week.

Can Flashpoint provide me updates without the need to engage the threat actor?

If a customer elects not to engage the threat actor, Flashpoint will provide updates, at minimum once a week, concerning the threat actor’s activities as identified from Flashpoint datasets.

Prior to any signed agreement, will Flashpoint provide me details of the threat actor so I can further vet them?

Flashpoint is unable to provide additional details on threat actors without a contract in place. Our business develops unique accesses within illicit communities and sharing of these details can put our personas at risk (to the point of potentially being burned), which would not benefit our subscription customers. Flashpoint must weigh the risk to our core business if we lose insights into illicit activities within these communities.

How long will the threat actor continue to offer this information/network access?

Threat actors prioritize speed of monetization when offering information or network accesses for sale. While each scenario is unique, in our experience, a typical offering is sold within about 96 hours of the initial offer. Threat actors advertise on forums, marketplaces, and direct messages about their current illicit offerings.

Why won’t Flashpoint allow redlines to this contract agreement?

In certain non-time sensitive engagements, Flashpoint will allow additional review for complex engagements. For time-sensitive engagements that need to be completed within 96 hours, the additional time and costs of legal review typically result in the offered information/access being no longer available. Flashpoint will request no-redline engagements to give our customers the greatest chances for a successful outcome from an engagement.


For more information, contact the Flashpoint Professional Services team, [email protected]

Did this answer your question?