While conducting advanced cyber investigations, security professionals struggle to identify malicious threat actors, prioritize security vulnerabilities, and detect insider threats. Therefore, illicit online communities remain a key source for invaluable data and intelligence pertaining to a wide range of cyber and physical threats, fraudulent activities, and malicious actors.

Maltego allows for data collection and link analysis in assisting various intelligence missions, especially cyber threat intelligence (CTI), in order to visualize, pivot and transform between various data types or entities discovered on the open web. Maltego allows third parties to develop custom entities, transforms, and machines (collections of transforms), and offer them to the community or host them independently.

The Flashpoint & Maltego Advantage

Flashpoint transforms provide Maltego users the ability to search within illicit online communities for data pertaining to their intelligence missions, allowing for insight, attribution, and support for cyber threat investigations. Flashpoint supports the identification of connections, bridging the intelligence gap, and discovering previously

unknown threats.

Use Cases


Flashpoint combines extensive knowledge of malicious insiders’ tactics, techniques, and procedures (TTPs) with targeted monitoring of illicit online communities to help organizations proactively detect and mitigate a broad spectrum of insider threats, some of which include intellectual property theft and insider recruitment. Leveraging Maltego transforms against Flashpoint's technical data enables investigators to identify potential insider threats within the organization or supply chain.


Access to Flashpoint’s datasets enables users to perform more detailed investigations, including uncovering relationships with other threat observables and identifying actors and intentions. This capability reduces the time for investigators to visualize relationships and obtain actionable intelligence.


Flashpoint data can identify the development of unreleased malware with observables indicating the actor producing the malware, and where and how development was taking place. Analysts are better prepared to combat malicious campaigns before they are widely deployed by understanding how the malware was being developed and by whom.

Integrated Flashpoint Datasets


Technical Indicators: Enables users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets and those included in Finished Intelligence Reports, allowing for seamless integration into users’ workflows and automated tools.

Risk Intelligence Observables (RIOs): Flashpoint leverages its unique access to underground communities to collect and deliver a near real-time stream of cyber observables that can identify illicit activity from inside forums and file-sharing communities focused on cybercrime, hacking, fraud, and extremism/terrorism. These high-fidelity observables include IP address, location (city / country), hosting provider, timestamp, and user-agent string.


Finished Intelligence: Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.


Marketplaces: Access to top-tier marketplaces, where threat actors buy and sell items such as stolen credentials and personally identifiable information (PII).


Forums: Access to signal-rich discussions from illicit threat actor communities. Supplement internal data with targeted data from highly curated sources.

Chat Services: Access to around-the-clock conversations within threat-actor channels to monitor and gain insights across threat-actor communities.

Paste Sites: Enables access to openly shared research, data leaks, and other plain-text files frequently used by both anonymous sources and threat actors to share malicious activity, providing a broader view into open web data.

Blogs: Provides a broader view into open web data by providing online sources of news and information related to threat actors and collectives, allowing users to monitor activity in malicious communities more comprehensively, as well as risks impacting the organization or brand.

4chan & 8chan: Provides access to the anonymous 4chan and 8chan message boards, enabling users to monitor malicious content and discussions ranging from hacktivism to physical threats.

Social News Aggregation & Discussion Sites: Collections from social news aggregation and discussion websites leveraged by both open and deep & dark web communities where illicit actors discuss malicious activity, including malware developments, cyber threats, and physical threats.

Key Features

Leveraging Flashpoint’s collections capabilities provides users with visibility into illicit online communities in order to correlate information related to their infrastructure (e.g insider threats, external threat campaigns, etc), therefore, gaining insights in a timely manner and leveraging connections to prioritize their response.

    Flashpoint transforms are delivered with a set of custom entities related to Flashpoint data. Flashpoint transforms have built-in Maltego entity types, enabling users to pivot using other transform sets.

    Flashpoint and Malformity Labs provide a transform pack leveraging Flashpoint’s API. Flashpoint offers over 100 transforms, allowing users to query against all Flashpoint’s datasets.

For more information on Flashpoint’s Maltego transforms, contact: [email protected]

Did this answer your question?