Template created as part of Mary D’Angelo’s TI Essentials article: "Dark web monitoring: Common gaps and how to close them" | Published February 19, 2026 | feedly.com/ti-essentials/

| Document Title | Deep and Dark Web Collection Policy |
|---|---|
| Version | 1.0 |
| Classification | Internal / Confidential / etc. |
| Document Owner | Name, Title |
| Approved By | Name, Title |
| Effective Date | Date |
| Next Review Date | Date |
| Distribution | List of teams/roles with access |

This policy establishes the organizational requirements, controls, and responsibilities governing the collection of intelligence from Deep and Dark Web (DDW) sources. It exists to ensure that DDW collection activities are conducted safely, lawfully, and in alignment with the organization's risk management objectives.
This policy applies to all personnel authorized to access, collect from, or handle data originating from DDW sources on behalf of the organization.
This policy covers collection activities targeting any of the following source categories: underground forums and marketplaces, leak and extortion sites, paste sites and public data dumps, credential marketplaces and initial access broker listings, chat platform communities used for criminal coordination (including Telegram, Discord, and similar services), and any other online environment that is unindexed, access-restricted, or primarily used by threat actors.
This policy applies regardless of whether collection is conducted manually by analysts, through automated tooling, or via third-party vendor platforms.

| Term | Definition |
|---|---|
| Deep and Dark Web (DDW) | The ecosystem of unindexed forums, marketplaces, leak sites, credential dumps, and private communities where threat actors exchange stolen data, tools, and services. |
| Collection | The act of accessing, capturing, and preserving information from DDW sources for intelligence purposes. |
| Artifact | Any item captured during collection, including screenshots, text copies, metadata logs, file hashes, and session records. |
| Research Persona | A managed identity used for DDW access that is not attributable to the organization or to any individual's real identity. |
| Intelligence Requirement | A formally documented question or information need that drives collection activity. |
| TIP | Threat Intelligence Platform. The organization's designated system for storing, correlating, and analyzing threat intelligence data. |

4.1 DDW Collection Analysts
Personnel authorized to conduct DDW collection sessions. Responsible for following all operational security controls defined in this policy, collecting only against approved intelligence requirements, documenting all collection sessions per Section 8, handling and storing artifacts per Section 9, and reporting any operational security incidents immediately.
4.2 Threat Intelligence Team Lead
Responsible for approving intelligence requirements that justify DDW collection, maintaining the authorized analyst roster, reviewing collection session logs on a regular basis, coordinating with Legal and Compliance on policy questions, and owning the review and update cycle for this policy.
4.3 Information Security / GRC
Responsible for ensuring DDW collection activities align with the organization's risk management framework, reviewing this policy on the schedule defined in Section 13, advising on technical controls for environment isolation and data handling, and participating in incident review if an operational security failure occurs.
4.4 Legal and Compliance