Template created as part of Mary D’Angelo’s TI Essentials article: "Dark web monitoring: Common gaps and how to close them" | Published February 19, 2026 | feedly.com/ti-essentials/
| Document Title | DDW Collection Standard Operating Procedure |
|---|---|
| Version | 1.0 |
| Classification | Internal / Confidential / etc. |
| Document Owner | Name, Title |
| Approved By | Name, Title |
| Effective Date | Date |
| Next Review Date | Date |
| Distribution | List of teams/roles with access |
This SOP defines the step-by-step procedures for collecting intelligence from Deep and Dark Web (DDW) sources. It covers everything from pre-session preparation through artifact handoff to other analysts or investigators, and is intended to be followed during each collection session.
This SOP applies to all personnel authorized to conduct DDW collection on behalf of the organization. It covers manual collection, tool-assisted collection, and hybrid approaches across all DDW source types including underground forums, marketplaces, leak sites, paste sites, credential marketplaces, and chat platform communities.
This SOP operates under the authority of the organization's DDW Collection Policy. Where the policy defines requirements and assigns accountability, this SOP defines how those requirements are met in practice.
2.1 Collection Analyst
The person executing the collection session. Responsible for following each procedure in this SOP, documenting the session, and handling artifacts according to the standards defined here. Must be on the authorized analyst roster before conducting any collection.
2.2 Threat Intelligence Team Lead
Approves intelligence requirements that justify collection sessions. Reviews session logs. Owns the authorized analyst roster and this SOP's review cycle.
2.3 Legal and Compliance
Advises on jurisdictional and regulatory constraints. Reviews the interaction policy. Provides guidance when collected material raises legal questions. See Section 10 for legal considerations.
3.1 Only analysts listed on the current authorized roster may conduct DDW collection.
3.2 All authorized analysts must have completed the required training before collecting independently.
3.3 Authorization may be revoked at any time by the TI Team Lead or Information Security leadership.
| Control | Configuration |
|---|---|
| Training requirement | Specify required training or certification |
| Roster location | Where the authorized analyst roster is maintained |
| Roster review frequency | e.g., quarterly |