
Watchers and Threats: How They Connect



In Selki, Watchers are the domains your organization chooses to monitor for exposed identities.

Every threat detected in Selki is tied to a watcher, which defines its origin, ownership, and scope.


Understanding the relationship between watchers and threats helps your security team manage risks at the domain level and prioritize remediation based on where exposures occur.



1. What Are Watchers?


Watchers represent the domains monitored by your organization.

For example:


  • corporate domains
  • subdomains
  • customer-facing service domains
  • brand or product domains


Whenever Selki finds an exposed identity matching one of these domains, a threat is created and associated with the corresponding watcher.



2. How Threats Are Attributed to Watchers


A threat is connected to a watcher when:


  • the exposed identity belongs to an email under that domain
  • the password or metadata indicates association with that domain
  • the exposure contains identifiers tied to that domain


Selki automatically performs this mapping, ensuring exposures are grouped and traced to the correct monitored asset.



3. Using Watchers to Investigate Threats


Watchers are displayed on the left-side filter panel of the Threats List.

Each watcher includes:


  • Domain name
  • Threat count (total exposures for that domain)


This allows you to:


  • narrow down threats to a specific domain
  • compare risk across domains
  • identify hotspots or compromised segments
  • assess the security posture of each monitored asset



4. Why Watcher-Based Filtering Matters


Watcher filters help answer key security questions:


Which domains have the highest number of threats?

Useful for identifying systemic risk or repeated compromise.


Are employee accounts or customer accounts being targeted more often?

Essential for understanding threat patterns.


Which domain should the team prioritize during triage?

Focus remediation efforts on high-risk or high-volume domains.


Do certain domains correlate with certain exposure types?

Example:

One domain may have more infostealer leaks, another more breach-based exposures.



5. Watchers and Severity Interactions


Combined with the Risk Level filter, watchers provide a powerful triage view:


  • Critical threats for a specific domain
  • High-risk exposures for internal domains
  • Medium/Low threats for customer-facing domains


This helps your team direct attention where it’s most needed.
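The domain attribution described in section 2, combined with the per-risk-level view from this section, as an added example that is not Selki's own code or API. The watcher list, the record fields (`email`, `risk`) and the rule that the most specific watcher wins are assumptions made for illustration.

```python
from collections import Counter

# Constructed watcher list and exposure records (assumptions, not Selki data).
WATCHERS = ["example.com", "shop.example.com", "brand.example"]
EXPOSURES = [
    {"email": "alice@example.com", "risk": "Critical"},
    {"email": "bob@mail.example.com", "risk": "High"},
    {"email": "carol@shop.example.com", "risk": "Medium"},
    {"email": "dave@notexample.com", "risk": "High"},
    {"email": "Erin@Brand.Example.", "risk": "Low"},
    {"email": "malformed-identity", "risk": "Low"},
]


def match_watcher(email, watchers=WATCHERS):
    """Return the most specific watcher domain covering this email, or None."""
    _, sep, domain = email.strip().rpartition("@")
    if not sep or not domain:
        return None
    domain = domain.lower().rstrip(".")
    best = None
    for watcher in watchers:
        w = watcher.lower().rstrip(".")
        # Match the exact domain or a subdomain on a label boundary, so that
        # notexample.com is never attributed to example.com.
        if domain == w or domain.endswith("." + w):
            if best is None or len(w) > len(best):
                best = w
    return best


def triage_view(exposures=EXPOSURES, watchers=WATCHERS):
    """Count exposures per (watcher, risk level); unmatched ones are skipped."""
    counts = Counter()
    for record in exposures:
        watcher = match_watcher(record["email"], watchers)
        if watcher is not None:
            counts[(watcher, record["risk"])] += 1
    return counts


if __name__ == "__main__":
    for (watcher, risk), n in sorted(triage_view().items()):
        print(f"{watcher:20} {risk:9} {n}")
```

Matching on a label boundary rather than a plain suffix keeps look-alike domains out of a watcher's threat count, which matters when the counts drive triage priority.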



6. Multi-Domain Environments


If your organization monitors multiple domains:


  • threats are grouped by the domain the identity belongs to
  • cross-domain exposures can be analyzed separately
  • trends may indicate which business units or regions are more affected


This is especially valuable for companies with multiple brands, services, or subsidiaries.



7. When to Use Watcher-Based Investigation


You should use watchers in the following scenarios:


  • Incident response: focus on the domain where the exposure happened
  • Audits: generate domain-specific risk reports
  • Prioritization: identify domains with repeated exposures
  • Monitoring: track improvement over time per domain
  • Comparisons: analyze which monitored assets show the most compromise



Summary


Watchers and threats are tightly linked in Selki.

Every threat is tied to a specific monitored domain, enabling accurate attribution, precise filtering, and domain-based risk analysis. Watchers help teams understand where exposures occur and how to prioritize remediation at scale.





Updated on: 01/12/2025
