Dark city scene with a hooded figure running ahead of shadowed figures.

Dark Web Intelligence

Void Runner

Active collection and correlation across hidden services turns dark web observations into connected investigation context.

>200MDark web resource records created
>41MDark web users discovered
>150kChats, forums, and market records created
165kSuspected dark-web-enabled C2 historical records

Void Runner preserves Dendrite's original emphasis on dark web services, users, communication hubs, hidden infrastructure, and historical records that remain useful after a service disappears.

>200M dark web resource records created

Shows Void Runner's collection depth across hidden services, markets, forums, communication hubs, and historical dark web infrastructure.

>41M dark web users discovered

Validates the system's ability to extract, normalize, and correlate user identifiers across dark web services and communication contexts.

165k suspected dark-web-enabled C2 historical records

Connects dark web observations to adversary infrastructure, preserving historical C2 context even after services move or disappear.

What it is

Dark Web Intelligence

Dendrite's dark web intelligence engine maps resources and users across hidden services and correlates them to broader infrastructure context.

Data coverage

What data it covers

Workflow

How it works

  1. Collect hidden service records
  2. Extract entities and metadata
  3. Enrich with proprietary and third-party context
  4. Correlate users, services, infrastructure, and credentials

Analyst use

How teams use it

Audience

Built for Void Runner users.

Dark web intelligence for mapping hidden services, users, infrastructure, and historical records.

Cyber threat intelligence teams

Use dark web records, user context, and infrastructure links to identify emerging threats before they appear in finished reporting.

Threat hunters

Pivot from hidden services, usernames, communication hubs, and infrastructure artifacts into connected leads for active investigations.

Security researchers

Study dark web services, historical records, and cross-service patterns with normalized context that supports deeper technical analysis.

Government and law enforcement analysts

Connect services, users, communication venues, and historical records to support long-running investigations and partner-ready intelligence.

Features

What the capability supports.

Hidden service discovery and characterization

Identify hidden services and preserve the metadata needed to understand what they are, how they behave, and how they change over time.

Cross-service user continuity

Connect usernames, handles, aliases, and behavioral signals across services so analysts can follow activity beyond a single dark web property.

Private communication hub mapping

Map forums, chats, markets, and other communication spaces where users, services, and infrastructure relationships emerge.

Historical dark web record retention

Preserve records from services that move, disappear, or change structure so past observations remain available for future investigations.

Use cases

Operational paths for Void Runner.

Pivot from hidden services to surface infrastructure

Move from an onion service or dark web artifact into related domains, IPs, certificates, services, and other infrastructure context.

Trace user and communication hub relationships

Follow users, aliases, venues, and interaction patterns across dark web communities to build a clearer view of actor activity.

Investigate services that have moved or disappeared

Use retained historical records to keep investigations moving after a hidden service changes location, goes offline, or removes content.

Data flow

Dark web collection to cross-domain correlation

Void Runner turns hidden services, users, hubs, and historical records into connected investigation pivots.

Void Runner turns hidden services, users, hubs, and historical records into connected investigation pivots.

Input

Source data

  • Dark web services
  • Dark web users
  • Dark web-based infrastructure
  • Private communication hubs

Processing

Correlation path

  • Collect
  • Extract
  • Enrich
  • Correlate
  • Investigate

Output

Analyst workflow

  • Pivot from hidden services to surface infrastructure
  • Trace user and communication hub relationships
  • Investigate services that have moved or disappeared

Delivery

Available where the workflow needs it.

Delivery options for Void Runner: API, CLI, Unified Web Platform, Dataset export.

API

API

  • Query dark web records and entity context programmatically
  • Enrich internal tools with hidden service and user pivots
  • Automate correlation workflows across Dendrite sources

CLI

CLI

  • Run focused searches from analyst workstations
  • Pull records into repeatable investigation workflows
  • Support rapid pivots without opening a full platform session

Platform

Unified Web Platform

  • Explore hidden service relationships in graph workflows
  • Save investigation context, notes, and pivots
  • Coordinate findings across analysts and teams

Dataset export

Dataset export

  • Receive scoped dark web datasets for offline analysis
  • Support model training, enrichment, and bulk correlation
  • Preserve historical records inside customer-controlled environments

Related

Connected capabilities

Operationalize

Put Void Runner into the workflow.

Talk with Dendrite about access, delivery options, and the right starting point for your team.