xonPlus Logo
Built for Security Platforms

Embed Breach Intelligence in Your Security Product

REST API and SDKs ready for production from day one — public pricing, one signed partner agreement.

Need a hand integrating?

Python & Node.js SDKsMonthly billing, no lock-in30-day money-back guarantee
$4.44M

Average cost of a data breach in 2025

Source: IBM/Ponemon Cost of a Data Breach Report, 2025

Your Customers Want Breach Exposure In Their Dashboard

  • Customers expect breach exposure alongside other risk signals in your dashboard
  • Sourcing breach data is legally complex
  • Maintaining a live 11.5B+ record index is a full-time engineering project

The Feature You Shouldn't Build

  • Build in-house: 3-6 months and a dedicated team
  • License from legacy vendors: $5K+/mo with annual lock-ins
  • Either way, customers keep asking why it isn't already there
  • Single API endpoint, 11.5B+ records indexed
  • Sub-15-minute breach ingestion
  • Plug it into your platform and surface the breach signals your customers expect to see

Built for Security Platforms & Product Teams

Production-ready breach intelligence, designed for embedding

Built for Multi-Tenant Scale

Manage hundreds of customer domains with tenant-level isolation. Each tenant gets independent alerting rules, watchlists, and reporting.

API-First With Full Specs

REST API with <100ms response, webhook delivery, and 99.99% uptime SLA. Official SDKs in 8 languages.

Live in Under 1 Hour

Skip the 2-year build. No infrastructure investment needed. Start delivering breach monitoring to clients today.

STIX 2.1 + JSON Feeds

Choose your delivery format. JSON for SIEM and data-lake ingestion, STIX 2.1 for direct TIP integration. Both fully documented.

Zero Query Persistence

Email and domain lookups are processed in memory. We never log or store the queries your platform sends our way.

Predictable Monthly Billing

Flat monthly rates with no per-request overages. Cancel anytime, no annual contracts, no surprise bills at month-end.

How Platforms Use xonThreatIntel+

Three ways security platforms surface breach intel to their customers

Embed in customer dashboards

Show clients which of their domains and accounts appear in breaches, alongside the other risk signals you already surface. Your UI, your branding, your context.

Enrich your scheduled reports

Add breach context to the recurring customer reports you already generate. No new pipeline to maintain, no breach index to keep fresh.

Inform analyst workflows

Give SOC analysts the full breach history for any domain or email. They decide remediation based on the client's incident-response runbook, not ours.

See the Data You're Working With

JSON for SIEMs, STIX for TIPs. Both formats fully documented.

Breach Intelligence JSON Feed

{
  "alert_id": "TI-2025-0472",
  "detected_at": "2025-04-02T14:23:47Z",
  "severity": "high",
  "source": {
    "name": "DarkMarket Forum",
    "category": "underground_forum"
  },
  "affected_assets": [
    {
      "type": "domain",
      "value": "example.com",
      "confidence": 0.92
    }
  ],
  "data_types_leaked": ["emails", "password_hashes"],
  "threat_actor": {
    "name": "RedSkull"
  }
}

Real-time JSON feeds for SIEM or data lake ingestion

Machine-Readable

Structured data formats for automated processing and integration

Standards-Compliant

STIX/TAXII compatible intelligence for direct TIP integration

Ship Breach Detection in Hours, Not Months

Sign the partner agreement and DPA once, then onboarding is self-serve: API credentials, production SDKs, and full docs — live the same day.

For Platform Teams

Embed breach data into your product via API

Get API Keys

Instant credentials & docs

5 minutes

Test Your Integration

Make live API calls from your dev environment. Same endpoints and response shape your customers will see.

30 minutes

Integrate & Ship

Add to your product with Python/Node.js SDKs. Solutions engineer available.

Typically 2–4 hours

What We Commit To

Coverage and SLAs you can build on

99.99%
API Uptime SLA

Independently monitored, measured monthly. Credit-backed on Ultimate and enterprise plans.

< 15 min
Breach-to-Alert Latency

From first detection to partner notification via API or webhook.

11.5B+
Breach Records Indexed

Continuously growing. New sources added weekly from dark web, paste sites, and forums.

763+
Data Breaches Indexed

Continuously growing index across dark web marketplaces, paste sites, Telegram channels, and underground forums.

STIX 2.1
Standards Compliance

Feeds available in JSON, CSV, and STIX 2.1 for direct TIP integration.

Uptime is independently monitored — see the live status page · full SLA terms

Built for Production

Rate limits, webhooks, audit logs, and the headers your team will ask for

Rate Limits & Headers

Standard 429 responses include retry-after headers. Per-key request analytics in the partner console so you can right-size your usage.

Key Scoping

Restrict API keys to specific IP ranges or environments. Rotate, scope, or revoke keys from your partner console without ticketing.

Webhook Delivery

Real-time breach alerts pushed to your endpoint as JSON. Available on Growth and Ultimate plans, configurable per client.

Structured Errors

Consistent JSON error schema with status and message fields, mapped to standard HTTP codes. Predictable handling across every endpoint.

Per-Key Audit Logs

Every API request is logged with timestamp, key, and response status. Rotate, scope, or revoke keys without ticketing.

Full API Reference

Endpoint-by-endpoint docs with request and response examples at console.xposedornot.com/docs/api.

Integrates With Your Stack

Connect in minutes, not days

IAM & Identity

Auth0, Okta, Azure AD, Ping

TIPs

MISP, ThreatConnect, Anomali

Your App

REST API, Webhooks, STIX 2.1

Data Platforms

S3, BigQuery, Snowflake

Side by Side With Legacy Vendors

Where xonThreatIntel+ wins and where legacy slows you down

Feature
xonThreatIntel+
Legacy Vendors
Breach records indexed
11.5B+
Varies (often undisclosed)
Starting price
$99/mo
Typically $5K+/mo with annual commitments
No long-term contracts
Annual commitments typical
Breach-to-alert latency
< 15 minutes
Hours to days
Public pricing, same-day onboarding
Opaque, sales-gated
STIX 2.1 + JSON feeds
Often proprietary only
Official SDKs in 8 languages
Varies
Volume discounts (50+ domains)
Custom quotes only

Enterprise-grade breach data at a fraction of legacy threat-intel pricing, starting at $99/mo. One 30-minute call to sign the partner agreement and DPA — most partners onboard the same day.

What customers are saying

Verified reviews from G2

4.9on G2
S

Sundar Kumar

IT and Product Head, Corent Technology

"Xposedornot is a useful tool for data breach alerting system. Every organization requires this tool to receive timely alerts of their exposed breaches. Its user-friendly design and seamless integration make it a valuable asset for proactive data security."

M

Miguel Mendes

IT Security Lead, Bluecom

"Indispensable to monitor the exposure of your personal data. What I like most about ExposedOrNot is its real-time dashboard alerts, as well as integration with Slack and Teams, are very practical features to be informed immediately in the event of a compromise."

B

Bertold Kolics

VP Engineering, Verosint

"I have been working with XposedOrNot from the early days. My experience could not have been better. The service scales well, performs well under high load and it has a large set of breach data dating back to several years."

S

Senthil K

Information Security Officer, Invicara

"I love how XposedOrNot makes protecting our data so simple and effective from ATO. The alerts are timely, and the CXO dashboard gives a clear picture of breach trends and risks. It's more than just a tool, it's like having a personal assistant for your security."

What You Get on Day 1

Same kit on every plan

Production API key

Live access to v3 endpoints with per-key analytics and audit logs.

Partner console

Web dashboard for key management, usage analytics, and rate-limit headroom.

SDKs & docs

Official SDKs in 8 languages on the major package registries. Full reference at console.xposedornot.com/docs/api.

Concierge onboarding

30-min call with our partner team to walk through credentials, your stack, and first integration.

Plans That Scale With Your Client Base

Start with 10 domains at $99/mo. Add more as you grow. Volume discounts at 50+

Basic

$99 /mo
$99 billed every month
Up to 10 domains monitored continuously
Breach alerts within 15 minutes (email)
API + CSV access
CXO dashboards
Email support (next-business-day response)
99.99% uptime SLA
30-day money-back guarantee
POPULAR

Growth

$243 /mo
$243 billed every month
Up to 25 domains monitored continuously
Breach alerts within 15 minutes + webhooks
API, JSON, STIX feeds
CXO dashboards, deep dive analysis
Priority Slack + email support (same-business-day response)
99.99% uptime SLA
30-day money-back guarantee

Ultimate

$447 /mo
$447 billed every month
Up to 50 domains monitored continuously
Breach alerts within 15 minutes + webhooks
Priority support — first response within 4 business hours
99.99% uptime SLA with credits
CXO dashboards, deep dive analysis
Threat intel advisory sessions
Custom integration support
30-day money-back guarantee
30-day money-back guarantee, no questions asked

Custom enterprise agreements available. Contact us for a tailored quote

For comparison: SpyCloud's MSSP program starts at $10,000/mo. White-label and multi-tenant access are included in every xonPlus tier.

Frequently Asked Questions

Everything about integration, pricing, and going live

Partner plans aren't card checkout. Pricing is public and fixed — what you see is what you pay. Purchase happens on a 30-minute call where both sides sign the partner agreement, terms of service, and DPA. After signature, onboarding is fully self-serve: API keys, dashboard access, and client onboarding the same day.

You have two options: (1) Use our ready-made xonPlus dashboards to monitor all your clients in one place, or (2) Integrate via API to build custom dashboards in your own platform. Both give you full multi-client visibility and reporting.

We index only breaches that are already publicly available, verified against acknowledgment by the affected organization or credible reporting. We never store plaintext passwords, payment data, or identity documents, and query responses return exposure facts rather than raw records — which is what keeps reselling alerts and reports to your clients clean. Full detail at plus.xposedornot.com/our-data.

Our platform detects and processes new breaches within 15 minutes of first appearance. Intelligence is enriched, verified, and distributed to partners, typically hours to days faster than legacy threat-intel feeds.

Yes! Run a free domain exposure check at plus.xposedornot.com/exposure-check to see real breach data for any domain, no signup required. This lets you evaluate data coverage and quality with your own data before committing to a plan.

Absolutely. No long-term contracts required. All plans are month-to-month, and you can cancel anytime from your dashboard without any cancellation fees.

Most partners are up and running within 1 hour. Our onboarding includes API setup, dashboard training, and first client migration support. You can typically have your first clients monitored by the end of the day.

No. The API returns raw breach data, and your platform's UI is the source of truth your customers see. We don't add visible attribution or require any badging. Your customers see your product, your brand, and your context around the data.

Reselling breach monitoring to your clients instead? See xonThreatIntel+ for MSSPs →

Ship Breach Monitoring in Hours, Not Months

Build breach detection into your product with our API. Official SDKs in 8 languages. 30-day money-back guarantee.