Trusted by enterprise security teams
PwC Trustwave Teachers Mutual Bank Swire Shipping Defense.com

Install in Three Commands

Inside Claude Code, run these three commands:

/plugin marketplace add https://github.com/breachsense/breachsense-plugins
/plugin install breachsense@breachsense
/reload-plugins

Pick “Install for you (user scope)” when prompted so the skill is available across every project on your machine.

Run /skills to confirm. You should see breachsense:query listed as on. The skill is open source. The data behind it requires a Breachsense license key, which you set with one environment variable (covered below).

Most investigators use the plugin for quick checks mid-incident. Ask “Has alex@example.com shown up in any stealer log this quarter?” or “Find anyone with a leaked AWS key tied to our org.” Claude routes the question, returns the relevant rows, and flags what’s worth acting on first. No curl flags or endpoint paths to remember.

The plugin shines in fast triage. The REST API is still the right path for continuous monitoring, watchlist management at scale, and SIEM/SOAR integrations. The plugin is for the ad-hoc question you’d otherwise lose ten minutes to.

api.breachsense.com GET /stealer
$curl -H "lic: $BS_LIC" \
    "https://api.breachsense.com/stealer?s=example.com"
HTTP/1.1 206 Partial Content  ·  4.2s  ·  application/json
{
  "results": [
    { "usr": "k.becker@example.com", "pwd": "V••••••12", "mal": "Lumma", "src": "confluence.example.com", "fnd": "20260609" },
    { "usr": "t.nilsson@example.com", "pwd": "U••••••91", "mal": "RisePro", "ccn": "5188••••••••2470", "fnd": "20260605" },
    { "usr": "legal@example.com", "pwd": "C••••••53", "mal": "Atomic", "src": "salesforce.example.com", "fnd": "20260601" },
    { "usr": "m.ahmadi@example.com", "pwd": "G••••••48", "mal": "RedLine", "cwa": "0xBe3a17…cD8f49A", "fnd": "20260528" },
    { "usr": "ops@example.com", "pwd": "F••••••76", "mal": "MetaStealer", "ccn": "4716••••••••5103", "fnd": "20260524" },
    { "usr": "n.silva@example.com", "pwd": "B••••••29", "mal": "Vidar", "src": "gitlab.example.com", "fnd": "20260520" },
    { "usr": "finance@example.com", "pwd": "Y••••••84", "mal": "Lumma", "src": "sso.example.com", "fnd": "20260515" },
    { "usr": "l.weber@example.com", "pwd": "N••••••62", "mal": "StealC", "cwa": "0x9aB42c…6f81E2A", "fnd": "20260512" },
    { "usr": "a.osei@example.com", "pwd": "P••••••38", "mal": "RedLine", "src": "jenkins.example.com", "fnd": "20260507" },
    { "usr": "hr@example.com", "pwd": "R••••••15", "mal": "Raccoon", "ccn": "5247••••••••8842", "fnd": "20260503" },
    { "usr": "d.chen@example.com", "pwd": "K••••••07", "mal": "Vidar", "src": "vpn.example.com", "fnd": "20260429" }
  ],
  "more": "850 more records · paginate via p=2"
}

Why Query Breach Data from Claude Code?

Stay in Your Terminal

You’re already in your shell when something prompts a check. A subdomain gets flagged or an offboarded contractor has cookies you want to chase. The plugin keeps the investigation in one place.

Interpreted Answers, Not Raw JSON

Claude reads the API response for you. Plaintext passwords float to the top, leaked session tokens get flagged because they bypass MFA, and leaked secrets get tagged by platform.

Ten Endpoints, No Memorization

You don’t need to remember whether session cookies live under /sessions or /stealer. Ask the question in the same words you’d use writing a ticket. Claude routes it.

See a Real Query

Here’s a stealer log query on a real customer domain. Email and password are sanitized; the SSO context is what it actually returned.

> Any stealer hits on tesla.com from the last 90 days?

Found 1 fresh hit on tesla.com:

  [employee]@tesla.com    [redacted]
  Source:    RedLine stealer log
  Captured:  2026-04-28
  Device:    Windows 10, Chrome 124
  Used to sign into:
    - login.microsoftonline.com  (Tesla M365 tenant: tesla.onmicrosoft.com)
    - vpn.tesla.com
    - workday.tesla.com

The Microsoft 365 entry is the riskiest. Same credential gives
SSO across the Tesla M365 tenant covering email and SharePoint.

Worth checking next:
  - /sessions for live cookies tied to this email
  - The full RedLine log to see what else this device leaked

Want me to run the session check?

One question, one interpreted answer, a follow-up Claude offers because it makes sense given the hit.

What You Can Ask

These all work the way you’d write them in Slack:

  • “Show me stealer logs for example.com from the last 30 days.”
  • “Any leaked session tokens for our domain in the last week?”
  • “What’s on ransomware leak sites for example.com or its subsidiaries?”
  • “Find leaked AWS keys associated with example.com.”
  • “Search leaked documents for any mention of Project Falcon.”
  • “Show me phishing domains that could impersonate example.com.”
  • “Any combo-list hits on the admin@ accounts at example.com?”
  • “Add example.com to my watchlist and send alerts to security@example.com.”

Claude routes to the right endpoint. You don’t need to know which one.

Endpoint Coverage

All 10 Breachsense endpoints are loaded as part of the skill.

EndpointWhat it covers
/stealerInfostealer credentials from RedLine, Lumma, StealC, and similar families
/comboCombo lists circulating on hacker forums
/credsThird-party breach credentials and unsecured database dumps
/sessionsSession cookies and auth tokens that bypass MFA
/nhiNon-human identities: API keys, OAuth tokens, service credentials
/darkwebRansomware leak site victim listings
/radarHacker forums and underground marketplaces where credentials get sold
/docsFull-text search across leaked ransomware files, third-party breaches, and unsecured DB dumps
/asmAttack surface: subdomains, exposed services, phishing domains
/accountWatchlist setup, webhook alerts, test alerts, license rotation

Same coverage as the Breachsense API. The plugin is a different way to call it, not a subset. If you’d rather call the API directly from scripts or your SIEM, the API workflows page has integration patterns.

License Key Setup

The plugin checks two places, in order. Pick whichever fits your setup.

Option 1: Environment variable. Recommended.

echo 'export BREACHSENSE_API_KEY=your-license-key-here' >> ~/.zshrc
source ~/.zshrc

Restart your Claude Code session after setting it. Claude Code reads the environment at startup, so a running session won’t pick up the new value.

Option 2: Memory file. Use this if you’d rather not touch your shell config.

mkdir -p ~/.claude/breachsense
echo 'your-license-key-here' > ~/.claude/breachsense/license.md
chmod 600 ~/.claude/breachsense/license.md

The file mode keeps the key readable only by you.

If neither is set, the skill loads but every query returns an auth error. Set the key once and you’re done.

Set Your License Key Once

Export your key as an environment variable, restart Claude Code, and you’re done. Queries will return data on your next prompt.

Get Your Key

Export the Env Var

Restart Claude Code

Start Asking

Book a demo

Frequently Asked Questions

Yes. The plugin is open source, but every query hits the Breachsense API, which is license-gated. You set your key with the BREACHSENSE_API_KEY environment variable or a memory file. If you don’t have a license yet, book a demo and we’ll get you a trial key.
Yes. The plugin follows the standard Claude plugin spec, so it loads anywhere that supports Claude plugins. Install is identical: /plugin marketplace add, then /plugin install breachsense@breachsense.
It can, but it asks before doing anything destructive. Watchlist edits and license rotations route through the /account endpoint and Claude confirms with you first. Read-only queries against stealer logs and the other endpoints don’t need confirmation.
Queries go to the Breachsense API over HTTPS, the same backend direct API callers use. Claude reads the response inside your session and never sees your license key in plaintext beyond the environment variable lookup.
Yes. The plugin code lives at github.com/breachsense/breachsense-plugins. The data behind it (stealer logs, session tokens, leaked files from ransomware attacks, hacker forum access) is what the license covers.
You don’t have to remember endpoint names, query parameters, or response schemas. Ask the question and Claude routes it. You also get an interpreted summary instead of raw JSON. Plaintext passwords and leaked session tokens get pulled to the top. Raw JSON is still one ask away when you want it.
Yes. Pentesters and red teams use the plugin to pull plaintext credentials and leaked session tokens for in-scope targets. The penetration testing tools page covers the underlying data and how assessors use it.

Related Resources for Terminal-First Security Workflows

Dark Web API

The REST API the plugin wraps. Same endpoints, called over HTTPS with curl, scripts, or your SIEM.

Learn More

API Workflows and Use Cases

Endpoint-by-endpoint patterns for credential monitoring, session token detection, and vendor breach investigation.

Learn More

Penetration Testing Tools

How red teams use Breachsense data for initial access. Plaintext passwords and leaked session tokens for in-scope targets.

Learn More

Stealer Logs Explained

What infostealer malware actually captures from infected devices. The data behind the /stealer endpoint.

Learn More

Infostealer Channels

Where stealer logs get sold and traded. Background on the source ecosystem the /radar endpoint monitors.

Learn More

Ransomware Gangs

Tracked leak sites and extortion groups behind the /darkweb endpoint. Lookups for vendor breach early warning.

Learn More

Attack Surface Management

Subdomain discovery, exposed services, and phishing domain monitoring. The capability behind the /asm endpoint.

Learn More

Documentation

Full reference for every endpoint: authentication, parameters, response schemas. For when you want to bypass Claude and call the API directly.

Learn More

Want to Try It? Book a Demo and We’ll Send You a Trial Key

Book a demo