Choosing the Right Deployment
For SpyCloud Investigations
SpyCloud Investigations helps security and fraud teams uncover identity-based risks using rich, recaptured data from the criminal underground. Whether you’re responding to alerts, investigating threats, or enriching internal data, there’s a deployment method that fits your needs.
This guide will help you choose the right way to access SpyCloud Investigations — from quick, manual research to automated, large-scale integrations.
Investigations Offerings
- Investigations Module
  - Available in Pro, Core, and Lite editions depending on features and functionality that align to your outcomes.
- Investigations API
- IDLink API
Overview of Each Offering
| Offering | Access Type | Query Style | Ideal For | 
|---|---|---|---|
| Investigations Module | SaaS-based console | Manual via UI | Analysts and quick lookups | 
| Investigations API | REST-based API | Query-based (JSON) | Automated SIEM/SOAR enrichment | 
| IDLink API | JSON Graph-spec API | Correlation queries | High-volume identity risk correlation | 
🎯 Use Case Match-Up
| Use Case | Recommended Option | 
|---|---|
| Manually investigate an identity | Investigations Module | 
| Enrich SIEM/SOAR alerts automatically | Investigations API | 
| Investigate exposure from malware-infected devices | Investigations Module | 
| Correlate personal and corporate identities | IDLink API | 
| Review vendor/contractor/employee exposure | IDLink API or Investigations Module | 
| Upload a list of identities for quick review | Investigations Module | 
👥 Who's Using What?
| Team | Best Fit Deployment | 
|---|---|
| SOC / IR | Investigations Module or Investigations API | 
| Threat Intelligence | Investigations API or IDLink API | 
| Security Engineering | Investigations API | 
| Fraud / Risk | IDLink API | 
| MSSPs | Investigations Module (analysts) + API (integrations) | 
📊 Volume-Based Guidance
| Investigation Volume | Recommended Option | 
|---|---|
| Low (manual, <100 queries/week) | Investigations Module | 
| Medium (~10K queries/week) | Investigations API | 
| High (10K+ lookups, correlations) | Investigations API or IDLink API | 
🔌 Integration Style
| How You Want to Use It | Best Option | 
|---|---|
| No integration — just need quick results | Investigations Module | 
| Feed exposure data into your SIEM (e.g. Splunk) | Investigations API | 
| Automate response in SOAR | Investigations API | 
| Score risk for employees/vendors/customers | IDLink API | 
| Enrich identities from a CSV — no coding | Investigations Module | 
💬 Need Other Options?
- Analyst Credits – Request expert support for targeted investigations
- Training Classes – Instructor-led courses for operationalizing SpyCloud data
🙋 Need Help Choosing?
Not sure which deployment is right for your team?
We’re here to help.
Contact your SpyCloud representative to walk through your:
- Use cases
- Data volume
- Integration preferences
- Team structure
and find the best fit for your organization.