🔐 Ping Identity

Find the right integration to enhance your identity security

SpyCloud integrates with Ping Identity to embed recaptured criminal underground identity intelligence directly into your authentication flows. At every identity event, across login, account creation, and password reset, SpyCloud checks the credential inputs against our continuously refreshed database of stolen identity data and triggers automated, configurable remediation when a match is found.

⭐ Overview

Ping Identity runs the authentication journeys for your workforce and consumers. SpyCloud gives those journeys the darknet intelligence to stop compromised identities before access is granted.

SpyCloud recaptures stolen credentials, session cookies, and PII directly from criminal communities, sourced from breaches, infostealer malware logs, combolists, and phishing kits, weeks to months before this data surfaces publicly. By embedding this intelligence natively into Ping Identity flows, organizations can automatically act on real-world exposures at the moment that matters most: authentication.

SpyCloud offers two purpose-built integrations for Ping Identity, covering both workforce and consumer identity use cases.


⚙️ Available integrations

SpyCloud DaVinci Connector

Platform: PingOne DaVinci | Audience: Workforce (employees, contractors)

A drag-and-drop connector for PingOne DaVinci that checks employee and contractor credentials against SpyCloud's recaptured darknet data at any workforce identity event. When a match is detected, the flow automatically blocks access, forces a credential reset, or escalates to MFA.

SpyCloud Auth Node

Platform: PingOne Advanced Identity Cloud | Audience: Consumers

A native Journey Node for PingOne Advanced Identity Cloud that checks consumer credentials at login and account creation against SpyCloud's recaptured darknet data. Remediation is configurable and risk-proportionate, from step-up MFA, to a hard block, to a SOC alert.


Integration comparison

| | DaVinci Connector | Auth Node for PingOne Advanced Identity Cloud |
|---|---|---|
| Audience | Workforce (employees, contractors) | Consumers |
| Platform | PingOne DaVinci | PingOne Advanced Identity Cloud |
| Trigger events | Login, registration, password reset | Login, account creation, password reset |
| Remediation actions | Block access, force credential reset, enforce MFA | Enforce MFA, delay/block login, force password reset, alert fraud/SOC teams |
| Setup required | No custom development — drag-and-drop connector | No custom development — native Journey Node |

🛠️ How it works

At any configured identity event, the integration passes the authenticating user's credential to SpyCloud's API for a real-time check against recaptured darknet data. SpyCloud returns a match result along with exposure context, including source type, severity, and data elements found, and the Ping flow branches according to your configured remediation logic.

SpyCloud's data is sourced directly from criminal communities and refreshed continuously. Organizations are acting on exposure intelligence that arrives weeks to months ahead of public disclosure, not after the fact.

Note: Both integrations require an active SpyCloud Workforce Threat Protection or Consumer Threat Protection license. If you are not sure which license applies to your use case, contact your SpyCloud account team before getting started.


🔎 What SpyCloud checks

At each identity event, SpyCloud checks the presenting credential against recaptured data from the following sources:

| Source | What it covers |
|---|---|
| Third-party breaches | Credentials exposed in external breaches, including 90%+ cracked to plaintext for true credential-level matching |
| Infostealer malware logs | Credentials, session cookies, and device data harvested from malware-infected devices, including unmanaged and personal devices outside EDR coverage |
| Combolists | Aggregated credential lists compiled and traded in criminal markets |
| Phishing kits | Credentials and PII captured through phishing campaigns before victims are aware |
