It’s a metaphor the threat intelligence and corporate security world has long been familiar with: the internet iceberg.
Like many analogies, its goal is to make a complex system (like the internet) more digestible. But could this model now be irrelevant—or even detrimental—for effective digital risk protection?
The internet iceberg is often used to illustrate how web spaces are structured. This includes the surface web—the smaller, visible part of the iceberg easily navigable through standard search engines like Google—and the deep web, the largest part of the iceberg including unindexed or encrypted pages.
The dark web is usually depicted as the deepest, darkest part of the iceberg, including unindexed web pages only accessible through specialized software like Tor.
This image makes it easy to understand where content is accessible (or not) online, and represents how more anonymized and hidden parts of the web are valuable for investigating illicit activity and digital risk indicators like leaked data.
However, the iceberg is no longer an accurate representation of how web spaces interact—yet it impacts how security professionals view the internet and consequently, how they approach digital risk protection strategies and tools.
Where does the internet iceberg fall short, and what model is better suited to threat intelligence practices and solutions?
Where the internet iceberg analogy gets it wrong
It’s easy to think of the surface, deep, and dark web operating in compartmentalized “layers” of digital space. In reality, they are not distinctly separated but highly interwoven, with deep and dark web pages “hiding in plain sight” amongst the navigable surface web.
Beyond how the web is actually structured, the iceberg also fails to capture how users navigate the internet, especially from a threat intelligence perspective. Nefarious online activity happens on the surface and deep web as much as the dark web. Many threat actors on the dark web have digital footprints that overlap deep and surface web spaces. Online risks never occur in silos as the iceberg might suggest, and investigations that begin on the surface web often cross over to the deep and dark web, and vice versa.
The dark web does not have a “monopoly” on online threats—but this role has been exaggerated in part by iceberg-like depictions of vast scary blobs lurking beneath the surface. In reality, the surface web is significantly larger than the dark web in terms of site traffic, overall size, and in many instances, available threat data. Yes, there is a LOT of valuable threat intelligence on the dark web—but digital risks and crime, from child pornography to terrorist networks, malicious hacking how-to’s, and stolen data, are also present on the deep and surface web.
For example, indexed public social media posts often contain criminal discussions. The ILPT (“illegal life pro-tips”) subReddit often hosts brand-targeted conversations relevant to corporate security teams. Users responsible for disinformation campaigns and extremist propaganda also rely on the surface web and social media channels to access a wider audience than is available on the dark web.
A new metaphor
Whether or not we want to admit it, the internet iceberg’s notoriety affects how intelligence and security teams view the internet—and likely how they approach online investigations.
The analogy no longer describes how the surface, deep, and dark web actually function and how risks unfold across these spaces. Conceptual models and threat intelligence strategies should focus on the intersection of different web spaces and reflect how they are actually used—but a segmented understanding of the internet often still informs digital risk strategies and threat intelligence software design.
For example, many threat intelligence products are highly specialized, focusing only on delivering social media, dark web, or technical feeds to users—sometimes even lumping deep and dark web feeds into the same category. This siloed approach can result in a more cumbersome strategy as users bounce between tools. Analysts can also overlook critical insights that are only gleaned when feeds are effectively cross-referenced.
There’s nothing inherently wrong with requiring multiple tools for effective digital risk strategies (in fact, using multiple tools is a best practice). However, tools that combine a broader range of surface, deep, and dark web feeds help desegregate online spaces and allow for more seamless web pivoting. This allows intelligence experts to more effectively analyze threat data intersections and multidirectional breadcrumbs.
Rather than using an iceberg to conceptualize threat intelligence sources, the internet’s evolution points more towards an interlaced mesh where online spaces constantly move and intertwine with each other.
Flashpoint has integrated this approach into its solutions, which combine billions of posts daily from a range of social media, deep, and dark web sources in a single platform and an API. The Platform’s pivoting features also enable users to transition faster between web spaces and easily extract insights where risks intersect. As a result, analysts achieve more valuable context and can react faster to threats to their organization or client.
As digital risks become more complex and overlap more digital channels, intelligence and security professionals must be able to pivot seamlessly between social media platforms, deep websites, and dark web content. This enables more comprehensive and efficient analysis and gathers insights that may be overlooked through a siloed approach.
So let’s sink the iceberg analogy—and ensure that conceptual models reflect the internet’s evolution accurately and keep pace with threat intelligence environments.