The credentials attackers grep for first
SBCMSP searches public code — repositories, gists and history tied to a client's domains and organization — for the API keys, tokens and cloud credentials that end up committed by accident. Every hit is reported with a masked sample only, never the live secret.
Public repos & gists
Repositories and gists tied to a client's domains and organization are searched for committed credentials — including personal accounts of staff that reference company systems.
Cloud credentials
AWS access keys, Google Cloud service-account JSON and Azure client secrets — the credentials that hand an attacker a client's cloud outright.
API tokens & webhooks
GitHub tokens, Slack and Stripe keys, SendGrid and Twilio secrets, private webhook URLs and OAuth client secrets — the tokens that quietly extend an attacker's reach.
Git history & forks
Secrets removed from the latest commit but still living in history, and credentials that leaked into a public fork — the copies a developer thinks are gone but attackers still read.
Masked evidence only
Every finding shows just enough of the secret to identify it — a masked prefix and suffix — never the live value. The credential is proven exposed without SBCMSP storing a usable copy.
Alert & rotate workflow
Each leaked secret lands as a critical finding with the source URL and rotation guidance, so the tech can revoke and rotate before it is abused — and confirm the fix on the next scan.