Google rolls out Gemini-powered dark web monitoring to spot leaks, brokered access, and insider threats


Google has started rolling out a new Gemini-powered dark web intelligence capability inside Google Threat Intelligence, and the goal is straightforward. It aims to help security teams find real threats in underground forums without drowning in false alarms. Google says the feature is now in public preview and can analyze millions of dark web events each day.

The announcement matters because dark web monitoring tools often struggle with context. Many products rely on keyword matching, brand-name scraping, and regex rules. Google says its new system uses Gemini to build an organization profile first, then compares dark web posts against that profile to decide whether a vague claim actually points to a real company, brand, executive, or business unit.

In plain terms, Google wants to solve a common problem for threat teams. Attackers rarely post a victim’s exact company name when they sell access, leak data, or hint at insider activity. Instead, they may mention revenue, industry, geography, employee count, or specific internal portals. Google says Gemini can connect those clues to the right organization and raise an alert before the access gets sold or abused further.
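The gap between keyword matching and profile-based matching can be shown in a few lines. This is an added illustration, not Google's implementation and not code from the original article: a simple rule-based attribute score stands in for the model-driven matching the article describes. The profile, the company name "northwind", the sample posts, the factor-of-two tolerance and the alert threshold are all constructed assumptions.

```python
import re

# Constructed organization profile (hypothetical company, not real data).
PROFILE = {
    "names": ["northwind"],
    "industry": {"logistics", "freight", "shipping"},
    "country": {"germany"},
    "revenue_usd": 2.1e9,
    "employees": 8500,
    "portals": {"citrix"},
}

# Constructed forum posts used as sample input.
POSTS = [
    "Selling Citrix access, freight company in Germany, revenue $2B, ~8k employees",
    "northwind of change playlist leak lol",
    "RDP access, US retail chain, revenue $300M, 1200 employees",
]

def keyword_hit(post):
    """Legacy approach: alert whenever a brand string appears."""
    return any(name in post.lower() for name in PROFILE["names"])

def _near(value, target):
    """True when value is within a factor of two of target (assumed tolerance)."""
    return 0.5 <= value / target <= 2

def context_score(post):
    """Count profile attributes (0-5) that the post's descriptors agree with."""
    tokens = set(re.findall(r"[a-z0-9.\-]+", post.lower()))
    score = bool(tokens & PROFILE["industry"]) + bool(tokens & PROFILE["country"])
    score += bool(tokens & PROFILE["portals"])
    rev = re.search(r"\$(\d+(?:\.\d+)?)\s*([MB])\b", post, re.I)
    if rev:
        usd = float(rev.group(1)) * {"m": 1e6, "b": 1e9}[rev.group(2).lower()]
        score += _near(usd, PROFILE["revenue_usd"])
    emp = re.search(r"(\d+(?:\.\d+)?)\s*(k)?\s*employees", post, re.I)
    if emp:
        count = float(emp.group(1)) * (1000 if emp.group(2) else 1)
        score += _near(count, PROFILE["employees"])
    return int(score)

def triage(posts, threshold=3):
    """Return (keyword_alert, context_alert) per post for side-by-side comparison."""
    return [(keyword_hit(p), context_score(p) >= threshold) for p in posts]

if __name__ == "__main__":
    for post, verdict in zip(POSTS, triage(POSTS)):
        print(verdict, post)
```

The first post never names the company, so the keyword rule misses it while the attribute score flags it; the second post contains the brand string in an unrelated context, so only the keyword rule fires.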

Google’s official blog says the feature analyzes “millions of dark web events daily,” while The Register reported Google told it the system sees roughly 8 million to 10 million events a day and reached 98% accuracy in internal tests. That accuracy figure comes from Google’s own testing, not an independent public benchmark, so it should be read as a vendor claim rather than a third-party validation.

The company says the tool can surface several high-priority risks, including data leaks, initial access broker activity, and insider threats. That fits the broader push Google announced this week around agentic security, where Gemini also helps drive investigation and triage workflows inside Google Security Operations.

Google also says the system does not rely only on generic web scraping. It uses open-source information and platform context to build a living profile of the customer’s business operations, brands, VIPs, and technology environment. According to Google and comments reported by The Register, the product also provides citations for the open-source material it uses, which is meant to make the AI output easier to verify.

That is important because dark web intelligence often breaks down at the relevance stage. Google says legacy tools can generate more than 90% false positives, while The Register separately reported a quoted range of 80% to 90% false positives from Brandon Wood, a product manager at Google. The promise here is not that Gemini sees more raw data than everyone else. It is that Gemini filters better and ties what it finds to a specific organization faster.

Google tied the launch to a larger security message at RSA Conference 2026. In the same set of announcements, the company said Google Security Operations now includes agentic automation in preview, with a Triage and Investigation agent that can gather evidence, investigate alerts, and provide verdicts with explanations. That means Google is not treating dark web monitoring as a standalone product update. It is positioning it as part of a larger AI-led detection and response stack.

There is also a wider industry backdrop. Google and Mandiant have both warned that attackers are adopting AI more aggressively, including for faster reconnaissance, experimentation, and workflow automation. So this launch lands at a moment when big security vendors want to show they can use AI defensively at similar speed.

One small detail in Google’s public material shows how fast this space moves. The RSA announcement referred to Google Threat Intelligence Group tracking 627 threat groups, while Google’s live threat intelligence page currently says it is monitoring 628 threat actors. That difference does not change the product story, but it suggests the underlying count updates in near real time.

What Google announced

Area | What Google says
Product | New dark web intelligence capability in Google Threat Intelligence
Availability | Public preview
AI model use | Gemini builds an organizational profile and maps dark web posts to it
Claimed scale | Millions of dark web events per day
Claimed accuracy | 98% in internal tests
Main threats highlighted | Data leaks, initial access brokers, insider threats
Related rollout | Agentic automation in Google Security Operations preview

Why this could matter to security teams

  • It may reduce alert fatigue by filtering vague or low-value dark web mentions.
  • It could help companies catch brokered access sales before ransomware crews or other buyers act.
  • It gives Google a stronger story in AI-driven security operations ahead of RSA.
  • It reflects the shift from simple keyword monitoring to context-based threat matching.
  • It may shorten response time by feeding better dark web findings into investigation workflows.

What remains unclear

  • Google has not published a public third-party benchmark for the 98% accuracy claim.
  • The company has not publicly broken down how accuracy varies by threat type, language, or forum source.
  • It is also not yet clear how well the system performs against deliberate deception, fake victim claims, or recycled breach posts, all of which are common on underground forums. This is an inference based on how dark web markets behave, not a published Google limitation.

Key takeaways

  • Google has put Gemini-powered dark web monitoring into public preview inside Google Threat Intelligence.
  • The company says it analyzes millions of daily events and uses business context to decide which threats actually matter.
  • Google is pairing that launch with agentic SOC features that investigate alerts and produce verdicts inside Google Security Operations.
  • The pitch is clear: fewer false positives, faster detection, and earlier warning when attackers discuss your organization on the dark web.

FAQ

Is Google saying Gemini reads the entire dark web?

Not exactly. Google says the feature analyzes millions of dark web events daily and processes data from forums, services, and technical infrastructure, but it has not claimed full coverage of the entire dark web.

Is the feature available now?

Yes. Google says the dark web intelligence capability is in public preview.

What threats does it focus on?

Google highlighted data leaks, initial access broker activity, and insider threats as examples of the high-severity risks it aims to identify.

How is this different from older dark web tools?

Google says older tools rely heavily on keyword and regex matching, while Gemini builds a profile of the organization and uses context to match vague threat posts to real targets.
