[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-82145-en":3,"doc-seo-82145-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},82145,1099514067438,"River Wang","https://ap-avatar.wpscdn.com/avatar/100002539ee87300030?x-image-process=image/resize,m_fixed,w_180,h_180&k=1780474512215547542",6,"Technology","Secret Scanner Agent Extracting Secrets and Access Context from Unstructured Documents","Exposed documents such as emails, chat threads, tickets, and incident notes often leak credentials, yet incident responders must also determine the “door” those secrets open—accounts, tenants, endpoints, databases, cloud resources, or other systems. Traditional secret scanners using regex or classifiers struggle when credentials are fragmented or far from the unlocked resource, and they output secret strings without the access context. Secret Scanner Agent (SSA) uses multi-agent LLM extraction to return the secret, its door, and supporting evidence, improving precision and recall and accelerating triage for remediation.","arXiv :2607 .090 1 1v 1 [ cs .CR] 10 Jul 2026  \nSecret Scanner Agent: Extracting Secrets and Access Context from Unstructured Documents  \nZixiao Chen∗ [zixiaochen@microsoft.com](zixiaochen@microsoft.com)  \nMicrosoft, Redmond, WA, USA  \nMariko Wakabayashi [mwakabayashi@microsoft.com](mwakabayashi@microsoft.com)  \nMicrosoft, Redmond, WA, USA  \nCharlotte Siska [csiska@microsoft.com](csiska@microsoft.com)  \nMicrosoft, Redmond, WA, USA  \nAbstract  \nExposed documents such as emails, chat threads, tickets, and incident notes routinely leak credentials, but during incident response a leaked secret is only half the story. Responders also need to identify the “door” the secret opens: the account, tenant, endpoint, database, cloud resource, or other system that the credential could allow an attacker to access. Traditional secret scanners rely on regular expressions or trained classifiers which work well on well-formatted code, yet they struggle when a credential is fragmented, reformatted, or far from the resource it unlocks, and they report the secret string without naming what it opens. We present Secret Scanner Agent (SSA), a multi-agent large-language-model system that extracts both the secret and its associated door, together with supporting evidence, from unstructured exposed documents. SSA pairs a detection agent that favors recall with a review agent that filters false positives and recovers missing context. Because real credential data is sensitive, we evaluate SSA on synthetic benchmarks we generated that span  \n23 secret types and multiple document formats, scored with a three-step pipeline of programmatic matching, an LLM judge, and human review. Across six models, multi-agent SSA improves extraction precision over a single-agent variant, with the largest gains on door extraction, by up to 16 percentage points. SSA matches a regular-expression scanner’s precision while more than tripling its recall, and against thirteen security analysts it is more precise, recovers nearly twice as many secret–door pairs, and runs five to seventeen times faster. By returning the secret, its door, and supporting evidence in one result, SSAturns credential detection into an actionable finding for triage and remediation.  \nKeywords: secret detection, credential exposure, large language models, multi-agent systems, incident response, information extraction  \n1. Introduction  \nSecurity teams need to answer three questions during a breach or data exposure: (1) did the exposed material contain secrets,(2) what systems or resources do those secrets unlock, and (3) what action should responders take? Secrets are credentials or authentication materials that grant access to systems, services, data, or infrastructure. They can include passwords, API keys, access tokens, private keys, cloud account keys, database connection strings, certificates, and other values used by users, applications, or services to prove identity (OWASP Foundation, n.d. ; IBM, 2024) . When attackers find exposed secrets, they may impersonate  \n∗ Corresponding author.  \n© Z. Chen, M. Wakabayashi & C. Siska.  \nChen Wakabayashi Siska  \nusers or services, access sensitive data, move laterally across systems, or maintain persistence inside an environment. Recent incidents show that this risk extends beyond source code and into exposed documents, support artifacts, emails, tickets, and logs.  \nThe 2023 Okta support case management incident illustrates this risk. Okta disclosed that a threat actor accessed files uploaded by customers as part of recent support cases, including [HTTP Archive](HTTP Archive) (HAR) files that can contain sensitive browser data such as cookies and session tokens (Okta Security, 2023) . Cloudflare later reported that, in its case, the threat actor used one access token and three service account credentials taken during the Okta compromise, which Cloudflare had not rotated, to access parts of Cloudflare’s internal Atlassian environment (Cloudflare, 2024) . A sim","cbCaieK1IFLjFsoT","https://ap.wps.com/l/cbCaieK1IFLjFsoT","pdf",2156916,1,28,"English","en",105,"# Introduction\n## Problem: credentials plus access context\n## Limitations of existing secret scanners\n## Secret Scanner Agent (SSA) overview","[{\"question\":\"What additional information do incident responders need beyond detecting a leaked secret?\",\"answer\":\"Responders must identify the “door” the secret enables, such as the account, tenant, endpoint, database, cloud resource, or other system the credential could access. This turns detection into actionable triage for remediation.\"},{\"question\":\"Why do traditional secret scanners often fail on exposed documents?\",\"answer\":\"They rely on recognizable formats and nearby context, but documents like emails, tickets, and chat threads can fragment credentials, reformat them, or place them far from the resource they unlock. As a result, scanners may miss context or report only the secret string.\"},{\"question\":\"How does Secret Scanner Agent (SSA) improve extraction quality and speed?\",\"answer\":\"SSA uses a detection agent optimized for recall and a review agent to filter false positives and recover missing context. Evaluation across synthetic benchmarks shows higher precision (especially for door extraction), more recovered secret–door pairs than single methods, and faster runtime than manual security-analyst workflows.\"}]",1784178431,71,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"secret-scanner-agent-extracting-secrets-and-access-context-from-unstructured-documents","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/secret-scanner-agent-extracting-secrets-and-access-context-from-unstructured-documents/82145/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What additional information do incident responders need beyond detecting a leaked secret?","Question",{"text":75,"@type":76},"Responders must identify the “door” the secret enables, such as the account, tenant, endpoint, database, cloud resource, or other system the credential could access. This turns detection into actionable triage for remediation.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"Why do traditional secret scanners often fail on exposed documents?",{"text":80,"@type":76},"They rely on recognizable formats and nearby context, but documents like emails, tickets, and chat threads can fragment credentials, reformat them, or place them far from the resource they unlock. As a result, scanners may miss context or report only the secret string.",{"name":82,"@type":73,"acceptedAnswer":83},"How does Secret Scanner Agent (SSA) improve extraction quality and speed?",{"text":84,"@type":76},"SSA uses a detection agent optimized for recall and a review agent to filter false positives and recover missing context. Evaluation across synthetic benchmarks shows higher precision (especially for door extraction), more recovered secret–door pairs than single methods, and faster runtime than manual security-analyst workflows.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,113,118,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":111,"slug":112},50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]