A ULP list is a collection of URL, login, password records assembled from stolen credentials, usually harvested by infostealer malware. The URL matters because it tells an attacker exactly where the credential should work, turning a stolen secret into near-ready access material.
Expanded Definition
A ULP list is operational evidence of stolen credentials, not just a dump of usernames and passwords. In practice, the URL component is what elevates the record from “credential” to “usable access path,” because it reveals the exact login destination, tenant, or application context where the secret is likely to succeed.
In NHI security, that distinction matters. A password by itself may be stale, shared, or difficult to place, while a ULP list can map a compromised secret directly to an exposed service, SaaS account, or administrative portal. This makes ULP lists especially valuable to attackers using infostealer malware and credential replay workflows. Their role in real incidents aligns with the broader risk picture documented in NHI Management Group research, where Ultimate Guide to NHIs shows how often secrets remain exposed after discovery.
There is no single standard governing the term yet, and usage in the industry is still evolving. Some teams use ULP list to describe any stolen credential corpus, while others reserve it for records that preserve the login target with enough fidelity to support immediate use. The most common misapplication is treating a ULP list as a generic credential leak, which occurs when defenders ignore the URL context and miss how quickly the record can be operationalised.
Examples and Use Cases
Implementing controls around ULP list exposure often introduces triage burden, requiring organisations to weigh faster incident containment against the cost of broader account inventory and validation.
- A stolen browser profile yields a URL, login, and password for a cloud admin console. The attacker can test the exact endpoint instead of guessing where the credential belongs, making response timing critical.
- An infostealer dump includes records for multiple SaaS tools. Security teams use the destination URL to determine whether the account is a human login, an API-backed workflow, or an NHI-adjacent service account.
- During breach response, analysts compare ULP records against known application inventories and rotate the matching secrets. This aligns with the identity lifecycle discipline described in Ultimate Guide to NHIs and the identity-focused principles in NIST Cybersecurity Framework 2.0.
- A SOC sees repeated access attempts against a specific login page from a ULP list circulating in criminal forums. The URL pattern helps distinguish opportunistic reuse from targeted access to a particular tenant or federation endpoint.
Because the URL is part of the record, ULP lists are also useful for measuring exposure across legacy portals, third-party services, and forgotten admin interfaces that may not appear in modern identity governance tooling.
Why It Matters in NHI Security
ULP lists matter because they compress reconnaissance, credential validation, and targeting into a single artifact. For NHIs, that is especially dangerous: service accounts, API keys, and other secrets are often reused across environments, poorly inventoried, or left valid long after they should have been revoked. NHI Mgmt Group research in Ultimate Guide to NHIs shows that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, which underscores how quickly leaked access material becomes a business problem.
From a governance standpoint, a ULP list exposes where identity hygiene has failed: weak offboarding, incomplete secret rotation, and poor endpoint ownership. The NIST Cybersecurity Framework 2.0 reinforces the need to detect, respond, and recover from credential compromise, but ULP lists sharpen that obligation by identifying the likely access target. The practical value of the term is that it ties a leaked secret to a live control gap.
Organisations typically encounter the real impact only after anomalous sign-ins, account takeover, or unexpected API activity reveal that a stolen record from a ULP list had already become operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | ULP lists turn stolen secrets into actionable access paths, amplifying secret exposure risk. |
| NIST CSF 2.0 | PR.AC-1 | Credential-based access paths in ULP lists relate to authenticated access control and validation. |
| NIST SP 800-63 | AAL | ULP list records often map to login endpoints whose assurance strength must be assessed. |
| NIST Zero Trust (SP 800-207) | CA-7 | A ULP list reveals targets that Zero Trust should continuously validate before granting access. |
| OWASP Agentic AI Top 10 | AGENT-SEC-05 | Agentic workflows can be compromised when leaked login targets expose tool or account access. |
Match exposed login flows to the required assurance level and increase authentication strength where needed.
Related resources from NHI Mgmt Group
- What breaks when CI/CD pipelines can list tables with long-lived credentials?
- Who should own unsubscribe and suppression list governance?
- How should organisations respond when a jurisdiction is added to the FATF grey list?
- What do security teams get wrong about posture reports that list hundreds of findings?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org