Skip to Content
Concepts and Fundamentals

What is the deep web?

The deep web is every part of the internet that search engines do not index: everything behind a login, a paywall or a private network. It is the vast majority of the web and, for the most part, perfectly legitimate, your online banking, your email inbox, your company's internal systems. It is not the same thing as the dark web.

Zamak TechnologiesUpdated on July 10, 2026

The three layers of the web

The internet is often described in three layers. Understanding the difference keeps the ordinary from being confused with the dangerous.

1

Surface web

What search engines index and anyone can find: public sites, blogs, stores, open posts. It is only the visible tip of the web.

2

Deep web

Everything behind a login, a paywall or a private network: banking, email, internal systems, databases. It is the majority of the internet, and it is legitimate.

3

Dark web

A tiny, anonymous corner reachable only through tools like Tor, where illegal marketplaces hide. It is a fraction of the deep web, not the other way around.

Source: CrowdStrike and N-able Cyber Encyclopedia.

What lives in the deep web

  • Online banking and financial apps
  • Your email inbox and your documents in the cloud
  • The company's internal systems: ERP, CRM, intranet
  • Medical records and legal files
  • Streaming content when you are logged in
  • Academic, corporate and government databases

The deep web and the dark web are not the same

  • Deep web Huge, legitimate and protected by a login. It is where everyday sensitive data lives, yours and your company's.
  • Dark web Tiny and anonymous, reachable only through networks like Tor. It is where illegal marketplaces and stolen data circulate.

What the deep web means for your company

90%+
of the internet's content is on the deep web, beyond search engines (CrowdStrike)
~10%
is the surface web, what search engines index (CrowdStrike)
< 0.01%
is the estimated fraction that is the dark web (industry estimate)

The most valuable part of your operation lives in the deep web, and that is normal: the email, the finance system, the customer records, all protected by a login. The deep web is huge precisely because almost everything that matters sits behind an access barrier. According to CrowdStrike, more than 90% of the internet's content is on the deep web, and only about 10% is the surface web that search engines reach. The risk, then, is not the deep web itself: it is when the key to one of those systems, a password, escapes and ends up for sale on the dark web. What protects your deep web is not fear of it, but care over who holds the key.

How to protect what lives in your deep web

The deep web is not a place to fear; it is where your data is. Protecting it means protecting access to it, in the order that reduces risk the most:

  1. A second identity checkThe login that guards your deep web systems needs more than a password to withstand a leaked credential.
  2. Access managementEach person sees only what they need. If an account is compromised, the damage stays far more contained.
  3. Unique passwords and a managerA leaked password from one system does not open the others if it was never reused.
  4. Leak monitoringKnowing early whether a credential to your systems appeared for sale on the dark web lets you change it before the attack.
  5. Isolated backup of critical systemsThe systems that keep the operation running also need a copy out of an attack's reach.

In practice

The deep web is not a dangerous place; the danger is a credential from your deep web ending up on the dark web. Protect the keys, do not fear the door.

How Zamak handles your deep web

Zamak Technologies protects access to what lives in your deep web, the systems that keep the operation running, with managed Cybersecurity across identity and endpoint, and watches beyond the perimeter, on the Anticipate front, to see whether any of those credentials has appeared for sale. The goal is simple: keep the keys to your deep web away from the dark web.

Frequently asked questions about the deep web

Is the deep web the same as the dark web?
No. The deep web is everything that does not show up in search engines because it sits behind a login or a barrier, and it is mostly legitimate. The dark web is a small anonymous corner, reachable only through tools like Tor, where illegal marketplaces concentrate. All of the dark web is deep web, but the deep web is not dark web.
Is the deep web illegal or dangerous?
No. You use the deep web every day: your email, your online banking and your company's systems are on it. It is simply the part of the internet that is not public. The danger concentrates in the dark web, which is a tiny fraction.
Do I need Tor to access the deep web?
No. You access the deep web with an ordinary login and password, in your usual browser. Tor is needed for the dark web, which is built for anonymity.
How much of the internet is the deep web?
Most of it. According to CrowdStrike, more than 90% of the internet's content is on the deep web, behind some kind of access barrier; only about 10% is the surface web that search engines index.
Why does the deep web matter for my company?
Because it is where your most sensitive systems live: email, finance, customer records. Protecting them means protecting access, with a second identity check and management of who can see what.
How does the deep web become a risk?
It is not the risk; the risk appears when a credential to one of your deep web systems leaks and is sold on the dark web. From then on, a stranger holds the key to something that should be private.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake