Threat intelligence
Threat intelligence helps teams identify, analyze, and respond to threats before they cause damage. Explore domain investigations with WHOIS and RDAP, passive DNS and hosting context, certificate transparency, detection techniques, and analysis methods.
Start with essential reading for a fast overview, then move into deep dives and reference material as you need it.
Essential reading
Domain threat intelligence
Domain threat intelligence is the collection and analysis of signals from domain registrations, DNS, certificates, and hosting to detect abuse. This guide covers core data sources, enrichment workflows, and how domain threat intelligence supports incident response.
Malicious domain detection
Malicious domain detection combines registration signals, DNS behavior, content analysis, and reputation feeds to identify domains used for phishing, malware, or fraud. This guide covers detection approaches, scoring models, and false positive management.
What is certificate transparency?
Certificate Transparency (CT) is an ecosystem of public, append-only logs of issued certificates. Originally created to catch rogue certificates after high-profile CA compromises, CT logs have become an important source of threat intelligence for domain and subdomain monitoring.
What is passive DNS?
Passive DNS collects historical DNS resolution data by observing resolver traffic rather than querying authoritatively. This guide explains how passive DNS data is gathered, what it records, and how investigators use it for infrastructure pivoting.
What is RDAP?
RDAP (Registration Data Access Protocol) is the modern, standards-based replacement for WHOIS. This guide covers RDAP's HTTP/JSON design, bootstrapping mechanism, access control model, and advantages over WHOIS for domain investigations.
What is threat intelligence?
Threat intelligence is evidence-based knowledge about adversaries, their techniques, and their infrastructure. This guide explains strategic, tactical, and operational threat intelligence, the intelligence cycle, and why raw data alone is not intelligence.
What is WHOIS?
WHOIS is a protocol for querying domain registration data, including registrant information, registrar details, and key dates. This guide covers the port 43 protocol, why unstructured WHOIS drove adoption of RDAP, thick vs thin registries, data fields, GDPR impact on public data, and investigative uses.
Deep dives
ASN reputation
ASN reputation assesses the trustworthiness of an autonomous system based on the proportion of malicious activity it hosts. This guide covers reputation signals, data sources, scoring limitations, and how ASN reputation feeds into domain risk assessment.
Domain permutation analysis
Domain permutation analysis systematically generates lookalike domain variants to identify potential typosquatting and brand impersonation. This guide covers permutation categories, scoring approaches, and how to prioritize thousands of candidates.
Malicious redirect chains
Attackers use multi-hop redirect chains to evade detection, fingerprint visitors, and deliver payloads conditionally. This guide covers cloaking, traffic distribution systems, open redirect abuse, and why these chains are difficult to detect.
TLS and SSL certificates
TLS certificates secure HTTPS and other protocols; SSL is the older name for the same family of technology. This guide covers what certificates are, how TLS differs from SSL in practice, and how teams use them in investigations.
What is a redirect chain?
A redirect chain is a sequence of HTTP redirects from an initial URL to a final destination. This guide explains how redirects work, their legitimate uses, and why chain depth matters for security investigations.
What is an ASN?
An Autonomous System Number (ASN) is a unique identifier assigned to a network that operates under a single routing policy. This guide explains ASNs in the context of BGP routing, IP prefix allocation, and how ASN data supports domain investigations.
What is an HTTP banner?
An HTTP banner is the information returned in HTTP response headers that reveals server software, version, and configuration. This guide covers which headers are informative, what banners reveal, and their limitations in investigations.
What is hosting provider reputation?
Hosting provider reputation evaluates providers based on abuse patterns, takedown responsiveness, and the types of content they host. This guide explains bulletproof hosting, attribution challenges with shared infrastructure, and how hosting reputation integrates with domain risk scoring.
What is Levenshtein distance?
Levenshtein distance measures the minimum number of single-character edits to transform one string into another. This guide explains the algorithm, walks through an example, and covers its use and limitations in domain similarity scoring.
WHOIS vs RDAP
WHOIS and RDAP both provide domain registration data, but RDAP is the modern standard with structured JSON responses, authentication support, and better internationalization. This guide compares the two protocols and offers practical guidance on when to use each.