Integrating DomainTools into the AI-Powered SOC

An important conversation is taking place in the modern SOC: how can we make AI work for us?
Security teams are busy navigating compliance requirements, resource constraints, and an accelerating threat landscape; at the same time, they are evaluating how to responsibly adopt AI without adding complexity to already-stretched workflows. The challenge isn't access to more data. It's getting the right data, fast enough, and in a form that's accessible, understandable, and actionable.
To meet that need, we're excited to announce a new way to use DomainTools data: direct, natural language access through the Model Context Protocol (MCP).
Moving Beyond the UI
MCP is a standard that allows large language models (LLMs) to securely interact with external data through compliant AI clients and agents.
In practice, supplying an LLM with fresh investigative data streamlines workflows: instead of manually querying an API or logging into a dashboard, analysts can now retrieve rich domain intelligence through simple, conversational, natural language prompts — directly within the AI tools and workflows they're already using.
This exciting new access method is an especially speedy way to view DNS insights such as domain risk scores, registration details, hosting history, passive DNS (pDNS) observations, and more.
Here's how it works. Using an AI agent connected to the DomainTools MCP server, we asked for a lookup of whatsapp-us.com[.]cn, a domain linked to malware targeting Chinese-speaking users.

The response is immediate and comprehensive. In a single query, we surface the Domain Risk Score, registrant information, SSL certificate details, hosting infrastructure, and active threat classifications — including malware and phishing indicators.


From there, the investigation deepens naturally. We follow the registrant email address — 2035712403[@]qq[.]com — to see what else it's connected to.

The result: 47 additional domains tied to the same registrant, all active, spanning a coordinated phishing and malware campaign impersonating WhatsApp across multiple regional variants. The LLM surfaces a structured "Key Findings" summary automatically — no manual pivoting required.

We can then filter that cluster further with a targeted follow-up query — pulling only the domains with a Risk Score between 80 and 99 for prioritized review.


In three prompts, we've moved from a single suspicious domain to a mapped network of malicious infrastructure — complete with risk-ranked results ready for analyst action. This is what "intelligence without the interface" looks like in practice: analytical depth at the speed of conversation.
Transforming SOC Workflows
We're still in the early stages of AI-driven security operations, and we expect the use cases to expand significantly as SOC workflows evolve. Our initial testing revealed four immediate areas of impact, listed below, and we're committed to exploring more with you as your needs develop.
Connecting your LLM to DomainTools delivers value across these critical dimensions:
- Operational Scale: Automating the retrieval and pivoting of domain records within an AI agent enables your SOC to identify and triage threats at a pace that manual workflows simply can't match without adding headcount.
- Frictionless Adoption: Analysts access comprehensive domain intelligence directly within their existing AI workflows. No new interface to learn. No context-switching. The data comes to them. And with us hosting the service, your users and AI agents get secure access without having to operate an unfamiliar, open source stack on that old box under someone’s desk.
- Accessible Investigations: Natural language prompts allow analysts to execute complex link analysis and infrastructure mapping that previously required senior expertise — narrowing the skill gap across the entire team.
- Deterministic Intelligence: Outputs are constructed programmatically from our proprietary databases, not generated by AI. The same query returns the same answer, every time. AI gets reliable data to reason from, not a guess.
Maximizing Your AI Investment
For organizations that have already invested in an AI solution, connecting it to DomainTools delivers instant, measurable value. Whether your team is focused on proactive threat hunting, incident response, or brand protection – and regardless of where you are on your AI adoption journey – real-time domain intelligence through a natural language interface acts as a force multiplier.
The DomainTools MCP server meets your team where it is today and scales with you as AI adoption matures.
Closing Thoughts
AI should be working for you, not placing unnecessary burdens on the SOC. The goal is to enhance the workflows your team already has — not replace them with something more complicated.
That's why we built the DomainTools MCP server: to give your analysts instant, frictionless access to world-class domain intelligence, directly within the AI tools they're already using.
Ready to see it in action? Request a demo today or contact your account representative to connect your LLM to the DomainTools ecosystem.
