Press Releases

DomainTools Introduces New Threat Hunting Capabilities in the Iris Investigation Platform

SEATTLE, May 15, 2018DomainTools, a leader in domain name and DNS-based cyber threat intelligence, today announced important new threat hunting and forensic capabilities in the Iris Investigation Platform. Enhancements include detailed SSL certificate profiles, as well as Historical Reverse Whois, to help security professionals profile adversaries and map connected infrastructure even with reduced availability of certain Personal Data fields within domain name Whois data post-GDPR. Additionally, the new Guided Pivots feature shortens the time needed to complete investigations while simultaneously helping to surface more relevant intelligence.

“GDPR makes our customers’ jobs even harder, but it is a great forcing function for DomainTools to make our products better, faster,” said Tim Chen, CEO at DomainTools. “That is why we are introducing these new enhancements – to make sure security teams have the ability to go beyond Whois and map infrastructure, profile bad actors, and defend their networks against them.”

Iris, DomainTools’ flagship offering, is purpose-built for security analysts and threat hunting teams. It combines enterprise-grade domain and DNS-based intelligence with an intuitive web interface, helping security teams quickly and efficiently investigate and prevent cyber threats. The three new updates enhance analysts’ efficiency, accuracy, and risk assessment confidence in a post-GDPR environment.

New SSL/TLS Certificate Data Add Layer of Intel to Investigations
SSL and TLS certificates are open source data that support actor and infrastructure forensics. These certificates are used to help authenticate the identity of a remote computer, such as a Web server. Data from a certificate can help an analyst characterize a domain and find connections between it and other domains referenced in the certificate. All of this helps security pros better understand the scope and threat level of suspicious online infrastructure.

Historical “Reverse Whois” Support
Since 1995, DomainTools has been tracking the Whois history of millions of domains. With this release, Iris queries on registrant information–so-called “reverse Whois” searches–will surface domains that historically matched (or currently match) a given input. Context on historic infrastructure can be very informative to current incident investigations.

Guided Pivots Reveal Path to Threat Infrastructure
The concept of a “pivot,” where the analyst finds connections between entities through data points they have in common, is fundamental to DNS-based forensics. With “Guided Pivots,” Iris automatically shows the analyst which pivots are most likely to lead to relevant connections. By reducing the number of clicks and dead-ends in an investigation, this “easy button” for threat hunting saves time and raises confidence that the analyst or hunter may find useful forensic data.

“It is, and always will be, our goal to help our customers detect, investigate, and prevent malicious activity online,” said Tim Helming, director of product management at DomainTools. “The new capabilities in Iris get at the heart of what matters to threat hunters – a high level of confidence in their assessment of threat actors and risk to their organizations. For example, by finding attack infrastructure that eludes blocklist feeds or otherwise remains hidden, security analysts can configure defenses to stop targeted campaigns, which can pose a significant threat to organizations.”

The Iris Investigation Platform is an award-winning cyber threat hunting solution built on the world’s largest database of domain profile and DNS-based forensic information. For additional information on DomainTools and Iris, visit:

About DomainTools
DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at or follow us on Twitter: @domaintools.