Skip to main content
Announcement: Introducing Real-Time Threat Feeds

Real-Time Threat Feeds

Risk Feeds

Predictive feeds that deliver a risk-based view of newly registered or updated domains and infrastructure

Instantly identify and act on dangerous domains

Drastically reduce detection and incident response times

Embed accurate, predictive domain risk scoring into your workflows and act on dangerous domains

Learn More

Discovery Feeds

Comprehensive feeds that surface newly registered, active, and observed domains and hostnames, providing the foundational visibility to combat emerging threats

Gain real-time visibility into young domains or hostnames

Build defenses against threats like phishing, ransomware, brand infringement, and more

Feed young, suspicious infrastructure directly into security tools for analysis and early warning

Learn More
WHAT'S INCLUDED

Risk Feeds

Domain RiskAll high-risk domains with scores for phishing, malware, spam, and proximity
Domain HotlistHighest-risk domains that have become active in passive DNS within the previous 24 hours
IP RiskAll IP addresses hosting at least one domain, with predictive risk scores based on the domains they host. Apply your own criteria to evaluate or characterize IP infrastructure.
IP Hotlist Highly curated list of the riskiest IP addresses on the Internet — those with traffic to malicious domains. A focused, easy-to-act-on subset for blocking and detection, delivered in real-time.

Discovery Feeds

Newly Observed DomainsDomains never before observed in passive DNS
Newly Active DomainsDomains not observed in passive DNS in the previous 10 days
Domain DiscoveryNewly discovered domains, including those not yet active in passive DNS
Newly Observed HostnamesFully qualified domain names (FQDNs) never before observed in passive DNS

How Feeds Work:

DomainTools maps the Internet to bring you the most comprehensive DNS-focused threat intelligence data.

How Feeds Work:

Step one

Feeds are delivered in real-time via Real-time Feed API, Download API, RPZ, or MCP Server

Step Two

High-priority domains and IP addresses are surfaced

Step three

Triaging occurs via automated processes and playbooks

DomainTools maps the Internet to bring you the most comprehensive DNS-focused threat intelligence data.
Step four

Risky infrastructure is mitigated in under 60 seconds

DomainTools maps the Internet to bring you the most comprehensive DNS-focused threat intelligence data.
Request a Demo
INTEGRATIONS

Get more from what you have with DomainTools.

Through seamless integrations across leading SIEMs, SOARs, TIPs, LLMs, Datalakes, and other security platforms, DomainTools places rich real-time domain and IP intelligence directly within the tools analysts already use. These integrations can be incorporated into your environment in as quickly as one day, enabling security teams to unlock immediate value.

Icon of a face mask with three horizontal pleats.
White abstract circular design with concentric arcs and a small central circle on black background.
Abstract colorful shapes resembling a cluster of overlapping rounded elements in pink, yellow, blue, turquoise, and green.
Two overlapping speech bubbles with three dots inside the front bubble, representing a chat or conversation.
Microsoft Copilot logo with a gradient design in blue, green, yellow, purple, and orange colors.
Green circular logo with a vertical split showing one half solid and the other half hollow.

“Through close collaboration this year, we were among the first to adopt DomainTools’ Real Time Feeds and API, reducing the time from threat discovery to active prevention to under one minute. This level of speed and accuracy effectively closes the window for domain-based attacks. DomainTools has set a new standard for real-time, high-fidelity intelligence - critical to any modern, proactive defense strategy.”

Dave Ahn
Chief Architect and VP, Centripetal

Resources

Explore Research, Webinars, White Papers, and More

Webinar
Enriching your TIP and Real Time Threat Feeds in the SIEM
Learn More