Cyber Threat Intelligence on the Up and Up

Today, as the culmination of many months of work and testing, we are proud to announce the official launch of our new Domain Risk Score. As part of our ongoing efforts to help our customers identify dangerous domains as early as possible, the new scores are simple, accurate, and informative. To put Domain Risk Score in context, though, let’s look back a bit to see how we got here.

As most DomainTools customers know, we have provided scoring based on what we call “Proximity to Known Maliciousness” or just “Proximity,” for years. It is what underpins the “risk” column in Iris—which, to distinguish it from this new score, we have re-labeled “Proximity.” Proximity tells us how closely connected a given domain is to domains that are on well-vetted industry blocklists. This has been a very effective way to identify dangerous domains, and it is a component of our new Risk Score. But we knew from the beginning that some malicious domains do not actually have much proximity to bad domains. We also knew that our customers wanted to know about the nature of the risk—more than just a number. To this end, we began development of the new, second component to our Risk Scores: Threat Profile.

Domain Risk Score enhances understanding of domains in Iris


Threat Profile works in a completely different way from Proximity. Our data science team built machine learning classifiers that were trained on sets of confirmed phishing, malware, and spam domains. The classifiers examine various traits of a domain, such as its age, the composition of its name, and many others, and generate a score that indicates how much the domain resembles spam, phishing, or malware domains. For some excellent technical detail on Threat Profile, have a look at the blog post penned by Senior Data Scientist, Sean McNee in July, when Domain Risk Score went into beta.

So the Domain Risk Score is derived from two components, Proximity and Threat Profile. This schematic shows how to interpret the Risk Score:

Score composition, and an example where Malware was the predominant threat type. The Risk Score is 81 and the Threat Profile is Malware.

Domain Risk Score is available as an API with two endpoints:

  • /risk provides the score and the threat type
  • /risk/evidence provides a more verbose response, with some evidence supporting the “conviction” (such as domain age, registrant, etc)

It is also available as an Iris add-on. When the add-on is enabled, Domain Profile will show some details about the risk factors for a domain. A right-click popup on the score in Pivot Engine gives a summary snapshot of the same information.

If you were not one of our beta testers, we encourage you to have a look at Domain Risk Score, either in Iris or API form. You can always reach us at [email protected], or via your Account Manager, or Enterprise Support at [email protected].

The entire DomainTools team is passionate about helping our customers root out evil online. We believe Domain Risk Score is an important tool in that effort, and we hope you’ll agree.

Happy exploring.