
DNS and Internet-based threats appear and evolve at an astonishing pace. Every day, over 290,000 new domains are registered, and approximately 30,000 of them are malicious. That’s an overwhelming volume of threats to monitor and manage. 

So what happens when one of these domains appears on your network? In many cases, unfortunately, the damage is already done. The domain may have established a connection with a critical device, dropped malware, or exfiltrated sensitive data, all before it’s even detected. While post-incident analysis can reveal patterns to help prevent future attacks, it often comes too late to stop the initial impact. 

Security teams can find themselves stuck in a reactive cycle, responding to threats only after they have impacted their organization. This approach not only drains time and resources but also contributes to analyst burnout across the SOC. Traditional threat intelligence feeds offer some support, but they only include known bad domains – i.e., those that have already been weaponized and potentially discarded by threat actors. 

DomainTools risk feeds have always been predictive in nature – with our coverage of over 97% of the Internet and contextual Risk Score, we help customers detect malicious domains before they cause damage. Historically, these feeds were updated once per day, leaving a visibility gap into the intraday risk profile of domains. Now, we are thrilled to launch Real-Time Feeds, which give immediate visibility into risky domain and DNS activity and enable customers to take a transformative, proactive approach to cybersecurity. 

With this launch, the following feeds will be available in real-time:

  • Domain Risk: all high-risk domains scored for phishing, malware, spam, and proximity 
  • Domain Hotlist: highest-risk domains that have also been active in passive DNS in the previous 24 hours
  • Domain Discovery: newly discovered domains, including both newly-active domains seen in passive DNS and newly-registered domains that might not be active yet 

Our other feeds – Newly Observed Domains, Newly Active Domains, and Newly Observed Hostnames – have always been available in real-time but will soon be accessible through our new real-time Feed API, enabling easier integration into existing security stacks. 

Real-Time Risk: Coverage with Context

What’s most compelling about Real-Time Feeds is the marriage between DomainTools’ visibility into over 97% of the Internet and the now-immediate, predictive Domain Risk Score. The two components complement each other: near-complete Internet coverage ensures that you don’t miss potential threats, while the real-time Domain Risk Score provides the context to understand which of those threats warrant a closer look. The result is Real-Time Domain Risk, a combination that empowers security teams to be proactive rather than reactive. With its speed and coverage, practitioners can shift to a forward-leaning mindset that doesn’t just help them keep up with bad actors – it puts them ahead.

Plug and Play Integrations

Crucially, all of this is supported by seamless integrations with leading security platforms. No need for context switching – with the new real-time Feed API, organizations can ingest feed data directly into their SIEM, TIP, data lake or SOAR, where their cybersecurity teams are already doing their work. This allows for automated blocking and detection, and quick prioritization of alerts. With this plug-and-play approach to integrations, customers tell us that their security teams have enriched their tech stack with DomainTools data in just a few hours. 

Key Use Cases for Real-Time Feeds 

Next, let’s examine each Real-Time Feed in detail, going over important use cases and other details. 

Real-Time Domain Risk

The Domain Risk feed is a continuous data stream of all newly-scored, high-risk domains. This gives organizations real-time visibility into emerging domain-related threats, greatly enhancing threat detection. When integrated into a TIP or SIEM, security engineers can set up automated detection rules that fire off alerts when a network device communicates with a high-risk domain. A playbook can then be automated for domain enrichment, enabling quicker threat prioritization. 
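The detection rule described above, as an added example that is not DomainTools code: it loads a snapshot of high-risk domain records, scans resolver query logs, and emits alerts ordered by risk score. The feed record layout (`domain`, `risk_score`, `threats`), the severity thresholds and the log line format are assumptions constructed for this illustration, not the vendor's schema. The matching walks label suffixes rather than doing substring search, so `www.bad.example` hits a feed entry for `bad.example` while `bad.example.internal.corp` (a search-list artefact) does not.

```python
"""Match resolver query logs against a high-risk domain feed and raise prioritised alerts.

Added example, not DomainTools code. Feed field names, severity thresholds and the DNS
log layout are assumptions constructed for this illustration.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed feed snapshot (newline-delimited JSON). Field names are assumed.
FEED_SAMPLE = """\
{"domain": "login-secure-update.example", "risk_score": 99, "threats": ["phishing"]}
{"domain": "cdn-assets-cache.example", "risk_score": 93, "threats": ["malware"]}
{"domain": "promo-deals-now.example", "risk_score": 72, "threats": ["spam"]}
"""

# Constructed resolver log lines: "<timestamp> <client_ip> <qname> <qtype>".
DNS_LOG_SAMPLE = """\
2024-05-01T10:00:01Z 10.1.2.3 www.login-secure-update.example A
2024-05-01T10:00:02Z 10.1.2.3 example.com A
2024-05-01T10:00:03Z 10.9.8.7 cdn-assets-cache.example AAAA
2024-05-01T10:00:04Z 10.9.8.7 promo-deals-now.example.internal.corp A
2024-05-01T10:00:05Z 10.4.4.4 mail.promo-deals-now.example MX
"""


@dataclass(frozen=True)
class FeedRecord:
    domain: str
    risk_score: int
    threats: tuple


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client_ip: str
    qname: str
    matched_domain: str
    risk_score: int
    threats: tuple
    severity: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so feed and log names compare equal."""
    return name.strip().lower().rstrip(".")


def load_feed(ndjson: str) -> Dict[str, FeedRecord]:
    """Parse newline-delimited JSON records into a {domain: FeedRecord} lookup table."""
    feed: Dict[str, FeedRecord] = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        dom = normalize(rec["domain"])
        feed[dom] = FeedRecord(dom, int(rec["risk_score"]), tuple(rec.get("threats", [])))
    return feed


def match_qname(qname: str, feed: Dict[str, FeedRecord]) -> Optional[FeedRecord]:
    """Return the feed record equal to the query name or to one of its parent domains.

    Walks label suffixes ("a.b.c" -> "a.b.c", "b.c", "c"), so a subdomain of a listed
    domain matches but a name that merely contains the listed domain does not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return None


def severity_for(score: int) -> str:
    # Thresholds are an assumption for this example, not a vendor recommendation.
    if score >= 90:
        return "high"
    if score >= 70:
        return "medium"
    return "low"


def detect(dns_log: str, feed: Dict[str, FeedRecord]) -> List[Alert]:
    """Scan resolver log lines and emit one Alert per query that hits the feed."""
    alerts: List[Alert] = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the pipeline
        ts, client_ip, qname, _qtype = parts[:4]
        rec = match_qname(qname, feed)
        if rec is None:
            continue
        alerts.append(Alert(ts, client_ip, normalize(qname), rec.domain,
                            rec.risk_score, rec.threats, severity_for(rec.risk_score)))
    # Highest-risk first, so the SOC works the most dangerous hits before the rest.
    alerts.sort(key=lambda a: a.risk_score, reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect(DNS_LOG_SAMPLE, load_feed(FEED_SAMPLE)):
        print(f"[{a.severity}] {a.timestamp} {a.client_ip} -> {a.qname} "
              f"(feed: {a.matched_domain}, score {a.risk_score}, {','.join(a.threats)})")
```

In a SIEM the same logic becomes a lookup-table join on the query name and each of its parent domains; the enrichment playbook then runs on the `matched_domain` field of each alert. Keep the feed table keyed on normalized names, since resolvers log trailing dots and mixed case.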

Real-Time Domain Hotlist

The Domain Hotlist feed includes newly-scored domains that match our highest risk criteria and have been active in passive DNS in the past 24 hours. Given these narrower criteria, Domain Hotlist is a great alternative to Domain Risk for those who may find the full risk feed too large to ingest. Like Domain Risk, Domain Hotlist can be used for threat detection but is primarily used for blocking. The Response Policy Zone (RPZ) access method allows direct integration of the Domain Hotlist as a blocklist into an organization’s DNS resolvers, turning them into DNS firewalls and preventing endpoint communication with malicious domains. 
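For teams that build the policy zone themselves rather than consuming a provider-supplied RPZ, the following added example (not DomainTools tooling) turns a hotlist snapshot into a BIND-style RPZ zone file. The hotlist layout (one domain per line) and the zone name `rpz.example.local` are assumptions; the record syntax is the standard RPZ encoding, in which `CNAME .` returns NXDOMAIN, `CNAME *.` returns NODATA, `CNAME rpz-drop.` discards the query and `CNAME rpz-passthru.` exempts a name. Each blocked domain gets an apex record and a wildcard so every hostname beneath it is covered, and the organization's own domains are emitted as passthru and excluded from the block set so a feed entry can never take down a legitimate name.

```python
"""Build a BIND Response Policy Zone (RPZ) from a hotlist of domains.

Added example, not DomainTools tooling. The hotlist format and zone name are assumptions;
the CNAME targets are the RPZ policy actions defined by the RPZ specification.
"""
import time
from typing import Iterable, List, Optional

RPZ_ZONE = "rpz.example.local"  # assumed name of the local policy zone

# RPZ policy actions, expressed as the special CNAME targets the RPZ format defines.
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata":   "CNAME *.",             # answer NODATA
    "drop":     "CNAME rpz-drop.",      # silently discard the query
    "passthru": "CNAME rpz-passthru.",  # exempt the name from policy (allowlist)
}

# Constructed hotlist snapshot: one domain per line, '#' comments and blank lines allowed.
HOTLIST_SAMPLE = """\
# hotlist snapshot, constructed for this example
login-secure-update.example
cdn-assets-cache.example
Login-Secure-Update.example.
"""


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parse_hotlist(text: str) -> List[str]:
    """Return unique, normalized domains in first-seen order."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        dom = normalize(line)
        if dom and dom not in seen:
            seen.add(dom)
            out.append(dom)
    return out


def is_allowlisted(domain: str, allow: Iterable[str]) -> bool:
    """True if the domain is an allowlisted name or lies beneath one."""
    return any(domain == a or domain.endswith("." + a) for a in allow)


def rpz_records(domain: str, action: str) -> List[str]:
    """Apex record plus a wildcard so every hostname under the domain is covered."""
    rr = ACTIONS[action]
    return [f"{domain} {rr}", f"*.{domain} {rr}"]


def build_zone(block: Iterable[str], allow: Iterable[str] = (),
               action: str = "nxdomain", serial: Optional[int] = None) -> str:
    """Render a complete RPZ zone file as text."""
    if serial is None:
        serial = int(time.time())  # must increase on every regeneration
    allow = [normalize(a) for a in allow]
    lines = [
        f"$ORIGIN {RPZ_ZONE}.",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 600 86400 60 )",
        "@ IN NS localhost.",
    ]
    for a in allow:
        lines += rpz_records(a, "passthru")
    for dom in block:
        if is_allowlisted(dom, allow):
            continue  # never let the feed block the organization's own names
        lines += rpz_records(dom, action)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_zone(parse_hotlist(HOTLIST_SAMPLE), allow=["corp.example"]), end="")
```

Load the generated file in BIND with a `zone "rpz.example.local" { type master; file "/path/to/rpz.example.local.zone"; };` stanza and `response-policy { zone "rpz.example.local"; };` under `options`, then reload after each regeneration; the resolver only picks up a changed zone when the SOA serial has increased, which is why the serial defaults to the current time.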

Real-Time Domain Discovery 

Lastly, the Domain Discovery feed includes all domains that DomainTools discovers, as we discover them. This includes net new domain registrations, domains never before seen in passive DNS activity since we started monitoring in 2010, and domains that went dormant for a period of time and were reactivated or re-registered. This data stream is published within seconds of observation and allows security teams to detect and defend against young domains as they are created. In addition to threat detection and blocking, Domain Discovery can also be used for automated data enrichment and brand protection. Users can rapidly identify new domains that mimic their organization, supply chain, or partner brands and maintain full control over pattern matching rules to ensure accurate monitoring and protection. This is particularly useful for organizations with short or generic names as it significantly reduces the number of false positives in threat detection.


Conclusion

We at DomainTools are thrilled about the launch of Real-Time Feeds and look forward to helping our customers take the next step in enhancing their DNS intelligence. Curious to learn more? Check out this blog by our very own Rob Fawcett that contains more helpful details about the Real-Time Feed API.