
Threat Intelligence Workflows

Ten agent workflows for the Threat Intel Team — automated threat actor profiling, malicious infrastructure mapping, IOC enrichment, dark web domain tracking, APT campaign correlation, phishing kit detection, C2 infrastructure monitoring, threat feed deduplication, vulnerability exploitation tracking, and attribution analysis — providing comprehensive domain-level threat intelligence that complements traditional threat feeds.

1. Threat Actor Infrastructure Profiling

AI agent maps the complete digital infrastructure of known threat actors by analyzing domain registration patterns, hosting configurations, page types deployed, and enrichment data to build comprehensive adversary profiles.

Step 1: Scan Known Threat Actor Domains
Page types and enrichment signals: /login, /api, /products, /contact, Domain Ages, Countries, OpenPageRank

THREAT ACTOR INFRASTRUCTURE PROFILE — APT-PHANTOM-DRAGON
════════════════════════════════════════════════════════════
CAMPAIGN: Operation Jade Storm (active since Q3 2024)
ATTRIBUTION: State-sponsored, East Asia nexus
DOMAINS MAPPED: 47 confirmed, 128 suspected

CONFIRMED INFRASTRUCTURE:

secure-cloudupdate.com
  Domain Age: 73 days | Country: Moldova (hosting), registered Panama
  PageRank: 0.2/10 | IAB: Technology & Computing
  /login: Fake SSO portal mimicking Azure AD
  /api: C2 beacon endpoint detected
  Web Filtering: Malware / Phishing

firmware-delivery-cdn.net
  Domain Age: 41 days | Country: Latvia (hosting), registered Belize
  PageRank: 0.1/10 | IAB: Technology & Computing
  /products: Trojanized firmware download page
  /docs: Fake technical documentation (lure)
  Web Filtering: Malware Distribution

hr-benefits-portal.org
  Domain Age: 28 days | Country: Romania (hosting), registered Seychelles
  PageRank: 0.0/10 | IAB: Business & Finance
  /login: Credential harvester — mimics Workday
  /careers: Fake job postings (social engineering lure)
  Personas: HR professionals, executives
Step 2: Identify Infrastructure Patterns
Agent correlates registration patterns, hosting preferences, and page deployment strategies to build a fingerprint for this threat actor's infrastructure.
Infrastructure Pattern
Registration Pattern — 92% of domains registered via NameSilo with privacy protection. Average domain age at first use: 22 days. All use Cloudflare DNS initially, then migrate to bulletproof hosting within 14 days.
HIGH CONFIDENCE — Consistent TTP fingerprint
Hosting Cluster
Geographic Distribution — Hosting concentrated in Moldova (34%), Latvia (28%), Romania (22%), Bulgaria (16%). All domains use /login page within 48 hours of deployment. No /investors, /sustainability, or /press pages ever deployed — distinguishing from legitimate sites.
PATTERN CONFIRMED — Eastern European hosting preference
Step 3: Predict New Infrastructure
Using the fingerprint, agent scans the 100M+ domain database to identify newly registered domains matching this actor's pattern before they become active.
PREDICTIVE INFRASTRUCTURE DETECTION — 12 NEW CANDIDATES
════════════════════════════════════════════════════════════
HIGH CONFIDENCE (3 domains — 89%+ match):

office365-sso-verify.com
  Age: 6 days | Moldova | PageRank: 0.0
  Pattern match: 94% | Registrar: NameSilo | /login deployed
  RECOMMENDATION: Add to blocklist immediately

cloud-storage-auth.net
  Age: 4 days | Latvia | PageRank: 0.0
  Pattern match: 91% | Registrar: NameSilo | /login deployed
  RECOMMENDATION: Add to blocklist immediately

employee-onboard-hub.org
  Age: 8 days | Romania | PageRank: 0.0
  Pattern match: 89% | Registrar: NameSilo | /careers deployed
  RECOMMENDATION: Add to blocklist immediately

MEDIUM CONFIDENCE (5 domains — 65-85% match):
  secure-doc-share.io           Age: 11 days | Bulgaria | PageRank: 0.1
  vpn-corp-access.com           Age: 3 days  | Moldova  | PageRank: 0.0
  saas-license-mgmt.net         Age: 9 days  | Latvia   | PageRank: 0.0
  benefits-enrollment-2026.com  Age: 5 days  | Romania  | PageRank: 0.0
  it-helpdesk-ticket.org        Age: 7 days  | Moldova  | PageRank: 0.0
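The fingerprint-and-match logic of steps 2 and 3, written out as an added example (this is not the product's code). The traits encode the pattern stated above: NameSilo registration with privacy protection, roughly three weeks old at first use, Eastern European hosting, an early /login or /careers lure, and none of the corporate pages a legitimate site deploys. The trait weights, the candidate records and their field values are assumptions made for this example; the confidence bands (HIGH at 89% and above, MEDIUM from 65%) and the recommendations follow the report above.

```python
"""Match newly registered domains against a threat actor's infrastructure fingerprint."""
from typing import Callable

# (trait name, weight, predicate over a domain record). Weights are an assumption
# for this example and sum to 100 so the score reads as a percentage.
ACTOR_TRAITS: list[tuple[str, int, Callable[[dict], bool]]] = [
    ("registrar_namesilo", 25, lambda d: d["registrar"] == "NameSilo"),
    ("whois_privacy", 10, lambda d: d["whois_privacy"]),
    ("age_under_30_days", 20, lambda d: d["age_days"] <= 30),
    # ISO codes for Moldova, Latvia, Romania, Bulgaria (the hosting cluster above)
    ("east_eu_hosting", 20, lambda d: d["hosting_country"] in {"MD", "LV", "RO", "BG"}),
    ("lure_page_deployed", 15, lambda d: bool({"/login", "/careers"} & set(d["pages"]))),
    ("no_corporate_pages", 10,
     lambda d: not ({"/investors", "/sustainability", "/press"} & set(d["pages"]))),
]

RECOMMENDATION = {
    "HIGH": "Add to blocklist immediately",
    "MEDIUM": "Add to monitoring watchlist",
    "LOW": "No action",
}


def fingerprint_match(domain: dict) -> tuple[int, list[str]]:
    """Return (match percentage, names of matched traits) for one domain record."""
    total = sum(weight for _, weight, _ in ACTOR_TRAITS)
    matched = [name for name, _, pred in ACTOR_TRAITS if pred(domain)]
    hit = sum(weight for name, weight, _ in ACTOR_TRAITS if name in matched)
    return round(100 * hit / total), matched


def confidence_bucket(score: int) -> str:
    """Confidence bands used in the detection output: HIGH >= 89%, MEDIUM from 65%."""
    if score >= 89:
        return "HIGH"
    if score >= 65:
        return "MEDIUM"
    return "LOW"


def triage(candidates: list[dict]) -> list[tuple[str, int, str, str]]:
    """Score every candidate and sort by descending match percentage."""
    rows = []
    for rec in candidates:
        score, _ = fingerprint_match(rec)
        bucket = confidence_bucket(score)
        rows.append((rec["domain"], score, bucket, RECOMMENDATION[bucket]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed candidate records; the field values are invented for this example.
CANDIDATES = [
    {"domain": "office365-sso-verify.com", "registrar": "NameSilo", "whois_privacy": True,
     "age_days": 6, "hosting_country": "MD", "pages": ["/login"]},
    {"domain": "secure-doc-share.io", "registrar": "NameSilo", "whois_privacy": True,
     "age_days": 11, "hosting_country": "BG", "pages": ["/about"]},
    {"domain": "vpn-corp-access.com", "registrar": "Tucows", "whois_privacy": True,
     "age_days": 3, "hosting_country": "MD", "pages": ["/login"]},
    {"domain": "example-corp-news.com", "registrar": "GoDaddy", "whois_privacy": False,
     "age_days": 2500, "hosting_country": "US", "pages": ["/login", "/press", "/investors"]},
]

if __name__ == "__main__":
    for domain, score, bucket, action in triage(CANDIDATES):
        print(f"{domain:28} {score:3d}%  {bucket:6}  {action}")
```

The trait list is data rather than code, so an analyst can add or reweight traits as the actor's infrastructure evolves without touching the scorer; the matched-trait list is what goes into the ticket so a reviewer can see why a domain landed in a band.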
Step 4: Generate Threat Intel Report

APT-PHANTOM-DRAGON Infrastructure Report

EXECUTIVE SUMMARY
────────────────────────────────────────
Total confirmed domains: 47 | Suspected: 128 | Newly predicted: 12
Active campaigns: 3 (credential harvesting, firmware supply chain, HR lures)
Infrastructure refresh rate: New domains every 4-6 days
Avg domain lifespan: 34 days before rotation

RECOMMENDED ACTIONS
1. Block 3 high-confidence domains immediately via NGFW policy
2. Add 5 medium-confidence domains to monitoring watchlist
3. Update SASE URL filtering with pattern-based detection rule
4. Share IOCs with ISAC partners via STIX/TAXII feed
5. Brief SOC on updated TTPs for manual hunting

2. Malicious Domain Clustering & Attribution

AI agent clusters suspicious domains by shared infrastructure characteristics — registration patterns, page structures, enrichment data similarity — to identify campaigns and attribute them to known threat groups.

Step 1: Cluster Domains by Shared Attributes
Page types and enrichment signals: /login, /products, Domain Ages, Countries, Web Filtering, IAB Categories

DOMAIN CLUSTERING ANALYSIS — FEBRUARY 2026
════════════════════════════════════════════════════
INPUT: 4,219 flagged domains from threat feeds
CLUSTERS IDENTIFIED: 23

CLUSTER #7 — "SHADOW FINANCE" (89 domains)
  Common traits:
  Domain Age: 14-45 days | Country: Cyprus, Malta, Estonia
  IAB: Financial Services | Web Filtering: Phishing
  /login: Present on 100% | /pricing: Present on 78%
  /about: Generic text, AI-generated | /legal: Copy of legitimate bank T&Cs
  PageRank: 0.0-0.3 | Personas: Banking customers

CLUSTER #12 — "TECH MIRAGE" (134 domains)
  Common traits:
  Domain Age: 7-21 days | Country: Russia, Ukraine, Belarus
  IAB: Technology | Web Filtering: Malware
  /products: Present on 92% | /docs: Present on 87%
  /api: C2 endpoint pattern | /support: Fake ticketing system
  PageRank: 0.0-0.1 | Personas: IT administrators
Step 2: Attribute Clusters to Threat Groups
Attribution Match
Cluster #7 "Shadow Finance" — 87% TTP overlap with FIN7/Carbanak. Registration pattern matches known FIN7 infrastructure from 2024 campaigns. Domain age distribution and geographic hosting are consistent with prior FIN7 operations documented by Mandiant.
HIGH CONFIDENCE — FIN7 attribution (87%)
Attribution Match
Cluster #12 "Tech Mirage" — 72% TTP overlap with APT28/Fancy Bear. /docs page structure and /api C2 patterns match known APT28 tooling. However, Domain Age pattern is slightly newer than typical APT28 — possible evolution or copycat.
MEDIUM CONFIDENCE — APT28 or copycat (72%)
Step 3: Map Campaign Infrastructure Timeline
Infrastructure Evolution — Cluster #7
2024-09-12 First domain registered (banking-secure-login.com)
2024-11-03 Expanded to 12 domains, added /pricing pages to mimic premium banking
2025-02-18 Shifted hosting from Bulgaria to Cyprus/Malta — improved evasion
2025-06-22 Introduced /api endpoints — upgraded from simple phishing to credential API
2025-10-14 Rapid expansion to 67 domains — bulk registration via NameSilo
2026-01-29 Current: 89 active domains, 34 rotated out, refresh rate accelerating

3. IOC Enrichment & Context Engine

AI agent automatically enriches Indicators of Compromise with domain intelligence context — adding page type analysis, enrichment data, historical changes, and risk scoring to raw IOCs for better triage and response prioritization.

Step 1: Enrich Raw IOCs with Domain Intelligence
Page types and enrichment signals: /security, /legal, /about, OpenPageRank, Domain Ages, Web Filtering, IAB Categories

IOC ENRICHMENT — BATCH #2026-0217-A (42 DOMAINS)
════════════════════════════════════════════════════════
IOC: update-service-ms.com
  Source: VirusTotal community | First seen: 2026-02-14
  ENRICHMENT:
    Domain Age: 12 days | Country: Russia (hosting), registered Panama
    PageRank: 0.0/10 | IAB: Technology & Computing
    Web Filtering: Malware | Personas: IT Admins
    /security: Not present | /legal: Not present
    /about: Generic placeholder text
    /login: Present — mimics Windows Update auth
  VERDICT: CONFIRMED MALICIOUS — Block immediately
  Confidence: 97% | Priority: CRITICAL

IOC: analytics-cdn-global.com
  Source: Abuse.ch | First seen: 2026-02-11
  ENRICHMENT:
    Domain Age: 1,847 days (5+ years) | Country: United States
    PageRank: 4.2/10 | IAB: Technology & Computing
    Web Filtering: CDN / Web Services | Personas: Developers
    /security: Present — SOC2 certified | /legal: Detailed T&Cs
    /about: Real company, 45 employees on LinkedIn
    /careers: Active hiring — 8 positions
  VERDICT: LIKELY FALSE POSITIVE — Legitimate CDN provider
  Confidence: 91% | Priority: LOW — Verify with submitter
Step 2: Prioritize & Score Enriched IOCs
IOC Scoring Model
Multi-Factor Risk Score — Domain Age (weight: 25%), PageRank (20%), Web Filtering Category (20%), Page Type Presence (15%), Country Risk (10%), IAB Category Match (10%). Enrichment reduces false positive rate from 34% (raw feeds) to 6.2% (enriched).
82% reduction in false positives with enrichment
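The scoring model above, worked through as an added example (not the product's own implementation). The six factors and their weights are taken from the model as stated (Domain Age 25%, PageRank 20%, Web Filtering Category 20%, Page Type Presence 15%, Country Risk 10%, IAB Category Match 10%). How each raw field is turned into a 0..1 sub-score, the verdict thresholds, the hosting-country list, the impersonated-category list and the sample records are assumptions made for this example; the first two records mirror the enrichment output in step 1.

```python
"""Multi-factor IOC risk score: weighted sum of per-factor sub-scores in 0..1."""

WEIGHTS = {
    "domain_age": 0.25,
    "pagerank": 0.20,
    "web_filtering": 0.20,
    "page_types": 0.15,
    "country": 0.10,
    "iab_match": 0.10,
}

MALICIOUS_CATEGORIES = {"Malware", "Phishing", "Malware Distribution", "Ransomware / Extortion"}
# Pages a legitimate business normally publishes; each missing one raises risk.
TRUST_PAGES = ("/security", "/legal", "/about", "/careers")
# Hosting countries seen in the enrichment output above (assumption for this example).
HIGH_RISK_HOSTING = {"RU", "MD", "LV", "RO", "BG"}
# IAB categories of the brands most often impersonated in this batch (assumption).
IMPERSONATED_IAB = {"Technology & Computing", "Financial Services"}


def factor_scores(ioc: dict) -> dict[str, float]:
    """Convert raw enrichment fields into 0..1 sub-scores; higher means riskier."""
    age = ioc["age_days"]
    age_risk = 1.0 if age < 30 else 0.6 if age < 180 else 0.3 if age < 365 else 0.0
    pr = ioc["pagerank"]
    pr_risk = 1.0 if pr < 0.5 else 0.5 if pr < 2.0 else 0.0
    cat = ioc["web_filtering"]
    cat_risk = 1.0 if cat in MALICIOUS_CATEGORIES else 0.5 if cat == "Unknown" else 0.0
    missing = sum(1 for p in TRUST_PAGES if p not in ioc["pages"])
    page_risk = missing / len(TRUST_PAGES)
    country_risk = 1.0 if ioc["hosting_country"] in HIGH_RISK_HOSTING else 0.0
    iab_risk = 1.0 if ioc["iab"] in IMPERSONATED_IAB else 0.0
    return {
        "domain_age": age_risk,
        "pagerank": pr_risk,
        "web_filtering": cat_risk,
        "page_types": page_risk,
        "country": country_risk,
        "iab_match": iab_risk,
    }


def risk_score(ioc: dict) -> float:
    """Weighted sum of the sub-scores, rounded to four places."""
    sub = factor_scores(ioc)
    return round(sum(WEIGHTS[k] * sub[k] for k in WEIGHTS), 4)


def verdict(score: float) -> tuple[str, str]:
    """Map a score to the verdict/priority pairs used in the batch output above."""
    if score >= 0.70:
        return "CONFIRMED MALICIOUS", "CRITICAL"
    if score <= 0.30:
        return "LIKELY FALSE POSITIVE", "LOW"
    return "MONITORING", "MEDIUM"


def triage_batch(iocs: list[dict]) -> dict[str, tuple[float, str, str]]:
    """Score and classify a whole batch, keyed by domain."""
    return {i["domain"]: (risk_score(i), *verdict(risk_score(i))) for i in iocs}


# Constructed sample batch; the first two records mirror the enrichment output above.
BATCH = [
    {"domain": "update-service-ms.com", "age_days": 12, "pagerank": 0.0,
     "web_filtering": "Malware", "pages": ["/login", "/about"],
     "hosting_country": "RU", "iab": "Technology & Computing"},
    {"domain": "analytics-cdn-global.com", "age_days": 1847, "pagerank": 4.2,
     "web_filtering": "CDN / Web Services",
     "pages": ["/security", "/legal", "/about", "/careers"],
     "hosting_country": "US", "iab": "Technology & Computing"},
    {"domain": "docs-share-portal.net", "age_days": 200, "pagerank": 1.2,
     "web_filtering": "Unknown", "pages": ["/about"],
     "hosting_country": "US", "iab": "Hobbies & Interests"},
]

if __name__ == "__main__":
    for domain, (score, verd, prio) in triage_batch(BATCH).items():
        print(f"{domain:26} score={score:.2f}  {verd} ({prio})")
```

The established CDN scores low because age, PageRank and the full set of trust pages all pull toward zero; the only factor it shares with the malicious record is its IAB category, which is why that factor carries the smallest weight. Keeping `factor_scores` separate from `risk_score` lets the per-factor breakdown be attached to the verdict for analyst review.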
Step 3: Auto-Distribute to Security Controls

IOC DISTRIBUTION — AUTOMATED ACTIONS TAKEN
════════════════════════════════════════════════════
Batch: 42 IOCs processed | 18 confirmed malicious | 8 false positives | 16 monitoring

BLOCKED (18 domains):
  → NGFW URL Filtering: Updated in 2.3 seconds
  → SASE DNS Security: Updated in 1.8 seconds
  → XDR Endpoint Blocklist: Updated in 4.1 seconds
  → Email Gateway: Domain block rules pushed

WHITELISTED (8 domains):
  → Removed from threat feeds | Submitter notified
  → analytics-cdn-global.com added to known-good list

MONITORING (16 domains):
  → Added to WildFire sandbox queue for behavioral analysis
  → Hourly page-type re-scan scheduled for 72 hours

4. Phishing Infrastructure Detection

AI agent continuously monitors newly registered domains for phishing indicators — comparing page structures, login portals, and brand impersonation patterns against protected brand domains to detect phishing sites before they launch campaigns.

Step 1: Monitor for Brand Impersonation
Page types and enrichment signals: /login, /products, /support, Domain Ages, OpenPageRank, Personas

PHISHING DETECTION — BRAND IMPERSONATION SCAN
════════════════════════════════════════════════════
PROTECTED BRANDS: 847 customer brands monitored
NEW DOMAINS SCANNED: 142,000 (last 24 hours)
PHISHING CANDIDATES: 23

CRITICAL — Active phishing targeting customer brands:

paloalt0-networks-sso.com (targeting: Palo Alto Networks)
  Domain Age: 2 days | Country: Romania | PageRank: 0.0
  /login: Exact replica of GlobalProtect VPN login
  /support: Fake support page with "call for MFA reset"
  Personas: IT Security professionals
  Web Filtering: Phishing
  STATUS: ACTIVE — Credential harvesting live

cortex-xdr-update.net (targeting: Palo Alto Networks Cortex)
  Domain Age: 5 days | Country: Bulgaria | PageRank: 0.0
  /products: Fake Cortex XDR download page
  /docs: Fake installation guide — drops RAT
  Web Filtering: Malware Distribution
  STATUS: STAGING — Not yet distributed via email

crowdstr1ke-falcon-login.com (targeting: CrowdStrike)
  Domain Age: 1 day | Country: Moldova | PageRank: 0.0
  /login: Falcon console login replica
  Personas: SOC analysts, security engineers
  STATUS: DEPLOYING — SSL certificate just issued
Step 2: Automated Takedown & Protection

AUTOMATED RESPONSE — 23 PHISHING DOMAINS
════════════════════════════════════════════════════
ACTIONS COMPLETED:
  → 23 domains added to PAN-DB URL filtering (all NGFW/Prisma customers protected)
  → 23 domains added to DNS Security blocklist
  → 3 critical domains: Registrar abuse reports filed automatically
  → 2 domains: Hosting provider takedown requests submitted
  → Customer notification: 3 targeted brands alerted with IOC package
  → ISAC sharing: STIX bundle published to FS-ISAC, IT-ISAC

TIME TO PROTECT: 4 minutes 12 seconds (from detection to global block)
CUSTOMERS PROTECTED: 78,000+ NGFW/SASE deployments worldwide
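The "STIX bundle published to FS-ISAC, IT-ISAC" step above (and the "Share IOCs with ISAC partners via STIX/TAXII feed" action in workflow 1) comes down to emitting STIX 2.1 Indicator objects with a domain-name pattern. The following is an added example using only the standard library; it is not the product's code, and the `stix2` library would produce the same objects with full validation. The three domains are the critical findings from the scan above; the campaign name, the scan timestamp, the description text and the labels are constructed for this example.

```python
"""Build a STIX 2.1 bundle of domain-name indicators for ISAC sharing."""
import json
import uuid
from datetime import datetime, timezone

# Constructed scan time used for created/modified/valid_from in this example.
SCAN_TIME = datetime(2026, 2, 17, 12, 0, tzinfo=timezone.utc)


def stix_timestamp(ts: datetime) -> str:
    """STIX 2.1 timestamps are UTC, RFC 3339, millisecond precision, trailing 'Z'."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def domain_pattern(domain: str) -> str:
    """STIX pattern for one domain; backslashes and single quotes must be escaped."""
    escaped = domain.replace("\\", "\\\\").replace("'", "\\'")
    return f"[domain-name:value = '{escaped}']"


def make_indicator(domain: str, campaign: str, seen: datetime, target: str) -> dict:
    """One STIX 2.1 Indicator SDO carrying the properties the spec requires."""
    now = stix_timestamp(seen)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{campaign}: phishing domain impersonating {target}",
        "description": f"Newly registered domain hosting a {target} login or download replica.",
        "indicator_types": ["malicious-activity"],
        "pattern": domain_pattern(domain),
        "pattern_type": "stix",
        "valid_from": now,
        "labels": ["phishing", "brand-impersonation"],
    }


def build_bundle(findings: list[tuple[str, str]], campaign: str, seen: datetime) -> dict:
    """Wrap one indicator per (domain, targeted brand) pair in a STIX bundle."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(d, campaign, seen, brand) for d, brand in findings],
    }


REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def validate_bundle(bundle: dict) -> bool:
    """Cheap structural check before pushing the bundle to a TAXII collection."""
    if bundle.get("type") != "bundle" or not bundle.get("id", "").startswith("bundle--"):
        return False
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            return False
        if any(k not in obj for k in REQUIRED):
            return False
        if not obj["id"].startswith("indicator--"):
            return False
    return True


# Constructed findings: (domain from the scan above, brand it impersonates).
FINDINGS = [
    ("paloalt0-networks-sso.com", "Palo Alto Networks"),
    ("cortex-xdr-update.net", "Palo Alto Networks Cortex"),
    ("crowdstr1ke-falcon-login.com", "CrowdStrike"),
]

if __name__ == "__main__":
    bundle = build_bundle(FINDINGS, "Brand impersonation scan", SCAN_TIME)
    if validate_bundle(bundle):
        print(json.dumps(bundle, indent=2))
```

The escaping in `domain_pattern` matters because the pattern is a small query language: an unescaped quote in a domain value would make the indicator unparseable for every recipient. Identifiers use random UUIDs as the specification recommends for SDOs, so a re-run of the same scan produces new objects; to update rather than duplicate an indicator, persist its `id` and bump `modified`.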

5. Dark Web & Underground Infrastructure Mapping

AI agent tracks threat actor infrastructure that bridges the clear web and dark web — identifying domains used for initial access, data exfiltration staging, and ransomware payment portals that maintain clear-web presence for victim communication.

Step 1: Map Ransomware Group Web Presence
Page types and enrichment signals: /contact, /blog, /legal, Domain Ages, Countries, Web Filtering

RANSOMWARE GROUP CLEAR-WEB INFRASTRUCTURE
════════════════════════════════════════════════════
GROUP: LockBit 4.0 / Successor Operations

lockbit-support-desk.com
  Domain Age: 89 days | Country: Seychelles
  /contact: Victim negotiation portal
  /blog: Victim leak site mirror (clear web)
  /legal: "Terms of service" for ransom payment
  Web Filtering: Ransomware / Extortion

data-recovery-consulting.net
  Domain Age: 34 days | Country: Panama
  /about: Fake data recovery company front
  /contact: Proxied to negotiation backend
  /pricing: "Data recovery" pricing — actually ransom tiers
  IAB: Technology & Computing (deceptive classification)
  Personas: IT managers, CISOs
Step 2: Track Infrastructure Changes
Ransomware Infrastructure Shifts
2025-11-02 LockBit successor registered 4 new victim negotiation domains
2025-12-18 Shifted from .onion-only to clear-web mirrors — indicating expanded operations
2026-01-05 Added /pricing pages — professionalizing ransom negotiation
2026-02-01 New "data recovery" front companies registered — social engineering pivot
2026-02-14 2 domains taken down by law enforcement, 3 replacements registered within hours
Step 3: Generate Proactive Blocking Rules
Proactive Defense
Pattern-Based Blocking — Domain intelligence fingerprint enables blocking ransomware infrastructure 72 hours before it appears in public threat feeds. Key indicators: Domain age <90 days + /contact present + /legal present + no /careers or /investors + PageRank <0.5 + hosting in specific jurisdictions.
72-hour early warning advantage over traditional feeds
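The key indicators listed above, implemented as a hard rule in an added example (not the product's code): Domain Age under 90 days, /contact and /legal present, no /careers or /investors, PageRank under 0.5, and hosting in a watched jurisdiction. The jurisdiction list and the sample records are assumptions; the first two records mirror the infrastructure map in step 1. The rule returns the conditions that failed so an analyst can see why a domain did or did not match.

```python
"""Pattern-based blocking rule for ransomware clear-web infrastructure."""

# Hosting jurisdictions taken from the infrastructure map above (assumption for
# this example): SC = Seychelles, PA = Panama.
WATCHED_JURISDICTIONS = {"SC", "PA"}

# (condition name, predicate over a domain record and the jurisdiction set).
# Every condition must hold for the rule to fire.
RULE = [
    ("age_under_90_days", lambda d, j: d["age_days"] < 90),
    ("contact_present", lambda d, j: "/contact" in d["pages"]),
    ("legal_present", lambda d, j: "/legal" in d["pages"]),
    ("no_careers_or_investors",
     lambda d, j: not ({"/careers", "/investors"} & set(d["pages"]))),
    ("pagerank_under_0_5", lambda d, j: d["pagerank"] < 0.5),
    ("watched_jurisdiction", lambda d, j: d["hosting_country"] in j),
]


def evaluate(domain: dict, jurisdictions=WATCHED_JURISDICTIONS) -> tuple[bool, list[str]]:
    """Return (matched, names of the conditions that failed)."""
    failed = [name for name, cond in RULE if not cond(domain, jurisdictions)]
    return not failed, failed


def blocklist(records: list[dict]) -> list[str]:
    """Domains the rule would push to URL filtering / DNS security."""
    return [r["domain"] for r in records if evaluate(r)[0]]


# Constructed records; the first two mirror the ransomware map above.
RECORDS = [
    {"domain": "lockbit-support-desk.com", "age_days": 89, "pagerank": 0.0,
     "hosting_country": "SC", "pages": ["/contact", "/blog", "/legal"]},
    {"domain": "data-recovery-consulting.net", "age_days": 34, "pagerank": 0.1,
     "hosting_country": "PA", "pages": ["/about", "/contact", "/pricing"]},
    {"domain": "example-law-firm.com", "age_days": 40, "pagerank": 0.2,
     "hosting_country": "SC", "pages": ["/contact", "/legal", "/careers"]},
]

if __name__ == "__main__":
    for rec in RECORDS:
        matched, failed = evaluate(rec)
        print(f"{rec['domain']:30} {'BLOCK' if matched else 'pass ':5} {failed}")
```

Worth noticing in the output: the "data recovery" front company from step 1 does not match, because it has no /legal page. A conjunction like this trades recall for precision, which is acceptable for an automated block but means the front-company variant still needs the monitoring path rather than the blocklist.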

6. Supply Chain Threat Monitoring

AI agent monitors the digital presence of software supply chain vendors — tracking changes to their security pages, partner integrations, and distribution infrastructure to detect supply chain compromise indicators before they impact customers.

Step 1: Monitor Critical Supply Chain Vendors
Page types and enrichment signals: /security, /partners, /products, /docs, OpenPageRank, IAB Categories

SUPPLY CHAIN MONITORING — 2,340 VENDORS TRACKED
════════════════════════════════════════════════════════
ALERT: ANOMALOUS CHANGES DETECTED

brightedge-analytics.com (JavaScript analytics SDK, embedded in 14,000 sites)
  /security: SOC2 badge removed 3 days ago
  /docs: SDK documentation updated — new data collection endpoints
  /partners: 3 major CDN partners removed from page
  /leadership: CISO departed, not replaced
  PageRank: Dropped 5.1 → 3.8 in 30 days
  RISK: Potential SDK compromise or acquisition by malicious entity

cloud-ops-toolkit.io (DevOps automation, used by 3 Fortune 500 customers)
  /security: Present, unchanged
  /products: New "enterprise" tier added with broader permissions
  /api: New endpoints added — data exfiltration risk
  Domain Age: 2,190 days | PageRank: 5.4
  RISK: Monitor — legitimate expansion or privilege escalation vector
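The change tracking behind this alert, as an added example that is not the product's code: two snapshots of a vendor's web presence are compared and each difference is mapped to a severity. The snapshot fields, the anomaly rules, the severities and the PageRank-drop threshold are assumptions made for this example; the two snapshots are constructed to reproduce the brightedge-analytics.com changes listed above.

```python
"""Detect anomalous changes between two snapshots of a vendor's web presence."""

# Page-level signals whose disappearance is an ownership-change or compromise indicator.
TRUST_SIGNALS = {"soc2_badge", "iso27001_badge", "security_contact"}
PAGERANK_DROP_THRESHOLD = 0.20  # fraction of the prior PageRank lost within the window


def diff_snapshots(before: dict, after: dict) -> list[tuple[str, str, str]]:
    """Return (severity, location, detail) for every anomaly between two snapshots."""
    findings = []
    for page in sorted(set(before["pages"]) - set(after["pages"])):
        findings.append(("HIGH", page, "page removed"))
    for sig in sorted((set(before["signals"]) & TRUST_SIGNALS) - set(after["signals"])):
        findings.append(("HIGH", "/security", f"trust signal removed: {sig}"))
    lost_partners = sorted(set(before["partners"]) - set(after["partners"]))
    if lost_partners:
        findings.append(("MEDIUM", "/partners",
                         f"{len(lost_partners)} partner(s) removed: {', '.join(lost_partners)}"))
    new_endpoints = sorted(set(after["api_endpoints"]) - set(before["api_endpoints"]))
    if new_endpoints:
        findings.append(("MEDIUM", "/docs", f"new data endpoint(s): {', '.join(new_endpoints)}"))
    if before["pagerank"] > 0:
        drop = (before["pagerank"] - after["pagerank"]) / before["pagerank"]
        if drop >= PAGERANK_DROP_THRESHOLD:
            findings.append(("MEDIUM", "pagerank",
                             f"dropped {before['pagerank']} -> {after['pagerank']} ({drop:.0%})"))
    for role in sorted(set(before["leadership"]) - set(after["leadership"])):
        findings.append(("LOW", "/leadership", f"{role} no longer listed"))
    return findings


def overall_risk(findings: list[tuple[str, str, str]]) -> str:
    """Escalate to CRITICAL when a HIGH finding coincides with any other signal."""
    severities = [f[0] for f in findings]
    if "HIGH" in severities and len(findings) >= 2:
        return "CRITICAL"
    if "HIGH" in severities:
        return "HIGH"
    if "MEDIUM" in severities:
        return "MEDIUM"
    return "LOW" if findings else "NONE"


# Constructed snapshots of one vendor, taken 30 days apart.
BEFORE = {
    "pages": ["/security", "/docs", "/partners", "/leadership", "/products"],
    "signals": ["soc2_badge", "security_contact"],
    "partners": ["cdn-one.example", "cdn-two.example", "cdn-three.example", "cloud-x.example"],
    "api_endpoints": ["/v1/events"],
    "pagerank": 5.1,
    "leadership": ["CEO", "CTO", "CISO"],
}
AFTER = {
    "pages": ["/security", "/docs", "/partners", "/leadership", "/products"],
    "signals": ["security_contact"],
    "partners": ["cloud-x.example"],
    "api_endpoints": ["/v1/events", "/v1/session-replay", "/v1/form-capture"],
    "pagerank": 3.8,
    "leadership": ["CEO", "CTO"],
}

if __name__ == "__main__":
    results = diff_snapshots(BEFORE, AFTER)
    for severity, where, detail in results:
        print(f"[{severity:6}] {where:12} {detail}")
    print("overall:", overall_risk(results))
```

No single finding here is conclusive on its own (a lost badge can be a site redesign, a PageRank dip can be seasonal), which is why `overall_risk` only escalates on the coincidence of several signals; the per-finding list is what an analyst then checks against the vendor's own change announcements.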
Step 2: Assess Supply Chain Impact Radius
Impact Assessment
brightedge-analytics.com — SDK embedded in 14,000 websites. Of those, 847 are in our customer protection portfolio. If compromised, this would be a Magecart-style supply chain attack affecting payment pages, login forms, and PII collection across financial services, healthcare, and retail sectors.
CRITICAL — 847 protected customers at risk

7. APT Campaign Correlation Engine

AI agent correlates domain intelligence across multiple threat campaigns to identify shared infrastructure, overlapping tactics, and potential connections between seemingly unrelated attacks targeting different industries.

Step 1: Cross-Campaign Infrastructure Analysis
Page types and enrichment signals: /login, /api, /docs, Domain Ages, Countries, Personas

CROSS-CAMPAIGN CORRELATION — 7 ACTIVE CAMPAIGNS
════════════════════════════════════════════════════════
CORRELATION DISCOVERED:
  Campaign A: "Healthcare Harvest" (targeting hospital systems)
  Campaign B: "GovCloud Breach" (targeting government cloud)
  Campaign C: "FinServ Phantom" (targeting banking APIs)

SHARED INFRASTRUCTURE:
  Registrar: All use NameSilo → Tucows migration pattern
  /api endpoint structure: Identical beacon format (base64-encoded)
  /login page template: Same HTML structure, different CSS themes
  Domain Age pattern: 14-21 day staging period before activation
  Countries: Moldova → Latvia rotation pattern
  Personas overlap: All target IT administrators as initial access vector

ASSESSMENT: Single threat actor operating 3 campaigns simultaneously
  Likely APT41 / Double Dragon based on TTP convergence
  Combined scope: 312 domains across 3 verticals
Step 2: Generate Unified Threat Assessment

Multi-Campaign Threat Assessment

UNIFIED THREAT ACTOR PROFILE
────────────────────────────────────────
Campaigns linked: 3 | Total domains: 312 | Active IOCs: 189
Attribution: APT41 / Double Dragon (HIGH CONFIDENCE — 84%)
Target sectors: Healthcare, Government, Financial Services
Objective: Data theft + ransomware (dual extortion)

DOMAIN INTELLIGENCE ADVANTAGE
Without domain enrichment: 3 separate, unrelated campaigns
With domain enrichment: 1 coordinated threat actor, 312 linked domains
Correlation enabled by: Domain Ages, Country patterns, /api structure
Early warning: 47 pre-staging domains identified for proactive blocking

8. Vulnerability Exploitation Tracking

AI agent monitors domains that host exploit kits, vulnerability scanners, and proof-of-concept code — tracking when new CVEs move from disclosure to active exploitation infrastructure, enabling proactive protection for NGFW and XDR customers.

Step 1: Detect Exploit Infrastructure Deployment
Page types and enrichment signals: /products, /docs, /api, Domain Ages, Web Filtering, IAB Categories

EXPLOIT INFRASTRUCTURE TRACKING — CVE-2026-1847
════════════════════════════════════════════════════════
CVE: CVE-2026-1847 (Critical RCE in enterprise VPN gateway)
CVSS: 9.8 | Disclosed: Feb 10, 2026

EXPLOITATION TIMELINE:
  Feb 10 (Day 0): CVE disclosed, patch available
  Feb 11 (Day 1): poc-exploit-hub.io — /docs published PoC code
                  Domain Age: 412 days | Web Filtering: Hacking/Security
  Feb 12 (Day 2): 3 domains added /api endpoints serving weaponized exploits
  Feb 13 (Day 3): 14 new domains registered with exploit kit deployment
                  Pattern: Domain Age <3 days, /products page with "VPN scanner"
  Feb 15 (Day 5): Mass exploitation detected — 89 domains serving exploits
  Feb 17 (Day 7): 147 domains total, targeting unpatched VPN gateways

PROTECTION STATUS:
  NGFW IPS signature: Deployed Day 0
  URL filtering (exploit domains): 89 blocked by Day 3 (proactive)
  DNS Security: 147 domains blocked before customer impact
Step 2: Prioritize Vulnerability Response
Exploitation Velocity
CVE-2026-1847 — Exploitation infrastructure growing at 21 new domains/day. This exceeds the Log4Shell growth rate at equivalent timeline. Domain intelligence detected weaponized infrastructure 48 hours before CISA KEV listing. Customers protected proactively via PAN-DB updates.
RAPID WEAPONIZATION — Faster than Log4Shell timeline

9. Threat Feed Quality Assessment

AI agent evaluates the quality, freshness, and accuracy of third-party threat intelligence feeds by cross-referencing IOCs against comprehensive domain intelligence — identifying stale entries, false positives, and coverage gaps.

Step 1: Audit Threat Feed Accuracy
Page types and enrichment signals: /about, /security, /products, OpenPageRank, Domain Ages, Web Filtering

THREAT FEED QUALITY AUDIT — Q1 2026
════════════════════════════════════════════════════
FEED: AlienVault OTX Community
  IOCs tested: 12,847 domains
  True positives: 8,234 (64.1%)
  False positives: 2,891 (22.5%) — legitimate domains incorrectly flagged
  Stale entries: 1,722 (13.4%) — domains expired or sinkholed
  Domain intelligence validation:
    2,891 "malicious" domains have: PageRank >4, Domain Age >5yrs, /careers active
    These are clearly legitimate — false positives from community submissions

FEED: Abuse.ch URLhaus
  IOCs tested: 5,412 domains
  True positives: 4,889 (90.3%)
  False positives: 198 (3.7%)
  Stale entries: 325 (6.0%)
  HIGH QUALITY — Recommended for automated blocking

FEED: Internal Threat Intel (PAN Unit 42)
  IOCs tested: 3,891 domains
  True positives: 3,812 (97.9%)
  False positives: 34 (0.9%)
  Stale entries: 45 (1.2%)
  EXCELLENT — Highest accuracy across all feeds
Step 2: Generate Feed Optimization Recommendations

Threat Feed Optimization Report

RECOMMENDATIONS
────────────────────────────────────────
1. Add domain enrichment pre-filter to OTX feed — reduce FP by 82%
2. Auto-expire IOCs where domain is sinkholed (PageRank=0, no pages)
3. Weight Abuse.ch and Unit 42 feeds 3x higher in scoring model
4. Remove 2,891 false positives from active blocklists immediately
5. Implement PageRank + Domain Age checks before auto-blocking

PROJECTED IMPACT
Current false positive rate (all feeds): 14.2%
Projected after enrichment filtering: 2.1%
SOC analyst time saved: 23 hours/week (fewer FP investigations)
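The audit logic of step 1 and recommendations 2, 4 and 5 of step 2, worked through in one added example (not the product's code). An IOC counts as stale when its domain is expired or sinkholed (PageRank 0 and no pages served), as a false positive when the domain has PageRank above 4, Domain Age above five years and an active /careers page, and as a true positive otherwise; the same PageRank and age check gates automated blocking. The feed names, the records and the treatment of unresolvable domains as stale are assumptions made for this example.

```python
"""Audit threat-feed IOCs against domain-intelligence records and derive cleanup actions."""
from collections import defaultdict
from typing import Optional

FIVE_YEARS = 5 * 365  # Domain Age threshold from the audit above, in days


def classify_ioc(record: Optional[dict]) -> str:
    """Classify one feed entry; None means domain intelligence has no record for it."""
    if record is None or record.get("expired"):
        return "stale"
    if record["pagerank"] == 0 and not record["pages"]:
        return "stale"  # sinkholed: nothing served, no reputation left
    if record["pagerank"] > 4 and record["age_days"] > FIVE_YEARS and "/careers" in record["pages"]:
        return "false_positive"  # established business with active hiring
    return "true_positive"


def audit_feeds(entries: list[tuple[str, str]], intel: dict[str, dict]) -> dict[str, dict]:
    """Per-feed counts and true-positive rate. entries are (feed name, domain) pairs."""
    counts: dict[str, dict[str, int]] = defaultdict(
        lambda: {"true_positive": 0, "false_positive": 0, "stale": 0})
    for feed, domain in entries:
        counts[feed][classify_ioc(intel.get(domain))] += 1
    report = {}
    for feed, c in counts.items():
        total = sum(c.values())
        report[feed] = {**c, "tested": total,
                        "true_positive_rate": round(c["true_positive"] / total, 3)}
    return report


def remediation_actions(entries: list[tuple[str, str]], intel: dict[str, dict]) -> list[tuple[str, str]]:
    """Recommendations 2 and 4 above: expire stale IOCs, pull false positives from blocklists."""
    actions = []
    for _, domain in entries:
        kind = classify_ioc(intel.get(domain))
        if kind == "stale":
            actions.append(("expire", domain))
        elif kind == "false_positive":
            actions.append(("remove_from_blocklist", domain))
    return actions


def safe_to_auto_block(record: Optional[dict]) -> bool:
    """Recommendation 5 above: PageRank + Domain Age gate before any automated block."""
    if record is None:
        return False  # nothing known about the domain, so route to analyst review
    return not (record["pagerank"] > 4 and record["age_days"] > FIVE_YEARS)


# Constructed feed entries and domain-intelligence records for this example.
ENTRIES = [
    ("community-feed", "update-service-ms.com"),
    ("community-feed", "bigcorp-cdn.example"),
    ("community-feed", "old-sinkholed.example"),
    ("community-feed", "gone-domain.example"),
    ("vendor-feed", "phish-login-portal.example"),
    ("vendor-feed", "malware-drop.example"),
]
INTEL = {
    "update-service-ms.com": {"pagerank": 0.0, "age_days": 12, "pages": ["/login"]},
    "bigcorp-cdn.example": {"pagerank": 6.1, "age_days": 3000, "pages": ["/careers", "/about"]},
    "old-sinkholed.example": {"pagerank": 0.0, "age_days": 900, "pages": []},
    "gone-domain.example": {"expired": True, "pagerank": 0.0, "age_days": 0, "pages": []},
    "phish-login-portal.example": {"pagerank": 0.1, "age_days": 20, "pages": ["/login"]},
    "malware-drop.example": {"pagerank": 0.0, "age_days": 45, "pages": ["/products"]},
}

if __name__ == "__main__":
    for feed, stats in audit_feeds(ENTRIES, INTEL).items():
        print(feed, stats)
    for action, domain in remediation_actions(ENTRIES, INTEL):
        print(f"{action:22} {domain}")
```

The classifier deliberately checks the stale conditions before the false-positive ones: an expired domain with a stale high PageRank should be expired, not unblocked and left in the feed. Treating an unresolvable domain as stale rather than malicious is the conservative choice for cleanup, and `safe_to_auto_block` refuses such domains for the opposite reason, so neither path ever acts automatically on a domain nobody has looked at.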

10. Geopolitical Threat Landscape Analysis

AI agent monitors domain registration and infrastructure patterns across geopolitically sensitive regions — detecting state-sponsored cyber operations, sanctions evasion infrastructure, and regional threat actor activity shifts that inform strategic threat assessments.

Step 1: Monitor Regional Threat Activity
Page types and enrichment signals: /about, /contact, /press, Countries, Domain Ages, IAB Categories

GEOPOLITICAL THREAT LANDSCAPE — FEBRUARY 2026
════════════════════════════════════════════════════════
REGION: East Asia
  New suspicious domain registrations: +340% vs Q4 2025
  Primary targets: Defense, semiconductor, telecommunications
  Notable: 89 domains mimicking TSMC, Samsung, and ASML vendor portals
  Country distribution: Hosting in China (via HK proxies), registered in Tonga, Palau

REGION: Eastern Europe
  New suspicious domain registrations: +120% vs Q4 2025
  Primary targets: Energy, critical infrastructure, government
  Notable: 134 domains targeting European energy grid operators
  Country distribution: Hosting in Russia, Belarus, registered in Netherlands, Iceland

REGION: Middle East
  New suspicious domain registrations: +85% vs Q4 2025
  Primary targets: Oil & gas, financial services, government
  Notable: 56 domains with /careers pages for social engineering against energy sector
  Country distribution: Hosting in Iran (via Turkey proxies), registered in UAE, Bahrain
Step 2: Strategic Threat Assessment
Geopolitical Signal
East Asia Semiconductor Targeting — 340% increase in suspicious domain registrations targeting semiconductor supply chain. Correlates with increased geopolitical tensions. Domain intelligence provides 3-4 week early warning of coordinated campaign preparation before active exploitation begins.
ELEVATED — State-sponsored campaign preparation detected
Geopolitical Signal
European Energy Grid — 134 new domains targeting energy operators across 6 countries. Pattern matches pre-attack infrastructure buildup observed before 2024 Ukraine grid targeting. Domain intelligence provides unique visibility into preparation phase that network telemetry alone cannot detect.
PREPARING — Infrastructure buildup phase detected
Step 3: Generate Executive Threat Briefing

Geopolitical Threat Briefing — February 2026

KEY FINDINGS
────────────────────────────────────────
1. East Asia: Coordinated semiconductor supply chain targeting at scale
2. Eastern Europe: Energy sector infrastructure preparation phase
3. Middle East: Social engineering campaigns against oil & gas sector
4. Americas: No significant uptick — baseline activity levels

CUSTOMER ADVISORY
Sectors at elevated risk: Semiconductor, Energy, Defense, Oil & Gas
Recommended actions: Enable enhanced URL filtering, DNS Security with threat intelligence feeds, and Cortex XDR behavioral detection for targeted spear-phishing indicators.

Domain intelligence covers 94 countries simultaneously — providing the only comprehensive view of global threat actor infrastructure preparation across 100M+ domains with 20 page types per domain.

Get in Touch

Interested in AI Agent Domain Intelligence?

For pricing, subscription options, custom database builds, or enterprise partnerships — contact us below.

Power Your AI Agents with Domain Intelligence

Subscribe to the AI Agent Domain Database — continuous access to 100M+ domains, 20 page types each, quarterly refreshes, and real-time change signals.


Annual subscription includes quarterly data refreshes, change detection alerts, and priority API access.