Forward to: Engineering Team

Product & Platform
Engineering Workflows

Ten agent workflows for the Engineering Team — threat feed integration, URL filtering database enrichment, DNS security intelligence, platform detection engine enhancement, NGFW policy automation, XDR telemetry enrichment, SASE cloud intelligence, WildFire analysis enrichment, IoT/OT device domain profiling, and AI-powered detection model training — providing domain intelligence to enhance every security product in the platform portfolio.

1. PAN-DB URL Filtering Enhancement

AI agent enriches the PAN-DB URL filtering database with comprehensive domain intelligence — adding page type analysis, enrichment data, and trust scores to improve categorization accuracy, reduce false positives, and accelerate new domain classification.

Step 1: Enhance URL Categorization with Domain Intelligence
/products /about /pricing /login IAB Categories OpenPageRank Domain Ages Web Filtering

PAN-DB ENRICHMENT — DOMAIN INTELLIGENCE INTEGRATION
════════════════════════════════════════════════════════
DOMAINS IN PAN-DB: 800M+
DOMAINS ENRICHABLE: 100M+ (with 20 page types + 6 enrichment fields)

CATEGORIZATION IMPROVEMENT:
  BEFORE ENRICHMENT:
    Uncategorized domains: 14.2M (daily new domains)
    Time to categorize: 4-48 hours (traditional crawl + ML)
    False positive rate: 2.8%
    Phishing detection (new domains): 78% within 4 hours
  AFTER ENRICHMENT:
    Uncategorized domains: 2.1M (85% auto-categorized on registration)
    Time to categorize: 30 seconds (domain intelligence lookup)
    False positive rate: 0.4%
    Phishing detection (new domains): 96% within 30 minutes

CATEGORIZATION LOGIC ENHANCEMENT:
  Domain intelligence signal → PAN-DB category mapping:
    /pricing + /products + /about + PR >3 + Age >1yr → Business SaaS
    /login only + Age <30d + PR=0 + no /security → Phishing
    /api only + Age <14d + Country: high-risk → Malware/C2
    /products + /docs + /careers + PR >5 → Technology
    /blog + /about + Age >2yr + IAB: News → News & Media
Step 2: Measure Customer Protection Impact
Customer Impact
PAN-DB Enhancement Impact — 78,000+ NGFW and Prisma Access deployments benefit from domain intelligence enrichment. 85% faster categorization of new domains. 86% reduction in false positives. Customers protected from phishing 3.5 hours faster than before. Zero-day malicious domain detection improved by 23%.
78,000+ customer deployments improved

2. DNS Security Intelligence Feed

AI agent generates DNS security intelligence by analyzing domain characteristics at registration time — pre-scoring domains before they become active threats, enabling DNS-layer protection that blocks malicious domains hours or days before traditional threat feeds.

Step 1: Pre-Score Domains for DNS Security
/login /api /products Domain Ages Countries OpenPageRank Web Filtering

DNS SECURITY PRE-SCORING — DAILY PIPELINE
════════════════════════════════════════════════════════
NEW DOMAINS REGISTERED TODAY: 142,000
PRE-SCORED BY DOMAIN INTELLIGENCE: 142,000 (100%)
PREDICTIVE BLOCKS ISSUED: 8,412

PRE-SCORING MODEL:
  Risk indicators (domain intelligence based):
    Age <7 days + PageRank 0 + <3 pages = HIGH RISK (auto-block candidate)
    /login present within 48hrs of registration = +30 risk points
    /api present, no /docs = +25 risk points (possible C2)
    Country: high-risk jurisdiction = +15 risk points
    IAB mismatch (claimed vs actual content) = +20 risk points

TODAY'S PREDICTIVE BLOCKS:
  Phishing staging domains: 4,234 (blocked before first email sent)
  C2 infrastructure: 1,847 (blocked before first beacon)
  Malware distribution: 2,331 (blocked before first download)

VALIDATION (24-hour review):
  Pre-blocked domains confirmed malicious: 97.2%
  False positives reversed: 236 (2.8%) — all within 4 hours

CUSTOMER VALUE:
  Threats blocked before they become active
  Average early block time: 47 hours before traditional feed detection
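
The pre-scoring rules listed above, written out as an added Python example (not code from the page or the vendor). The point values and the HIGH RISK conjunction are the page's; the record shape, the 50-point review threshold and the sample profiles are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Point values come from the pre-scoring model above. REVIEW_THRESHOLD is an
# assumption: the page lists points but no cut-off for acting on them.
REVIEW_THRESHOLD = 50

@dataclass
class DomainProfile:            # hypothetical record shape
    name: str
    registered: datetime
    pagerank: float
    pages: dict                 # page path -> datetime first observed
    high_risk_country: bool
    claimed_iab: str
    observed_iab: str

def pre_score(d: DomainProfile, now: datetime):
    """Return (decision, points, reasons) so each decision can be reviewed."""
    login = d.pages.get("/login")
    checks = [
        (login is not None and login - d.registered <= timedelta(hours=48),
         30, "/login within 48h of registration"),
        ("/api" in d.pages and "/docs" not in d.pages, 25, "/api without /docs"),
        (d.high_risk_country, 15, "high-risk jurisdiction"),
        (d.claimed_iab != d.observed_iab, 20, "IAB mismatch"),
    ]
    points = sum(p for hit, p, _ in checks if hit)
    reasons = [r for hit, _, r in checks if hit]
    # HIGH RISK is a conjunction of three signals, separate from the points.
    if (now - d.registered < timedelta(days=7) and d.pagerank == 0
            and len(d.pages) < 3):
        return "auto-block-candidate", points, reasons + ["age<7d, PR 0, <3 pages"]
    decision = "review" if points >= REVIEW_THRESHOLD else "monitor"
    return decision, points, reasons

# Constructed sample profiles (not data from the page).
NOW = datetime(2025, 1, 15)
REG = NOW - timedelta(days=3)
SAMPLES = [
    DomainProfile("fresh-login.example", REG, 0.0,
                  {"/login": REG + timedelta(hours=6)}, False, "Business", "Business"),
    DomainProfile("api-only.example", NOW - timedelta(days=20), 0.0,
                  {"/api": NOW, "/about": NOW, "/contact": NOW}, True, "Technology", "Shopping"),
    DomainProfile("established.example", NOW - timedelta(days=400), 4.1,
                  {"/docs": NOW, "/api": NOW}, False, "Technology", "Technology"),
]

if __name__ == "__main__":
    print([pre_score(s, NOW) for s in SAMPLES])
```

Returning the reasons alongside the decision gives reviewers what they need when a pre-block has to be reversed, as in the 24-hour validation step above.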

3. NGFW Policy Automation Engine

AI agent automates NGFW policy creation and updates using domain intelligence — dynamically generating allow/block/inspect rules based on domain trust scores, page type analysis, and enrichment data rather than static IP-based rules.

Step 1: Generate Dynamic NGFW Policies
/security /compliance /products OpenPageRank Domain Ages Web Filtering IAB Categories

NGFW POLICY AUTOMATION — DOMAIN INTELLIGENCE DRIVEN
════════════════════════════════════════════════════════
AUTO-GENERATED POLICY RULES:

  RULE: trusted-saas-allow
    Match: Trust >80, IAB: Technology/Business, /security present
    Action: Allow, standard logging
    Domains matching: 12,847 | Auto-updated: Every 6 hours
    Example: salesforce.com, okta.com, github.com

  RULE: medium-trust-inspect
    Match: Trust 30-80, any IAB category
    Action: Allow with SSL decryption + DLP scan
    Domains matching: 34,891 | Auto-updated: Every 6 hours
    Example: Niche SaaS tools, new but legitimate services

  RULE: new-domain-sandbox
    Match: Age <30 days, Trust <30, any page type
    Action: Allow with full sandbox inspection
    Domains matching: 8,234 | Auto-updated: Hourly

  RULE: malicious-block
    Match: Trust <10, Web Filtering: Malware/Phishing/C2
    Action: Block, alert SOC, log full context
    Domains matching: 147,234 | Auto-updated: Real-time

POLICY MAINTENANCE:
  Rules auto-updated: No manual policy changes needed
  Domain reclassifications per day: 2,847 (automated)
  Policy consistency: 100% (no human error in rule creation)
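
The four match conditions above overlap (Trust <10 with Age <30 days satisfies both new-domain-sandbox and malicious-block) and leave gaps (for instance Trust <30 with Age of 30 days or more and no malicious category). This added Python example, not part of the original page, evaluates the rules in an assumed precedence order and audits a domain set for overlaps and gaps; the field names, the precedence order, the fallback rule and the sample profiles are assumptions.

```python
# Match conditions transcribed from the four auto-generated rules above.
# Evaluation order is an assumption (the page states no precedence): the
# block rule is checked first so a less restrictive rule cannot shadow it.
MALICIOUS = {"Malware", "Phishing", "C2"}
RULES = [
    ("malicious-block",
     lambda d: d["trust"] < 10 and d["web_filter"] in MALICIOUS),
    ("new-domain-sandbox",
     lambda d: d["age_days"] < 30 and d["trust"] < 30),
    ("trusted-saas-allow",
     lambda d: d["trust"] > 80 and d["iab"] in {"Technology", "Business"}
     and "/security" in d["pages"]),
    ("medium-trust-inspect",
     lambda d: 30 <= d["trust"] <= 80),
]
# Hypothetical fallback for domains no rule matches; not a rule from the page.
FALLBACK = "unmatched-inspect"

def matching_rules(d):
    """Names of every rule whose match condition holds for this domain."""
    return [name for name, pred in RULES if pred(d)]

def decide(d):
    """First matching rule in precedence order, else the fallback."""
    hits = matching_rules(d)
    return hits[0] if hits else FALLBACK

def audit(domains):
    """Find domains hit by several rules (overlap) or by none (gap)."""
    overlaps, gaps = {}, []
    for d in domains:
        hits = matching_rules(d)
        if len(hits) > 1:
            overlaps[d["name"]] = hits
        elif not hits:
            gaps.append(d["name"])
    return overlaps, gaps

# Constructed sample profiles; field names are illustrative.
SAMPLES = [
    {"name": "fresh-bad.example", "trust": 4, "age_days": 3,
     "web_filter": "Phishing", "iab": "Business", "pages": ["/login"]},
    {"name": "vendor.example", "trust": 91, "age_days": 2900,
     "web_filter": "Business", "iab": "Technology", "pages": ["/security"]},
    {"name": "old-low-trust.example", "trust": 22, "age_days": 400,
     "web_filter": "Unknown", "iab": "Shopping", "pages": ["/products"]},
]

if __name__ == "__main__":
    print(audit(SAMPLES), [decide(d) for d in SAMPLES])
```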

4. Cortex XDR Detection Enhancement

AI agent enhances Cortex XDR detection capabilities by adding domain intelligence context to behavioral analytics — improving detection of C2 beaconing, data exfiltration, lateral movement, and credential theft based on domain characteristics.

Step 1: Enhance XDR Detection Models
/api /login /products Domain Ages Countries Web Filtering OpenPageRank

XDR DETECTION ENHANCEMENT — DOMAIN INTELLIGENCE FEATURES
════════════════════════════════════════════════════════
NEW DETECTION FEATURES (added to XDR ML models):

  Feature: domain_trust_score (0-100)
    Input to: C2 detection, data exfil detection, phishing detection
    Impact: +23% detection rate for novel C2 patterns

  Feature: domain_age_days
    Input to: All network-based detections
    Impact: Newly registered domains weighted 5x higher in risk models

  Feature: page_completeness_ratio (pages present / 20)
    Input to: Domain legitimacy scoring
    Impact: Domains with <5/20 pages flagged for deep inspection

  Feature: country_risk_score
    Input to: Geopolitical threat models
    Impact: Traffic to high-risk jurisdictions triggers enhanced analysis

DETECTION IMPROVEMENT METRICS:
  C2 detection rate: 78% → 94.7% (+16.7pp)
  Phishing detection rate: 82% → 96.1% (+14.1pp)
  Data exfil detection rate: 71% → 89.3% (+18.3pp)
  False positive rate: 8.4% → 2.1% (-6.3pp)

Domain intelligence features are now in the top 5 most predictive features in 4 of 6 XDR detection models

5. Prisma SASE Cloud Intelligence

AI agent provides domain intelligence for Prisma Access SASE decisions — enabling cloud-delivered security with real-time domain trust scoring, SaaS application classification, and dynamic policy enforcement across all remote users and branch offices.

Step 1: Power SASE with Domain Intelligence
/pricing /security /login /compliance IAB Categories Personas Web Filtering

PRISMA ACCESS — DOMAIN INTELLIGENCE INTEGRATION
════════════════════════════════════════════════════════
SASE USE CASES POWERED BY DOMAIN INTELLIGENCE:

  1. SaaS Application Discovery & Classification
     SaaS apps discovered in customer traffic: 14,891
     Auto-classified by domain intelligence: 14,891 (100%)
     /pricing + /login + /products → SaaS classification
     /security presence → Sanctioned vs unsanctioned decision

  2. Shadow IT Detection for Remote Users
     Remote users: 47,000+ across Prisma Access customers
     Shadow IT services detected per customer: Avg 67
     Detection method: /pricing + /login without /security or /compliance

  3. Adaptive Access Policy
     Domain trust score drives policy: Allow / Inspect / Block
     Policies adapt in real-time as domain intelligence changes
     Example: Vendor trust drops 85 → 42 → Auto-switches to SSL inspect

CUSTOMER VALUE:
  SaaS categorization: 100% vs 72% without domain intelligence
  Shadow IT detection: 3x more unauthorized services identified
  Policy accuracy: 94% correct decisions vs 78% without enrichment

6. WildFire Analysis Enrichment

AI agent enriches WildFire malware analysis with domain intelligence context — adding information about download source domains, C2 destinations, and data exfiltration endpoints to improve malware classification and automated verdict generation.

Step 1: Enrich WildFire Verdicts with Domain Context
/products /api /docs Domain Ages Countries Web Filtering OpenPageRank

WILDFIRE ENRICHMENT — DOMAIN INTELLIGENCE LAYER
════════════════════════════════════════════════════════
SAMPLE ANALYSIS: SHA256:a4f8c2e1...

BEHAVIORAL ANALYSIS (standard WildFire):
  File type: PE executable | Downloads payload | Makes DNS queries
  Network: Contacts 3 external domains | Modifies registry
  Verdict: Suspicious (score: 62/100)

DOMAIN INTELLIGENCE ENRICHMENT:
  Download source: free-software-cracks.xyz
    Age: 4 days | PR: 0.0 | Web Filter: Malware
    +25 risk points: Malicious distribution source
  C2 domain: telemetry-update-service.com
    Age: 9 days | PR: 0.0 | Country: Russia
    /api: Accepts POST with encoded data
    +30 risk points: C2 infrastructure confirmed
  Data endpoint: cloud-backup-free.xyz
    Age: 6 days | PR: 0.0 | Country: Moldova
    +20 risk points: Exfiltration endpoint

ENRICHED VERDICT: MALICIOUS (score: 97/100)
  Domain intelligence upgraded verdict from Suspicious to Malicious
  Verdict confidence improved by 35 percentage points

7. IoT/OT Device Domain Profiling

AI agent profiles IoT and OT device domain communications — establishing baselines of legitimate vendor domains each device type should contact, detecting anomalous communications to unauthorized domains that may indicate compromised industrial systems.

Step 1: Profile IoT Device Domain Baselines
/products /support /docs /api Domain Ages OpenPageRank Countries

IoT/OT DEVICE DOMAIN PROFILING
════════════════════════════════════════════════════════
DEVICE TYPES PROFILED: 847 unique IoT/OT device models
VENDOR DOMAINS BASELINED: 2,341

DEVICE: Siemens S7-1500 PLC
  Legitimate domains (verified):
    siemens.com — PR: 8.4 | /products, /support, /docs | Firmware updates
    siemens-cloud.com — PR: 6.2 | /api | Telemetry upload
  All other external domains: BLOCKED (whitelist-only for OT)

ANOMALY DETECTED:
  PLC-PLANT-07 (Siemens S7-1500) contacted: iot-mgmt-cloud.xyz
    Domain Age: 14 days | Country: China | PR: 0.0
    /api: Data collection endpoint
    Web Filtering: Newly Registered
  ALERT: OT device communicating with unauthorized domain
  RISK: Potential ICS compromise or unauthorized data collection
  ACTION: Isolate PLC, notify OT security team, forensics initiated

BASELINE COVERAGE:
  Devices with complete domain baselines: 89% of IoT/OT fleet
  Anomalies detected this month: 14 (3 confirmed malicious)

8. Threat Feed Integration & Deduplication

AI agent integrates and deduplicates threat intelligence feeds using domain intelligence as the normalization layer — merging IOCs from multiple sources, eliminating duplicates, resolving conflicts, and scoring the combined feed for quality.

Step 1: Normalize & Deduplicate Threat Feeds
/security /about OpenPageRank Domain Ages Web Filtering IAB Categories

THREAT FEED INTEGRATION — 14 SOURCES NORMALIZED
════════════════════════════════════════════════════════
INPUT FEEDS:
  Unit 42: 3,891 IOCs | Abuse.ch: 5,412 | OTX: 12,847
  ISAC feeds: 2,234 | VirusTotal: 8,912 | Partner feeds: 4,567
  Commercial feeds: 6 sources, 18,234 IOCs
  Total raw IOCs: 56,097

DEDUPLICATION RESULTS:
  Exact duplicates removed: 12,847 (22.9%)
  Domain intelligence resolved: 4,234 (7.5%) — same domain, different names
  Conflicting verdicts resolved: 891 (1.6%)

CONFLICT RESOLUTION EXAMPLE:
  cdn-analytics-service.com
    OTX: MALICIOUS | Commercial feed: BENIGN
    Domain intelligence: Age 2,847d, PR 5.2, /security present, SOC2
    RESOLVED: BENIGN (false positive in OTX)

OUTPUT:
  Deduplicated, quality-scored feed: 38,125 unique IOCs
  High confidence (ready for auto-block): 28,412 (74.5%)
  Medium confidence (monitoring): 7,234 (19.0%)
  Low confidence (needs review): 2,479 (6.5%)

9. AI Detection Model Training Data

AI agent generates high-quality training data for ML-based detection models by labeling domains with ground truth from domain intelligence — creating vast, accurate training sets that improve detection accuracy across all products in the security platform.

Step 1: Generate ML Training Data from Domain Intelligence
/login /api /security /products Domain Ages OpenPageRank Web Filtering IAB Categories Countries Personas

ML TRAINING DATA GENERATION — DOMAIN INTELLIGENCE
════════════════════════════════════════════════════════
TRAINING DATASETS GENERATED:

  1. Phishing Detection Model
     Positive samples (phishing): 234,000 domains
     Negative samples (legitimate): 1.2M domains
     Features: 26 domain intelligence features per sample
     Labels: Ground truth from domain intelligence + manual verification
     Model accuracy improvement: +14.1pp (82% → 96.1%)

  2. C2 Detection Model
     Positive samples (C2): 89,000 confirmed C2 domains
     Negative samples: 450,000 legitimate domains with /api pages
     Key feature: /api present + no /docs + low PageRank + young age
     Model accuracy improvement: +16.7pp (78% → 94.7%)

  3. Domain Reputation Model
     Training set: 10M domains with full 20-page + 6-enrichment profiles
     Features: 52 features per domain
     Output: Trust score (0-100) with category labels
     Deployed to PAN-DB, DNS Security, and Cortex XDR

DATA QUALITY ADVANTAGE:
  Domain intelligence provides 52 features per domain
  Traditional training data: 5-8 features per domain
  6.5x more features → significantly better model performance

10. Platform Telemetry & Detection Metrics

AI agent tracks the impact of domain intelligence across all platform products — measuring detection improvements, false positive reductions, customer protection metrics, and competitive advantage gained from integrating 100M+ domain enrichment data.

Step 1: Track Platform-Wide Domain Intelligence Impact
/products /security OpenPageRank Web Filtering Domain Ages

PLATFORM METRICS — DOMAIN INTELLIGENCE IMPACT
════════════════════════════════════════════════════════
Product          Before DI      After DI       Improvement
NGFW (PAN-DB)    2.8% FP        0.4% FP        -86% false positives
DNS Security     78% detect     96% detect     +23% detection rate
Cortex XDR       71% exfil      89.3% exfil    +25.8% data exfil detect
Prisma Access    72% SaaS       100% SaaS      +39% SaaS classification
WildFire         62/100 avg     97/100 avg     +56% verdict confidence
IoT Security     67% anomaly    89% anomaly    +33% OT anomaly detect

CUSTOMER PROTECTION SUMMARY:
  NGFW/Prisma deployments improved: 78,000+
  Malicious domains pre-blocked daily: 8,412
  Avg early protection vs traditional: 47 hours
  False positive reduction: 86% across all products
Step 2: Generate Engineering Impact Report

Engineering Impact Report — Domain Intelligence Integration

EXECUTIVE SUMMARY
────────────────────────────────────────
Products enhanced: 6 (NGFW, DNS Security, XDR, SASE, WildFire, IoT)
Domains enriched: 100M+ with 20 page types + 6 enrichment fields
Detection improvement: +14-26 percentage points across all models
False positive reduction: -86% average across products

COMPETITIVE ADVANTAGE
Domain intelligence creates detection capabilities that competitors cannot easily replicate. The combination of 20 page types per domain, 6 enrichment fields, and time-series change data provides:
  1. Faster new domain categorization (30 sec vs 4-48 hours)
  2. Predictive threat blocking (47 hours early warning)
  3. Superior false positive rates (0.4% vs industry avg 3-5%)
  4. 52 ML features per domain (vs 5-8 for competitors)
  5. IoT/OT baseline profiling (unique capability)
This data moat strengthens with each quarterly refresh and grows as the 100M+ domain database expands.