Endpoint Protection Workflows

Ten agent workflows for the Endpoint Team — malware C2 domain detection, DNS-layer protection, endpoint telemetry enrichment, browser isolation policy automation, executable origin verification, endpoint drift detection, patch source validation, removable media domain tracking, endpoint compliance scoring, and EDR alert enrichment — providing domain intelligence context for every endpoint security decision.

1. Malware C2 Domain Detection & Blocking

AI agent identifies Command and Control domains by analyzing domain intelligence patterns — newly registered domains with minimal page presence, suspicious hosting, and API-only structures that indicate C2 infrastructure rather than legitimate services.

Step 1: Identify C2 Domain Patterns in Endpoint Traffic
Signals used: /api, /login, /products, Domain Ages, Countries, Web Filtering, OpenPageRank

C2 DETECTION — ENDPOINT DOMAIN ANALYSIS
════════════════════════════════════════════════════════
ENDPOINTS MONITORED: 12,847 (Cortex XDR managed)
UNIQUE DOMAINS CONTACTED: 89,412 (last 24 hours)
C2 CANDIDATES IDENTIFIED: 7

CONFIRMED C2 (3 domains):

health-check-api.xyz
  Contacted by: SERVER-DB-07 (every 60 seconds)
  Domain Age: 19 days | Country: Russia | PageRank: 0.0
  /api: Only page — returns encoded commands
  /login: None | /about: None | /products: None
  Web Filtering: Newly Registered / Suspicious
  C2 Score: 98/100
  → Endpoint isolated, forensics initiated, domain blocked globally

cdn-static-assets-delivery.com
  Contacted by: WORKSTATION-142 (every 5 minutes, varies)
  Domain Age: 8 days | Country: Moldova | PageRank: 0.0
  /api: POST endpoint accepting large payloads
  Web Filtering: Malware
  C2 Score: 96/100
  → Data exfiltration channel — 2.3GB uploaded in 48 hours

software-license-verify.net
  Contacted by: LAPTOP-EXEC-08 (twice daily at 09:00 and 17:00)
  Domain Age: 14 days | Country: Romania | PageRank: 0.1
  /products: Fake software licensing page
  C2 Score: 94/100
  → Scheduled beacon — executive laptop compromised
Step 2: C2 Detection Model Accuracy
Detection Performance
C2 Detection Model — Domain Age <30 days + PageRank <0.5 + only /api present + periodic beacon pattern. False positive rate: 1.2%. Detection rate: 94.7%. Average time from C2 establishment to detection: 4.2 hours. Domain intelligence adds 23% detection improvement over network-only behavioral analysis.
94.7% detection rate with 1.2% false positive rate
C2 Infrastructure Trend
Sector-Wide Pattern — C2 infrastructure increasingly uses legitimate-looking domain names and /api-only deployments. 78% of C2 domains detected this month were less than 21 days old with zero PageRank. Eastern European hosting (Moldova, Romania, Latvia) accounts for 64% of confirmed C2 infrastructure.
C2 sophistication increasing — domain intel essential for detection
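The C2 rule above (Domain Age <30 days, PageRank <0.5, only /api present, periodic beacon) expressed as scoring code, as an added example that is not the vendor's implementation; the point weights, the 80-point threshold, the DomainIntel field names and the sample traffic are all constructed assumptions.

```python
# Added example (not the vendor's code): scores endpoint-to-domain traffic
# against the C2 rule stated on this page -- Domain Age <30 days, PageRank <0.5,
# /api is the only page present, periodic beacon. Field names, point weights,
# the 80-point threshold and all sample data are constructed assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass
class DomainIntel:
    age_days: int
    pagerank: float
    pages: Set[str]          # page types found on the domain, e.g. {"/api"}
    web_filtering: str = ""


def beacon_regularity(timestamps: List[float]) -> float:
    """Coefficient of variation of the gaps between contacts.
    ~0 = clockwork beacon (every 60 s); small = jittered beacon;
    large = human-driven, irregular traffic. Needs >= 4 contacts."""
    if len(timestamps) < 4:
        return float("inf")
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else float("inf")


def c2_score(intel: DomainIntel, timestamps: List[float]) -> int:
    """0-100 score. The page lists the rule's components but not their
    weights; the weights below are an assumption for illustration."""
    score = 0
    if intel.age_days < 30:
        score += 30
    if intel.pagerank < 0.5:
        score += 20
    if intel.pages == {"/api"}:              # /api is the ONLY page
        score += 25
    cv = beacon_regularity(timestamps)
    if cv < 0.1:                             # fixed interval
        score += 25
    elif cv < 0.4:                           # interval with jitter
        score += 15
    return score


def find_c2_candidates(traffic: Dict[Tuple[str, str], List[float]],
                       intel_db: Dict[str, DomainIntel],
                       threshold: int = 80) -> List[Tuple[str, str, int]]:
    """traffic maps (host, domain) -> contact timestamps in seconds.
    Returns (host, domain, score) at or above the threshold, highest first.
    Domains with no intel record are skipped: they belong to the DGA path."""
    hits = []
    for (host, domain), stamps in traffic.items():
        intel = intel_db.get(domain)
        if intel is None:
            continue
        s = c2_score(intel, stamps)
        if s >= threshold:
            hits.append((host, domain, s))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample data modelled on the page's confirmed C2 cases plus one
# benign, long-established vendor domain (.example is a reserved TLD).
INTEL_DB = {
    "health-check-api.xyz": DomainIntel(19, 0.0, {"/api"}, "Newly Registered / Suspicious"),
    "cdn-static-assets-delivery.com": DomainIntel(8, 0.0, {"/api"}, "Malware"),
    "vendor-portal.example": DomainIntel(2400, 6.1,
        {"/api", "/login", "/about", "/products", "/security"}, "Business"),
}
TRAFFIC = {
    ("SERVER-DB-07", "health-check-api.xyz"): [60.0 * i for i in range(11)],   # every 60 s
    ("WORKSTATION-142", "cdn-static-assets-delivery.com"):
        [0, 240, 600, 870, 1200, 1380],                                         # ~5 min, jittered
    ("LAPTOP-SALES-07", "vendor-portal.example"): [0, 37, 900, 1000, 4000],     # irregular
}

if __name__ == "__main__":
    for host, domain, score in find_c2_candidates(TRAFFIC, INTEL_DB):
        print(f"{host:16} {domain:32} C2 score {score}/100")
```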
Step 3: Generate C2 Blocking Report

C2 Domain Detection Report

C2 RESPONSE SUMMARY
────────────────────────────────────────
C2 domains detected: 3 confirmed, 4 suspected
Endpoints compromised: 3 (isolated within 4 minutes)
Data exfiltrated: 2.3GB (containment prevented further loss)
Related domains pre-blocked: 12 (pattern matching)

RECOMMENDED ACTIONS
1. Block all 3 confirmed + 12 related domains globally
2. Forensic analysis on SERVER-DB-07, WORKSTATION-142, LAPTOP-EXEC-08
3. Rotate all credentials on compromised endpoints
4. Update C2 detection model with new beacon patterns
5. Share IOCs with ISAC partners via STIX/TAXII

2. DNS-Layer Endpoint Protection

AI agent provides DNS-layer protection for all endpoints by pre-scoring domains before DNS resolution completes — blocking connections to malicious domains at the network layer before any data can be exchanged with the endpoint.

Step 1: Pre-Score DNS Queries Against Domain Intelligence
Signals used: /security, /about, Domain Ages, OpenPageRank, Web Filtering, IAB Categories

DNS SECURITY — ENDPOINT PROTECTION LAYER
════════════════════════════════════════════════════════
DNS QUERIES PROCESSED: 47.2M (last 24 hours)
QUERIES BLOCKED: 284,000 (0.6%)
LATENCY ADDED: <2ms (pre-computed scores)

BLOCK CATEGORIES:

Malware/C2 domains: 12,847 queries blocked
  All matched: Age <30d + PageRank <0.5 + Web Filtering: Malware
  Impact: 47 endpoints prevented from reaching C2 servers

Phishing domains: 89,412 queries blocked
  All matched: /login present + no /security + Age <90d
  Impact: 2,847 phishing attempts blocked before page load

Newly registered suspicious: 134,000 queries blocked
  All matched: Age <7d + PageRank 0 + <3 pages present
  Impact: Zero-day malware distribution prevented

DGA-detected domains: 47,741 queries blocked
  Algorithmically generated, no domain intelligence match
  Impact: Bot infections prevented from establishing C2
Step 2: Analyze DNS Protection Effectiveness
DNS Blocking Model
Pre-Scoring Accuracy — Domain intelligence pre-scoring blocks 99.4% of malicious DNS queries with only 0.02% false positive rate. Key signals: Domain Age under 7 days with zero PageRank accounts for 47% of all blocks. Adding /security page absence check increases phishing detection by 34%.
99.4% block accuracy — 0.02% false positive rate
Enterprise Impact
DNS-Layer Protection Value — 284,000 malicious connections prevented at the DNS layer means zero data exchanged with attacker infrastructure. Sub-2ms latency ensures users experience no slowdown. Estimated 47 active compromises prevented this week alone based on C2 beacon patterns in blocked queries.
47 potential compromises prevented at DNS layer
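The four block rules from the DNS panel above, pre-computed per domain so the resolver path is a dictionary lookup, as an added example that is not the vendor's code; the DomainIntel fields, the lexical stand-in for the page's DGA detector, the appeal allowlist and all sample domains (reserved .example TLD) are constructed assumptions.

```python
# Added example (not the vendor's code): DNS pre-scoring that applies the four
# block rules on this page and caches one verdict per domain. The DomainIntel
# fields, the lexical stand-in for the page's DGA detector, the allowlist and
# all sample domains are constructed assumptions.
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class DomainIntel:
    age_days: int
    pagerank: float
    pages: FrozenSet[str]      # page types present, e.g. {"/login", "/about"}
    web_filtering: str


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def looks_dga(fqdn: str) -> bool:
    """Assumed stand-in for the page's DGA detector: a long, high-entropy,
    vowel-poor registrable label. Consulted only when there is NO intel record."""
    parts = fqdn.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) >= 12 and label_entropy(label) >= 3.3 and vowels / len(label) < 0.25


def dns_verdict(fqdn: str, intel: Optional[DomainIntel], allowlist: Set[str]) -> str:
    """'allow:<reason>' or 'block:<category>'. Rules run most severe first;
    the allowlist (appeals resolved by the SOC) wins over every rule."""
    if fqdn in allowlist:
        return "allow:allowlisted"
    if intel is None:
        # No record is not itself a block: only DGA-looking names are dropped.
        return "block:dga" if looks_dga(fqdn) else "allow:unknown"
    if intel.age_days < 30 and intel.pagerank < 0.5 and intel.web_filtering == "Malware":
        return "block:malware-c2"
    if "/login" in intel.pages and "/security" not in intel.pages and intel.age_days < 90:
        return "block:phishing"
    if intel.age_days < 7 and intel.pagerank == 0 and len(intel.pages) < 3:
        return "block:newly-registered"
    return "allow:scored"


def build_verdict_cache(intel_db: Dict[str, DomainIntel], allowlist: Set[str]) -> Dict[str, str]:
    """Pre-compute a verdict for every known domain (the page's '<2ms' path)."""
    return {d: dns_verdict(d, i, allowlist) for d, i in intel_db.items()}


def resolve_query(fqdn: str, cache: Dict[str, str], allowlist: Set[str]) -> str:
    """Resolver hook: cached verdict if known, otherwise the no-record path."""
    return cache.get(fqdn) or dns_verdict(fqdn, None, allowlist)


# Constructed sample records (not real domains).
INTEL_DB = {
    "asset-sync-api.example": DomainIntel(8, 0.0, frozenset({"/api"}), "Malware"),
    "payroll-login-portal.example": DomainIntel(40, 0.2, frozenset({"/login", "/about"}), "Uncategorized"),
    "fresh-promo-site.example": DomainIntel(3, 0.0, frozenset({"/about"}), "Newly Registered"),
    "vendor-portal.example": DomainIntel(2400, 5.8,
        frozenset({"/login", "/security", "/about", "/products"}), "Business"),
    "appealed-site.example": DomainIntel(5, 0.0, frozenset({"/login"}), "Uncategorized"),
}
ALLOWLIST = {"appealed-site.example"}   # false positive appealed and cleared

if __name__ == "__main__":
    cache = build_verdict_cache(INTEL_DB, ALLOWLIST)
    for q in list(INTEL_DB) + ["qwxzkrtplmvns.example", "internal-wiki.example"]:
        print(f"{q:32} {resolve_query(q, cache, ALLOWLIST)}")
```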
Step 3: DNS Protection Summary Report

DNS-Layer Protection Report

DAILY PROTECTION SUMMARY
────────────────────────────────────────
DNS queries processed: 47.2M | Blocked: 284,000 (0.6%)
Malware/C2 blocks: 12,847 | Phishing blocks: 89,412
Newly registered blocks: 134,000 | DGA blocks: 47,741

ENDPOINT PROTECTION SUMMARY
284,000 malicious connections prevented at DNS layer
Zero data exchanged with blocked domains
Sub-2ms latency — users experience no slowdown
False positive rate: 0.02% (8 domains appealed, all resolved <4 hours)

3. Executable Origin Verification

AI agent verifies the origin of every executable downloaded to endpoints — checking the download domain's trust score, page types, and enrichment data to determine if the source is legitimate before allowing execution.

Step 1: Verify Download Source Domains
Signals used: /products, /docs, /security, OpenPageRank, Domain Ages, Web Filtering

EXECUTABLE ORIGIN VERIFICATION — TODAY
════════════════════════════════════════════════════════
EXECUTABLES DOWNLOADED: 342
VERIFIED LEGITIMATE: 318 (93%)
BLOCKED: 12 (3.5%)
SANDBOXED: 12 (3.5%)

VERIFIED — Auto-allowed:
  download.microsoft.com — Trust: 99 | Windows Update
  dl.google.com — Trust: 99 | Chrome update
  releases.hashicorp.com — Trust: 94 | Terraform CLI

BLOCKED — Malicious source:
  free-software-cracks.xyz — Trust: 2 | Age: 4d
    /products: Cracked software downloads (trojanized)
    Web Filtering: Malware Distribution
    Downloaded by: LAPTOP-DEV-23 — User notified, HR flagged
  driver-update-helper.com — Trust: 5 | Age: 11d
    /products: Fake driver updater (PUP/adware)
    Web Filtering: Potentially Unwanted Program

SANDBOXED — Unknown source:
  niche-devtool.io — Trust: 38 | Age: 234d
    /products: Developer tool, PageRank 1.4
    /security: Not present | /docs: Basic
    Result: Clean after 5-minute sandbox analysis → allowed
Step 2: Evaluate Source Domain Trust Signals
Origin Trust Model
Executable Source Scoring — Domains with /products + /docs + /security present + PageRank >5 + Age >2 years are auto-trusted for executable downloads. Domains missing /security with Age <90 days are auto-blocked. Middle-trust domains are sandboxed for 5 minutes before delivery. Model catches 99.1% of trojanized downloads.
99.1% trojanized download prevention rate
Malware Distribution Trend
Supply Chain Risk — 67% of blocked executables this month came from domains impersonating legitimate software vendors. Common pattern: domain name similar to real vendor + /products page with fake downloads + Age <30 days + no /security page. Domain intelligence detects these before signature-based AV.
Software impersonation attacks increasing 34% QoQ
Step 3: Executable Verification Report

Executable Origin Verification Report

DAILY VERIFICATION SUMMARY
────────────────────────────────────────
Executables verified: 342 | Auto-allowed: 318 (93%)
Blocked (malicious): 12 | Sandboxed (unknown): 12
Users attempting malicious downloads: 4 (HR notified)

PROTECTION VALUE
Trojanized downloads prevented: 12 (100% catch rate)
PUPs/adware blocked: 8 additional
Sandbox analysis: 12 unknowns analyzed, 10 clean, 2 quarantined
Average verification time: 0.3 seconds (trusted sources)

4. Browser Isolation Policy Automation

AI agent automatically determines which websites require browser isolation based on domain trust scores — isolating untrusted or medium-trust domains in a remote browser while allowing trusted domains direct access for performance.

Step 1: Apply Dynamic Isolation Policies
Signals used: /login, /security, OpenPageRank, Web Filtering, Domain Ages

BROWSER ISOLATION POLICY — DOMAIN-BASED
════════════════════════════════════════════════════════
ISOLATION TIERS:

DIRECT ACCESS (Trust >80) — 78% of web traffic
  No isolation, full performance
  Examples: microsoft.com, google.com, salesforce.com, github.com

READ-ONLY ISOLATION (Trust 40-79) — 14% of web traffic
  Remote browser, read-only rendering, no file downloads
  Examples: Industry blogs, news sites, forums, niche SaaS tools
  Downloads: Held for sandbox analysis before delivery

FULL ISOLATION (Trust <40) — 8% of web traffic
  Full remote browser, pixel-only streaming, no copy/paste
  All keystrokes protected (anti-keylogger for /login pages)
  File downloads: Blocked or CDR (Content Disarm & Reconstruct)

TODAY'S ISOLATION STATS:
  Sessions isolated: 4,847 | Threats blocked in isolation: 23
  Malware downloads caught: 7 | Credential theft prevented: 4
  User experience impact: Zero complaints (seamless isolation)
Step 2: Analyze Isolation Effectiveness
Isolation Trigger Analysis
Trust-Based Isolation — Domains triggering full isolation share common characteristics: PageRank <1, Domain Age <90 days, no /security page, Web Filtering categories including "Uncategorized" or "Newly Registered." Of 4,847 isolated sessions today, 23 contained active threats that would have compromised endpoints without isolation.
23 active threats contained in isolation today
User Experience
Seamless Protection — 78% of traffic flows directly (trusted domains), ensuring performance for business-critical SaaS applications. The 22% isolated traffic uses pixel-streaming with sub-100ms latency. Zero user complaints this month. Browser isolation with domain intelligence eliminates the "block everything" approach that reduces productivity.
Zero user complaints — protection without friction
Step 3: Browser Isolation Policy Report

Browser Isolation Report

ISOLATION PERFORMANCE
────────────────────────────────────────
Direct access sessions: 78% | Isolated sessions: 22%
Threats blocked in isolation: 23 | Malware caught: 7
Credential theft prevented: 4 | Zero user complaints

DOMAIN INTELLIGENCE VALUE
Without domain trust scoring: Would need to isolate 100% of traffic
With domain trust scoring: Only 22% requires isolation
Performance improvement: 78% of traffic runs at full speed
Security improvement: 23 threats contained without endpoint impact

5. Endpoint Telemetry Enrichment

AI agent enriches raw endpoint telemetry from Cortex XDR with domain intelligence — adding context to every DNS query, HTTP connection, and process communication to transform raw logs into actionable security intelligence.

Step 1: Enrich XDR Telemetry with Domain Context
Signals used: /about, /products, IAB Categories, Web Filtering, Personas, Domain Ages

XDR TELEMETRY ENRICHMENT — SAMPLE
════════════════════════════════════════════════════════
RAW TELEMETRY (before enrichment):
  Host: LAPTOP-SALES-07
  Process: chrome.exe → DNS query → unknown-domain.com → HTTPS POST 1.2MB

ENRICHED TELEMETRY (after domain intelligence):
  Host: LAPTOP-SALES-07 (Sales team, user: jdoe)
  Process: chrome.exe
  Domain: unknown-domain.com
    Trust: 34/100 | Age: 178 days | PageRank: 1.2
    IAB: Business Services | Web Filtering: File Sharing
    /products: Cloud file sharing service
    /security: Not present | /compliance: Not present
    Personas: Small business owners
  Action: HTTPS POST 1.2MB (file upload)

ENRICHED VERDICT: Shadow IT file sharing — DLP policy triggered
  Context: Sales employee uploading files to unvetted sharing service

ENRICHMENT VALUE:
  Raw telemetry: "chrome.exe talked to unknown-domain.com" — No context
  Enriched: "Sales user uploading 1.2MB to unvetted file sharing service with no security page and no compliance certifications" — Actionable
Step 2: Interpret Enrichment Signals
Enrichment Coverage
Telemetry Enrichment Rate — 94.2% of all endpoint domain communications are enriched with full domain intelligence (20 page types + 6 enrichment fields). Remaining 5.8% are DGA domains or IP-only connections. Enriched telemetry reduces SOC investigation time by 67% per alert by providing immediate domain context.
94.2% enrichment coverage — 67% faster investigations
Shadow IT Detection
Telemetry-Based Discovery — Enriched endpoint telemetry reveals shadow IT adoption patterns: 67 unauthorized SaaS services discovered this month through domain intelligence enrichment of routine web traffic. Services with /pricing but no /security are flagged automatically, enabling proactive risk assessment before data exposure occurs.
67 shadow IT services discovered via telemetry enrichment
Step 3: Enrichment Impact Report

Telemetry Enrichment Report

ENRICHMENT METRICS — THIS MONTH
────────────────────────────────────────
Telemetry events enriched: 142M | Coverage: 94.2%
Shadow IT discovered: 67 services | DLP triggers: 234
SOC investigation time saved: 67% reduction per alert

VALUE COMPARISON
Raw telemetry: "Process X talked to Domain Y" — No context
Enriched: Full domain profile with trust, pages, compliance — Actionable
Domain intelligence transforms noise into signal

6. Endpoint Drift Detection

AI agent detects endpoint configuration drift by monitoring changes in domain communication patterns — identifying when endpoints begin contacting new external services, unauthorized update servers, or suspicious domains that deviate from their baseline profile.

Step 1: Detect Domain Communication Drift
Signals used: /api, /products, /support, Domain Ages, OpenPageRank, IAB Categories

ENDPOINT DRIFT DETECTION — WEEKLY ANALYSIS
════════════════════════════════════════════════════════
ENDPOINTS WITH DRIFT: 89 of 12,847 (0.7%)

HIGH RISK DRIFT (4 endpoints):
  FINANCE-SERVER-03: +3 new external domains (all Trust <10)
    temp-storage-service.xyz    Data exfil staging
    remote-admin-toolkit.com    RAT download source
    crypto-miner-pool.xyz       Cryptomining C2
  VERDICT: Compromised endpoint — 3 attack vectors detected

MEDIUM RISK DRIFT (23 endpoints):
  Mostly shadow IT adoption — new SaaS tools being trialed
  Common: ai-assistant-pro.com (41 users, unauthorized AI tool)

LOW RISK DRIFT (62 endpoints):
  Normal evolution — updated software contacting new CDN/update domains
  All new domains verified: Trust >70, legitimate update services
Step 2: Assess Drift Risk Signals
Drift Pattern Analysis
Compromised vs Legitimate Drift — Key differentiator: Compromised endpoints contact domains with Trust <10 (Age <30d, no /security, PageRank 0). Legitimate drift contacts domains with Trust >60 (established CDNs, update servers). Domain intelligence separates actual threats from normal software evolution with 97.3% accuracy.
97.3% accuracy distinguishing malicious vs benign drift
Server Baseline Integrity
FINANCE-SERVER-03 Compromise — Server baseline was 12 trusted domains (all Trust >80). New contacts with 3 domains scoring Trust <10 triggered immediate isolation. Without domain intelligence baselines, this compromise would rely on behavioral detection alone, estimated 7-14 days longer to detect.
Server compromise detected via drift — 7-14 days early
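The baseline-versus-observed comparison and the Trust <10 / Trust >60 split described above, with only low-risk additions folded back into the baseline, as an added example that is not the vendor's code; the trust values, endpoint names and domains in the sample are constructed, and a domain with no trust record is treated as untrusted rather than ignored.

```python
# Added example (not the vendor's code): per-endpoint domain baselines and the
# drift classification on this page -- new contacts with Trust <10 are high
# risk, Trust >60 low risk (normal software evolution), anything between is
# medium (typically shadow IT). Trust values, hosts and domains are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set

Baselines = Dict[str, Set[str]]      # endpoint -> domains seen during baseline period

HIGH_TRUST_CEILING = 10   # below this: the page's 'Trust <10' compromise indicator
LOW_TRUST_FLOOR = 60      # above this: the page's 'Trust >60' legitimate drift


@dataclass
class DriftReport:
    endpoint: str
    high: List[str] = field(default_factory=list)
    medium: List[str] = field(default_factory=list)
    low: List[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        """Worst class present decides the endpoint's verdict."""
        if self.high:
            return "high"
        if self.medium:
            return "medium"
        return "low" if self.low else "none"


def classify_domain(trust: int) -> str:
    if trust < HIGH_TRUST_CEILING:
        return "high"
    if trust > LOW_TRUST_FLOOR:
        return "low"
    return "medium"


def detect_drift(baselines: Baselines, observed: Baselines,
                 trust: Dict[str, int]) -> Dict[str, DriftReport]:
    """Compare this period's contacts with each endpoint's baseline.
    Only NEW domains count as drift; a domain with no trust record is
    scored 0 (untrusted) rather than silently skipped."""
    reports = {}
    for endpoint, seen in observed.items():
        new = seen - baselines.get(endpoint, set())
        if not new:
            continue
        rep = DriftReport(endpoint)
        for domain in sorted(new):
            getattr(rep, classify_domain(trust.get(domain, 0))).append(domain)
        reports[endpoint] = rep
    return reports


def approve_low_risk(baselines: Baselines, reports: Dict[str, DriftReport]) -> Baselines:
    """Updated baselines: low-risk additions are approved; medium and high
    stay out of the baseline until reviewed (the page's actions 2 and 3)."""
    updated = {e: set(d) for e, d in baselines.items()}
    for endpoint, rep in reports.items():
        updated.setdefault(endpoint, set()).update(rep.low)
    return updated


# Constructed sample: one server, one shadow-IT laptop, one normal update path.
BASELINES = {
    "FINANCE-SERVER-03": {"erp.corp.example", "updates.vendor.example", "ntp.corp.example"},
    "LAPTOP-MKT-11": {"mail.corp.example", "crm.vendor.example"},
    "WORKSTATION-ENG-02": {"git.corp.example", "pkg.vendor.example"},
}
OBSERVED = {
    "FINANCE-SERVER-03": BASELINES["FINANCE-SERVER-03"]
        | {"temp-storage-service.xyz", "remote-admin-toolkit.com", "crypto-miner-pool.xyz"},
    "LAPTOP-MKT-11": BASELINES["LAPTOP-MKT-11"] | {"ai-assistant-pro.com"},
    "WORKSTATION-ENG-02": BASELINES["WORKSTATION-ENG-02"] | {"cdn2.vendor.example"},
}
TRUST = {"temp-storage-service.xyz": 4, "remote-admin-toolkit.com": 6,
         "crypto-miner-pool.xyz": 2, "ai-assistant-pro.com": 45, "cdn2.vendor.example": 85}

if __name__ == "__main__":
    for ep, rep in detect_drift(BASELINES, OBSERVED, TRUST).items():
        print(f"{ep:20} {rep.risk:6} high={rep.high} medium={rep.medium} low={rep.low}")
```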
Step 3: Drift Detection Report

Endpoint Drift Report — Weekly

DRIFT SUMMARY
────────────────────────────────────────
Endpoints monitored: 12,847 | Drift detected: 89 (0.7%)
High risk: 4 (compromised) | Medium: 23 (shadow IT) | Low: 62 (normal)

ACTIONS TAKEN
1. 4 compromised endpoints isolated and forensics initiated
2. 23 shadow IT services flagged for security review
3. 62 low-risk drifts approved and added to baselines
4. Baseline profiles updated for 847 endpoints with new legitimate domains

7. Patch & Update Source Validation

AI agent validates that all software updates and patches downloaded to endpoints originate from legitimate vendor domains — preventing supply chain attacks through trojanized updates by verifying the domain intelligence of every update source.

Step 1: Validate Update Source Domains
Signals used: /products, /docs, /security, OpenPageRank, Domain Ages, Web Filtering

UPDATE SOURCE VALIDATION — THIS WEEK
════════════════════════════════════════════════════════
UPDATE DOWNLOADS MONITORED: 14,891
LEGITIMATE SOURCES: 14,847 (99.7%)
SUSPICIOUS SOURCES: 44 (0.3%)

BLOCKED UPDATE SOURCES:
  zoom-update-mirror.com (NOT zoom.us)
    Trust: 4/100 | Age: 9 days | PageRank: 0.0
    /products: Fake Zoom installer (trojanized)
    Legitimate source: zoom.us (Trust: 97)
    ACTION: Blocked, user redirected to zoom.us, SOC alerted
  vscode-extensions-cdn.net (NOT marketplace.visualstudio.com)
    Trust: 7/100 | Age: 14 days | PageRank: 0.0
    /products: Malicious VS Code extensions
    ACTION: Blocked, developer team notified

VALIDATION RULE: Software updates must come from domains matching the vendor's known domain (PageRank >5, Domain Age >2yrs, /products present). Any deviation triggers block + sandbox analysis.
Step 2: Evaluate Supply Chain Risk Signals
Update Source Trust
Vendor Domain Matching — Each software vendor is mapped to its verified update domains: zoom.us (Trust 97), download.microsoft.com (Trust 99), releases.hashicorp.com (Trust 94). Any update attempt from a non-matching domain triggers a block. Domain intelligence catches trojanized update mirrors that code signing alone may miss if certificates are stolen.
100% of trojanized update attempts blocked
Supply Chain Threat Trend
Trojanized Update Attacks — 44 fake update domains detected this week, up 28% from last month. Attackers increasingly register domains mimicking vendor update URLs. Average domain age of fake update sites: 11 days. Domain intelligence provides the only reliable detection layer before the user downloads the trojanized payload.
Trojanized updates up 28% — domain validation critical
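The vendor-domain matching rule from this workflow combined with the auto-trust / auto-block / sandbox tiering from workflow 3 (Executable Origin Verification), as an added example that is not the vendor's code; the vendor map uses domains named on this page, while the DomainIntel fields, the host_under() matching, the claimed-vendor input and all sample downloads are constructed assumptions.

```python
# Added example (not the vendor's code): vendor-domain matching for updates
# (workflow 7) on top of the executable-origin tiering (workflow 3). The vendor
# map uses domains named on this page; the DomainIntel fields, host_under()
# and all sample downloads are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Vendor -> verified update domains (from the page). Any host not under one
# of these is a mismatch for that vendor, whatever its intel looks like.
VENDOR_DOMAINS: Dict[str, Set[str]] = {
    "zoom": {"zoom.us"},
    "microsoft": {"download.microsoft.com"},
    "hashicorp": {"releases.hashicorp.com"},
}


@dataclass
class DomainIntel:
    age_days: int
    pagerank: float
    pages: Set[str]


def host_under(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it. A plain
    suffix test would accept 'notzoom.us'; a substring test would accept
    'zoom.us.attacker.example'. Both are common look-alike tricks."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def vendor_matches(vendor: str, host: str) -> bool:
    return any(host_under(host, d) for d in VENDOR_DOMAINS.get(vendor.lower(), ()))


def origin_tier(intel: Optional[DomainIntel]) -> str:
    """Workflow 3 rule: /products + /docs + /security + PageRank >5 + Age >2y
    -> 'allow'; missing /security with Age <90d -> 'block'; else 'sandbox'.
    A domain with no record is treated as the middle tier."""
    if intel is None:
        return "sandbox"
    if ({"/products", "/docs", "/security"} <= intel.pages
            and intel.pagerank > 5 and intel.age_days > 730):
        return "allow"
    if "/security" not in intel.pages and intel.age_days < 90:
        return "block"
    return "sandbox"


def verify_download(host: str, intel: Optional[DomainIntel],
                    claimed_vendor: Optional[str] = None) -> str:
    """Decision for one executable download. When the file claims a known
    vendor (installer metadata, assumed available), the vendor rule runs
    first: a mismatch is blocked and escalated regardless of the tier."""
    if claimed_vendor and claimed_vendor.lower() in VENDOR_DOMAINS:
        if not vendor_matches(claimed_vendor, host):
            return "block:vendor-mismatch+sandbox+soc-alert"
        # A matching host must still look like a real vendor property (page rule).
        if (intel is None or intel.pagerank <= 5 or intel.age_days <= 730
                or "/products" not in intel.pages):
            return "block:vendor-domain-intel-mismatch"
        return "allow:verified-vendor"
    return {"allow": "allow:trusted-origin", "block": "block:untrusted-origin",
            "sandbox": "sandbox:unknown-origin"}[origin_tier(intel)]


# Constructed sample intel (values modelled on the page's examples).
INTEL_DB = {
    "zoom.us": DomainIntel(6000, 8.2, {"/products", "/docs", "/security"}),
    "zoom-update-mirror.com": DomainIntel(9, 0.0, {"/products"}),
    "free-software-cracks.xyz": DomainIntel(4, 0.0, {"/products"}),
    "niche-devtool.io": DomainIntel(234, 1.4, {"/products", "/docs"}),
    "releases.hashicorp.com": DomainIntel(3000, 7.1, {"/products", "/docs", "/security"}),
}

if __name__ == "__main__":
    for host, vendor in [("zoom-update-mirror.com", "Zoom"), ("zoom.us.attacker.example", "Zoom"),
                         ("zoom.us", "Zoom"), ("free-software-cracks.xyz", None),
                         ("niche-devtool.io", None), ("releases.hashicorp.com", None)]:
        print(f"{host:28} {verify_download(host, INTEL_DB.get(host), vendor)}")
```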
Step 3: Update Validation Report

Patch Source Validation Report

WEEKLY VALIDATION SUMMARY
────────────────────────────────────────
Updates monitored: 14,891 | Legitimate: 14,847 (99.7%)
Fake update sites blocked: 44 | Users protected: 38
Trojanized downloads prevented: 12 confirmed malicious payloads

PROTECTION RULE
Updates only from verified vendor domains (PR >5, Age >2yrs)
Any deviation: Block + sandbox + SOC alert
Zero supply chain compromises via fake updates this quarter

8. EDR Alert Enrichment & Prioritization

AI agent enriches every Cortex XDR alert with domain intelligence context — transforming generic "suspicious network connection" alerts into precise, actionable intelligence with domain reputation, page analysis, and historical context.

Step 1: Enrich XDR Alerts with Domain Context
Signals used: /login, /api, /about, Domain Ages, Countries, Web Filtering, OpenPageRank

XDR ALERT ENRICHMENT — PRIORITY QUEUE
════════════════════════════════════════════════════════
ALERT: Suspicious PowerShell → Network Connection
  Host: WORKSTATION-ADMIN-12 | Process: powershell.exe
  Destination: script-hosting-cdn.xyz

DOMAIN ENRICHMENT:
  Age: 3 days | PageRank: 0.0 | Country: Russia
  Web Filtering: Malware | /api: Script download endpoint
  /about: Not present | /security: Not present

ENRICHED PRIORITY: CRITICAL
  Assessment: PowerShell downloading malicious payload from C2
  Without enrichment: Would be Medium severity "suspicious connection"
  With enrichment: Immediately identified as active compromise

ENRICHMENT IMPACT ON ALERT QUEUE:
  Total XDR alerts today: 847
  Re-prioritized by enrichment: 134 (15.8%)
    Upgraded to Critical: 8 (would have been Medium/Low)
    Downgraded to Info: 89 (false positives identified)
    Priority unchanged: 37
Step 2: Analyze Alert Re-Prioritization Impact
Alert Accuracy
Enrichment Re-Prioritization — Domain intelligence upgrades 8 alerts to Critical that would otherwise be Medium/Low, ensuring immediate response. Simultaneously downgrades 89 alerts to Info (false positives), reducing SOC alert fatigue by 66%. Net effect: SOC analysts focus on real threats, not noise.
66% reduction in false positive alerts for SOC team
Response Time Impact
Time to Respond — Critical alerts with domain enrichment are responded to in an average of 3.2 minutes (vs 47 minutes without enrichment context). Domain intelligence provides the "why this matters" context that allows SOC analysts to skip the investigation phase and go directly to containment for confirmed threats.
3.2 min response time — 93% faster with enrichment
Step 3: EDR Alert Enrichment Report

Alert Enrichment Performance Report

ALERT ENRICHMENT METRICS — TODAY
────────────────────────────────────────
Total XDR alerts: 847 | Enriched: 847 (100%)
Upgraded to Critical: 8 | Downgraded (FP): 89
SOC time saved: 23 hours (fewer false positives to investigate)
Mean time to respond (critical): 3.2 minutes

ENRICHMENT VALUE
Without enrichment: Generic alerts, high noise, slow response
With enrichment: Precise verdicts, low noise, rapid containment
93% faster response to genuine threats
66% fewer false positives reaching SOC analysts

9. Endpoint Compliance Scoring

AI agent scores endpoint compliance by analyzing which external domains each endpoint communicates with — ensuring endpoints only reach approved, compliant services and flagging any connections to domains that violate corporate security policies.

Step 1: Score Endpoint Domain Compliance
Signals used: /security, /compliance, /pricing, Web Filtering, IAB Categories, Countries

ENDPOINT COMPLIANCE SCORING — ENTERPRISE
════════════════════════════════════════════════════════
COMPLIANCE SCORE DISTRIBUTION:

Score 95-100 (Fully Compliant): 10,234 endpoints (79.7%)
  All domain communications match approved list
  No shadow IT, no policy violations

Score 80-94 (Minor Violations): 2,012 endpoints (15.7%)
  Mostly shadow IT SaaS tools (low risk)
  Common: Unauthorized AI tools, free file sharing

Score 60-79 (Policy Violations): 489 endpoints (3.8%)
  Communicating with unapproved cloud storage
  Using personal email domains for work data

Score <60 (Non-Compliant): 112 endpoints (0.9%)
  Accessing blocked categories (gambling, torrents)
  Communicating with domains in sanctioned countries
  Using cracked software download sites

LOWEST SCORING ENDPOINT:
  LAPTOP-REMOTE-34: Score 23/100
  Violations: 14 blocked domain categories, 3 sanctioned countries
  Shadow IT: 8 unauthorized services, data sovereignty breach
  ACTION: Restricted network access, mandatory compliance training
Step 2: Interpret Compliance Risk Signals
Compliance Scoring Model
Domain-Based Compliance — Each endpoint scored based on domain trust of its communications. Domains with /security + /compliance pages add compliance points. Domains in sanctioned countries or with Web Filtering "Gambling/Adult/Malware" deduct points. Score reflects real-time compliance posture, not point-in-time audit snapshots.
Continuous compliance — real-time vs annual audits
Sanctions Risk
Sanctioned Country Communications — 2 endpoints communicating with domains in sanctioned jurisdictions (Iran, Russia). Domain intelligence provides country-level hosting data that enables automated sanctions compliance checking. Without domain intelligence, these communications would only be detected during annual compliance audits.
2 sanctions violations detected — immediate remediation
Step 3: Endpoint Compliance Report

Endpoint Compliance Report

COMPLIANCE SUMMARY
────────────────────────────────────────
Fully compliant: 10,234 (79.7%) | Minor violations: 2,012 (15.7%)
Policy violations: 489 (3.8%) | Non-compliant: 112 (0.9%)
Sanctions violations: 2 (immediately remediated)

IMPROVEMENT TREND
Enterprise compliance score: +8 points this quarter
Shadow IT reduction: -23% from domain-based detection
Policy violation response time: 4 hours avg (was 2-4 weeks)

10. Removable Media & USB Domain Tracking

AI agent monitors domains that removable media-originated executables attempt to contact — catching air-gap-jumping malware, infected USB drives, and insider threat tools by analyzing the domain intelligence of post-execution network connections.

Step 1: Monitor USB-Originated Domain Connections
Signals used: /api, /products, Domain Ages, Countries, Web Filtering

USB DOMAIN TRACKING — FEBRUARY 2026
════════════════════════════════════════════════════════
USB INSERTIONS MONITORED: 1,247 events
EXECUTABLES FROM USB: 34
NETWORK CONNECTIONS POST-USB: 89 unique domains

SUSPICIOUS USB → DOMAIN CONNECTIONS:
  Event: USB inserted at KIOSK-LOBBY-02
  Executable: update_installer.exe (unsigned)
  Domain contacted: remote-cmd-service.xyz
    Domain Age: 12 days | Country: China | PageRank: 0.0
    /api: Command endpoint | Web Filtering: Malware
  ASSESSMENT: Air-gap jump attempt — malware on USB drive
  → KIOSK-LOBBY-02 isolated, USB confiscated, forensics initiated
  → Physical security notified, camera footage requested

NORMAL USB ACTIVITY:
  Presentation files, documents — no suspicious domain contacts
  Firmware updates from verified vendor domains (Trust >80)
Step 2: Assess USB Threat Signals
USB C2 Detection
Post-Execution Domain Analysis — When a USB-originated executable contacts a domain with Trust <10 (Age <30 days, no /security, PageRank 0), it triggers immediate isolation. This approach catches air-gap-jumping malware that traditional AV may miss if the payload is custom-built and not in signature databases.
Air-gap jump detected — USB malware contacted C2 domain
Physical Security Integration
USB + Domain + Physical — Domain intelligence adds the network layer to USB security. Kiosk USB insertion + unsigned executable + low-trust domain contact triggers both cyber (isolation, forensics) and physical (camera review, USB confiscation) response. This multi-layer detection catches insider threats and social engineering USB drops.
Physical security + cyber response activated simultaneously
Step 3: Endpoint Protection Performance Summary

Endpoint Protection — Domain Intelligence Impact

MONTHLY METRICS — FEBRUARY 2026
────────────────────────────────────────
C2 domains detected: 23 (avg 4.2 hours to detection)
DNS-layer blocks: 284,000 malicious connections prevented
Executable source blocks: 44 trojanized downloads prevented
Browser isolation sessions: 4,847 per day
Shadow IT discovered: 67 unauthorized services
Compliance score improvement: +8 points enterprise average

DOMAIN INTELLIGENCE VALUE
Without enrichment: Generic alerts, high false positive rates
With enrichment: Precise verdicts with domain context
False positive reduction: 82%
Mean time to detect compromise: 4.2 hours (was 38 hours)
Get in Touch

Interested in AI Agent Domain Intelligence?

For pricing, subscription options, custom database builds, or enterprise partnerships — contact us below.

Power Your AI Agents with Domain Intelligence

Subscribe to the AI Agent Domain Database — continuous access to 102M domains, 20 page types each, quarterly refreshes, and real-time change signals.

Annual subscription includes quarterly data refreshes, change detection alerts, and priority API access.