
Incident Response
Workflows

Ten agent workflows for the IR Team — breach investigation intelligence, attacker infrastructure mapping, domain forensics, rapid containment decisions, victim notification assessment, data exfiltration path analysis, post-incident threat landscape review, IR playbook enrichment, evidence collection automation, and post-breach vendor re-assessment — providing domain intelligence context for every phase of the incident response lifecycle.

1. Breach Investigation Domain Forensics

AI agent performs rapid domain forensics during breach investigations — analyzing every domain involved in the incident to determine attacker infrastructure, C2 channels, data exfiltration endpoints, and the full scope of compromise using domain intelligence.

Step 1: Analyze Incident Domains
Signals: /api, /login, /products, Domain Ages, Countries, Web Filtering, OpenPageRank

INCIDENT FORENSICS — INC-2026-0089 (ACTIVE BREACH)
════════════════════════════════════════════════════════════
INCIDENT: Unauthorized access to customer database
DETECTED: Feb 15, 2026 09:14 UTC
STATUS: Active investigation

DOMAINS INVOLVED IN INCIDENT:

health-check-api.xyz — C2 Channel
  Domain Age: 19 days | Country: Russia | PageRank: 0.0
  /api: C2 beacon endpoint — base64 encoded commands
  Web Filtering: Malware | IAB: Technology
  First contact: Feb 2, 2026 03:47 UTC (13 days before detection)
  ROLE: Primary C2 — attacker commands delivered via API POST

cdn-static-assets-delivery.com — Data Exfiltration
  Domain Age: 8 days | Country: Moldova | PageRank: 0.0
  /api: Large file upload endpoint
  Web Filtering: Malware
  Data transferred: 2.3GB (Feb 12-15, encrypted archives)
  ROLE: Exfiltration staging — customer database extracted here

software-license-verify.net — Initial Access
  Domain Age: 14 days | Country: Romania | PageRank: 0.1
  /products: Fake software licensing portal
  /login: Credential harvester (executive targeted)
  Personas: IT administrators, executives
  ROLE: Initial access — executive credentials stolen via phishing

remote-admin-toolkit.com — Persistence
  Domain Age: 21 days | Country: Russia | PageRank: 0.0
  /products: Remote access tool download
  Web Filtering: Hacking Tools
  ROLE: Persistence — RAT installed on 3 systems
Step 2: Map Attack Kill Chain

Kill Chain Mapping
Attack Reconstruction — Domain intelligence maps the complete kill chain: (1) Phishing via software-license-verify.net, (2) Credential theft via /login page, (3) C2 establishment via health-check-api.xyz /api, (4) Lateral movement, (5) Persistence via remote-admin-toolkit.com, (6) Data exfiltration via cdn-static-assets-delivery.com. All 4 domains share registration and hosting patterns, indicating a single threat actor.
Result: 4 domains, 1 threat actor, full kill chain mapped
Step 3: Identify Related Infrastructure

RELATED INFRASTRUCTURE — PATTERN MATCHING
════════════════════════════════════════════════════════
Using domain intelligence patterns from 4 known attacker domains:

ADDITIONAL DOMAINS MATCHING ATTACKER PATTERN (12 found):

office365-sso-verify.com — 94% pattern match
  Same registrar, same hosting pattern, /login deployed 2 days ago
  LIKELY NEXT ATTACK: Targeting other employees with O365 phishing

vpn-corp-access.com — 91% pattern match
  Same infrastructure fingerprint, registered 3 days ago
  LIKELY BACKUP C2: Pre-staged in case the primary C2 is blocked

CONTAINMENT RECOMMENDATION:
  Block all 12 related domains preemptively
  Search all endpoint logs for any contact with these 12 domains
  Scope may be larger than initially detected

2. Rapid Containment Decision Support

AI agent provides rapid containment intelligence during active incidents — analyzing domain relationships to determine blast radius, identifying which systems communicated with attacker infrastructure, and recommending surgical containment actions.

Step 1: Determine Blast Radius
Signals: /api, /login, Domain Ages, Countries, Web Filtering

BLAST RADIUS ANALYSIS — INC-2026-0089
════════════════════════════════════════════════════════
SYSTEMS CONTACTING ATTACKER DOMAINS:

health-check-api.xyz:
  SERVER-DB-07 (production database server) — Every 60 seconds since Feb 2
  WORKSTATION-142 (developer workstation) — Intermittent since Feb 8

cdn-static-assets-delivery.com:
  SERVER-DB-07 — 2.3GB uploaded Feb 12-15
  FILE-SERVER-03 — 890MB uploaded Feb 14

software-license-verify.net:
  LAPTOP-EXEC-08 — Initial phishing click Jan 28
  LAPTOP-EXEC-12 — Visited but no credential submission (Feb 1)

remote-admin-toolkit.com:
  SERVER-DB-07 — RAT installed Feb 3
  WORKSTATION-142 — RAT installed Feb 9
  FILE-SERVER-03 — RAT installed Feb 11

TOTAL COMPROMISED SYSTEMS: 4 confirmed, 1 exposed
DATA AT RISK: 3.19GB exfiltrated (customer database + file server)

CONTAINMENT ACTIONS (executed in 4 minutes):
  → 4 systems isolated from network
  → All 4 attacker domains + 12 related blocked globally
  → All admin credentials rotated
  → Database access tokens revoked and regenerated
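The blast-radius step above comes down to joining egress logs against the attacker domain list and separating confirmed compromise (contact with C2, exfiltration or persistence infrastructure) from mere exposure (a phishing click, or contact with a pattern-matched related domain). The following is an added example, not the product's own code; the log format, hostnames and byte counts are constructed for the walkthrough.

```python
"""Blast-radius triage: correlate egress logs against attacker domains.
Added example, not the page's product code. Log format is a constructed
"<ISO timestamp> <host> <domain> <bytes_out>"; hosts/domains follow the scenario.
"""
from collections import defaultdict

# Attacker domains from the incident, tagged with their kill-chain role.
ATTACKER_DOMAINS = {
    "health-check-api.xyz": "c2",
    "cdn-static-assets-delivery.com": "exfil",
    "software-license-verify.net": "initial-access",
    "remote-admin-toolkit.com": "persistence",
}
# Pattern-matched related infrastructure: contact counts as exposure, not confirmed compromise.
RELATED_DOMAINS = {"office365-sso-verify.com", "vpn-corp-access.com"}

# Constructed egress log lines (byte counts illustrative, chosen to total 3.19GB).
SAMPLE_LOG = """\
2026-02-02T03:47:10Z SERVER-DB-07 health-check-api.xyz 412
2026-02-08T11:02:33Z WORKSTATION-142 health-check-api.xyz 377
2026-02-12T22:15:00Z SERVER-DB-07 cdn-static-assets-delivery.com 1200000000
2026-02-14T01:30:00Z FILE-SERVER-03 cdn-static-assets-delivery.com 890000000
2026-02-15T02:10:00Z SERVER-DB-07 cdn-static-assets-delivery.com 1100000000
2026-02-01T08:00:00Z LAPTOP-EXEC-12 software-license-verify.net 5120
2026-02-14T09:00:00Z LAPTOP-EXEC-08 office365-sso-verify.com 2048
2026-02-14T09:05:00Z WORKSTATION-201 example.com 1024
"""

def blast_radius(log_text):
    """Per host: kill-chain roles touched, related domains seen, bytes to exfil domains."""
    hosts = defaultdict(lambda: {"roles": set(), "related": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, domain, out = line.split()
        role = ATTACKER_DOMAINS.get(domain)
        if role is None and domain not in RELATED_DOMAINS:
            continue  # ordinary traffic, ignore
        rec = hosts[host]
        if role is None:
            rec["related"].add(domain)
        else:
            rec["roles"].add(role)
            if role == "exfil":
                rec["bytes_out"] += int(out)
    return dict(hosts)

def containment_plan(summary):
    """Isolate hosts that reached C2/exfil/persistence; investigate the merely exposed."""
    hot = {"c2", "exfil", "persistence"}
    confirmed = sorted(h for h, r in summary.items() if r["roles"] & hot)
    exposed = sorted(h for h in summary if h not in confirmed)
    total = sum(r["bytes_out"] for r in summary.values())
    return {"isolate": confirmed, "investigate": exposed, "bytes_exfiltrated": total}
```

Running `containment_plan(blast_radius(SAMPLE_LOG))` on the constructed log yields three hosts to isolate and two to investigate, mirroring the "4 confirmed, 1 exposed" split above (one compromised host has no egress line in the sample).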

3. Data Exfiltration Path Analysis

AI agent traces the complete data exfiltration path by analyzing domain intelligence of every external endpoint that received data from compromised systems — determining what data left, where it went, and the legal jurisdiction implications.

Step 1: Trace Data Exfiltration Destinations
Signals: /api, /about, Countries, Domain Ages, Web Filtering

DATA EXFILTRATION PATH ANALYSIS — INC-2026-0089
════════════════════════════════════════════════════════
EXFILTRATION DESTINATIONS:

cdn-static-assets-delivery.com
  Hosting country: Moldova | Data center: Chisinau
  Data received: 2.3GB (encrypted archives from SERVER-DB-07)
               + 890MB (file server documents from FILE-SERVER-03)
  Total: 3.19GB exfiltrated
  Domain registrar: NameSilo | WHOIS: Privacy protected
  /api: File upload endpoint, no authentication required
  JURISDICTION: Moldova — limited law enforcement cooperation

DATA CLASSIFICATION:
  Customer PII: ~47,000 records (names, emails, phone numbers)
  Financial data: ~12,000 billing records (partial payment info)
  Internal documents: 847 files from file server
  Source code: Not detected in exfil traffic (good news)

LEGAL IMPLICATIONS:
  GDPR: EU customer data transferred to Moldova (breach notification)
  CCPA: California residents affected (breach notification)
  SEC: Material incident — 4-day disclosure obligation triggered
  HIPAA: No health data identified in exfiltrated records

4. Victim Notification Assessment

AI agent assesses which customers and individuals must be notified by analyzing the exfiltrated data against regulatory requirements — determining notification obligations, timelines, and jurisdictional requirements using domain intelligence for geographic analysis.

Step 1: Assess Notification Requirements
Signals: /compliance, /legal, /about, Countries, IAB Categories, Personas

NOTIFICATION OBLIGATION ASSESSMENT — INC-2026-0089
════════════════════════════════════════════════════════
AFFECTED INDIVIDUALS BY JURISDICTION:

EU/EEA (GDPR — 72hr notification to supervisory authority):
  Affected: 18,400 individuals across 14 EU countries
  Lead authority: Ireland DPC (primary EU establishment)
  Deadline: Feb 17, 2026 09:14 UTC (IMMINENT)
  Status: Draft notification prepared, awaiting CISO sign-off

California (CCPA — "expeditious" notification):
  Affected: 8,200 California residents
  AG notification: Required (>500 residents)
  Status: Draft notification prepared

SEC (8-K filing — 4 business days):
  Materiality determination: Material (47K records, customer data)
  Deadline: Feb 20, 2026 (4 business days from detection)
  Status: Legal team drafting 8-K, SEC counsel engaged

Other states/jurisdictions (12 additional):
  Texas: 4,100 residents | New York: 3,800 | Illinois: 2,400
  Each state has unique notification requirements and timelines
  Status: Compliance team processing each jurisdiction

5. Attacker Attribution & Profiling

AI agent profiles the attacker by matching incident domain patterns against known threat actor infrastructure fingerprints — using domain intelligence patterns (registration, hosting, page types, enrichment) to attribute the attack and predict next moves.

Step 1: Profile Attacker via Domain Intelligence
Signals: /login, /api, /products, Domain Ages, Countries, Web Filtering

ATTACKER ATTRIBUTION — INC-2026-0089
════════════════════════════════════════════════════════
DOMAIN INTELLIGENCE FINGERPRINT:
  Registrar: NameSilo (with privacy protection)
  Domain age at use: 8-21 days (staging period)
  Hosting: Russia + Moldova + Romania rotation
  /login: Present on phishing domains (credential harvesting)
  /api: Present on C2 domains (encoded command structure)
  /products: Present on persistence domains (fake software)
  PageRank: 0.0-0.1 on all domains
  Web Filtering: Malware/Phishing categorization

ATTRIBUTION MATCH: APT-PHANTOM-DRAGON — 87% match
  Known TTPs: Credential harvesting → C2 via API → RAT persistence
  Geographic preference: Russia/Moldova/Romania hosting
  Target profile: Technology companies, customer databases
  Previous campaigns: 3 in last 12 months, similar pattern

Alternative: FIN12 ransomware group — 42% match
  Note: No ransomware deployed (yet), but FIN12 sometimes exfils first

PREDICTED NEXT MOVES:
  1. Attempt to re-establish access via backup C2 domains
  2. May deploy ransomware if exfiltration successful
  3. Will register new domains in 4-7 days (rotation pattern)

6. IR Playbook Enrichment

AI agent enriches incident response playbooks with real-time domain intelligence — automatically adding domain context, trust scores, and enrichment data to playbook steps so responders make faster, better-informed decisions during incidents.

Step 1: Enrich Playbook with Domain Context
Signals: /security, /about, OpenPageRank, Domain Ages, Web Filtering

ENRICHED IR PLAYBOOK — PHISHING RESPONSE
════════════════════════════════════════════════════════
STEP 1: Analyze Reported Phishing Domain
  Standard: Check domain against threat feeds
  ENRICHED: Full domain intelligence analysis in 2 seconds:
    → Domain age, PageRank, Web Filtering category
    → /login page analysis (credential harvester detection)
    → /security page check (legitimate vs fake)
    → Country hosting analysis (high-risk jurisdiction flag)
    → Pattern matching against known threat actor infrastructure

STEP 2: Determine Scope
  Standard: Search SIEM for domain in logs
  ENRICHED: Cross-reference with 12 related domains (pattern match):
    → Search not just reported domain, but all 12+ related domains
    → Domain intelligence identifies infrastructure the attacker rotates
    → Scope may be 3x larger than single domain investigation

STEP 3: Containment Decision
  Standard: Block domain, isolate affected systems
  ENRICHED: Surgical containment with domain intelligence:
    → Block all related domains (not just reported one)
    → Trust score-based isolation (only isolate systems that contacted domains with Trust <20, not all flagged systems)
    → Pre-block predicted rotation domains

7. Evidence Collection & Chain of Custody

AI agent automates evidence collection during incidents by capturing domain intelligence snapshots — creating timestamped, immutable records of domain configurations, page content, enrichment data, and hosting information for forensic and legal proceedings.

Step 1: Capture Domain Evidence
Signals: /login, /api, /products, /about, Domain Ages, Countries, OpenPageRank, Web Filtering

EVIDENCE PACKAGE — INC-2026-0089
════════════════════════════════════════════════════════
EVIDENCE ITEMS CAPTURED:

EVD-001: health-check-api.xyz — Full domain intelligence snapshot
  Captured: 2026-02-15 09:18 UTC | Hash: SHA256:a4f8c2...
  Contents: All 20 page type checks, enrichment data, WHOIS
  Chain of custody: IR-BOT → Evidence server → Encrypted archive

EVD-002: cdn-static-assets-delivery.com — Full snapshot
  Captured: 2026-02-15 09:18 UTC | Hash: SHA256:b7e1d3...
  Contents: Domain intelligence + DNS records + SSL certificate

EVD-003: software-license-verify.net — Full snapshot
  Captured: 2026-02-15 09:19 UTC | Hash: SHA256:c9a4f8...
  Contents: /login page screenshot + domain intelligence

EVD-004: remote-admin-toolkit.com — Full snapshot
  Captured: 2026-02-15 09:19 UTC | Hash: SHA256:d2b5e7...
  Contents: /products page + malware hash + domain intelligence

EVD-005: 12 related pattern-matched domains — Batch snapshot
  Captured: 2026-02-15 09:22 UTC | Hash: SHA256:e8c3a1...

EVIDENCE INTEGRITY:
  All evidence SHA256 hashed at capture time
  Stored in write-once evidence archive
  Chain of custody log maintained automatically
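The two integrity properties listed above, a content hash fixed at capture time and a custody log that cannot be silently edited, can be implemented with a SHA-256 content hash plus a hash-chained log where every entry commits to its predecessor. Added example, not the product's own code; the snapshot contents, custody actors and timestamps are constructed to mirror EVD-001.

```python
"""Evidence capture with SHA-256 content hashes and a hash-chained custody log.
Added example, not the page's product code. SNAPSHOT is a constructed stand-in
for a domain intelligence snapshot; each custody entry commits to the previous
entry's hash, so editing, deleting or reordering an entry breaks verification.
"""
import hashlib
import json

def canonical(obj):
    """Deterministic JSON encoding so equal snapshots always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def capture_evidence(evidence_id, domain, snapshot, captured_at):
    """Fix the content hash at capture time, as the evidence package does."""
    return {"id": evidence_id, "domain": domain, "captured": captured_at,
            "sha256": sha256_hex(canonical(snapshot)), "snapshot": snapshot}

def append_custody(log, evidence_id, actor, action, at):
    """Append a custody entry chained to the hash of the previous entry."""
    prev = log[-1]["entry_hash"] if log else "0" * 64  # genesis marker
    entry = {"evidence_id": evidence_id, "actor": actor, "action": action,
             "at": at, "prev_hash": prev}
    entry["entry_hash"] = sha256_hex(canonical(entry))
    log.append(entry)
    return entry

def verify_evidence(item):
    """Recompute the content hash; False if the snapshot changed since capture."""
    return sha256_hex(canonical(item["snapshot"])) == item["sha256"]

def verify_custody(log):
    """Walk the chain; False if any entry was edited, removed or reordered."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or sha256_hex(canonical(body)) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

# Constructed snapshot standing in for EVD-001; values mirror the page's scenario.
SNAPSHOT = {"domain_age_days": 19, "country": "Russia", "pagerank": 0.0,
            "web_filtering": "Malware", "pages": {"/api": "C2 beacon endpoint"}}
EVD_001 = capture_evidence("EVD-001", "health-check-api.xyz", SNAPSHOT, "2026-02-15T09:18:00Z")
CUSTODY = []
append_custody(CUSTODY, "EVD-001", "IR-BOT", "captured", "2026-02-15T09:18:00Z")
append_custody(CUSTODY, "EVD-001", "IR-BOT", "copied to evidence server", "2026-02-15T09:18:05Z")
append_custody(CUSTODY, "EVD-001", "evidence-server", "sealed in encrypted archive", "2026-02-15T09:18:30Z")
```

The chain only proves the log was not altered after the fact; the write-once archive the page mentions is what stops someone from regenerating the whole chain, so the two controls belong together.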

8. Post-Incident Threat Landscape Review

AI agent conducts a post-incident threat landscape review — analyzing the broader domain ecosystem to determine whether the attack was targeted or part of a wider campaign, identifying other potential victims, and assessing ongoing risk from the same threat actor.

Step 1: Assess Broader Campaign Scope
Signals: /partners, /security, /about, IAB Categories, Countries, Personas

POST-INCIDENT LANDSCAPE REVIEW — INC-2026-0089
════════════════════════════════════════════════════════
CAMPAIGN SCOPE ASSESSMENT:
  Using attacker's domain fingerprint, searched 100M+ domain database:
  Total domains matching pattern: 47 (including our 4)
  Active domains (not yet burned): 23
  Domains targeting same sector (cybersecurity): 8
  Domains targeting other sectors: 15

OTHER POTENTIAL VICTIMS (same campaign):

cortex-update-portal.net — Targets Palo Alto customers
  /login: Mimics Cortex XSIAM login | Status: Active
  ALERT: Targeting our own customer base with brand impersonation

sentinel-agent-download.com — Targets SentinelOne customers
  /products: Fake SentinelOne agent installer
  Status: Active, distributing trojanized installer

zscaler-cloud-config.net — Targets Zscaler customers
  /login: Mimics Zscaler admin console
  Status: Active since Feb 10

ASSESSMENT:
  Our breach was part of a wider campaign targeting cybersecurity vendors
  23 active domains still operational — share IOCs with ISAC partners
  IOC sharing initiated with IT-ISAC and peer vendor CISOs

9. Post-Breach Vendor Re-Assessment

AI agent re-assesses all vendor relationships after a breach — analyzing whether the attack exploited vendor access, checking vendor domain health changes during the incident period, and identifying supply chain weaknesses that contributed to the breach.

Step 1: Re-Assess Vendor Security Post-Breach
Signals: /security, /compliance, /leadership, /partners, OpenPageRank, Domain Ages

POST-BREACH VENDOR RE-ASSESSMENT — ALL 412 VENDORS
════════════════════════════════════════════════════════
QUESTION: Did any vendor access contribute to the breach?

FINDING: No vendor access was exploited in this breach
  Initial access: Executive phishing (not vendor-related)
  Lateral movement: Internal credentials only
  No vendor VPN or API keys used by attacker

HOWEVER — Vendor Weaknesses Identified:

enterprise-data-services.com (data processing vendor)
  /security: Removed during incident period
  If attacker had pivoted to this vendor, breach scope would be 5x larger
  RECOMMENDATION: Terminate relationship, migrate data

crm-cloudpro.io (CRM vendor)
  /security: Investigating own potential unauthorized access
  Timing coincidence — may be same attacker targeting our supply chain
  RECOMMENDATION: Restrict data access until their investigation concludes

POST-BREACH ACTIONS:
  1. All vendor API keys rotated
  2. Vendor access reviews accelerated to weekly
  3. Domain intelligence monitoring frequency increased to hourly
  4. 2 vendors flagged for termination or remediation

10. Incident Response Metrics & Lessons Learned

AI agent generates comprehensive incident metrics and lessons learned — quantifying how domain intelligence accelerated detection, containment, and investigation, and recommending improvements to prevent similar incidents.

Step 1: Generate Incident Report with Domain Intelligence Impact
Signals: /login, /api, Domain Ages, Web Filtering, OpenPageRank

Incident Report — INC-2026-0089

INCIDENT TIMELINE
────────────────────────────────────────
  Jan 28: Initial phishing email sent to executive
  Feb 02: C2 channel established (13 days before detection)
  Feb 12: Data exfiltration began (3 days before detection)
  Feb 15: Incident detected by domain intelligence anomaly
  Feb 15: Containment completed in 4 minutes
  Feb 15: Full scope determined in 47 minutes
  Feb 16: Attribution completed in 3 hours

DOMAIN INTELLIGENCE IMPACT
  Detection: Domain anomaly (new low-trust domain contacted by DB server)
    Without domain intel: Detection would rely on DLP or data volume alert
    Estimated detection delay without domain intel: +7-14 days
  Containment: 12 related domains blocked preemptively
    Without domain intel: Only the 4 known domains would be blocked
    Attacker would re-establish access via backup domains
  Investigation: Full kill chain mapped in 47 minutes using domain patterns
    Without domain intel: Estimated 4-8 hours for kill chain reconstruction

LESSONS LEARNED & RECOMMENDATIONS
  1. Block all domains with Trust <10 accessing database servers
  2. Implement domain baseline for all production servers
  3. Require MFA for all executive email (prevent initial phishing)
  4. Increase domain intelligence scanning to real-time for servers
  5. Share attacker fingerprint with ISAC for industry protection
Step 2: Quantify Domain Intelligence ROI for IR

IR Performance
Domain Intelligence Impact on Incident Response — Detection: 7-14 days faster. Containment: 4 minutes vs 2-4 hours. Scope determination: 47 minutes vs 4-8 hours. Related infrastructure: 12 additional domains identified proactively. Evidence: Auto-captured with chain of custody. Estimated breach cost reduction: $2.4M (faster containment, smaller data exposure, better evidence for legal proceedings).
Result: $2.4M estimated breach cost reduction from domain intelligence

Power Your AI Agents with Domain Intelligence

Subscribe to the AI Agent Domain Database — continuous access to 100M+ domains, 20 page types each, quarterly refreshes, and real-time change signals.


Annual subscription includes quarterly data refreshes, change detection alerts, and priority API access.