Incident Response Workflows

Ten agent workflows for the IR Team — breach investigation intelligence, attacker infrastructure mapping, domain forensics, rapid containment decisions, victim notification assessment, data exfiltration path analysis, post-incident threat landscape review, IR playbook enrichment, evidence collection automation, and post-breach vendor re-assessment — providing domain intelligence context for every phase of the incident response lifecycle.

1. Breach Investigation Domain Forensics

AI agent performs rapid domain forensics during breach investigations — analyzing every domain involved in the incident to determine attacker infrastructure, C2 channels, data exfiltration endpoints, and the full scope of compromise using domain intelligence.

Step 1: Analyze Incident Domains
Signals used: /api, /login, /products, Domain Ages, Countries, Web Filtering, OpenPageRank

INCIDENT FORENSICS — INC-2026-0089 (ACTIVE BREACH)
════════════════════════════════════════════════════════════
INCIDENT: Unauthorized access to customer database
DETECTED: Feb 15, 2026 09:14 UTC

DOMAINS INVOLVED IN INCIDENT:

health-check-api.xyz — C2 Channel
  Domain Age: 19 days | Country: Russia | PageRank: 0.0
  /api: C2 beacon endpoint — base64 encoded commands
  ROLE: Primary C2 — attacker commands delivered via API POST

cdn-static-assets-delivery.com — Data Exfiltration
  Domain Age: 8 days | Country: Moldova | PageRank: 0.0
  Data transferred: 2.3GB (Feb 12-15, encrypted archives)
  ROLE: Exfiltration staging — customer database extracted here

software-license-verify.net — Initial Access
  Domain Age: 14 days | Country: Romania | PageRank: 0.1
  /login: Credential harvester (executive targeted)
  ROLE: Initial access — executive credentials stolen via phishing

remote-admin-toolkit.com — Persistence
  Domain Age: 21 days | Country: Russia | PageRank: 0.0
  ROLE: Persistence — RAT installed on 3 systems
Step 2: Map Attack Kill Chain
Kill Chain Mapping
Attack Reconstruction — Domain intelligence maps the complete kill chain: (1) Phishing via software-license-verify.net, (2) Credential theft via /login page, (3) C2 establishment via health-check-api.xyz /api, (4) Lateral movement, (5) Persistence via remote-admin-toolkit.com, (6) Data exfiltration via cdn-static-assets-delivery.com. All 4 domains share registration and hosting patterns indicating single threat actor.
4 domains, 1 threat actor, full kill chain mapped
Attacker Infrastructure
Pattern Matching — All 4 domains registered via NameSilo with privacy protection, hosted in Eastern Europe, Age 8-21 days, PageRank 0.0-0.1. This fingerprint matches 12 additional domains in the 102M database — indicating pre-staged backup infrastructure the attacker can pivot to if detected.
12 related backup domains identified via pattern match
Step 3: Generate Forensics Report

RELATED INFRASTRUCTURE — PATTERN MATCHING
════════════════════════════════════════════════════════
Using domain intelligence patterns from 4 known attacker domains:

ADDITIONAL DOMAINS MATCHING ATTACKER PATTERN (12 found):

office365-sso-verify.com — 94% pattern match
  Same registrar, same hosting pattern, /login deployed 2 days ago
  LIKELY NEXT ATTACK: Targeting other employees with O365 phishing

vpn-corp-access.com — 91% pattern match
  Same infrastructure fingerprint, registered 3 days ago
  LIKELY BACKUP C2: Pre-staged in case primary C2 is blocked

CONTAINMENT RECOMMENDATION:
  Block all 12 related domains preemptively
  Search all endpoint logs for any contact with these 12 domains
  Scope may be larger than initially detected
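The infrastructure pattern matching this workflow describes, as an added Python example that is not the product's code: it derives a fingerprint from the four incident domains and scores constructed candidate records against it. The per-dimension weights, the Eastern Europe country set and the candidate records are assumptions, since the page does not publish its scoring, so the percentages do not reproduce the 94% and 91% shown above.

```python
from dataclasses import dataclass

# Assumed region set; the report only says "hosted in Eastern Europe".
EASTERN_EUROPE = {"Russia", "Moldova", "Romania", "Ukraine", "Belarus", "Bulgaria"}

# Assumed per-dimension weights (sum to 100); the page does not publish its scoring.
WEIGHTS = {"registrar": 25, "privacy": 15, "region": 20, "age": 20, "pagerank": 10, "pages": 10}


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registrar: str
    privacy: bool          # registrant privacy protection enabled
    country: str           # hosting country
    age_days: int          # days since registration
    pagerank: float        # OpenPageRank score
    pages: frozenset       # page types observed, e.g. {"/login", "/api"}


# The four incident domains, as characterised in the forensics report above.
INCIDENT_DOMAINS = [
    DomainRecord("health-check-api.xyz", "NameSilo", True, "Russia", 19, 0.0, frozenset({"/api"})),
    DomainRecord("cdn-static-assets-delivery.com", "NameSilo", True, "Moldova", 8, 0.0, frozenset()),
    DomainRecord("software-license-verify.net", "NameSilo", True, "Romania", 14, 0.1, frozenset({"/login"})),
    DomainRecord("remote-admin-toolkit.com", "NameSilo", True, "Russia", 21, 0.0, frozenset({"/products"})),
]


@dataclass(frozen=True)
class Fingerprint:
    registrars: frozenset
    privacy: bool
    age_range: tuple       # (min_days, max_days) staging window
    max_pagerank: float
    pages: frozenset


def derive_fingerprint(domains):
    """Summarise the traits shared by the known attacker domains."""
    ages = [d.age_days for d in domains]
    return Fingerprint(
        registrars=frozenset(d.registrar for d in domains),
        privacy=all(d.privacy for d in domains),
        age_range=(min(ages), max(ages)),
        max_pagerank=max(d.pagerank for d in domains),
        pages=frozenset().union(*(d.pages for d in domains)),
    )


def match_score(fp, d):
    """Weighted percentage (0-100) of fingerprint dimensions the candidate matches."""
    hits = {
        "registrar": d.registrar in fp.registrars,
        "privacy": d.privacy == fp.privacy,
        "region": d.country in EASTERN_EUROPE,
        "age": fp.age_range[0] <= d.age_days <= fp.age_range[1],
        "pagerank": d.pagerank <= fp.max_pagerank,
        "pages": bool(d.pages & fp.pages),
    }
    return sum(weight for dim, weight in WEIGHTS.items() if hits[dim])


def find_related(fp, candidates, threshold=80):
    """Candidates scoring at or above the threshold, best match first."""
    scored = [(d.name, match_score(fp, d)) for d in candidates]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: (-s[1], s[0]))


# Constructed sample candidates: two that share the attacker's pattern, two that do not.
CANDIDATES = [
    DomainRecord("office365-sso-verify.com", "NameSilo", True, "Bulgaria", 9, 0.0, frozenset({"/login"})),
    DomainRecord("vpn-corp-access.com", "NameSilo", True, "Romania", 3, 0.0, frozenset({"/api"})),
    DomainRecord("quarterly-report-portal.net", "NameSilo", True, "Germany", 15, 0.0, frozenset()),
    DomainRecord("example-retail-shop.com", "GoDaddy", False, "United States", 2400, 4.2, frozenset({"/products"})),
]

if __name__ == "__main__":
    fp = derive_fingerprint(INCIDENT_DOMAINS)
    for name, score in find_related(fp, CANDIDATES):
        print(f"{name}: {score}% pattern match")
```

The threshold is the tuning knob: lowering it widens the preemptive block list at the cost of more benign domains (like the 70% candidate here) landing in it.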

2. Rapid Containment Decision Support

AI agent provides rapid containment intelligence during active incidents — analyzing domain relationships to determine blast radius, identifying which systems communicated with attacker infrastructure, and recommending surgical containment actions.

Step 1: Determine Blast Radius
Signals used: /api, /login, Domain Ages, Countries, Web Filtering

BLAST RADIUS ANALYSIS — INC-2026-0089
════════════════════════════════════════════════════════
SYSTEMS CONTACTING ATTACKER DOMAINS:

health-check-api.xyz:
  SERVER-DB-07 — Every 60 seconds since Feb 2
  WORKSTATION-142 — Intermittent since Feb 8

cdn-static-assets-delivery.com:
  SERVER-DB-07 — 2.3GB uploaded Feb 12-15
  FILE-SERVER-03 — 890MB uploaded Feb 14

remote-admin-toolkit.com:
  SERVER-DB-07, WORKSTATION-142, FILE-SERVER-03 — RAT installed

TOTAL COMPROMISED: 4 confirmed, 1 exposed
DATA AT RISK: 3.19GB exfiltrated

CONTAINMENT (executed in 4 minutes):
→ 4 systems isolated | All attacker domains + 12 related blocked
→ All admin credentials rotated | DB tokens revoked
Step 2: Assess Containment Speed Signals
Containment Speed
4-Minute Containment — Domain intelligence enables surgical containment in 4 minutes by immediately identifying all systems that contacted attacker domains. Without domain intelligence, blast radius determination relies on log analysis (2-4 hours) and network forensics (4-8 hours). The 12 pre-blocked related domains prevent attacker re-entry.
4-minute containment vs 2-4 hours without domain intel
Re-Entry Prevention
Backup Domain Blocking — By blocking 12 pattern-matched domains preemptively, the attacker cannot re-establish access through pre-staged backup infrastructure. Traditional containment only blocks known attacker domains (4), leaving 12 backup domains available. Domain intelligence pattern matching closes this gap completely.
12 backup C2 domains blocked — zero re-entry paths
Step 3: Containment Action Report

Containment Report — INC-2026-0089

CONTAINMENT SUMMARY
────────────────────────────────────────
Systems isolated: 4 | Domains blocked: 16 (4 known + 12 related)
Credentials rotated: All admin + DB tokens
Time to contain: 4 minutes (from decision to execution)
Re-entry paths blocked: All 12 backup domains pre-blocked

DOMAIN INTELLIGENCE IMPACT
Without domain intel: 4 domains blocked, 12 backup paths open
With domain intel: 16 domains blocked, zero re-entry paths
Containment 30-60x faster than traditional methods
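The blast-radius determination in this workflow, as an added Python example that is not the product's code: it aggregates constructed egress log lines per host, flags fixed-interval beaconing, and separates hosts that contacted known attacker domains (isolate) from hosts that only touched pattern-matched related domains (investigate). The log format, the bytes, and the host names not present in the report above are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Attacker domains from the forensics above plus two of the pattern-matched related domains.
KNOWN_ATTACKER = {"health-check-api.xyz", "cdn-static-assets-delivery.com",
                  "software-license-verify.net", "remote-admin-toolkit.com"}
RELATED = {"office365-sso-verify.com", "vpn-corp-access.com"}

# Constructed sample egress log; assumed format: ISO timestamp, source host, destination, bytes out.
SAMPLE_LOG = """\
2026-02-14T10:00:00Z SERVER-DB-07 health-check-api.xyz 312
2026-02-14T10:01:00Z SERVER-DB-07 health-check-api.xyz 298
2026-02-14T10:02:00Z SERVER-DB-07 health-check-api.xyz 305
2026-02-14T10:03:00Z SERVER-DB-07 health-check-api.xyz 310
2026-02-14T10:05:12Z SERVER-DB-07 cdn-static-assets-delivery.com 524288000
2026-02-14T10:07:41Z WORKSTATION-142 health-check-api.xyz 290
2026-02-14T11:30:05Z WORKSTATION-142 vpn-corp-access.com 1200
2026-02-14T12:00:00Z FILE-SERVER-03 cdn-static-assets-delivery.com 933232640
2026-02-14T12:00:01Z WORKSTATION-088 www.example.com 4096
2026-02-14T12:45:09Z LAPTOP-ENG-21 office365-sso-verify.com 850
2026-02-14T13:00:00Z WORKSTATION-142 health-check-api.xyz 288
"""


def parse_line(line):
    ts, host, domain, bytes_out = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, domain, int(bytes_out)


def beacon_period(timestamps, tolerance_s=5):
    """Period in seconds if three or more contacts are evenly spaced, else None."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    return median if all(abs(g - median) <= tolerance_s for g in gaps) else None


def blast_radius(log_text, known=KNOWN_ATTACKER, related=RELATED):
    """Per-host summary of contact with attacker infrastructure."""
    seen = defaultdict(list)      # (host, domain) -> contact timestamps
    sent = defaultdict(int)       # (host, domain) -> bytes out
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, domain, bytes_out = parse_line(line)
        if domain in known or domain in related:
            seen[(host, domain)].append(when)
            sent[(host, domain)] += bytes_out
    hosts = {}
    for (host, domain), stamps in seen.items():
        entry = hosts.setdefault(host, {"domains": set(), "bytes_out": 0, "beacons": {}, "status": "exposed"})
        entry["domains"].add(domain)
        entry["bytes_out"] += sent[(host, domain)]
        period = beacon_period(stamps)
        if period is not None:
            entry["beacons"][domain] = period
        if domain in known:       # contact with a known C2/exfil domain = confirmed compromise
            entry["status"] = "confirmed"
    return hosts


def containment_actions(hosts):
    """Hosts to isolate now versus hosts to investigate (related-domain contact only)."""
    isolate = sorted(h for h, e in hosts.items() if e["status"] == "confirmed")
    investigate = sorted(h for h, e in hosts.items() if e["status"] == "exposed")
    return isolate, investigate


if __name__ == "__main__":
    summary = blast_radius(SAMPLE_LOG)
    for host, e in sorted(summary.items()):
        print(host, e["status"], sorted(e["domains"]), e["bytes_out"], e["beacons"])
    isolate, investigate = containment_actions(summary)
    print("isolate:", isolate, "| investigate:", investigate)
```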

3. Data Exfiltration Path Analysis

AI agent traces the complete data exfiltration path by analyzing domain intelligence of every external endpoint that received data — determining what data left, where it went, and the legal jurisdiction implications.

Step 1: Trace Data Exfiltration Destinations
Signals used: /api, /about, Countries, Domain Ages, Web Filtering

DATA EXFILTRATION PATH ANALYSIS — INC-2026-0089
════════════════════════════════════════════════════════
cdn-static-assets-delivery.com
  Hosting country: Moldova | Data received: 3.19GB
  JURISDICTION: Moldova — limited law enforcement cooperation

DATA CLASSIFICATION:
  Customer PII: ~47,000 records (names, emails, phone numbers)
  Financial data: ~12,000 billing records (partial payment info)
  Internal documents: 847 files from file server
  Source code: Not detected in exfil traffic

LEGAL IMPLICATIONS:
  GDPR: EU customer data transferred to Moldova (breach notification)
  CCPA: California residents affected (breach notification)
  SEC: Material incident — 4-day disclosure obligation triggered
  HIPAA: No health data identified
Step 2: Assess Jurisdiction Risk Signals
Exfiltration Destination
Moldova Jurisdiction — Domain intelligence identifies the hosting country as Moldova, a jurisdiction with limited mutual legal assistance treaties. Data recovery is unlikely through legal channels. This jurisdiction analysis is critical for the legal team's incident response and for determining notification obligations across EU, US, and other jurisdictions.
Data exfiltrated to Moldova — limited legal recovery options
Notification Obligations
Multi-Jurisdiction Notifications — 47,000 affected records span EU (GDPR 72hr), California (CCPA), and 12+ other state laws. SEC 4-day disclosure triggered by materiality. Domain intelligence country data enables immediate jurisdiction mapping without manual analysis, saving 4-8 hours in the critical early response window.
3+ regulatory notification deadlines triggered
Step 3: Exfiltration Analysis Report

Data Exfiltration Report

EXFILTRATION SUMMARY
────────────────────────────────────────
Total data exfiltrated: 3.19GB to Moldova
Records affected: ~47,000 PII + ~12,000 financial
Jurisdiction: Moldova (limited recovery options)

NOTIFICATION DEADLINES
GDPR: 72 hours from detection (Feb 17 09:14 UTC)
SEC: 4 business days (Feb 20)
CCPA: Expeditious (8,200 CA residents)
12+ state laws: Various timelines

4. Victim Notification Assessment

AI agent assesses which customers and individuals must be notified — determining notification obligations, timelines, and jurisdictional requirements using domain intelligence for geographic analysis.

Step 1: Assess Notification Requirements
Signals used: /compliance, /legal, /about, Countries, IAB Categories, Personas

NOTIFICATION OBLIGATION ASSESSMENT — INC-2026-0089
════════════════════════════════════════════════════════
EU/EEA (GDPR — 72hr notification):
  Affected: 18,400 individuals across 14 EU countries
  Deadline: Feb 17, 2026 09:14 UTC (IMMINENT)

California (CCPA):
  Affected: 8,200 California residents
  AG notification: Required (>500 residents)

SEC (8-K filing — 4 business days):
  Materiality: Material (47K records, customer data)
  Deadline: Feb 20, 2026

Other states (12 additional):
  Texas: 4,100 | New York: 3,800 | Illinois: 2,400
  Each has unique notification requirements
Step 2: Analyze Notification Urgency Signals
Affected Population
Geographic Distribution — Domain intelligence enrichment of the affected customer database enables instant jurisdiction mapping: 18,400 EU, 8,200 California, 4,100 Texas, 3,800 New York, plus 12 more states. Without domain intelligence, geographic distribution analysis takes 4-8 hours of manual data classification.
GDPR 72-hour deadline imminent — notification drafted
SEC Materiality
Material Incident Determination — 47,000 customer records with PII + financial data meets SEC materiality threshold. Domain intelligence helps determine materiality by quantifying scope faster than manual analysis. The 4-business-day 8-K filing deadline requires immediate legal team engagement and SEC counsel coordination.
SEC 8-K filing required — 4 business day deadline
Step 3: Notification Action Report

Victim Notification Report

NOTIFICATION STATUS
────────────────────────────────────────
Total individuals affected: ~47,000 across 15+ jurisdictions
GDPR notification: Draft prepared, awaiting CISO sign-off
SEC 8-K: Legal team drafting, SEC counsel engaged
CCPA: Draft prepared for AG notification
State notifications: Compliance team processing each state

DOMAIN INTELLIGENCE VALUE
Jurisdiction mapping: Instant (was 4-8 hours manual)
Scope determination: 47 minutes (was 4-8 hours)
Enables meeting all regulatory deadlines simultaneously

5. Attacker Attribution & Profiling

AI agent profiles the attacker by matching incident domain patterns against known threat actor infrastructure fingerprints — using domain intelligence patterns to attribute the attack and predict next moves.

Step 1: Profile Attacker via Domain Intelligence
Signals used: /login, /api, /products, Domain Ages, Countries, Web Filtering

ATTACKER ATTRIBUTION — INC-2026-0089
════════════════════════════════════════════════════════
DOMAIN INTELLIGENCE FINGERPRINT:
  Registrar: NameSilo (privacy protection)
  Domain age at use: 8-21 days | Hosting: Russia + Moldova + Romania
  /login: Present on phishing domains | /api: Present on C2 domains
  /products: Present on persistence domains | PageRank: 0.0-0.1

ATTRIBUTION MATCH: APT-PHANTOM-DRAGON — 87% match
  Known TTPs: Credential harvesting → C2 via API → RAT persistence
  Previous campaigns: 3 in last 12 months, similar pattern
  Alternative: FIN12 ransomware group — 42% match
  Note: No ransomware deployed (yet), but FIN12 sometimes exfils first

PREDICTED NEXT MOVES:
  1. Attempt to re-establish access via backup C2 domains
  2. May deploy ransomware if exfiltration successful
  3. Will register new domains in 4-7 days (rotation pattern)
Step 2: Assess Attribution Confidence Signals
Fingerprint Match
APT-PHANTOM-DRAGON — 87% Confidence — Domain intelligence fingerprint matches across 5 dimensions: registrar pattern, hosting geography rotation, domain staging period, page type deployment sequence, and PageRank profile. This fingerprint is unique enough to distinguish from other threat actors who use similar TTPs but different infrastructure patterns.
87% attribution confidence — APT-PHANTOM-DRAGON
Predicted Behavior
Next Move Prediction — Based on APT-PHANTOM-DRAGON's historical pattern: new domains registered every 4-7 days, ransomware deployed 7-14 days after successful exfiltration, and C2 rotation to backup infrastructure within 48 hours of detection. Domain intelligence will detect new infrastructure registration and alert proactively.
Ransomware deployment likely within 7-14 days
Step 3: Attribution Report

Attacker Attribution Report

ATTRIBUTION SUMMARY
────────────────────────────────────────
Primary attribution: APT-PHANTOM-DRAGON (87% confidence)
Alternative: FIN12 ransomware group (42% confidence)
Infrastructure: 4 known + 12 related domains
Predicted next action: Ransomware deployment in 7-14 days

DEFENSIVE RECOMMENDATIONS
1. Monitor for new domain registrations matching fingerprint
2. Prepare ransomware containment playbook
3. Share IOCs + attribution with ISAC partners
4. Brief executive team on ransomware risk

6. IR Playbook Enrichment

AI agent enriches incident response playbooks with real-time domain intelligence — automatically adding domain context, trust scores, and enrichment data to playbook steps so responders make faster, better-informed decisions.

Step 1: Enrich Playbook with Domain Context
Signals used: /security, /about, OpenPageRank, Domain Ages, Web Filtering

ENRICHED IR PLAYBOOK — PHISHING RESPONSE
════════════════════════════════════════════════════════
STEP 1: Analyze Reported Phishing Domain
  Standard: Check domain against threat feeds
  ENRICHED: Full domain intelligence analysis in 2 seconds:
  → Domain age, PageRank, Web Filtering category
  → /login page analysis (credential harvester detection)
  → Pattern matching against known threat actor infrastructure

STEP 2: Determine Scope
  Standard: Search SIEM for domain in logs
  ENRICHED: Cross-reference with 12 related domains:
  → Scope may be 3x larger than single domain investigation

STEP 3: Containment Decision
  Standard: Block domain, isolate affected systems
  ENRICHED: Surgical containment with domain intelligence:
  → Block all related domains (not just reported one)
  → Pre-block predicted rotation domains
Step 2: Assess Playbook Enhancement Signals
Playbook Intelligence
Context-Enriched Steps — Every IR playbook step receives domain intelligence context automatically. Analysts no longer need to manually query threat feeds, check WHOIS, or verify domain reputation. A 2-second domain intelligence lookup replaces 15-20 minutes of manual investigation per domain, accelerating overall response by 5-10x.
2-second lookup replaces 15-20 min manual investigation
Scope Expansion
Related Domain Discovery — Standard playbooks investigate only the reported domain. Enriched playbooks automatically discover 3x more related infrastructure via pattern matching. This prevents the common failure mode where responders block one domain but the attacker pivots to pre-staged backup infrastructure within hours.
3x scope expansion — discovers related attacker infrastructure
Step 3: Playbook Enhancement Report

IR Playbook Enhancement Report

ENRICHMENT IMPACT
────────────────────────────────────────
Analysis time per domain: 2 seconds (was 15-20 minutes)
Scope discovery: 3x more related infrastructure found
Containment accuracy: All attacker domains blocked, not just reported
Overall response acceleration: 5-10x faster

7. Evidence Collection & Chain of Custody

AI agent automates evidence collection during incidents by capturing domain intelligence snapshots — creating timestamped, immutable records of domain configurations for forensic and legal proceedings.

Step 1: Capture Domain Evidence
Signals used: /login, /api, /products, Domain Ages, Countries, OpenPageRank, Web Filtering

EVIDENCE PACKAGE — INC-2026-0089
════════════════════════════════════════════════════════
EVD-001: health-check-api.xyz — Full domain intelligence snapshot
  Captured: 2026-02-15 09:18 UTC | Hash: SHA256:a4f8c2...
EVD-002: cdn-static-assets-delivery.com — Full snapshot
  Captured: 2026-02-15 09:18 UTC | Hash: SHA256:b7e1d3...
EVD-003: software-license-verify.net — Full snapshot
  Captured: 2026-02-15 09:19 UTC | Hash: SHA256:c9a4f8...
EVD-004: remote-admin-toolkit.com — Full snapshot
  Captured: 2026-02-15 09:19 UTC | Hash: SHA256:d2b5e7...
EVD-005: 12 related pattern-matched domains — Batch snapshot
  Captured: 2026-02-15 09:22 UTC | Hash: SHA256:e8c3a1...

All evidence SHA256 hashed at capture time
Stored in write-once evidence archive
Step 2: Assess Evidence Quality Signals
Evidence Integrity
Tamper-Proof Collection — Domain intelligence snapshots are captured within minutes of incident detection, before attacker domains are taken down or modified. SHA256 hashes ensure integrity. Evidence includes all 20 page types, enrichment data, DNS records, and SSL certificates — a comprehensive forensic record that courts and regulators accept.
Court-admissible evidence — SHA256 verified, timestamped
Evidence Timing
4-Minute Capture Window — Evidence captured within 4 minutes of detection. Attacker domains are frequently taken down within 24-48 hours of incident detection. Without automated capture, critical evidence (page content, hosting data, registration details) is lost. Domain intelligence automation ensures evidence preservation before the window closes.
Evidence captured in 4 minutes — before domain takedown
Step 3: Evidence Collection Report

Evidence Collection Report

EVIDENCE SUMMARY
────────────────────────────────────────
Evidence items captured: 5 packages (16 domains total)
Capture time: 4 minutes after detection
Integrity: SHA256 hashed, write-once archive
Chain of custody: Automated, fully documented

EVIDENCE VALUE
Comprehensive domain snapshots before attacker takedown
Court-admissible format with integrity verification
Supports legal proceedings, regulatory filings, and insurance claims
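The write-once, SHA256-verified evidence archive with chain of custody that this workflow describes, as an added Python example that is not the product's code: a snapshot is canonicalised, hashed at capture time, refused on re-capture, and later re-verified with every action logged. The snapshot contents, the actor names and the archive API are constructed for the example; the DNS address is an RFC 5737 documentation address.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(snapshot: dict) -> bytes:
    """Canonical JSON so an identical snapshot always produces an identical hash."""
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode("utf-8")


class EvidenceArchive:
    """Write-once evidence store with an append-only chain-of-custody log."""

    def __init__(self):
        self._items = {}        # evidence_id -> record (never overwritten)
        self.custody_log = []   # every capture/verify action, in order

    def _log(self, evidence_id, action, actor, at=None):
        self.custody_log.append({"evidence_id": evidence_id, "action": action, "actor": actor,
                                 "at": at or datetime.now(timezone.utc).isoformat(timespec="seconds")})

    def capture(self, evidence_id, domain, snapshot, actor, captured_at):
        """Archive a domain snapshot; raises if the id already exists (write-once)."""
        if evidence_id in self._items:
            raise ValueError(f"{evidence_id} already archived; write-once store refuses overwrite")
        payload = canonical_bytes(snapshot)
        self._items[evidence_id] = {"domain": domain, "captured": captured_at,
                                    "sha256": sha256_hex(payload), "payload": payload}
        self._log(evidence_id, "captured", actor, captured_at)
        return self._items[evidence_id]["sha256"]

    def verify(self, evidence_id, actor="evidence-verifier"):
        """Recompute the hash over the stored payload; False means it no longer matches."""
        item = self._items[evidence_id]
        ok = sha256_hex(item["payload"]) == item["sha256"]
        self._log(evidence_id, "verified" if ok else "INTEGRITY FAILURE", actor)
        return ok

    def manifest(self):
        """Evidence index in the report's form: id, domain, capture time, SHA256."""
        return [{"id": eid, "domain": i["domain"], "captured": i["captured"], "sha256": i["sha256"]}
                for eid, i in sorted(self._items.items())]


# Constructed snapshot for EVD-001: field values mirror the forensics above,
# the DNS record uses an RFC 5737 documentation address, the TLS fields are placeholders.
EVD_001_SNAPSHOT = {
    "domain": "health-check-api.xyz",
    "domain_age_days": 19, "country": "Russia", "pagerank": 0.0,
    "pages": {"/api": "C2 beacon endpoint, base64 encoded commands"},
    "dns": {"A": ["192.0.2.10"]},
    "tls": {"issuer": "<constructed-issuer>", "not_before": "2026-01-27"},
}


def build_incident_package(archive=None):
    """Capture EVD-001 as in the evidence package above and return the archive."""
    archive = archive or EvidenceArchive()
    archive.capture("EVD-001", "health-check-api.xyz", EVD_001_SNAPSHOT,
                    actor="ir-agent", captured_at="2026-02-15T09:18:00Z")
    return archive


if __name__ == "__main__":
    archive = build_incident_package()
    for row in archive.manifest():
        print(f"{row['id']}: {row['domain']} captured {row['captured']} SHA256:{row['sha256'][:12]}...")
    print("integrity ok:", archive.verify("EVD-001"))
    archive._items["EVD-001"]["payload"] += b" "   # simulate a modified archive file
    print("after tampering:", archive.verify("EVD-001"))
```

For court use the manifest and custody log would themselves be signed or timestamped by an external authority; a self-checked hash only proves the payload matches what the archive recorded.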

8. Post-Incident Threat Landscape Review

AI agent conducts a post-incident threat landscape review — analyzing the broader domain ecosystem to determine if the attack was part of a wider campaign, identifying other potential victims, and assessing ongoing risk.

Step 1: Assess Broader Campaign Scope
Signals used: /partners, /security, /about, IAB Categories, Countries, Personas

POST-INCIDENT LANDSCAPE REVIEW — INC-2026-0089
════════════════════════════════════════════════════════
Using attacker's domain fingerprint, searched 102M domain database:
  Total domains matching pattern: 47 (including our 4)
  Active domains (not yet burned): 23
  Targeting cybersecurity sector: 8
  Targeting other sectors: 15

OTHER POTENTIAL VICTIMS (same campaign):
  cortex-update-portal.net — Targets Palo Alto customers
  sentinel-agent-download.com — Targets SentinelOne customers
  zscaler-cloud-config.net — Targets Zscaler customers

Our breach was part of a wider campaign targeting cybersecurity vendors
IOC sharing initiated with IT-ISAC and peer vendor CISOs
Step 2: Interpret Campaign Scope Signals
Campaign Targeting
Industry-Wide Campaign — This attack is part of a coordinated campaign targeting 8 cybersecurity vendors simultaneously. Domain intelligence pattern matching across 102M domains reveals the full campaign scope that no single victim could detect alone. 23 active attacker domains still operational — IOC sharing with peers is critical.
8 cybersecurity vendors targeted in coordinated campaign
IOC Sharing Value
Industry Defense — Sharing domain intelligence fingerprints with IT-ISAC enables all member organizations to preemptively block 23 active attacker domains. The domain pattern match provides more actionable intelligence than individual IOCs because it predicts future infrastructure, not just known indicators. Peer CISOs briefed on campaign TTPs.
IOCs shared with ISAC — 23 domains blocked industry-wide
Step 3: Threat Landscape Report

Post-Incident Landscape Report

CAMPAIGN ASSESSMENT
────────────────────────────────────────
Total attacker domains: 47 | Active: 23 | Sectors targeted: 2+
Cybersecurity vendors targeted: 8 (coordinated campaign)
IOCs shared: Yes (IT-ISAC, peer CISOs)

ONGOING RISK
23 active domains — monitoring for new registrations
All known + predicted domains pre-blocked
Industry-wide defense activated through ISAC sharing

9. Post-Breach Vendor Re-Assessment

AI agent re-assesses all vendor relationships after a breach — analyzing whether the attack exploited vendor access, checking vendor domain health changes, and identifying supply chain weaknesses that contributed to the breach.

Step 1: Re-Assess Vendor Security Post-Breach
Signals used: /security, /compliance, /leadership, /partners, OpenPageRank, Domain Ages

POST-BREACH VENDOR RE-ASSESSMENT — ALL 412 VENDORS
════════════════════════════════════════════════════════
FINDING: No vendor access was exploited in this breach
  Initial access: Executive phishing (not vendor-related)

HOWEVER — Vendor Weaknesses Identified:
  enterprise-data-services.com
    /security: Removed during incident period
    RECOMMENDATION: Terminate relationship, migrate data
  crm-cloudpro.io
    /security: Investigating own potential unauthorized access
    RECOMMENDATION: Restrict data access until investigation concludes

POST-BREACH ACTIONS:
  1. All vendor API keys rotated
  2. Vendor access reviews accelerated to weekly
  3. Domain intelligence monitoring increased to hourly
Step 2: Assess Vendor Risk Signals
Vendor Exposure
Vendor Access Review — Domain intelligence confirms no vendor access was exploited in this breach. However, enterprise-data-services.com removed their /security page during the incident period — a concerning coincidence. If the attacker had pivoted to this vendor, breach scope would be 5x larger due to their PII processing role.
Vendor /security removal during incident — high risk
Hardening Actions
Post-Breach Vendor Controls — All 412 vendor API keys rotated. Vendor access reviews accelerated from monthly to weekly. Domain intelligence monitoring frequency increased from 6-hourly to hourly for all critical vendors. Two vendors flagged for termination or enhanced restrictions based on concurrent security degradation.
All vendor keys rotated — monitoring accelerated to hourly
Step 3: Vendor Re-Assessment Report

Post-Breach Vendor Report

VENDOR RE-ASSESSMENT
────────────────────────────────────────
Vendors reviewed: 412 | Vendor access exploited: None
Vendors flagged: 2 (terminate or restrict)
API keys rotated: All 412 | Monitoring: Hourly (was 6-hourly)

RECOMMENDATIONS
1. Terminate enterprise-data-services.com
2. Restrict crm-cloudpro.io until investigation concludes
3. Maintain weekly vendor reviews for 90 days
4. Implement vendor domain baseline alerts

10. Incident Response Metrics & Lessons Learned

AI agent generates comprehensive incident metrics and lessons learned — quantifying how domain intelligence accelerated detection, containment, and investigation, and recommending improvements to prevent similar incidents.

Step 1: Generate Incident Report with Domain Intelligence Impact
Signals used: /login, /api, Domain Ages, Web Filtering, OpenPageRank

Incident Report — INC-2026-0089

INCIDENT TIMELINE
────────────────────────────────────────
Jan 28: Initial phishing email sent to executive
Feb 02: C2 channel established (13 days before detection)
Feb 12: Data exfiltration began (3 days before detection)
Feb 15: Incident detected by domain intelligence anomaly
Feb 15: Containment completed in 4 minutes
Feb 15: Full scope determined in 47 minutes

DOMAIN INTELLIGENCE IMPACT
Detection delay without domain intel: +7-14 days
Containment: 12 related domains blocked preemptively
Investigation: Full kill chain mapped in 47 minutes

LESSONS LEARNED
1. Block all domains with Trust <10 accessing database servers
2. Implement domain baseline for all production servers
3. Require MFA for all executive email
4. Increase domain intelligence scanning to real-time for servers
5. Share attacker fingerprint with ISAC
Step 2: Quantify Domain Intelligence ROI for IR
IR Performance
Domain Intelligence Impact on Incident Response — Detection: 7-14 days faster. Containment: 4 minutes vs 2-4 hours. Scope determination: 47 minutes vs 4-8 hours. Related infrastructure: 12 additional domains identified proactively. Estimated breach cost reduction: $2.4M (faster containment, smaller data exposure, better evidence).
$2.4M estimated breach cost reduction
Time Savings
Response Acceleration — Every phase of IR was accelerated: Detection (domain anomaly vs network-only), containment (4 min vs hours), scope (47 min vs hours), attribution (3 hrs vs days), evidence (auto-captured vs manual). Domain intelligence transformed a potentially weeks-long investigation into a 3-hour comprehensive response.
Weeks-long investigation compressed to 3 hours
Step 3: Lessons Learned Report

IR Lessons Learned — INC-2026-0089

KEY METRICS
────────────────────────────────────────
Time to detect: 13 days (C2 active before detection)
Time to contain: 4 minutes
Time to full scope: 47 minutes
Time to attribution: 3 hours
Breach cost reduction: $2.4M estimated

DOMAIN INTELLIGENCE VALUE FOR IR
Every IR phase accelerated by domain intelligence
Pattern matching prevented attacker re-entry
Evidence auto-captured for legal and regulatory needs
Industry-wide defense through IOC + pattern sharing