Forward to: Security Operations — Threat Intelligence

Cybersecurity & Fraud
Intelligence Workflows

Ten agent workflows for the Security Operations team — phishing domain detection, SIM swap fraud pattern analysis, brand impersonation monitoring, subscriber identity protection, telecom infrastructure threat intelligence, fraud ring ecosystem mapping, SMS phishing (smishing) prevention, dark web telecom threat tracking, NCA compliance monitoring, and vendor security posture assessment — using domain intelligence to protect subscribers and infrastructure.

1. Phishing Domain Detection & Takedown

AI agent continuously monitors newly registered domains for phishing attempts targeting stc subscribers, detecting brand impersonation, lookalike domains, and credential harvesting pages.

Step 1: Scan for stc Brand Impersonation
/login /products Web Filtering Categories Domain Ages OpenPageRank

PHISHING DETECTION AGENT — stc BRAND PROTECTION
══════════════════════════════════════════════════
SCAN: Domains containing "stc", "mystc", "stcpay" variations
FILTER: Domain Age < 90 days + Web Filtering = "Phishing/Malicious"
THREATS DETECTED (LAST 30 DAYS):
  stc-rewards-sa.com — Domain Age: 3 days
    Web Filtering: Phishing | PageRank: 0.1
    /login: Fake stc login page (credential harvester)
    CRITICAL: Active credential harvesting — TAKEDOWN IMMEDIATE
  mystc-update.net — Domain Age: 7 days
    Web Filtering: Malicious | PageRank: 0.0
    /products: Fake app download page (malware distribution)
    CRITICAL: Malware distribution — TAKEDOWN + BLOCK
  stcpay-verify.sa.com — Domain Age: 12 days
    Web Filtering: Phishing | PageRank: 0.2
    /login: Fake stcpay verification (OTP capture)
    CRITICAL: OTP interception attempt — TAKEDOWN URGENT
  stc-careers-sa.org — Domain Age: 28 days
    Web Filtering: Suspicious | PageRank: 0.3
    /careers: Fake job posting (personal data collection)
    HIGH: Employment fraud — INVESTIGATE + TAKEDOWN
STATS:
  47 phishing domains detected this month (vs 34 last month)
  Takedown success rate: 89% within 24 hours
  Subscriber impact prevented: Est. 12,000 potential victims

Step 2: Phishing Trend Signals
Domain Signal
stcpay-verify.sa.com — Domain Age: 12 days. Web Filtering: Phishing. Hosting in Netherlands (non-Saudi). Mimics stcpay OTP verification flow. 3 similar domains registered same day from same registrar. Indicates coordinated phishing campaign targeting stcpay users. Block at DNS level + subscriber SMS warning.
ACTIVE CAMPAIGN — Coordinated stcpay phishing ring
Sector Signal
MENA Telecom Phishing — Phishing domains targeting telecom brands up 38% QoQ across MENA. stcpay is #1 target (financial + telecom convergence). Ramadan season shows 67% spike in phishing activity. Domain intelligence enables proactive blocking before subscribers encounter threats.
RISING THREAT — Telecom phishing up 38% QoQ

2. SIM Swap Fraud Pattern Analysis

AI agent detects SIM swap fraud patterns by correlating domain intelligence with subscriber activity anomalies, identifying fraud ring infrastructure and social engineering vectors.

Step 1: Identify Fraud Ring Infrastructure
/login /products Web Filtering Categories Domain Ages Countries

SIM SWAP FRAUD DETECTION — DOMAIN ANALYSIS
══════════════════════════════════════════════
FRAUD RING INFRASTRUCTURE DETECTED:
  Phase 1 — Data Collection Domains:
    sa-identity-check.com — Web Filtering: Phishing
    Collects: Name, national ID, phone number, bank details
    Domain Age: 5 days | Country: Turkey (hosting)
  Phase 2 — Social Engineering Prep:
    stc-agent-portal.net — Web Filtering: Fraud
    Mimics internal stc agent portal | Used to trick retail staff
    Domain Age: 14 days | Country: Romania (hosting)
  Phase 3 — Financial Exploitation:
    fast-transfer-sa.com — Web Filtering: Suspicious
    /products: "Instant Saudi money transfer"
    Used to drain accounts post-SIM swap
    Domain Age: 21 days | Country: Nigeria (hosting)
PATTERN: 3-phase fraud chain detected across 12 related domains
  Same registrar pattern | Same hosting infrastructure
ESTIMATED MONTHLY LOSSES: SAR 4.5M across all Saudi operators

Step 2: SIM Swap Prevention Signal
Company Signal
Fraud Ring Infrastructure — 12 related domains identified serving 3-phase SIM swap operation. Domains share hosting infra in Turkey, Romania, and Nigeria. Pattern: data collection → social engineering → financial exploitation. Blocking these 12 domains at DNS + alerting retail staff prevents estimated SAR 1.2M/month in losses.
BLOCK IMMEDIATELY — 12 fraud domains identified

3. SMS Phishing (Smishing) Prevention

AI agent detects SMS phishing campaigns by monitoring destination URLs in messages, cross-referencing against domain intelligence to identify malicious domains before subscribers click.

Step 1: Classify SMS URLs Against Domain Database
Web Filtering Categories Domain Ages OpenPageRank /login

SMISHING DETECTION — REAL-TIME URL CLASSIFICATION
══════════════════════════════════════════════════════
METHOD: Cross-reference SMS URLs with 100M+ domain database
SMISHING CAMPAIGNS DETECTED (LAST 7 DAYS):
  Campaign 1: "Your stc bill is overdue — pay now"
    URL: stc-bill-pay.xyz — Web Filtering: Phishing | Age: 2 days
    Volume: 45,000 SMS sent | BLOCKED at network level
  Campaign 2: "You won SAR 50,000 from stc rewards"
    URL: stc-prizes.site — Web Filtering: Scam | Age: 1 day
    Volume: 23,000 SMS sent | BLOCKED at network level
  Campaign 3: "Absher: verify your identity"
    URL: absher-verify.co — Web Filtering: Phishing | Age: 4 days
    Volume: 67,000 SMS sent | BLOCKED + reported to CERT
  Campaign 4: "Your package requires customs payment"
    URL: sa-customs-pay.com — Web Filtering: Fraud | Age: 6 days
    Volume: 89,000 SMS sent | BLOCKED at network level
WEEKLY STATS:
  SMS URLs scanned: 12.3M | Malicious blocked: 224,000 (1.8%)
  Subscriber protection rate: 99.7%

Step 2: Smishing Trend Signal
Sector Signal
Saudi Smishing Landscape — 224K malicious SMS URLs blocked weekly. Top impersonated brands: stc, Absher, Saudi Post, Al Rajhi Bank. Ramadan sees 89% spike in "prize" scams. Domain database enables real-time classification: Domain Age + Web Filtering Categories = instant phishing detection. 99.7% protection rate is industry-leading.
SUBSCRIBER PROTECTION — 99.7% smishing block rate
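
The filter stated in workflow 1 (brand token, Domain Age < 90 days, Web Filtering category) and the SMS URL cross-reference in workflow 3 can be sketched together as follows. This is an added example, not the vendor's code: the in-memory table stands in for the domain database, the "review" and "unknown" tiers are assumptions, and the stc.com.sa row is a constructed control.

```python
import re

BRAND_TOKENS = {"stc", "mystc", "stcpay"}        # variations named in the scan
BLOCK_CATEGORIES = {"phishing", "malicious", "scam", "fraud"}
MAX_AGE_DAYS = 90                                # "Domain Age < 90 days"

# Constructed stand-in for the domain database: host -> (category, age in days).
# Flagged rows reuse values from the sample reports above; the last row is a control.
DOMAIN_DB = {
    "stc-rewards-sa.com": ("Phishing", 3),
    "stcpay-verify.sa.com": ("Phishing", 12),
    "stc-careers-sa.org": ("Suspicious", 28),
    "stc-bill-pay.xyz": ("Phishing", 2),
    "stc.com.sa": ("Telecommunications", 9000),
}

URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
SEVERITY = ["allow", "unknown", "review", "block"]


def hosts_in_sms(text):
    """Lower-cased hostnames found in an SMS body, with or without a scheme."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def brand_tokens(host):
    """Brand tokens that appear as whole hyphen- or dot-separated labels."""
    return BRAND_TOKENS & set(re.split(r"[.-]", host))


def classify(host, db=DOMAIN_DB):
    """Verdict for one hostname from category, age and brand match."""
    category, age = db.get(host, ("Unknown", None))
    if age is None:
        return "unknown"      # assumption: no record, hold for lookup
    young = age < MAX_AGE_DAYS
    if young and category.lower() in BLOCK_CATEGORIES:
        return "block"
    if young and brand_tokens(host):
        return "review"       # assumption: young lookalike not yet categorised as malicious
    return "allow"


def screen_sms(text, db=DOMAIN_DB):
    """Worst verdict over every host in the message; 'allow' if it has no URL."""
    verdicts = [classify(h, db) for h in hosts_in_sms(text)]
    return max(verdicts, key=SEVERITY.index, default="allow")
```

The strict Phishing/Malicious filter alone would pass stc-careers-sa.org, which the sample report still lists as HIGH; the separate review tier is what catches a young lookalike before its category is updated.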

4. Brand Impersonation Monitoring

AI agent monitors the entire domain landscape for stc brand impersonation across all subsidiaries, detecting fake apps, counterfeit websites, and unauthorized use of stc trademarks.

Step 1: Scan for Brand Abuse Across Subsidiaries
/products /about /login Web Filtering Categories Domain Ages OpenPageRank

BRAND IMPERSONATION SCAN — stc GROUP
═══════════════════════════════════════════
MONITORING: stc, stcpay, stcplay, stc cloud, stc solutions, TAWAL
IMPERSONATION DOMAINS DETECTED:
  Brand "stc": 23 lookalike domains (stc-sa.com, my-stc.net, etc.)
  Brand "stcpay": 18 lookalike domains (stcpay-app.com, stc-pay.sa, etc.)
  Brand "mystc": 12 lookalike domains (mystc-app.com, my-stc-sa.net)
  Brand "stcplay": 5 lookalike domains (stc-play.com, stcgaming.net)
  Brand "TAWAL": 3 lookalike domains (tawal-towers.com)
RISK LEVEL BREAKDOWN:
  Critical (active credential harvesting): 8 domains
  High (brand abuse, potential scam): 23 domains
  Medium (parked/squatting): 30 domains
  Total: 61 impersonation domains identified

Step 2: Brand Protection Signal
Company Signal
stc Brand Abuse — 61 impersonation domains identified across stc group brands. 8 actively harvesting credentials. stcpay most targeted (financial incentive). Recommend: Automated takedown pipeline, defensive domain registration for key variations, DNS-level blocking for subscribers. Cost of brand protection: SAR 2M/year vs estimated fraud loss prevention: SAR 54M/year.
BRAND RISK — 61 impersonation domains active

5. Telecom Infrastructure Threat Intelligence

AI agent monitors threat actor infrastructure targeting telecom networks, tracking domains associated with SS7 attacks, SIP abuse, and telecom-specific malware campaigns.

Step 1: Detect Telecom-Targeted Threats
/security /products Web Filtering Categories Domain Ages Countries

TELECOM THREAT INTELLIGENCE — INFRASTRUCTURE TARGETING
══════════════════════════════════════════════════════════
THREAT DOMAINS TARGETING TELECOM INFRASTRUCTURE:
  SS7 Attack Tools:
    ss7-scanner.io — Web Filtering: Hacking Tools
    /products: SS7 vulnerability scanning services
    Country: Russia | Domain Age: 2 years
    THREAT: Available SS7 attack infrastructure
  VoIP Fraud Platforms:
    voip-termination-cheap.com — Web Filtering: Fraud
    /products: "Bypass international call routing"
    /pricing: Revenue share for bypass traffic
    THREAT: International bypass fraud — SAR 23M/year revenue leakage
  Telecom Malware C2:
    net-mgmt-update.xyz — Web Filtering: Malware C2
    Domain Age: 8 days | Country: Ukraine
    /products: Mimics network management update portal
    THREAT: Targeted malware for telecom NOC systems

Step 2: Infrastructure Threat Signal
Sector Signal
Telecom Infrastructure Threats — 234 domains identified targeting telecom infrastructure globally. SS7 attack tool domains growing 45% YoY. VoIP bypass fraud causes estimated SAR 23M/year revenue leakage across Saudi operators. Domain intelligence enables proactive blocking of attack infrastructure before exploitation.
INFRASTRUCTURE RISK — Block 234 threat domains

6. NCA Compliance Posture Assessment

AI agent monitors National Cybersecurity Authority (NCA) requirements and benchmarks stc's compliance posture against regulatory standards and peer operators.

Step 1: Track NCA Regulatory Updates
/compliance /security /press /legal Countries

NCA COMPLIANCE MONITOR — TELECOM SECTOR
═══════════════════════════════════════════════
NCA ECC (Essential Cybersecurity Controls):
  nca.gov.sa /compliance: ECC v2.0 published — 5 new controls
  /press: "Telecom sector compliance deadline: Q3 2026"
  /events: "Cybersecurity audit framework" training scheduled
OPERATOR COMPLIANCE BENCHMARK:
  stc.com.sa /security: ISO 27001 + SOC 2 Type II mentioned
  stc.com.sa /compliance: NCA ECC v1.0 compliant, v2.0 in progress
  mobily.com.sa /security: ISO 27001 mentioned only
  mobily.com.sa /compliance: NCA ECC v1.0 compliant
  zain.com.sa /security: Basic security page
  zain.com.sa /compliance: No NCA ECC reference found
stc COMPLIANCE ADVANTAGE: Most mature security posture

Step 2: Compliance Signal
Sector Signal
NCA ECC v2.0 Compliance — 5 new controls require additional investment. Q3 2026 deadline for telecom sector. stc already has strongest /security and /compliance web presence. Competitive differentiation: Use NCA compliance leadership as enterprise sales advantage. "Only Saudi operator with SOC 2 Type II" positioning.
MARKET ADVANTAGE — Security compliance as differentiator

7. Vendor Security Posture Assessment

AI agent evaluates the cybersecurity posture of critical vendors and suppliers by analyzing their /security, /compliance, and /legal pages to ensure supply chain security.

Step 1: Assess Vendor Security Maturity
/security /compliance /legal /docs Web Filtering Categories OpenPageRank

VENDOR SECURITY ASSESSMENT — CRITICAL SUPPLIERS
══════════════════════════════════════════════════
VENDOR SECURITY SCORES:
  ericsson.com — /security: ISO 27001, SOC 2, GSMA NESAS
    /compliance: GDPR + NCA referenced | /docs: Security whitepaper
    Security Score: 94/100
  cloudflare.com — /security: ISO 27001, SOC 2, FedRAMP
    /compliance: Extensive regulatory page | /legal: Transparent ToS
    Security Score: 96/100
  vendor-crm.sa (local CRM) — /security: Missing
    /compliance: Basic privacy policy only | /legal: Minimal
    Security Score: 28/100
    RISK: Critical subscriber data handled by low-security vendor
  billing-system.com.sa (local billing) — /security: Basic page
    /compliance: No certifications mentioned | /legal: Standard ToS
    Security Score: 45/100
    RISK: Billing data exposure risk

Step 2: Vendor Risk Signal
Company Signal
vendor-crm.sa — No /security page, no certifications, minimal /compliance. Handles 10M+ subscriber records. Domain Age: 6 years (established but security-immature). Score: 28/100. NCA ECC v2.0 requires vendor security assessments. Issue: remediation demand or vendor replacement within 90 days.
VENDOR RISK — CRM vendor security score 28/100

8. Fraud Ring Ecosystem Mapping

AI agent maps the interconnected ecosystem of fraud domains — from data collection to monetization — identifying fraud ring infrastructure and enabling proactive disruption.

Step 1: Map Fraud Network Infrastructure
Web Filtering Categories Domain Ages Countries /products /login

FRAUD RING ECOSYSTEM — SAUDI TELECOM TARGETING
═══════════════════════════════════════════════════
METHOD: Cluster analysis of malicious domains by registrar, hosting, timing
FRAUD RING #1: "Gulf Phishing Network"
  Domains: 34 related phishing sites
  Registrar: NameSilo (shared) | Hosting: Hetzner DE
  Targets: stc, Mobily, Etisalat, Ooredoo
  Revenue model: Credential sale on dark web
  Est. victims: 45,000/month | Revenue: $890K/month
FRAUD RING #2: "IRSF Revenue Share"
  Domains: 12 premium rate fraud domains
  Model: International Revenue Share Fraud (IRSF)
  Routes: Through Moldova, Somalia, Cuba premium numbers
  Est. revenue leakage: SAR 8.5M/month across Saudi operators
FRAUD RING #3: "SIM Farm Operations"
  Domains: 8 bulk SMS service sites
  Model: Unauthorized A2P SMS, OTP bypass services
  /products: "Bulk Saudi SMS — $0.001/message"
  Est. revenue leakage: SAR 12M/month in A2P bypass

Step 2: Fraud Disruption Report

FRAUD RING DISRUPTION PLAN
FOR: Security Operations — Fraud Prevention
SCOPE: 54 fraud domains across 3 organized rings
════════════════════════════════════════════════════
IMMEDIATE ACTIONS:
  1. Block 34 phishing domains at DNS + firewall level
  2. Report IRSF routes to GSMA i3 fraud system
  3. Coordinate with CITC on SIM farm domain takedowns
  4. Share intelligence with Mobily/Zain (shared threat)
ESTIMATED IMPACT OF DISRUPTION:
  Phishing victim prevention: 45,000 subscribers/month
  IRSF revenue recovery: SAR 8.5M/month
  A2P bypass recovery: SAR 12M/month
TOTAL MONTHLY SAVINGS: SAR 20.5M
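
The METHOD line above (clustering by registrar, hosting and timing) can be sketched as a group-then-split pass. This is an added example, not the vendor's algorithm: the records, domain names, the 2-day window and the minimum cluster size are constructed assumptions; only the registrar and hosting labels of the first group come from the report.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed records: (domain, registrar, hosting, registration date).
RECORDS = [
    ("lookalike-a.example", "NameSilo", "Hetzner DE", date(2025, 3, 1)),
    ("lookalike-b.example", "NameSilo", "Hetzner DE", date(2025, 3, 1)),
    ("lookalike-c.example", "NameSilo", "Hetzner DE", date(2025, 3, 2)),
    ("lookalike-d.example", "NameSilo", "Hetzner DE", date(2025, 6, 20)),
    ("unrelated-e.example", "Registrar-X", "Host-Y", date(2025, 3, 1)),
]


def cluster(records, window=timedelta(days=2), min_size=3):
    """Group domains by (registrar, hosting), then split each group wherever the
    gap between consecutive registration dates exceeds `window`.
    Returns [(key, [domains])] for runs with at least `min_size` members."""
    groups = defaultdict(list)
    for domain, registrar, hosting, registered in records:
        groups[(registrar, hosting)].append((registered, domain))

    clusters = []
    for key, items in groups.items():
        items.sort()                      # order by registration date, then name
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] > window:  # timing gap: close the current run
                if len(run) >= min_size:
                    clusters.append((key, [d for _, d in run]))
                run = []
            run.append(cur)
        if len(run) >= min_size:
            clusters.append((key, [d for _, d in run]))
    return clusters
```

Shared registrar and hosting alone is weak evidence because large providers serve many unrelated customers; the timing split is what keeps lookalike-d.example, registered months later, out of the cluster.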

9. Subscriber Identity Protection

AI agent monitors domains that trade, sell, or expose Saudi subscriber personal data, detecting data breach dumps, identity theft services, and unauthorized data marketplaces.

Step 1: Detect Data Exposure Domains
/products Web Filtering Categories Domain Ages Countries

SUBSCRIBER DATA EXPOSURE MONITOR
════════════════════════════════════
DATA MARKETPLACE DOMAINS (TARGETING SAUDI DATA):
  saudi-data-market.onion.ws — Web Filtering: Criminal
    /products: "Saudi phone number + National ID database"
    Price: $0.05/record | Claimed: 2M records
    CRITICAL: Possible stc subscriber data breach
  kyc-bypass.io — Web Filtering: Fraud
    /products: "Saudi KYC verification bypass service"
    Uses stolen identity documents for SIM registration
    HIGH: Enables fraudulent SIM activations
  lead-gen-gulf.com — Web Filtering: Suspicious
    /products: "Saudi consumer phone lists for marketing"
    /pricing: $500 for 100K phone numbers
    MEDIUM: Unauthorized data sharing, not necessarily breach

Step 2: Data Protection Signal
Company Signal
Subscriber Data at Risk — Data marketplace domain claims 2M Saudi subscriber records. Cross-reference with stc database needed immediately. If confirmed: PDPL notification required within 72 hours, NCA incident reporting, and subscriber alerts. Domain intelligence enables early detection of data exposure before regulatory or media discovery.
INVESTIGATE — Potential 2M record data exposure

10. Cybersecurity Services Market Intelligence

AI agent maps the Saudi cybersecurity services market to identify partnership opportunities for managed security service offerings to enterprise clients.

Step 1: Map Saudi Cybersecurity Vendor Landscape
/products /partners /careers /case-studies IAB Categories Countries

CYBERSECURITY VENDOR LANDSCAPE — SAUDI MARKET
══════════════════════════════════════════════════
RESULTS: 234 cybersecurity domains with Saudi presence
CYBERSECURITY SEGMENTS:
  SOC / MSSP: 45 domains — Managed security providers
  Endpoint Security: 34 domains — EDR, antivirus vendors
  Cloud Security: 23 domains — CASB, CWPP, CSPM
  Identity & Access: 28 domains — IAM, PAM, SSO
  Network Security: 34 domains — Firewall, IDS, SASE
  GRC/Compliance: 23 domains — Audit, compliance platforms
  Threat Intelligence: 18 domains — CTI feeds, dark web monitoring
  Saudi-Origin: 29 domains — Local cybersecurity companies
PARTNERSHIP OPPORTUNITIES:
  aramcodigital.com — /products: Cybersecurity for industrial OT
  cybersecurity.sa — /products: Saudi SOC + incident response
  sirar.sa — stc subsidiary | /products: Managed security
TOTAL MARKET: SAR 8.9B by 2027

Step 2: Cybersecurity Market Signal
Sector Signal
Saudi Cybersecurity Market — SAR 8.9B by 2027, growing 19% CAGR. NCA compliance driving enterprise spend. Only 13.8% of enterprises have adequate /security presence. stc+Sirar positioned to capture managed security. Domain intelligence adds unique value: real-time threat domain detection that traditional SOCs lack. Differentiation through domain-powered threat intelligence.
GROWTH MARKET — SAR 8.9B cybersecurity opportunity