WebsiteCategorizationAPI
Home
Demo Tools - Categorization
Website Categorization Text Classification URL Database Taxonomy Mapper
Demo Tools - Website Intel
Technology Detector Quality Score Competitor Finder
Demo Tools - Brand Safety
Brand Safety Checker Brand Suitability Quality Checker
Demo Tools - Content
Sentiment Analyzer Context Aware Ads
Resources
API Documentation Pricing Login
Try Categorization

Domain Intelligence for Security Teams

Every alert, proxy log line and email link resolves to a domain — and the first question is always the same: what is this domain? We answer it three ways at once: content category, domain age, and the technology stack behind it. Served from a 102M-domain offline database inside your perimeter, with a real-time API for anything the attacker registered last night.

102M
classified domains, queryable on-prem
3
signals per domain: category, age, tech stack
0
telemetry egress with offline lookups
1
POST to classify a never-seen domain
Try the Live Demo Request a Sample Dataset API Documentation

The problem: uncategorized domains are where attacks live

Phishing kits, C2 staging and credential-harvesting pages are overwhelmingly hosted on domains that are either brand new or too obscure for reputation feeds to have an opinion about. That is not a coincidence — attackers select for the gap. Meanwhile the analyst triaging the alert gets a bare hostname and has to build context by hand, tab by tab.

New domains, weaponized fast

Phishing campaigns routinely burn domains within days of registration — live before any blocklist update ships. Registration age is one of the strongest cheap predictors of malicious use, but only if it is queryable at triage time.

Lookalike content pages

A fake bank login reads like banking. A fake parcel notice reads like logistics. When a two-week-old domain classifies as Finance or Shipping, the mismatch between content and age is itself the detection.

Alerts arrive without context

A SIEM rule fires on an outbound connection and the analyst gets a hostname. Category, age, infrastructure — every question is a manual pivot across WHOIS, crawlers and search. Minutes per alert, multiplied by thousands of alerts.

Cloud lookups leak telemetry

Sending every visited or alerted domain to a third-party cloud API is itself a data-egress problem — browsing telemetry is sensitive, and regulated environments often cannot ship it out at all. Enrichment has to be possible without disclosure.

The solution: three signals, one lookup layer

Category answers what the site claims to be, domain age answers how long it has existed, and the technology stack answers what it is actually built on. Individually each is a hint; joined on one domain key they triage most alerts automatically.

Category for policy & triage

Write allow/block policy in categories, not hostname lists: the web-filtering taxonomy includes the malware/phishing-adjacent, gambling and adult classes SWG policies are built on, while the IAB taxonomy gives business context (is this "Finance" site really a bank?). Both via real-time categorization.

Domain age for new-domain risk

The domain-age database flags newly registered and recently reactivated domains in bulk, and the domain age checker answers one-off questions during an investigation. "Younger than 30 days" is the cheapest high-yield detection rule most SOCs are not yet running.

Tech fingerprinting for attribution

The technology detector and the technology database reveal what a site runs — CMS, frameworks, CDNs, analytics. Phishing kits reuse infrastructure: matching tech fingerprints clusters related campaign domains that share nothing at the hostname level.

Offline database = data sovereignty

Load the 102M-domain database into your SIEM or data lake and enrichment never leaves your perimeter: no latency, no rate limits, no third party learning which domains your users touch. The offline database exists precisely for environments where cloud lookups are a non-starter; the API covers the rest.

Enriching a SIEM alert in practice

A proxy alert fires on an outbound request. The enrichment job checks the local database first, calls the API for unknowns, and attaches category, age and tech stack before an analyst ever opens the ticket.

Enrichment pipeline (Python)
import requests

BASE = "https://www.websitecategorizationapi.com"

def enrich(alert):
    domain = alert["dest_domain"]

    # Local first: 102M-domain offline DB inside the perimeter
    intel = local_db.get(domain)

    if intel is None:  # unknown tail -> real-time API
        cat = requests.post(
            f"{BASE}/api/iab/iab_web_content_filtering.php",
            data={"query": f"https://{domain}",
                  "api_key": API_KEY, "data_type": "url"},
            timeout=30,
        ).json()
        intel = {"category": cat["classification"][0]}

    alert["enrichment"] = {
        "category":  intel["category"],
        "age_days":  domain_age(domain),   # domain-age DB
        "tech":      tech_stack(domain),   # technology DB
    }

    if (alert["enrichment"]["age_days"] < 30
            and intel["category"]["category"] in
            {"Finance", "Shipping & Logistics"}):
        alert["verdict"] = "ESCALATE: young lookalike domain"
    return alert
Enriched alert — what the analyst now sees
{
  "alert_id": "SIEM-2026-071233",
  "dest_domain": "secure-payportal-verify.example",
  "enrichment": {
    "category": {"category": "Finance", "confidence": 0.91},
    "age_days": 11,
    "tech": ["nginx", "Cloudflare", "jQuery"]
  },
  "verdict": "ESCALATE: young lookalike domain"
}

An eleven-day-old "Finance" site on throwaway infrastructure is a phishing profile, and the rule that catches it is two lines. The same fingerprint (nginx + Cloudflare + jQuery, no CMS) can then be hunted across the technology database to surface sibling domains from the same kit before they appear in your logs.

A category-and-age triage matrix

Most SOCs converge on a matrix like this — category from the database or API, age from the domain-age dataset, action from policy:

Category signalDomain ageReadingAction
Malware / phishing-adjacentAnyKnown-bad content classBLOCK
Finance, logistics, webmail lookalike< 30 daysClassic phishing profileESCALATE
Uncategorized / unreachable< 30 daysNo history, no content recordESCALATE
Uncategorized> 1 yearObscure but establishedREVIEW
Business, education, news> 2 yearsEstablished, consistent identityALLOW

Email-security and threat-intel teams run the same matrix at different points: on URLs extracted from inbound mail before delivery, and across candidate IOC lists during campaign analysis. The joins are identical because all three datasets share the domain key.

Frequently asked

Is this a threat-intelligence feed?

No — it is the context layer feeds don't provide. Reputation feeds tell you a domain is already known-bad; we tell you what any domain is: its content category, age and technology stack. That context is what turns an unknown into a decision, and it composes with whatever TI feeds you already run.

Can lookups run fully on-premises?

Yes. The 102M-domain database, domain-age data and technology data all deploy locally, so air-gapped and regulated environments never send a hostname outside. The real-time API is an optional overlay for the newest domains.

What about domains that appeared this morning?

That is what the real-time path is for: the API fetches and classifies the live page on demand, and the domain age checker confirms registration recency. New-domain plus lookalike-category is precisely the combination the offline snapshot alone would miss.

Related resources

Enrich a week of your own alerts

Send us a de-identified list of alerted domains and get back category, age and technology enrichment for each — the same joins your SIEM would run against the offline datasets.

Try the Live Demo Request a Sample Read the API Docs
Stay in the loop

You are on the list!

We will send you updates that matter — no spam.