Every alert, proxy log line and email link resolves to a domain — and the first question is always the same: what is this domain? We answer it three ways at once: content category, domain age, and the technology stack behind it. Served from a 102M-domain offline database inside your perimeter, with a real-time API for anything the attacker registered last night.
Phishing kits, C2 staging and credential-harvesting pages are overwhelmingly hosted on domains that are either brand new or too obscure for reputation feeds to have an opinion about. That is not a coincidence — attackers select for the gap. Meanwhile the analyst triaging the alert gets a bare hostname and has to build context by hand, tab by tab.
Phishing campaigns routinely burn domains within days of registration — live before any blocklist update ships. Registration age is one of the strongest cheap predictors of malicious use, but only if it is queryable at triage time.
A fake bank login reads like banking. A fake parcel notice reads like logistics. When a two-week-old domain classifies as Finance or Shipping, the mismatch between content and age is itself the detection.
A SIEM rule fires on an outbound connection and the analyst gets a hostname. Category, age, infrastructure — every question is a manual pivot across WHOIS, crawlers and search. Minutes per alert, multiplied by thousands of alerts.
Sending every visited or alerted domain to a third-party cloud API is itself a data-egress problem — browsing telemetry is sensitive, and regulated environments often cannot ship it out at all. Enrichment has to be possible without disclosure.
Category answers what the site claims to be, domain age answers how long it has existed, and the technology stack answers what it is actually built on. Individually each is a hint; joined on one domain key they triage most alerts automatically.
Write allow/block policy in categories, not hostname lists: the web-filtering taxonomy includes the malware/phishing-adjacent, gambling and adult classes SWG policies are built on, while the IAB taxonomy gives business context (is this "Finance" site really a bank?). Both via real-time categorization.
The domain-age database flags newly registered and recently reactivated domains in bulk, and the domain age checker answers one-off questions during an investigation. "Younger than 30 days" is the cheapest high-yield detection rule most SOCs are not yet running.
The technology detector and the technology database reveal what a site runs — CMS, frameworks, CDNs, analytics. Phishing kits reuse infrastructure: matching tech fingerprints clusters related campaign domains that share nothing at the hostname level.
Load the 102M-domain database into your SIEM or data lake and enrichment never leaves your perimeter: no latency, no rate limits, no third party learning which domains your users touch. The offline database exists precisely for environments where cloud lookups are a non-starter; the API covers the rest.
A proxy alert fires on an outbound request. The enrichment job checks the local database first, calls the API for unknowns, and attaches category, age and tech stack before an analyst ever opens the ticket.
import requests
BASE = "https://www.websitecategorizationapi.com"
def enrich(alert):
domain = alert["dest_domain"]
# Local first: 102M-domain offline DB inside the perimeter
intel = local_db.get(domain)
if intel is None: # unknown tail -> real-time API
cat = requests.post(
f"{BASE}/api/iab/iab_web_content_filtering.php",
data={"query": f"https://{domain}",
"api_key": API_KEY, "data_type": "url"},
timeout=30,
).json()
intel = {"category": cat["classification"][0]}
alert["enrichment"] = {
"category": intel["category"],
"age_days": domain_age(domain), # domain-age DB
"tech": tech_stack(domain), # technology DB
}
if (alert["enrichment"]["age_days"] < 30
and intel["category"]["category"] in
{"Finance", "Shipping & Logistics"}):
alert["verdict"] = "ESCALATE: young lookalike domain"
return alert
{
"alert_id": "SIEM-2026-071233",
"dest_domain": "secure-payportal-verify.example",
"enrichment": {
"category": {"category": "Finance", "confidence": 0.91},
"age_days": 11,
"tech": ["nginx", "Cloudflare", "jQuery"]
},
"verdict": "ESCALATE: young lookalike domain"
}
An eleven-day-old "Finance" site on throwaway
infrastructure is a phishing profile, and the rule that catches it is two lines. The same
fingerprint (nginx + Cloudflare + jQuery, no CMS) can then be hunted across the
technology database to surface sibling
domains from the same kit before they appear in your logs.
Most SOCs converge on a matrix like this — category from the database or API, age from the domain-age dataset, action from policy:
| Category signal | Domain age | Reading | Action |
|---|---|---|---|
| Malware / phishing-adjacent | Any | Known-bad content class | BLOCK |
| Finance, logistics, webmail lookalike | < 30 days | Classic phishing profile | ESCALATE |
| Uncategorized / unreachable | < 30 days | No history, no content record | ESCALATE |
| Uncategorized | > 1 year | Obscure but established | REVIEW |
| Business, education, news | > 2 years | Established, consistent identity | ALLOW |
Email-security and threat-intel teams run the same matrix at different points: on URLs extracted from inbound mail before delivery, and across candidate IOC lists during campaign analysis. The joins are identical because all three datasets share the domain key.
No — it is the context layer feeds don't provide. Reputation feeds tell you a domain is already known-bad; we tell you what any domain is: its content category, age and technology stack. That context is what turns an unknown into a decision, and it composes with whatever TI feeds you already run.
Yes. The 102M-domain database, domain-age data and technology data all deploy locally, so air-gapped and regulated environments never send a hostname outside. The real-time API is an optional overlay for the newest domains.
That is what the real-time path is for: the API fetches and classifies the live page on demand, and the domain age checker confirms registration recency. New-domain plus lookalike-category is precisely the combination the offline snapshot alone would miss.
Send us a de-identified list of alerted domains and get back category, age and technology enrichment for each — the same joins your SIEM would run against the offline datasets.
Try the Live Demo Request a Sample Read the API Docs