Threat Intel Enrichment: What our sources mean

In Domain Intel and related tools, we show “threat intel” badges and enrichment data. That data comes from public security and abuse feeds. This post explains what we use and how to interpret the results.

Where the data comes from

We query well-known, publicly available sources, including:

  • URLhaus (abuse.ch) — Malware URLs and phishing.
  • PhishTank — Community-reported phishing.
  • AbuseIPDB — IP abuse reports (when we resolve domains to IPs).
  • AlienVault OTX — Open Threat Exchange indicators.

We don’t run our own threat lab or private intelligence. We aggregate and present what these projects publish. Each source has its own scope, update frequency, and false-positive rate.

What the results mean

  • A “clean” or “no hits” result means we didn’t find the domain/URL in the feeds we checked. It does not mean the resource is safe—feeds are incomplete and lag behind real-world abuse.
  • A “listed” or “flagged” result means the domain or URL (or associated IP) appeared in one or more of these feeds. It’s a signal to investigate, not a verdict. False positives and outdated listings do occur.
  • We don’t guarantee coverage or freshness. New threats appear constantly. Use our output as one input to your workflow, not as the only check.
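The interpretation rules above, written as triage logic in an added example (not our production code): it keeps "no hits" separate from "no source answered" and marks old listings for verification instead of treating them as verdicts. The `SourceResult` schema, the label strings and the 90-day staleness cut-off are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class SourceResult:
    """One feed's answer. Hypothetical schema, not any feed's real API."""
    source: str
    listed: Optional[bool]                 # None = lookup failed or was skipped
    last_seen: Optional[datetime] = None   # when the feed last reported it

STALE_AFTER = timedelta(days=90)  # assumed cut-off for an "outdated" listing

def triage(results, now):
    """Collapse per-source answers into a triage label, never a safety verdict."""
    hits = [r for r in results if r.listed]
    answered = [r for r in results if r.listed is not None]
    # A hit with no timestamp is treated as current: age unknown, so investigate.
    fresh = [r for r in hits
             if r.last_seen is None or now - r.last_seen <= STALE_AFTER]
    if fresh:
        label = "listed: investigate"
    elif hits:
        label = "listed: possibly outdated, verify"
    elif answered:
        label = "no hits: not proof of safety"
    else:
        label = "unknown: no source answered"
    return {
        "label": label,
        "hit_sources": [r.source for r in hits],
        "unanswered": [r.source for r in results if r.listed is None],
    }

# Constructed sample data for illustration only.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECENT = [
    SourceResult("URLhaus", True, NOW - timedelta(days=2)),
    SourceResult("PhishTank", False),
    SourceResult("AbuseIPDB", None),       # e.g. lookup timed out
    SourceResult("AlienVault OTX", False),
]
SAMPLE_OLD = [SourceResult("PhishTank", True, NOW - timedelta(days=400)),
              SourceResult("URLhaus", False)]
SAMPLE_NONE = [SourceResult("URLhaus", False), SourceResult("PhishTank", False)]
SAMPLE_DOWN = [SourceResult("URLhaus", None), SourceResult("PhishTank", None)]

if __name__ == "__main__":
    for sample in (SAMPLE_RECENT, SAMPLE_OLD, SAMPLE_NONE, SAMPLE_DOWN):
        print(triage(sample, NOW))
```

Reporting the unanswered sources alongside the label shows how much of the feed set a "no hits" result actually covers.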

Privacy and ethics

We send only the minimal data required for the lookup (e.g. domain or URL) to these services. We don’t add tracking or share your identity. Our use is consistent with each project’s terms and typical usage for security research.

For the full picture of how we protect your data and the platform, see our Security Practices and Privacy Policy.