DomainTools announces real time threat feeds
Monday, June 15, 2026 | Brittany Hainzinger
How upgraded feeds deliver real time insights and context for security teams, and why mapping and scoring the full surface speeds response.
Real time is a phrase that gets tossed around until it means very little. In astrophotography, real time lives in the interval between when a satellite intrudes on your exposure and when you decide to toss the frame. A feed is only as useful as the speed and relevance of what it delivers. Here, the feeds do not simply ping you with trivia. The automatic infrastructure mapping gives you context the moment a suspicious signal shows up. Embedded intelligence helps tie a domain to the IPs and hosting layer that your investigation may pivot to. It is the difference between seeing a single star and reading the constellation.
From alert fatigue to informed action
Most of us have lived under alert fatigue. If your console looks like a long exposure full of hot pixels, signal gets buried in noise and morale drops. The intent here is to cut the noise. By delivering domain and IP intelligence in a single stream and scoring them together, the feeds aim to become a force that multiplies what a Security Operations Center can do. New Real Time IP Risk and Real Time IP Hotlist extend coverage to the hosting layer behind every domain, which means you are not blind to the neighborhood around a threat. When your team sees a device reach for a new or high risk IP, you get context fast, and you can move with confidence.
What makes this different
Traditional feeds often tell you what became bad after the fact. That is like logging a meteor after it has already burned out. These Real Time Threat Feeds score domains based on proximity to malicious infrastructure and on the likelihood of malicious intent. You get context on a domain before it has the chance to be weaponized. The scores are built from observed data rather than guesses. That matters. In practice, it reduces time to triage and lets your investigators form a testable hypothesis instead of chasing vague hunches.
The stack you already use gets smarter
SOC analysts, threat hunters, and cyber threat intelligence teams can plug these feeds into the tools they already trust. Whether you live inside a SIEM, direct playbooks through SOAR, curate intel in a TIP, or are experimenting with agentic AI that leans on large language models, the feeds bring a lift. The DomainTools Risk Score powers sets like the Real Time IP Hotlist so you can prioritize traffic that deserves eyes on it. You can trigger enrichment, throttle or block risky egress, and route the right events to the right humans rather than paging everyone for everything.
The full sky in a single stream
One reason I keep returning to deep sky imaging is the coherence you feel when a stack of subs finally reveals a structure. Spirals resolve, dust lanes appear, and a story clicks into place. Security data can feel the same when domains, hostnames, and IPs are seen together. The updated feeds collect the dynamic threat surface in one view. You are not forced to jump between separate feeds to see how a domain relates to hosting, or how a new hostname might sit next to a known cluster of badness. The sequence of events and relationships is what makes an investigation work. This turns what used to be an exercise in manual stitching into a direct look.
What is in the bundle
General availability includes domain centric intelligence through Domain Risk, Domain Hotlist, Domain Discovery, Newly Observed Domains, Newly Active Domains, and Newly Observed Hostnames. On the IP side you get IP Risk and IP Hotlist. That range covers early stage discovery, rapid triage, and sustained monitoring, which keeps value from decaying after the first week of use. You can follow the fresh registrations, catch the first signs of activation, and track hostnames that light up around a campaign. On infrastructure, you can identify the IPs that merit immediate controls.
Practical ways to use it
Here is how I would put this to work without ceremony. Pipe the Real Time IP Hotlist into your egress monitors and alert when any managed device talks to a listed IP. In your SIEM, enrich events with DomainTools Risk Scores and bump the priority on traffic destined for high risk targets. In SOAR, build a simple playbook that fetches adjacent domains and IPs so your triage view presents a map rather than a single point. In your TIP, tag campaigns with the feed signals so your hunters can pivot from one asset to the related infrastructure in a click. If you are testing agentic AI, supply the feeds as trusted context so the model can explain why a hit is risky, rather than guessing its way to a narrative.
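One way to implement the first two steps above (matching egress traffic against the IP hotlist, then raising priority by risk score), as an added example that is not DomainTools' or the author's code. The feed row layout, the flow log format, the 0 to 100 score scale and the P1 threshold of 90 are assumptions, and all sample data is constructed.

```python
import ipaddress

# Constructed feed rows "ip,risk_score". This layout is an assumption for
# the example, not the vendor's documented schema.
HOTLIST_ROWS = """\
203.0.113.10,98
198.51.100.7,85
2001:db8::bad,91
"""

# Constructed egress flow records: "timestamp device dest_ip dest_port".
FLOW_LINES = """\
2026-06-15T10:00:01Z laptop-17 203.0.113.10 443
2026-06-15T10:00:02Z laptop-17 192.0.2.55 443
2026-06-15T10:00:03Z build-03 2001:0db8:0000:0000:0000:0000:0000:0bad 8443
2026-06-15T10:00:04Z laptop-22 198.51.100.7 80
2026-06-15T10:00:05Z laptop-17 203.0.113.10 443
2026-06-15T10:00:06Z kiosk-01 not-an-ip 53
"""

def load_hotlist(text):
    """Parse feed rows into {ip_address: score}; parsing normalizes IPv6 forms."""
    hotlist = {}
    for row in text.splitlines():
        ip, score = row.strip().split(",")
        hotlist[ipaddress.ip_address(ip)] = int(score)
    return hotlist

def match_flows(flow_text, hotlist, p1_threshold=90):
    """Return one alert per (device, listed IP) pair, highest score first."""
    alerts, seen = [], set()
    for line in flow_text.splitlines():
        ts, device, dest, port = line.split()
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            continue  # malformed destination field: cannot be matched
        score = hotlist.get(addr)
        if score is None or (device, addr) in seen:
            continue  # not listed, or already alerted for this pair
        seen.add((device, addr))
        alerts.append({"first_seen": ts, "device": device, "dest": str(addr),
                       "port": int(port), "score": score,
                       "priority": "P1" if score >= p1_threshold else "P2"})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for alert in match_flows(FLOW_LINES, load_hotlist(HOTLIST_ROWS)):
        print(alert)
```

Suppressing repeat hits per device and destination keeps a beaconing host from generating one page per connection, and comparing parsed address objects rather than strings catches the expanded IPv6 form in the third flow record.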
Signal before sunrise
Every clear night on the driveway teaches me patience. I frame, focus, and wait for the first subs to show that the plan is working. Good security is not about frantic motion. It is about setting up your tools so signal reveals itself early and clearly. DomainTools is leaning into that principle. With real time insights, automatic infrastructure mapping, and embedded intelligence, they are giving teams a clearer first light on what matters, and that is the moment that changes the whole picture.
