Threat Intelligence Feeds

Operational malicious domain feeds for protective DNS and network enforcement

Pull enforcement-ready domain snapshots built for DNS filtering, firewall policy, and security pipelines that need domains they can actually act on, not a dump of every internal signal.

  • Full hourly snapshots delivered over HTTPS with API key access.
  • Four enforcement streams mapped to real policy decisions: phishing, malware, scam, and suspicious.
  • Active delivery sets can range from tens of thousands to hundreds of thousands of domains depending on grouping and filters.
  • Each record can carry the context needed for action and escalation: category, risk score, and a report link for analyst follow-up.

What is included

The feed is organized around enforcement outcomes, not internal taxonomy. Instead of handing off dozens of narrow labels, we package related detections into stable streams that map directly to blocklists, resolver policy, and analyst review queues.

Phishing

Credential theft and impersonation domains

Targets login theft, credential capture, impersonation, fake account portals, and other domains used to trick users into handing over access or payment details.

Malware

Malware distribution and harmful downloads

Focused on payload hosting, droppers, fake software downloads, malicious installers, and other domains used to deliver malware or unwanted binaries.

Scam

Financial, crypto, investment, hiring, raffle, and general scam coverage

Built for fraud-oriented blocking. It combines the major scam families into one stream so teams can stop social-engineering and payment-extraction funnels without maintaining separate mappings for each scam subtype.

Suspicious

Higher-friction suspicious activity for policy-driven environments

Designed for destinations that often need softer enforcement, user warning, or separate review rather than the same hard-block policy used for phishing and malware. Typical examples include suspicious shops, suspicious dating, browser spam, and unwanted-app destinations.

Delivery model

Delivery is optimized for scheduled ingestion, not analyst browsing: stable columns, full snapshots, predictable refresh cadence, and enough context to support both automated action and human review without forcing a second enrichment system. Because every pull is a complete snapshot rather than a delta, a consumer should rebuild its policy set from each pull instead of appending to the previous one; otherwise a domain that has dropped out of the feed stays blocked indefinitely.

Format illustration

Typical schema

Minimal enough for DNS and firewall pipelines, while still preserving the context analysts need when a blocked domain is escalated or reviewed. Note that the category column carries the specific detection label (for example Investment Scam or Suspicious Shop) rather than the name of one of the four streams; the streams group those labels, so a consumer that enforces per stream either pulls a stream-scoped snapshot or maps labels to streams locally.

domain,category,risk_score,report_url
example-phish.com,Phishing,96,https://gridinsoft.com/online-virus-scanner/url/example-phish-com
example-scam.net,Investment Scam,91,https://gridinsoft.com/online-virus-scanner/url/example-scam-net
example-shop.org,Suspicious Shop,84,https://gridinsoft.com/online-virus-scanner/url/example-shop-org
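As an added example (not the vendor's code), the consumer below parses a snapshot in this schema, rolls the category labels up into the four streams, applies a per-stream policy with a risk-score threshold and a local allowlist, and emits a DNS Response Policy Zone plus an analyst review queue that keeps the report URL. The label-to-stream table, the thresholds, the zone name and the warning host are assumptions of the example; the sample rows beyond the three shown above are constructed.

```python
"""Turn an hourly domain-feed snapshot into RPZ policy plus an analyst review queue.

Added example, not the vendor's code. Assumes the four-column CSV shown above; the
label-to-stream table, thresholds, zone name and warning host are this example's own
choices, not values taken from the page.
"""
import csv
import gzip
import io
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative roll-up of detection labels into the four streams (assumed, not the
# vendor's list); unknown labels are routed to review rather than guessed at.
STREAM_BY_CATEGORY = {
    "phishing": "phishing", "malware": "malware",
    "investment scam": "scam", "crypto scam": "scam",
    "suspicious shop": "suspicious", "suspicious dating": "suspicious",
}

# Per-stream policy: CNAME target and minimum risk score to enforce at all.
# "." is the RPZ encoding of NXDOMAIN; the suspicious stream redirects to a
# hypothetical warning host instead of a hard block.
POLICY = {"phishing": (".", 80), "malware": (".", 80), "scam": (".", 85),
          "suspicious": ("warn.rpz.example.", 90)}

# Strict hostname check; a row that fails is dropped, never written to the zone.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


@dataclass
class Record:
    domain: str
    category: str
    risk_score: int
    report_url: str
    stream: Optional[str]


def parse_snapshot(raw: bytes) -> list:
    """Parse a plain or gzip-compressed CSV snapshot; malformed rows are skipped,
    because feed content is untrusted input as far as the resolver is concerned."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    records = []
    for row in csv.DictReader(io.StringIO(raw.decode("utf-8"))):
        domain = (row.get("domain") or "").strip().lower().rstrip(".")
        if not DOMAIN_RE.match(domain):
            continue
        try:
            score = int(row["risk_score"])
        except (KeyError, TypeError, ValueError):
            continue
        category = (row.get("category") or "").strip()
        records.append(Record(domain, category, score, (row.get("report_url") or "").strip(),
                              STREAM_BY_CATEGORY.get(category.lower())))
    return records


def build_policy(records, allowlist=frozenset()):
    """Return (rpz_lines, review_queue). Allowlisted domains are never blocked however
    high they score; unknown labels and sub-threshold scores go to the review queue."""
    rpz, review = [], []
    for r in records:
        if r.domain in allowlist:
            continue
        if r.stream is None or r.risk_score < POLICY[r.stream][1]:
            review.append(r)
            continue
        target = POLICY[r.stream][0]
        rpz.append(f"{r.domain} CNAME {target}")
        rpz.append(f"*.{r.domain} CNAME {target}")  # cover subdomains too
    return rpz, review


def render_rpz_zone(rpz_lines, serial: int, origin: str = "rpz.example.") -> str:
    """Wrap policy lines in a minimal RPZ zone. Regenerate it whole on every pull
    so that domains that left the snapshot also leave enforcement."""
    header = [f"$ORIGIN {origin}", "$TTL 300",
              f"@ SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
              "@ NS localhost."]
    return "\n".join(header + sorted(rpz_lines)) + "\n"


# Constructed sample: the page's three rows plus edge cases (allowlisted domain,
# malformed domain, non-numeric score, unknown label). Report URLs for the added
# rows are placeholders.
SAMPLE_CSV = """domain,category,risk_score,report_url
example-phish.com,Phishing,96,https://gridinsoft.com/online-virus-scanner/url/example-phish-com
example-scam.net,Investment Scam,91,https://gridinsoft.com/online-virus-scanner/url/example-scam-net
example-shop.org,Suspicious Shop,84,https://gridinsoft.com/online-virus-scanner/url/example-shop-org
trusted-partner.example,Phishing,99,https://reports.example/trusted-partner-example
not a domain,Malware,90,https://reports.example/bad-row
example-dropper.net,Malware,n/a,https://reports.example/example-dropper-net
example-new.org,Brand New Label,95,https://reports.example/example-new-org
"""


def demo():
    """Run the pipeline over the gzip-compressed sample so the decompress path is exercised."""
    records = parse_snapshot(gzip.compress(SAMPLE_CSV.encode("utf-8")))
    rpz, review = build_policy(records, allowlist=frozenset({"trusted-partner.example"}))
    return records, rpz, review
```

On the sample, the two high-scoring phishing and scam domains become NXDOMAIN rules (with wildcard entries for subdomains), the suspicious shop at 84 falls under the example's 90 threshold and lands in the review queue with its report URL, the unknown label also goes to review, and the malformed rows are discarded before they can reach the zone. The allowlist check sits before any enforcement decision on purpose: a feed record that names a domain your business depends on is the most expensive false positive a protective-DNS deployment can make.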

At a glance

Operational characteristics

Refresh
A fresh full snapshot is published every hour over HTTPS.
Formats
CSV and GZIP-compressed CSV are available for simple scheduled pulls and ETL jobs.
Records
Typical records include the domain, grouped category, risk score, and report URL used for escalation or validation.
Scope
Volume depends on the intended policy scope and filters, with active delivery sets ranging from tens of thousands to hundreds of thousands of domains.
Workflow
Feeds are suited both for direct enforcement and for secondary analyst review queues where blocked domains need quick context.

How engagement usually works

The goal is to make evaluation operational quickly: agree on the policy target, align the scope, measure block yield and review overhead, and then decide whether the feed earns a production slot.

1. Initial fit check

We map your environment, enforcement point, and which threat streams should land in hard block, softer policy, or analyst review.

2. Evaluation scope

We align the feed scope, delivery format, and the access or legal framework needed for the PoC.

3. Integration

Your team ingests hourly snapshots and measures block yield, quality, review overhead, and operational fit inside the actual policy stack.

4. Production decision

If the feed performs, we lock in production scope, access model, and the commercial framework.

Frequently asked questions

How often is the feed updated?
We publish full snapshots every hour so downstream systems can pull a current operational view on a predictable cadence.
What volume should buyers expect?
The delivered scope depends on the intended use case, grouping model, and applied filters. In practice, active delivery sets can range from tens of thousands to hundreds of thousands of domains, rather than being a raw dump of the broader internal corpus.
Can this be used for protective DNS?
Yes. The current delivery model is specifically shaped for protective DNS, resolver policy, secure web gateways, and adjacent enforcement workflows where domains are scored, blocked, or routed into review.
Is evaluation access possible?
Yes. We support partner PoCs and can align access around the intended integration model, enforcement workflow, and evaluation goals.

Interested in a feed evaluation?

Tell us where the feed would sit in your stack, which policy decisions it is meant to support, and what you want to measure during evaluation. We will help scope the right access path.
