Domain Risk Score User Guide
Introduction
Domain Risk Score is powered by our real-time, historical database of observed changes in domain names, registrations, and infrastructure values. Our industry-leading data makes it possible for us to generate best-in-class analysis. We estimate a domain's observed connections to known-bad actors with Proximity, and its predicted risk with our Threat Profile suite of machine learning classifiers.
Our Threat Profile uses machine learning (ML) classifiers to estimate the probability that a domain was registered with malicious intent, for the purpose of malware, phishing, and/or spam. We continuously refine our ML classifiers against changes in the global DNS and the malicious domain landscape, drilling down to the signals (out of hundreds) most important for predicting malice.
Our Proximity score measures a domain’s observed closeness to known malicious domain infrastructure. We enrich known-bad domains with our own data, and reveal the innocent-looking domains to which they are linked. The Proximity score updates rapidly in response to changes in global DNS infrastructure.
Domain Risk Score is fully incorporated into multiple DomainTools products for security automation and investigation.
Domain Risk Score Components
Domain Risk Score Field Names and Valid Values
Domain Risk Score Component | Field Name | Valid Values
---|---|---
Overall Domain Risk Score (the highest of malware_risk, phishing_risk, spam_risk, and proximity) | overall_score | 0-100
Malware Risk | malware_risk | 0-100, or null
Phishing Risk | phishing_risk | 0-100, or null
Spam Risk | spam_risk | 0-100, or null
Proximity | proximity | 0-100
Threat Profile (Malware, Phishing, and Spam)
The Threat Profile consists of three components:
malware_risk: A machine learning classifier tuned to look for malware-related domains: domains used for malware hosting, dropping, command-and-control, or other malware activity.
phishing_risk: A machine learning classifier tuned to look for phishing-related domains: domains that may try to deceive a user by impersonating a product or service in order to perform malicious activity against that user.
spam_risk: A machine learning classifier tuned to look for spam-related domains: domains that take part in spam email creation, distribution, or tracking.
Each component is computed by a set of machine learning (ML) classifiers that predict whether a domain was registered with malicious intent, by assessing how similar the domain's inherent characteristics are to those of known phishing, malware, and spam domains. Threat Profile scores are only produced for domains 28 months old or younger.
Each Threat Profile component is scored 1-99 or null:
- A null score indicates that the domain has aged out of the Threat Profile (it is older than 28 months). It does not mean the domain is safe; Proximity still scores it.
- Scores of 0 and 100 are special cases for zero-listing and blocklisting, respectively (consult Domain Risk Score Ranges, below).
Proximity
The Proximity score (proximity) quantifies the closeness of a domain to known-malicious domains. It indicates the likelihood that a domain is associated with malicious intent, based on signals from the domain's registration details and hosting infrastructure. Unlike the Threat Profile components, Proximity is never null: it is computed for domains of any age.
The Proximity score is calculated between 1-99. Scores of 0 and 100 are special cases for zero-listing and blocklisting, respectively (consult Domain Risk Score Ranges, below).
Proximity assigns risk much like a human investigator would, by looking at the connections domains have to each other. For example, if a large percentage of the domains hosted on a given IP address are known to be malicious, the remaining domains on that IP address inherit elevated risk. Because the signal is a share rather than a count, a few malicious tenants on a large shared host carry far less weight than a host where most tenants are malicious.
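The co-hosting heuristic in the paragraph above, as an added toy illustration written for this guide. It is not DomainTools' Proximity algorithm, which draws on many more registration and infrastructure signals; here risk is inherited only through shared IP addresses. The passive-DNS-style (domain, IP) observations and the blocklist are constructed, and the `min_neighbors` cut-off is an assumed threshold.

```python
"""Toy co-hosting heuristic: inherit risk from the share of known-bad
neighbours on a shared IP. Illustration only, not DomainTools' Proximity."""
from collections import defaultdict

# Constructed (domain, ip) observations, in the shape a passive DNS dump
# might provide. RFC 5737 documentation addresses; .test names are made up.
OBSERVATIONS = [
    ("evil-one.test", "203.0.113.10"),
    ("evil-two.test", "203.0.113.10"),
    ("evil-three.test", "203.0.113.10"),
    ("quiet-neighbor.test", "203.0.113.10"),   # shares a mostly-bad host
    ("big-shared-host.test", "198.51.100.5"),
    ("shop-a.test", "198.51.100.5"),
    ("shop-b.test", "198.51.100.5"),
    ("shop-c.test", "198.51.100.5"),
    ("shop-d.test", "198.51.100.5"),
    ("evil-four.test", "198.51.100.5"),        # one bad tenant on a large shared host
    ("evil-five.test", "192.0.2.9"),
    ("lonely.test", "192.0.2.9"),              # only one neighbour: too little evidence
]

# Constructed blocklist standing in for "known malicious domain infrastructure".
KNOWN_BAD = {"evil-one.test", "evil-two.test", "evil-three.test",
             "evil-four.test", "evil-five.test"}


def ip_badness(observations, known_bad):
    """For each IP, return (known_bad_count, total_count) over distinct domains."""
    hosted = defaultdict(set)
    for domain, ip in observations:
        hosted[ip].add(domain)
    return {ip: (len(domains & known_bad), len(domains))
            for ip, domains in hosted.items()}


def cohosting_score(domain, observations, known_bad, min_neighbors=3):
    """Score a domain 1-99 from its worst shared IP; 100 if it is itself listed.

    For each IP the domain resolves to, the risk is the fraction of the
    *other* domains on that IP that are known-bad. IPs with fewer than
    min_neighbors other tenants are ignored: a single bad neighbour on a
    two-tenant host is weak evidence. The fraction is mapped onto the 1-99
    band the guide reserves for computed scores; a domain with no qualifying
    neighbours gets the floor value of 1.
    """
    if domain in known_bad:
        return 100                      # blocklisted: the 100 special case
    badness = ip_badness(observations, known_bad)
    ips = {ip for d, ip in observations if d == domain}
    worst = 0.0
    for ip in ips:
        bad, total = badness[ip]
        others = total - 1              # exclude the domain being scored
        if others < min_neighbors:
            continue
        worst = max(worst, bad / others)
    return 1 + round(worst * 98)


if __name__ == "__main__":
    for name in ("quiet-neighbor.test", "shop-a.test", "lonely.test",
                 "evil-one.test", "unseen.test"):
        print(f"{name:22} {cohosting_score(name, OBSERVATIONS, KNOWN_BAD):3}")
```

The two shared hosts make the caveat concrete: quiet-neighbor.test sits behind three known-bad tenants and scores near the top of the band, while shop-a.test shares a six-tenant host with one bad domain and stays in the grey range, which is the behaviour you want from any guilt-by-association signal on shared hosting.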
How the Overall Domain Risk Score is Calculated
The overall Domain Risk Score (overall_score) is the highest of the Threat Profile components and Proximity, where the Threat Profile score is itself the highest of Phishing, Malware, and Spam. A null component (aged out of the Threat Profile) is not numeric and drops out of the comparison, so a domain older than 28 months is scored on Proximity alone.
In the following example, the Domain Risk Score inherits 81 from Malware:
- Domain Risk Score: 81
- Proximity: 23
- Malware: 81
- Phish: 69
- Spam: 1
Domain Risk Score Ranges
Score Range | Score Color | Description |
---|---|---|
100 | Red | Blocklisted. These domains can be considered known-bad, and have the highest likelihood of malicious intent. DomainTools combines third party blocklists with our own scoring to determine which domains to blocklist. |
90-99 | Red | Strong confidence in near-term weaponization. |
70-89 | Orange | A potential threshold for suggesting malicious intent, and our default recommendation for significance in an investigation. Individual mileage may vary, depending on your security context and priorities. |
50-69 | Yellow | May require attention, depending on your security posture. |
1-49 | Grey | Very little evidence of malicious intent. |
0 | Grey | Zero-listed. DomainTools zero-lists a domain when we have no evidence that it was registered with malicious intent. Zero-listing guards well-known legitimate domains against accidental blocking and includes domains which are vital to the expected operation of the Internet. |
Note that DomainTools does not assess or condone the quality of the content hosted on scored domains.
No component of the Domain Risk Score definitively confirms malicious activity: the scores predict intent and association, and threat actors may register many domains but use only a few of them for malicious purposes. Treat a high score as a reason to investigate or to apply policy, not as proof that the domain has been used in an attack.
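The two preceding sections, the max-of-components calculation and the range table, as one worked example in Python. This is an added illustration written for this guide, not DomainTools code; the field names follow the table in Domain Risk Score Field Names and Valid Values, the range labels are shortened from the table above, and the sample records (including the .test domain names) are constructed rather than real API output.

```python
"""Combine Domain Risk Score components and bucket the result.

Added illustration, not DomainTools code. Field names follow the guide
(overall_score, malware_risk, phishing_risk, spam_risk, proximity); the
sample records are constructed and are not real API output.
"""
from typing import Optional

# Threat Profile components. None stands for the API's null: the domain is
# older than 28 months and has aged out of the Threat Profile.
THREAT_PROFILE_FIELDS = ("malware_risk", "phishing_risk", "spam_risk")

# (low, high, color, label), condensed from the "Domain Risk Score Ranges" table.
RANGES = (
    (100, 100, "Red", "Blocklisted"),
    (90, 99, "Red", "Strong confidence in near-term weaponization"),
    (70, 89, "Orange", "Default investigation threshold"),
    (50, 69, "Yellow", "May require attention"),
    (1, 49, "Grey", "Very little evidence of malicious intent"),
    (0, 0, "Grey", "Zero-listed"),
)

# Constructed sample records keyed by made-up domain names.
SAMPLE_RECORDS = {
    # The guide's own worked example: the overall score inherits 81 from Malware.
    "guide-example.test": {"proximity": 23, "malware_risk": 81,
                           "phishing_risk": 69, "spam_risk": 1},
    # Aged out of the Threat Profile: only Proximity can score it.
    "aged-out.test": {"proximity": 57, "malware_risk": None,
                      "phishing_risk": None, "spam_risk": None},
    # A 100 in any component pins the overall score at 100 (blocklisted).
    "blocklisted.test": {"proximity": 100, "malware_risk": 40,
                         "phishing_risk": 12, "spam_risk": 3},
    # Zero-listed, well-known legitimate domain.
    "zero-listed.test": {"proximity": 0, "malware_risk": 0,
                         "phishing_risk": 0, "spam_risk": 0},
}


def validate_component(name: str, value: Optional[int]) -> None:
    """Enforce the guide's valid values: 0-100, with null allowed only for Threat Profile."""
    if value is None:
        if name == "proximity":
            raise ValueError("proximity is never null")
        return
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
        raise ValueError(f"{name}={value!r} is outside 0-100")


def threat_profile_score(record: dict) -> Optional[int]:
    """Highest of malware_risk, phishing_risk and spam_risk; None if all are null."""
    present = []
    for name in THREAT_PROFILE_FIELDS:
        value = record.get(name)
        validate_component(name, value)
        if value is not None:
            present.append(value)
    return max(present) if present else None


def overall_score(record: dict) -> int:
    """Highest of the Threat Profile score and Proximity.

    A null Threat Profile is not numeric, so it drops out of the comparison
    and an aged-out domain is scored on Proximity alone.
    """
    proximity = record.get("proximity")
    validate_component("proximity", proximity)
    tp = threat_profile_score(record)
    return proximity if tp is None else max(tp, proximity)


def classify(score: int) -> tuple:
    """Map a 0-100 score onto the guide's (color, label) range."""
    for low, high, color, label in RANGES:
        if low <= score <= high:
            return color, label
    raise ValueError(f"score {score} is outside 0-100")


def contributing_component(record: dict) -> str:
    """Name of the component the overall score was inherited from (first on ties)."""
    score = overall_score(record)
    for name in THREAT_PROFILE_FIELDS + ("proximity",):
        if record.get(name) == score:
            return name
    raise AssertionError("unreachable: the overall score always equals a component")


def triage(record: dict, threshold: int = 70) -> dict:
    """Summarise a record for an analyst, flagging it at the guide's default 70."""
    score = overall_score(record)
    color, label = classify(score)
    return {"overall_score": score, "color": color, "label": label,
            "from": contributing_component(record),
            "investigate": score >= threshold}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {triage(record)}")
```

Two points the code makes explicit that the prose only implies: a record whose Threat Profile fields are all null is still scored (by Proximity), and a 100 in any single component is enough to put the overall score in the blocklisted range regardless of the others. The `threshold` argument is where you would substitute your own cut-off if 70 does not fit your environment.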
Using the Domain Risk Score
The Domain Risk Score is available wherever DomainTools data is consumed: in the Iris products, through dedicated API endpoints, in threat feeds, and in third-party integrations.
Iris Platform: UI and API
The Domain Risk Score is fully integrated into the DomainTools family of Iris products: Investigate, Enrich, and Detect. Risk scores appear for all active domains both in the web application user experience as well as in all Iris APIs.
Risk Score API Endpoints
The Domain Risk Score also has its own API endpoints, and is included in Iris API products. Consult our API documentation and the Domain Risk Score endpoint for more information.
Threat Feeds
Domain Risk Score values are also carried in DomainTools threat intelligence feeds. Consult our Real-time and Daily Threat Feeds.
Integrations
Domain Risk Score is built into our third-party integrations, such as Splunk. Consult our Integrations page for more information.
Last modified: Aug 19, 2025