Domain Risk Score
Introduction
Domain Risk Score uses a real-time, historical database of observed changes in domain names, registrations, and infrastructure values. This industry-leading data enables best-in-class analysis. The system estimates a domain's observed connections to known-bad actors with Proximity, and its predicted risk with the Threat Profile suite of machine learning classifiers.
The Threat Profile uses machine learning classifiers to estimate the probability that someone registered a domain with malicious intent for malware, phishing, and/or spam. DomainTools continuously refines these machine learning classifiers against changes in the global Domain Name System (DNS) and the malicious domain landscape, drilling down to the signals—out of hundreds—most important for predicting malice.
The Proximity score measures a domain's observed closeness to known malicious domain infrastructure. DomainTools enriches known-bad domains with its own data, and reveals the innocent-looking domains to which they're linked. The proximity score updates rapidly in response to changes in global DNS infrastructure.
You can access Domain Risk Score through DomainTools products for security automation and investigation.
Domain Risk Score Components
Domain Risk Score Field Names and Valid Values
| Domain Risk Score Component | Field Name | Valid Values |
|---|---|---|
| Domain Risk Score (highest of malware_risk, phishing_risk, spam_risk, and proximity) | overall_score | 0-100 |
| Malware Risk | malware_risk | 0-100, null |
| Phishing Risk | phishing_risk | 0-100, null |
| Spam Risk | spam_risk | 0-100, null |
| Proximity | proximity | 0-100 |
Threat profile: malware, phishing, and spam
The Threat Profile consists of three components:
- malware_risk: A machine learning algorithm tuned to look for malware-related domains: domains used for malware hosting, dropping, command-and-control, or other malware activity.
- phishing_risk: A machine learning algorithm tuned to look for phishing-related domains: domains that may deceive a user by pretending to represent a product or service in order to perform malicious activities against that user.
- spam_risk: A machine learning algorithm tuned to look for spam-related domains: domains that are part of spam email creation, distribution, or tracking.
Each component uses a set of machine learning classifiers that predict whether someone registered a domain with malicious intent. The classifiers assess the similarity between a domain's inherent characteristics and those associated with phishing, malware, and spam. The Threat Profile Score applies only to domains that are 28 months old or younger.
Realtime risk scoring
DomainTools provides realtime risk scoring for newly discovered domains:
- Provisional scoring: Initial proximity and phishing risk scores are available within a few minutes of domain discovery
- Full risk scoring: Complete risk scoring across all 4 algorithms—proximity, phishing, malware, and spam—is typically available within 15-20 minutes of discovery
- Dynamic re-scoring: The system updates risk scores when it detects significant changes to a domain's DNS records or other attributes
- Daily scoring: The system continues to score all active domains daily to ensure up-to-date risk assessments
Each Threat Profile component scores 1-99 or null:
- A Threat Profile component score of null shows that the domain has aged out of that threat profile.
- The system reserves scores of 0 and 100 for zero-listing and allow-listing, respectively. Consult Domain Risk Score Ranges, below.
Proximity
The proximity score quantifies the closeness of a domain to known-malicious domains. It shows the likelihood that a domain has malicious intent, based on signals from the domain's registration details and hosting infrastructure.
The proximity score ranges from 1 to 99. The system reserves scores of 0 and 100 for zero-listing and allow-listing, respectively. Consult Domain Risk Score Ranges, below.
Proximity assigns risk much like a human investigator: looking at the connections domains have to each other. For example, if a large percentage of domains on a given Internet Protocol (IP) address are malicious, Proximity assumes the other domains on that IP address are also malicious.
How the system calculates the Domain Risk Score
The Domain Risk Score takes the highest of Threat Profile components and Proximity. Threat Profile takes the highest of Phishing, Malware, and Spam.
In the following example, the Domain Risk Score inherits 81 from Malware:
- Domain Risk Score: 81
- Proximity: 23
- Malware: 81
- Phish: 69
- Spam: 1
Domain Risk Score Ranges
| Score Range | Score Color | Description |
|---|---|---|
| 100 | Red | Blocklisted. These domains can be considered known-bad, and have the highest likelihood of malicious intent. This includes sinkholed domains. DomainTools combines third party blocklists with our own scoring to determine which domains to blocklist. |
| 90-99 | Red | Strong confidence in near-term weaponization. |
| 70-89 | Orange | A potential threshold for suggesting malicious intent, and our default recommendation for significance in an investigation. Individual mileage may vary, depending on your security context and priorities. |
| 50-69 | Yellow | May require attention, depending on your security posture. |
| 1-49 | Grey | Very little evidence of malicious intent. |
| 0 | Grey | Zero-listed. DomainTools zero-lists a domain when we have no evidence that it was registered with malicious intent. Zero-listing guards well-known legitimate domains against accidental blocking and includes domains which are vital to the expected operation of the Internet. |
Note that DomainTools doesn't assess or condone the quality of the content hosted on scored domains.
No component of the Domain Risk Score definitively confirms malicious activity, because threat actors may register many domains but use only a few for malicious purposes.
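The following Python is an added example, not DomainTools code, that applies the calculation above and the ranges table to records using the field names documented on this page (overall_score, proximity, malware_risk, phishing_risk, spam_risk). It recomputes the overall score as the highest of the Threat Profile components and Proximity, treats null components as aged out, reports which component the score is inherited from, bands the result, and flags records whose reported overall_score disagrees with its components. The sample records are constructed, and the tie-break order between components that score equally is an assumption the page does not state.

```python
"""Recompute, band, and verify a Domain Risk Score from its documented components.

Added example, not DomainTools code. Field names follow this page; the sample
records and the tie-break order between equal components are constructed
assumptions.
"""
from typing import Optional

# Threat Profile components; any of these is null once a domain has aged out (28 months).
THREAT_PROFILE_FIELDS = ("malware_risk", "phishing_risk", "spam_risk")

# The documented range table: (low, high, color, short label).
RISK_RANGES = (
    (100, 100, "Red", "Blocklisted"),
    (90, 99, "Red", "Strong confidence in near-term weaponization"),
    (70, 89, "Orange", "Potential malicious intent; default investigation threshold"),
    (50, 69, "Yellow", "May require attention"),
    (1, 49, "Grey", "Very little evidence of malicious intent"),
    (0, 0, "Grey", "Zero-listed"),
)


def _valid(score) -> int:
    """Reject anything that is not an integer in the documented 0-100 range."""
    if not isinstance(score, int) or isinstance(score, bool) or not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score!r}")
    return score


def threat_profile_score(record: dict) -> Optional[int]:
    """Highest of malware/phishing/spam risk; None when all three are null (aged out)."""
    present = [_valid(record[f]) for f in THREAT_PROFILE_FIELDS if record.get(f) is not None]
    return max(present) if present else None


def dominant_component(record: dict) -> tuple[str, int]:
    """Return (field, score) of the component the overall score is inherited from.

    Proximity is always present. Ties resolve in the order malware, phishing,
    spam, proximity (an assumption; the page does not specify tie-breaking).
    """
    candidates = [(f, _valid(record[f])) for f in THREAT_PROFILE_FIELDS if record.get(f) is not None]
    candidates.append(("proximity", _valid(record["proximity"])))
    return max(candidates, key=lambda fs: fs[1])  # first maximum wins on ties


def domain_risk_score(record: dict) -> int:
    """Overall score: the highest of the Threat Profile and Proximity."""
    return dominant_component(record)[1]


def risk_band(score: int) -> tuple[str, str]:
    """Map a 0-100 score onto the documented range table as (color, label)."""
    score = _valid(score)
    for low, high, color, label in RISK_RANGES:
        if low <= score <= high:
            return color, label
    raise AssertionError("unreachable: RISK_RANGES covers 0-100")


def verify_overall(record: dict) -> bool:
    """True when the record's reported overall_score matches the recomputed value."""
    return record.get("overall_score") == domain_risk_score(record)


def triage(records, threshold: int = 70):
    """Records scoring at or above the threshold (default: the Orange band),
    highest first, each tagged with the component that drove the score."""
    hits = []
    for rec in records:
        field, score = dominant_component(rec)
        if score >= threshold:
            color, label = risk_band(score)
            hits.append((rec["domain"], score, field, color, label))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample records (not real API output). The first mirrors the
# worked example on this page: the overall score is inherited from Malware.
SAMPLE_RECORDS = [
    {"domain": "example-a.invalid", "overall_score": 81, "proximity": 23,
     "malware_risk": 81, "phishing_risk": 69, "spam_risk": 1},
    # Aged out of the Threat Profile: only Proximity contributes.
    {"domain": "example-b.invalid", "overall_score": 12, "proximity": 12,
     "malware_risk": None, "phishing_risk": None, "spam_risk": None},
    # Zero-listed: every component is 0.
    {"domain": "example-c.invalid", "overall_score": 0, "proximity": 0,
     "malware_risk": 0, "phishing_risk": 0, "spam_risk": 0},
    # Reported overall_score disagrees with its components; verify_overall flags it.
    {"domain": "example-d.invalid", "overall_score": 40, "proximity": 95,
     "malware_risk": 10, "phishing_risk": 12, "spam_risk": None},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        field, score = dominant_component(rec)
        status = "ok" if verify_overall(rec) else "MISMATCH"
        print(rec["domain"], score, field, risk_band(score), status)
    print(triage(SAMPLE_RECORDS))
```

Recomputing the overall score on ingest is a cheap consistency check when scores arrive through a feed or integration, and carrying the dominant component alongside the score tells an analyst whether a hit came from infrastructure proximity or from one of the Threat Profile classifiers.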
Using the Domain Risk Score
The Domain Risk Score is fully integrated into the suite of Iris products: Investigate, Enrich, and Detect.
Iris Platform: user interface and API
The Domain Risk Score is fully integrated into the DomainTools family of Iris products: Investigate, Enrich, and Detect. Risk scores appear for all active domains both in the web app and in all Iris APIs.
Risk score API endpoints
The Domain Risk Score also has its own API endpoints. Iris API products include Domain Risk Score. Consult the API documentation and the Domain Risk Score endpoint for more information.
Threat Feeds
Threat intelligence feeds offer risk scoring. Consult the Real-time and Daily Threat Feeds.
Integrations
Third-party integrations, such as Splunk, include Domain Risk Score. Consult the Integrations page for more information.
Last modified: Aug 19, 2025