The Value of Emerging Threats Intelligence
Threat campaigns often evolve too quickly for traditional defenses to catch them in time. Our Emergent Threats Domains feed is built to provide early visibility into domains that are likely to be used in malicious activity. By combining multiple data sources with advanced analysis techniques, we surface high-risk domains before they are operationalized in active campaigns. This allows security teams to move from reactive defense to proactive action, reducing exposure and improving response times.
Identifying Risk Before It’s Weaponized
To identify emerging threats, we combine several raw data sources, including newly registered domains (NRDs), newly observed domains (NODs) from DNS traffic and other signals from our global collection systems. On their own, these datasets are high-volume and unfiltered, but by applying multiple layers of analysis we can identify domains that are far more likely to be weaponized in malicious campaigns.
Each domain is scored based on the following (among other) criteria:
- Structural analysis: Detecting randomness, entropy, and other patterns common in algorithmically generated domains (DGAs)
- Infrastructure associations: Mapping connections to infrastructure from both current and previous malicious campaigns tracked in Malware Patrol’s extensive historical database, revealing reuse of attacker resources
- Brand lookalikes: Spotting domains designed to impersonate trusted brands, a common precursor to phishing and fraud
- TLD reputation: Factoring in the track record of top-level domains (for example, .xyz) that frequently appear in malicious campaigns
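As an added illustration of how these four criteria can be combined into a single risk score (this is example code written for this page, not Malware Patrol’s scoring logic), the sketch below scores a few constructed domains. The TLD weights, brand list, confusable-character map, entropy threshold and known-bad IP set are all assumptions chosen for the example.

```python
import math

# Constructed reference data for the example only; a real feed draws these from
# historical campaign tracking, not from hard-coded tables.
RISKY_TLDS = {"xyz": 2, "top": 2, "icu": 2}          # TLD reputation weights
BRANDS = ["paypal", "microsoft", "dropbox"]           # brands to check for lookalikes
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # common substitutions

def shannon_entropy(label: str) -> float:
    """Bits per character; random-looking DGA labels score high."""
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(label: str):
    """Return the brand a second-level label imitates, or None (assumed heuristic)."""
    norm = label.translate(CONFUSABLES)
    for brand in BRANDS:
        if norm == brand:
            return brand if norm != label else None  # unaltered brand name is legitimate
        if brand in norm or edit_distance(norm, brand) <= 1:
            return brand
    return None

def score_domain(domain: str, resolved_ips, known_bad_ips: set):
    """Apply structural, brand, TLD and infrastructure checks; return (score, reasons)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return 0, ["not a registrable domain"]
    tld, sld = labels[-1], labels[-2]
    score, reasons = 0, []
    ent = shannon_entropy(sld)
    if len(sld) >= 12 and ent > 3.5:                  # structural analysis (DGA-like)
        score += 3; reasons.append(f"high entropy ({ent:.2f})")
    brand = lookalike_brand(sld)                      # brand lookalike
    if brand:
        score += 3; reasons.append(f"lookalike of {brand}")
    if tld in RISKY_TLDS:                             # TLD reputation
        score += RISKY_TLDS[tld]; reasons.append(f"risky TLD .{tld}")
    shared = set(resolved_ips) & known_bad_ips        # infrastructure association
    if shared:
        score += 4; reasons.append(f"resolves to known-bad infrastructure {sorted(shared)}")
    return score, reasons
```

`resolved_ips` stands in for passive-DNS resolution data and `known_bad_ips` for a historical campaign database; in practice both come from collection systems rather than from the caller.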
This combination of broad input data and layered analysis transforms raw domain activity into a curated feed of high-risk signals. Even though these domains may not yet appear on VirusTotal or in traditional intelligence feeds, they often carry subtle indicators of risk.
Key Benefits for Security Teams
By highlighting suspicious domains early, the feed gives defenders a head start. With emerging threats intelligence, security teams can:
- Block high-risk domains before they are weaponized
- Identify suspicious infrastructure earlier in the attack chain
- Reduce attacker dwell time by acting faster
- Strengthen DNS-layer defenses and detection systems with predictive data
Advantages and Limitations
Like any security solution, our Emergent Threats Domains feed has strengths and trade-offs that should be considered.
Advantages:
- Pre-filtered and enriched, reducing noise and making it ready to deploy in firewalls, SIEMs, and DNS layers
- Compact enough to work within the limits of tools that cannot process large blocklists
- Includes enrichment and scoring, providing immediate context for faster decisions
- Well-suited for smaller teams or those without capacity to build enrichment pipelines internally
Limitations:
- Filtering and scoring are determined by vendor criteria, which may not fully align with every organization’s unique threat model
- By design, not every domain is included, only those identified as suspicious, so some activity could be missed
- Less flexible than raw feeds, making it less suitable for organizations that prefer to create custom detection logic
Comparison: Newly Registered Domains vs Emergent Threats Domains
Both NRDs and emerging threats intelligence provide valuable visibility, but they serve different needs as outlined in the table below.
| Newly Registered Domains (NRDs) | Emergent Threats Domains |
|---|---|
| Broad coverage of all new domains | Focused coverage of domains flagged as suspicious |
| High volume and unfiltered | Pre-filtered, enriched, and scored |
| Requires custom enrichment and filtering by the user | Includes enrichment such as entropy, brand lookalikes, infrastructure ties, and TLD reputation |
| Useful for hunting, research, and building custom detections | Useful for immediate blocking and SOC operations |
| May overwhelm tools or teams without filtering | Compact size avoids overwhelming security tools |
| Best for mature SOCs and research teams | Best for smaller teams or those prioritizing operational efficiency |
In short, NRDs give maximum visibility and flexibility, while Emergent Threats Domains provides ready-to-use intelligence that reduces noise and speeds up action.
Try Malware Patrol’s Emergent Threats Domains With a Free Trial
Whether you want the flexibility of raw NRDs or the convenience of enriched Emergent Threats Domains, we can help you choose the right approach for your environment. We also offer free evaluations so you can see the data in action and decide which feed best fits your security needs.
Get started today and take the first step toward staying ahead of tomorrow’s threats. We’d be happy to discuss options and set up a free trial. Use this link to schedule time with us.