Datazag

The Datazag Engine — Designed for Action

See how our triple-layer product architecture transforms raw internet registry noise into instant, downstream defensive blocklines.

THE DATAZAG PRODUCT MATRIX

ASSESSHealth Reports
  • Platform Usage Mapping
  • Impersonation History
  • Email & Domain Trust Profile
  • DNS Gaps
MONITORAlerts
  • Platform & Brand Impersonation Alerts
  • False Positive Detection
  • Reasons and Confidence Score
  • Brand Takedown Pack
BUILDCloud Shares
  • Apache Iceberg Delta Lake Formats for Time Travel
  • API & Webhook access for SIEMs
  • Access to 330M domain Corpus
Real-Time Signals Feed

YOUR SECURITY STACK

EMAIL

  • Malicious Sender Identification
  • Mailbox Categorisation (Parked/Disposable/Spam)
  • URL Infrastructure Mapping
  • MX, SPF,Dmarc & BIMI Hygeine

DNS & Routing Graph

  • Prefix & ASN Mapping
  • Blast Zone Density Calculation
  • NS, MX, IP Tracking
  • Updated Hourly

Platforms & Brand

  • Platform & Brand DNS matching
  • Cloud Provider Whitelisting
  • Identity Ingestion (Spoof IDs)
  • Malicious Infrastructure Mapping

PRE-COMPROMISE THREATS BLOCKED BEFORE THEY LAND

Datazag engine primitives delivering raw intelligence.

From Raw Telemetry to Defensive Action

How our data pipeline ingests, correlates, and pushes threat infrastructure updates globally.

[01]

Ingestion at Scale

We continuously process active certificate transparency logs (CertStream), BGP routing tables, and global DNS updates, capturing infrastructure modifications live.

[02]

Graph Enrichment

Incoming domains are mapped against our 330M-domain historical corpus. We isolate infrastructure footprints, configurations, and network risk indices.

[03]

Edge Delivery

Correlated telemetry streams directly into your operational stack. Zero dashboards required—high-fidelity data blocks are pushed straight to your APIs and SIEM tools.

Most threat intelligence is a list of indicators. Datazag is a graph of relationships.

Flat feeds tell you a domain is malicious. They don't tell you what ASN it belongs to, whether its routing posture is hijacked, or how its risk score is changing relative to its peers. The Datazag Graph models all of that as a connected dataset — nodes for every entity, edges for every relationship. The result is guilt-by-association detection.

Signal correlation and graphing

Every entity in the Graph is a node with typed edges to every other entity it touches.

Domain ↔ IP

every observed resolution, with timestamps

Domain ↔ Certificate

every certificate ever issued, with time and CA

Domain ↔ ASN

the autonomous system hosting the domain

Domain ↔ Threat feed

every external indicator that has touched the domain

ASN ↔ ASN

peering relationships derived from BGP observations

Prioritise what mattersReduce noise and false positivesDesigned for SOC workflows

Explainable risk scoring

Every entity in the Graph carries a risk score, recomputed continuously from dozens of signals. Critically, every score ships with the signals and rationale that drove it. Black-box scores require trust; explainable scores produce action.

Real-time telemetry

Static feeds tell you what was bad yesterday. The Datazag Graph tells you what's becoming bad now. The Graph is fed by streaming pipelines: Certificate transparency (<10s latency), BGP multi-collector observations, Active DNS polling, MX probing, and WHOIS feeds. Running on Apache Arrow Flight and DuckDB.

Routing hygiene verification

Most threat-intelligence systems treat hosting as binary. The Datazag Graph treats it as a continuum. Every ASN and prefix is checked against RPKI, MANRS, IRR, and Origin AS consistency.

What flows in

The Datazag Graph is built from continuous monitoring of the internet's core infrastructure.

  • 📨

    Mail provider analysis: Active probing of MX records across 1,000+ providers.

  • 🌐

    DNS infrastructure: Continuous polling of authoritative nameservers across 330M domains.

  • 🔐

    Certificate transparency: Real-time CertStream monitoring of SSL/TLS issuance.

  • 📡

    BGP and routing data: Multi-collector observations via RouteViews and RIPE RIS.

The Graph in motion — four named mechanisms

  1. Step 1

    Platform Fingerprinting

    Maps the platforms and vendors the organisation depends on.

  2. Step 2

    Corpus Matching

    Checks candidates against known DNS footprints and internet context.

  3. Step 3

    Build-Time Detection

    Impersonation infrastructure is flagged at the moment it's provisioned.

  4. Step 4

    Pre-Arrival Blocking

    Feeds directly into the blocking stack — email gateway, DNS filtering.

What the Graph is not

Not a threat-intel feed

Feeds are flat lists. The Graph is a structured relational dataset.

Not an ASM tool

ASM looks inward. The Graph looks outward at the internet.

Not a SaaS dashboard

The Graph is intelligence infrastructure consumed via API or data share.

Not built from licensed feeds

Datazag operates the collection infrastructure directly.

Prioritise what mattersReduce noise and false positivesDesigned for SOC workflows
Built for security and trust teams

Want to see the Graph in action?

Get my free reportTalk to engineering

Transparent pricing, explainable signals, and flexible delivery via API, feeds, or webhooks.