Datazag

Infrastructure Intelligence — Identify Threats Earlier, with Context You Can Trust

Stop threats before they reach content or users.

Get Free API Key
Explainable risk factorsDesigned to reduce noiseAPI, feeds & webhooks

The Manual Enrichment Problem

Your security team waste hours on checking every DNS record for a domain and then interpreting the information.

The Manual Enrichment Problem

Datazag's domain intelligence automates enrichment in one SQL join across all your logs, against the full 330M+ domain corpus. Hours of analyst time saved per investigation.

The Solution: Use Datazag's Domain Intelligence.

Live Cloud Data Shares

Benefits

  • Zero-ETL and get the data instantly. No API throttling, no download scripts, no maintenance overhead. The data just appears in your SQL editor as a table.
  • Query without fear. This is a flat-rate license. You have raw access to the full 330M+ row dataset. Run analytical queries, train ML models, or hunt for threats across the entire internet as often as you want. There is no meter running.
  • The complete map. Our shares include the "Shadow Domains" discovered via CertStream and the "Infrastructure Graph" (PTR/CNAME) found via our Datazag Graph. You aren't just ingesting a list of names; you are ingesting a map of attacker infrastructure that legacy feeds miss completely.
  • Better economics. We provide the storage. Vendors who offer SaaS portals charge a huge markup because they have to pay cloud provider for the compute to run your queries. With Cloud Shares you use your existing corporate cloud credits to query the data. This is 50-70% cheaper than buying a "SaaS License" where the vendor marks up the compute cost.
  • Fresh Data. Other systems provide "Daily Snapshots" that are 24-48 hours old by the time they are ingested. Our grid re-scans the priority internet every hour and the full internet every ~40 hours. The result is Your SIEM / Threat Hunting team is looking at today's internet, not yesterday's snapshot.

Supported Platforms ( Available Q3 2026)

  • AWS Data Exchange
  • Azure Data Share
  • Google Cloud Analytics Hub
  • Snowflake Marketplace
  • Databricks Marketplace
sql
-- Example: Enrich DNS logs
SELECT logs.*, dz.risk_score, dz.classification
FROM dns_logs logs
LEFT JOIN datazag.domain_intelligence dz ON logs.domain = dz.domain
WHERE dz.risk_score > 80;

Real-Time API Access

Benefits

  • Zero Dead Ends: Don't settle for "404 Not Found." If a domain isn't in our DB, we trigger an instant Build-Time Detection to resolve, trace, and risk-score it in <2 seconds.
  • Forensic Verification: Validate takedowns instantly. We return precise DNS diagnostics (NXDOMAIN, SERVFAIL) so you can distinguish between a deleted threat and a blocking firewall.
  • Trust, But Verify: Force a Live Refresh on any record to bypass our cache and see the DNS and risk scores as they are now.
  • Subdomain Discovery: Catch the threats others miss. Our API sees "Shadow Domains" (paypal.secure.com) via real-time CertStream integration.
  • Sub-Second Latency: Millisecond response times on cached lookups. Couple of seconds on a live refresh.

Use Cases

  • User verification at sign-up
  • Real-time phishing detection
  • Email validation and cleaning
  • Fraud scoring engines
  • SIEM enrichment pipelines
python
import requests

API_KEY = "your_api_key"
BASE_URL = "https://api.datazag.com"

def enrich_domain(domain):
    url = f"{BASE_URL}/data/{domain}"
    headers = {"X-API-Key": API_KEY}
    
    response = requests.get(url, headers=headers)
    data = response.json()
    
    return {
        "domain": data["domain"],
        "age_days": data["age_days"],
        "is_phishing": data["phishing_detected"],
        "risk_score": data["risk_score"],
        "mailbox_provider": data["mx_classification"]
    }

# Example: Check a suspicious domain
result = enrich_domain("suspicious-example.com")
print(f"Risk Score: {result['risk_score']}/100")
Integration Diagram

More than a raw feed — pre-enriched, pre-scored, ready to JOIN.

Other data vendors hand you raw signals and leave the interpretation to you. Datazag delivers domain intelligence with risk scores, classifications, infrastructure context and historical patterns already computed — so your SQL queries return answers, not attributes.

Pre-enriched: Every record carries 50+ attributes — DNS, WHOIS, certificates, hosting, reputation — joined in advance.

Pre-scored: Risk scores, classifications and trust indicators are computed against the full graph at ingestion. Your queries return decisions, not lookups.

Refreshed continuously: Real-time updates from CertStream, BGP and active DNS scanning. Today's internet, not yesterday's snapshot.

Explainable: Every score includes the signals and reasoning that drove it — for defensive AI, SOC automation and audit workflows.

Our Approach:

Contextual:Every data point includes temporal context and historical patterns
Actionable:Pre-calculated risk scores and classifications, not just raw attributes
Current:Real-time updates mean you're working with the freshest intelligence available
More than a raw feed — pre-enriched, pre-scored, ready to JOIN.

Complete Domain Coverage, Updated in Real-Time

330M+
Active domains Monitored

Description: Comprehensive coverage across all major TLDs with historical data and daily updates

<10 sec
Alert Speed

Real-time ingestion from Certificate Transparency logs and DNS changes

50+
Attributes Per Domain

Whois Registration data, DNS records, SSL certificates, phishing tags, mailbox intelligence, and more

24/7
Live Monitoring

25 -server infrastructure continuously collecting and processing domain intelligence

Every domain. Every detail.

We don't just collect domain names—we build a complete intelligence profile for every domain we track.

Registration Intelligence

  • Domain age and creation date
  • Registrar information
  • Renewal patterns
  • Real-time monitoring with historical context
  • Sub-domain updates

DNS & Infrastructure

  • DNS - All records
  • Nameserver changes
  • TLD country
  • Hosting provider
  • ASN country

Email & Deliverability

  • Mailbox provider classification
  • BIMI, MTA-STS and TLS-RPT record validation
  • MX record validation
  • Disposable/parked detection
  • Email hygiene scoring

Infrastructure Chain Following

  • CNAME chains followed to source
  • PTR records followed to source
  • MX records resolved to mail server IPs
  • Master domain identification

Registrar & Network Intelligence:

  • ASN-based registrar inference
  • SOA record analysis
  • Hosting provider classification

Domain Relationship Mapping:

  • Campaign clustering through shared infrastructure
  • Related domain discovery
  • Infrastructure reuse detection

Security Signals

  • Phishing detection flags
  • Malware associations
  • Certificate Transparency monitoring
  • SSL/TLS certificate data
  • Brand & Platform impersonation indicators

Classification & Scoring

  • Domain purpose detection
  • Explainable risk scoring
  • Mailbox provider categorization
  • Trust indicators
  • Anomaly detection

Temporal Data

  • First-seen timestamps
  • Last-updated timestamp
  • Change detection
  • Infrastructure modification tracking
  • Domain lifecycle monitoring

See What Enrichment Looks Like

Raw DNS log entry: 2025-01-14 | 10.0.1.45 | microsoft365-login-verify.xyz | 203.0.113.50

sql
SELECT logs.*, 
       dz.risk_score,              -- 94 (CRITICAL)
       dz.classification,          -- "phishing_suspected"
       dz.domain_age_days,         -- 1 (registered yesterday)
       dz.hosting_provider,        -- "BulletProof Hosting Ltd"
       dz.cname_chain,             -- Reveals actual server: malicious-host.darknet.ru
       dz.related_domain_count,    -- 15 (same campaign)
       dz.campaign_id              -- "camp_2025_01_financial_phish"
FROM dns_logs logs
LEFT JOIN datazag.domain_intelligence dz ON logs.domain = dz.domain
WHERE dz.risk_score > 80;

Result:

Block entire 15-domain campaign in seconds, not hours.

Manual investigation: 15 minutes

With enrichment: 10 seconds

Logs You Can Enrich

DNS Query Logs

  • CNAME/PTR chain visibility
  • Risk scores for every query
  • C2 and malware detection

SMTP/Email Logs

  • Phishing detection
  • Mail server hosting analysis
  • Infrastructure mismatch detection
  • Sender validation

Proxy/Web Logs

  • CNAME chain following
  • Hosting provider analysis
  • URL risk scoring

Firewall/NGFW Logs

  • Destination risk assessment
  • ASN and registrar intelligence

EDR/Endpoint Logs

  • C2 domain detection
  • Infrastructure chain visibility

IAM/Authentication Logs

  • Email domain validation
  • Domain legitimacy scoring

Built from the Ground Up

Our intelligence comes from continuous monitoring of the internet's core infrastructure—not just static databases.

Mail Provider Analysis

Active probing of MX records and mail server configurations to classify email infrastructure

DNS Infrastructure

Continuous polling of authoritative nameservers and passive DNS collection across millions of domains

Certificate Transparency Logs

Real-time monitoring of SSL certificate issuance to catch newly registered domains within seconds of activation

Threat Intelligence Feeds

Integration with phishing databases, malware feeds, and security community sources for reputation data

WHOIS data

Direct feeds from registry operators and zone file access for authoritative registration data

Lookup Tables

Curated lookup tables to identify the providers and attributes for DNS records to Provider

  • MX -> Mailbox Provider
  • Hosting Providers
  • TLD & IP Country
  • ASN names &location

Power critical security workflows

From phishing detection to lead verification, our domain intelligence adapts to your needs.

Phishing Detection

Challenge

Detect malicious domains before they reach users

Solution

Real-time domain registration monitoring with <10 second detection on suspicious patterns

"Domain registered 3 hours ago + typo squatting detected → instant block"

Fraud Protection

Challenge

Filter fake accounts and junk sign-ups

Solution

Score domains at ingestion based on age, reputation, and infrastructure patterns

"Remove 90%+ of fraudulent registrations before they enter your funnel"

Email Deliverability

Challenge

Clean email lists and improve inbox placement

Solution

Identify disposable, parked, or misconfigured domains in your database

"Boost deliverability rates by 20-30% and reduce bounce rates"

Log Analytics & SIEM

Challenge

Enrich security logs with domain context

Solution

Bulk enrichment of domains from firewall logs, DNS queries, SMTP logs and web traffic

"New domain + high entropy + no mail records → escalate to analyst"

KYC & Compliance

Challenge

Verify business legitimacy at onboarding

Solution

Cross-reference domain age, SSL certificates, and email infrastructure

"Flag suspicious businesses (1-day-old domain + free email provider)"

Brand Protection

Challenge

Monitor for brand & platform impersonation

Solution

Real-time alerts on similar domains registered to your brand

"Catch typo squatting domains within minutes of registration"

Try It yourself

Try It Yourself

* This is a demonstration of our real-time API. Full results available in our portal.

Flexible access for every team

Brand & Platform protection

Free forever

1,000 API calls/month

  • Phishing & Brand impostors flagged within 60 seconds off SSL issuance
  • Webhook, Email, Slack & MS Teams notifications
  • Customized for your brands
Sign Up Now

API Access

From $79/month

Multiple API endpoints tailored for different use cases

  • Under 200 millisecond response time
  • Webhook notifications
  • Perfect for: KYC, KYB and email validation applications
Purchase Now

Live Cloud Shares

From

Access to over 315M domains

  • Updated every 10 minutes
  • Available as parquet files in Delta & Iceberg data lake formats
  • SLA guarantees
  • Perfect for: Security Operations, Log Analytics, Large-scale Applications

Start building with domain intelligence

Get immediate access to the most comprehensive domain database. No credit card required for free tier.

Create Free AccountView Full Pricing Details
Explainable risk factorsDesigned to reduce noiseAPI, feeds & webhooks

Frequently asked questions

How often is your data updated?

Our infrastructure monitors domains in real-time, with new domain registrations detected within 60 seconds through Certificate Transparency logs. DNS and reputation data is refreshed continuously.

What's the difference between the API and Cloud Data Shares?

The API is perfect for real-time lookups and application integration. Cloud Data Shares give data teams direct SQL access to our complete dataset in their cloud platform—ideal for bulk analysis and joining with your own data.

Do you have historical data?

Yes, we maintain historical records for domains we've tracked, including DNS changes, SSL certificate history, and reputation changes over time.

What makes Datazag different from other domain intelligence providers?

We focus on actionable intelligence rather than raw data dumps. Our multi-signal approach combines real-time monitoring, phishing detection, and contextual scoring to give you answers, not just attributes.

Can I try it before committing?

Absolutely. Our free tier includes 1,000 API calls per month with access to all domain attributes. No credit card required.

What support do you offer?

Free tier includes community support. Paid plans include email support with priority response times. Enterprise customers get dedicated support channels and SLA guarantees.

Infrastructure Intelligence