Frequently Asked Questions

Everything you need to know about DomainRisk.io

40 questions across 8 categories - from how the security score works to integrations, reports, billing and privacy. Can't find your answer? Contact us.

Getting Started

What is DomainRisk.io?
DomainRisk.io is a continuous domain security monitoring platform for security operations teams, MSSPs, IT administrators and compliance professionals. It collects WHOIS, DNS, SSL/TLS and email-authentication intelligence on every domain scan, converts those signals into a weighted, explainable 0-100 security score, and delivers specific remediation actions - plus real-time email and webhook alerts. PDF and CSV reports are available for audit and compliance use.
Do I need to install anything to get started?
No. DomainRisk.io is entirely web-based - no agents, browser extensions or local software required. Create an account, enter a domain name, and the platform handles all data collection, scoring and alerting from its own infrastructure. You can be monitoring your first domain within minutes of signing up.
Is there a free trial with no credit card required?
Yes. Account creation is free and requires no payment information. The free plan gives you access to the complete monitoring stack - WHOIS, DNS, SSL, email authentication and subdomain analysis - on a limited number of domains. There is no time limit; your free plan remains active until you choose to upgrade or close your account.
How quickly can I get my first scan result?
Most first-time scans complete within 60 seconds. Scans are processed asynchronously via a background queue, so the dashboard remains fully usable while the job runs. Once complete, your security score, security sub-scores, security findings, recommendations, subdomain inventory and DNS snapshot are all immediately available.
What types of domains can I monitor?
Any registered domain accessible via public WHOIS and DNS - regardless of TLD (.com, .io, .org, country-code TLDs and more) or registrar. Common use cases include monitoring your own brand domains, acquired assets, subsidiary domains, partner or vendor domains, domains under due-diligence review, or domains identified during threat intelligence work.

Domain Monitoring

How many domains can I monitor at once?
The domain limit depends on your plan. Free and Starter plans cover a limited domain set; Business and Agency plans progressively raise the ceiling. See the full breakdown on the pricing page.
How often are domains automatically scanned?
Scan frequency depends on your plan - daily on Business and Agency plans, weekly on lower tiers. You can also trigger a manual refresh at any time, subject to your monthly allowance. Business and Agency plans include priority queue processing so scans are handled before standard-tier jobs during peak demand.
What happens when I trigger a manual refresh?
A manual refresh immediately queues a new scan for the selected domain. The scan runs asynchronously - your dashboard stays responsive throughout. Once complete, the new snapshot replaces the current one, changes from the previous scan are logged to the timeline, and any alert conditions are evaluated. Manual refreshes count against your monthly allowance.
Can I set different scan frequencies for different domains?
Scheduled scan frequency applies to all domains in your account based on your plan tier. For domains requiring more frequent checks between scheduled cycles, use manual refreshes to scan on-demand at any time (subject to your monthly allowance).
What happens when I reach my domain monitoring limit?
You will not be automatically charged or have domains silently dropped. When you reach your plan's domain limit, adding new domains prompts you to upgrade. All existing monitored domains continue to scan normally on their scheduled frequency until you take action.

Security Scoring

How is the domain security score calculated?
The Global Security Score is a weighted composite of three major axes: Exploitable Risk (50%), Hardening Gaps (30%), and Governance (20%). Each axis is scored 0-100, then combined into one overall score from 0 (critical exposure) to 100 (strong security posture). For transparency, you also get foundational security sub-scores (WHOIS, DNS, SSL, Email) so you can see exactly where weaknesses come from.
What do the different security score ranges mean?

0-20 - Critical exposure. Severe findings requiring immediate action.

21-50 - High exposure. Significant findings that should be addressed promptly.

51-75 - Moderate exposure. Issues present that warrant review and scheduled remediation.

76-100 - Strong security posture. Few or no detected issues. Standard maintenance cadence is appropriate.

What is a security finding?
A security finding is a specific, named condition observed during a domain scan - for example "DMARC policy set to none", "TLS certificate expires in 11 days" or "No A records detected". Each finding carries a severity level (critical, high, medium or low), a description of the observed condition, and a recommended remediation action. Security findings are the building blocks of the score: every score deduction corresponds to one or more named findings.
Why did my domain's security score change between scans?
Score changes reflect changes in the underlying domain data. Common causes: a DNS record was added or removed, an SSL certificate approached an expiry threshold, a WHOIS expiration date was updated, a DMARC or SPF policy changed, or a new subdomain was discovered with high-risk characteristics. The timeline view shows exactly which factors changed and when.
What are security sub-scores and why do they matter?
The four foundational sub-scores (WHOIS, DNS, SSL, Email) are detailed breakdown views. They do not replace the major-axis weighting, but explain it. In practice: the global score comes from Exploitable/Hardening/Governance weighting, and the foundational sub-scores show which technical area is driving that result. Shifts of >=10 points in any foundational sub-score between scans are surfaced as distinct change events on the timeline.
How often is the scoring model updated?
The model is versioned and updated periodically to reflect new threat intelligence, rule improvements or weighting adjustments. Each scan stores the model version used, so historical scores remain interpretable after updates. Changes attributable to model updates are distinguishable from changes caused by real-world domain state changes.

Data Sources & Analysis

What WHOIS data is collected and analyzed?
Each scan collects registrar identity, creation date, expiration date, domain status flags (hold, lock, pending delete), nameservers from WHOIS and registrant privacy status. Security findings are raised for domains approaching expiration (at 90, 30, 14, 7 and 3-day thresholds), domains with no registrar lock, very young domains, unauthorized registrar changes and hidden registrant information.
Which DNS record types are monitored?
A (IPv4), AAAA (IPv6), MX (email routing), TXT (SPF and policies), CNAME and NS (nameservers) records are collected at the apex domain level. The same record types are also analyzed for each subdomain discovered during enumeration. Any change to these records between scan cycles is logged as a change event - nameserver changes are flagged as high-severity.
How is SSL/TLS certificate status analyzed?
The scan checks certificate validity status, issuing authority and days remaining until expiration. Security findings are raised for: invalid or untrusted certificates, certificates expiring within 30 days (with escalating severity at 14 and 7 days), and certificates that transition from valid to invalid between scans. All SSL status changes are tracked in the timeline.
What email security checks are performed (SPF, DKIM, DMARC)?
SPF is checked for presence and policy scope - particularly whether the domain uses permissive policies like +all. DMARC is checked for presence and enforcement level (none, quarantine or reject). DKIM checks are selector-aware. Crucially, the platform distinguishes between three states: not configured, misconfigured (present but weak) and compliant - avoiding false reassurance from a present-but-ineffective record.
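To make the three-state distinction concrete, here is an added example (not DomainRisk.io's own code) that classifies raw SPF and DMARC TXT records as not configured, misconfigured or compliant. The records in the test are constructed; treating a neutral ?all or a second SPF record as misconfigured is my extension of the rules the FAQ names.

```python
from typing import List, Tuple

def classify_spf(txt_records: List[str]) -> Tuple[str, str]:
    """Return (state, reason) for a domain's SPF posture from its apex TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "not configured", "no v=spf1 record"
    if len(spf) > 1:
        # Receivers treat multiple SPF records as a permanent error, so the policy is ineffective.
        return "misconfigured", "multiple SPF records (RFC 7208 allows exactly one)"
    terms = spf[0].split()[1:]
    # The final 'all' mechanism decides what happens to senders nothing else matched.
    final = terms[-1].lower() if terms else "+all"
    if final in ("+all", "all"):          # a bare 'all' carries the implicit '+' qualifier
        return "misconfigured", "permissive +all lets any host send as the domain"
    if final == "?all":
        return "misconfigured", "neutral ?all gives receivers no guidance"
    return "compliant", f"record ends with {final}"

def classify_dmarc(txt_records: List[str]) -> Tuple[str, str]:
    """Return (state, reason) for the TXT record(s) found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "not configured", "no v=DMARC1 record at _dmarc"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy is None:
        return "misconfigured", "p= tag missing, so receivers ignore the record"
    if policy == "none":
        # Present but not enforcing: spoofed mail is still delivered, only reported.
        return "misconfigured", "p=none monitors only; spoofed mail is still delivered"
    if policy == "quarantine":
        return "compliant", "p=quarantine enforced (p=reject is stronger)"
    if policy == "reject":
        return "compliant", "p=reject enforced"
    return "misconfigured", f"unrecognised policy {policy!r}"
```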
How does subdomain attack surface discovery work?
Every scan includes automated subdomain enumeration to discover subdomains associated with the monitored domain. For each discovered subdomain, a DNS analysis is performed (A, AAAA, CNAME, MX records). Results are risk-classified at three levels: low, medium and high. High-risk findings include dangling CNAMEs, subdomains with no valid resolution and subdomains associated with risky IP ranges.
What is a dangling CNAME and why is it dangerous?
A dangling CNAME is a DNS record that points to an external resource - an S3 bucket, Heroku app, GitHub Pages site, Azure endpoint - that no longer exists or is no longer claimed. If that resource can be registered by a third party (which is common with cloud providers), an attacker can host arbitrary content under your subdomain - phishing pages, malware or credential-harvesting forms - while appearing to be part of your legitimate domain. DomainRisk.io flags dangling CNAMEs as high-severity findings with a specific recommended action.
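The following is an added example (not DomainRisk.io's code) of how a dangling CNAME and a subdomain with no valid resolution can be told apart from a healthy alias. ZONE is a constructed, offline stand-in for DNS (a name missing from it is treated as NXDOMAIN); the lookup() helper and the "medium" rating for an unevaluable chain are my assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data: name -> record sets. Absent names are NXDOMAIN.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "www.example.test":   {"A": ["192.0.2.10"]},
    "blog.example.test":  {"CNAME": ["pages.hosting.example"]},
    "pages.hosting.example": {"A": ["192.0.2.20"]},
    "old.example.test":   {"CNAME": ["old-app.paas.example"]},      # target no longer exists
    "shop.example.test":  {"CNAME": ["cdn.example.test"]},
    "cdn.example.test":   {"CNAME": ["retired-bucket.storage.example"]},  # chained dangling
    "empty.example.test": {},                                        # exists, no address records
}

def lookup(name: str) -> Optional[Dict[str, List[str]]]:
    """Assumed helper: return the record sets for name, or None for NXDOMAIN."""
    return ZONE.get(name)

def classify_subdomain(name: str, max_hops: int = 8) -> Tuple[str, str]:
    """Follow the CNAME chain from name and return (risk, reason)."""
    current = name
    for _ in range(max_hops):
        records = lookup(current)
        if records is None:
            if current == name:
                return "high", "no valid resolution (NXDOMAIN)"
            # The alias exists but its target does not: this is the dangling case.
            return "high", f"dangling CNAME: target {current} does not exist"
        if records.get("CNAME"):
            current = records["CNAME"][0]   # follow the alias one hop further
            continue
        if records.get("A") or records.get("AAAA"):
            return "low", f"resolves via {current}"
        return "high", f"no valid resolution ({current} has no address records)"
    return "medium", "CNAME chain too long to evaluate; review manually"
```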

Alerts & Integrations

What events trigger an alert?
Alerts fire when a new finding at or above your configured severity level (High, Medium, or Low) is detected during a scan - for example, a DNS record change, an SSL certificate entering a critical expiry window, or a new high-severity security finding. Alert sensitivity is configured per domain by choosing a severity level.
How do I configure alert thresholds?

Alert sensitivity is configured per domain by selecting a minimum severity level: High, Medium, or Low. When a scan detects one or more findings at or above that level, an alert fires - by email, webhook, or both depending on your setup.

Choosing a higher level (High) reduces noise and ensures only urgent findings reach you. Choosing a lower level (Low) casts a wider net and includes all findings regardless of severity. You can set a different level per domain, so you can be strict on production assets and more permissive on secondary domains.

What does each alert severity level cover - and which should I choose?

The severity threshold filters which finding types trigger an alert. Here is exactly what each level covers:

High

Alerts fire only for the most severe findings: imminent SSL expiry (<= 7 days), DMARC entirely absent, nameserver change detected, domain expiring within 3 days, dangling CNAME with confirmed takeover risk, missing A record, unauthorized registrar change.

Best for: Production and brand-critical domains. Maximum signal-to-noise ratio - only actionable, urgent issues reach your inbox.

Medium

Everything above, plus: SSL expiry <= 30 days, DMARC policy set to none, SPF overly permissive (+all), registrar lock absent, very young domain age, DMARC in quarantine (not reject), new subdomains discovered, security sub-score drops of >= 10 points.

Best for: Most teams. Catches real threats and gradual degradation before they become critical - without excessive noise. Recommended default.

Low (all)

All findings at any severity - including informational observations such as WHOIS privacy enabled, SSL expiry <= 60 days, domain age under 1 year, or minor DNS record additions with no direct threat implication.

Best for: Audit-intensive environments, due-diligence monitoring of newly acquired domains, or testing your alerting pipeline.

Recommended starting point: set severity to Medium. This catches meaningful threats without flooding your inbox, and gives you a baseline you can tighten or relax per domain over time.

How does webhook delivery work?
When an alert condition is met, DomainRisk.io sends an HTTP POST to your configured webhook URL with a structured JSON payload. The payload includes the domain name, event type, security score, top security findings with severity and recommended actions, and a change summary. Webhook delivery is available on plans that include webhook endpoints.
What data is included in webhook payloads?
Each payload includes: domain name and scan timestamp, event type (scan complete / alert triggered / change detected), current and previous security score, scoring model version, top security findings with type / severity / message / recommended action, and a change summary. The structured format is designed for direct ingestion by SIEM platforms, ticketing systems and custom automation pipelines.
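As an added example (not DomainRisk.io's code or schema), the block below applies the per-domain severity threshold described under "How do I configure alert thresholds?" and builds a webhook-style JSON payload carrying the fields listed above. The field names (domain, scan_timestamp, event_type, score, previous_score, model_version, findings, change_summary) and the sample findings are constructed assumptions.

```python
import json
from typing import Dict, List, Optional

# Finding severities from the FAQ (critical/high/medium/low), ranked for comparison.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings shaped like the FAQ's examples.
SAMPLE_FINDINGS: List[Dict] = [
    {"type": "dmarc_policy_none", "severity": "medium",
     "message": "DMARC policy set to none",
     "recommended_action": "Move to p=quarantine, then p=reject once reports are clean"},
    {"type": "tls_expiry", "severity": "high",
     "message": "TLS certificate expires in 7 days",
     "recommended_action": "Renew the certificate before it expires"},
    {"type": "whois_privacy", "severity": "low",
     "message": "WHOIS privacy enabled",
     "recommended_action": "Informational; no action required"},
]

def findings_at_or_above(findings: List[Dict], min_severity: str) -> List[Dict]:
    """Keep findings that meet the domain's configured alert level, most severe first."""
    floor = SEVERITY_RANK[min_severity.lower()]
    kept = [f for f in findings if SEVERITY_RANK[f["severity"].lower()] >= floor]
    return sorted(kept, key=lambda f: SEVERITY_RANK[f["severity"].lower()], reverse=True)

def build_alert_payload(domain: str, scan_ts: str, score: int, previous_score: Optional[int],
                        model_version: str, findings: List[Dict], min_severity: str,
                        change_summary: str, top_n: int = 5) -> Optional[str]:
    """Return the JSON to POST to the webhook, or None when nothing crosses the threshold."""
    alerting = findings_at_or_above(findings, min_severity)
    if not alerting:
        return None   # the scan completed, but no alert fires at this sensitivity
    payload = {
        "domain": domain,
        "scan_timestamp": scan_ts,
        "event_type": "alert_triggered",     # other assumed values: scan_complete, change_detected
        "score": score,
        "previous_score": previous_score,
        "model_version": model_version,      # lets consumers separate model updates from real change
        "findings": alerting[:top_n],        # "top findings": the head of the severity-sorted list
        "change_summary": change_summary,
    }
    return json.dumps(payload, indent=2)
```

A SIEM or ticketing consumer can route on event_type and the first finding's severity without any further API calls, which is the point the FAQ makes about the payload being self-contained.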
Which tools does DomainRisk.io integrate with?
Any tool that accepts HTTP webhooks - including Slack (incoming webhooks), PagerDuty, Jira, ServiceNow, Microsoft Teams, Splunk and custom SIEM or SOAR platforms. Email alerts work with any address. The structured webhook payload provides all the data needed to build custom automation workflows without additional API calls.

Reports & Exports

What is included in a PDF domain report?
PDF reports span 13 structured sections: executive summary with security posture narrative, scored findings ranked by severity, WHOIS evidence and registrar details, DNS record snapshot with change flags, SSL/TLS certificate status and expiry timeline, email authentication posture (SPF / DKIM / DMARC), subdomain inventory with per-entry risk classification, dangling CNAME and takeover exposure findings, score history and security sub-score trend overview, change timeline with snapshot diffs, recommended actions per finding, compliance checklist and raw evidence appendix.
How do CSV exports work?
CSV exports provide raw scan data in a flat, machine-readable format. The export includes domain metadata, security scores, security sub-scores, all security findings with severity and recommended actions, and DNS record snapshots. Use CSV exports to feed data into spreadsheets, SIEM platforms or custom reporting pipelines.
Can I generate a report at any time, or only after scheduled scans?
Reports can be generated on demand at any time from the domain detail view, based on the most recently completed scan. To ensure the report reflects the latest live state, trigger a manual refresh before generating - the report will be built from the fresh scan data.
How are reports used for compliance and audits?
PDF reports include a compliance checklist summarising the status of key domain security controls across WHOIS, DNS, SSL and email authentication. The change timeline provides a dated, auditable trail of all detected changes - suitable for demonstrating continuous monitoring to internal or external auditors. The scoring model version stored with each scan ensures historical reports remain traceable and defensible over time.

Plans & Billing

What is the difference between plans?
Plans differ in domain count, scan frequency, PDF report allowance, manual refresh allowance and webhook endpoint count. The full monitoring stack (WHOIS, DNS, SSL, email auth, subdomains), explainable security scoring, change detection, timeline history, email alerts and CSV exports are included on every plan. Higher tiers add daily scans, priority queue, more webhooks and larger domain ceilings. See the pricing page for the full breakdown.
Can I upgrade or downgrade at any time?
Yes. Plan changes take effect immediately. Upgrades grant access to new capabilities right away. When downgrading, if your active domain count exceeds the new limit, you will be prompted to reduce your portfolio before the change is applied.
What happens when my free trial ends?
The free plan has no time limit - it never expires on its own. If you upgrade to a paid plan and later cancel, your account reverts to free plan limits rather than being deleted. Your data and monitored domains remain accessible.
Is there a plan designed for agencies managing multiple clients?
Yes. The Agency plan is designed for MSSPs and security consultants monitoring domain portfolios across multiple client accounts. It includes a high domain ceiling, priority queue processing, expanded webhook endpoints and unlimited PDF reports. Contact us for volume requirements or custom configurations.
What payment methods are accepted?
Paid plans are processed via Stripe. Accepted methods include major credit and debit cards (Visa, Mastercard, American Express). For agency or enterprise arrangements, contact the sales team to discuss alternative options.

Security & Privacy

Is my account and domain data secure?
Yes. Account credentials are stored using bcrypt hashing - no plaintext passwords are ever stored or transmitted. All data in transit is encrypted via HTTPS/TLS. Domain scan data is stored with access controls that enforce per-user isolation. Two-factor authentication (2FA) is available to protect your account login.
What data does DomainRisk.io collect about monitored domains?
DomainRisk.io collects only publicly available data - the same information anyone can access via public WHOIS lookups and DNS queries. This includes WHOIS registration data, DNS record values, SSL certificate metadata and email-authentication policy records (SPF, DKIM, DMARC). No proprietary or private domain data is accessed. Scan results are stored in your account only.
Can other users or accounts see my monitored domains?
No. Your domain portfolio is private to your account. Domain data, scan results, security scores, findings and reports are not visible to other users and are never shared across accounts. Access is enforced at the data layer, not just the UI.
Can I monitor domains I don't own?
The platform collects only public data, so any registered domain can technically be added. Legitimate use cases include monitoring vendor or partner domains before onboarding, assessing acquisition targets during due diligence, investigating suspicious domains during threat intelligence work, or tracking competitor domain hygiene. Use of the platform must comply with the terms of service.

Still have questions?

Our team is happy to walk you through any scenario. Or just start free and see the platform answer your questions directly.