Platform Features

Domain risk intelligence,
signal by signal

DomainRisk.io runs 50+ deterministic security checks across WHOIS, DNS, SSL/TLS, email authentication and subdomain infrastructure. Findings are correlated into named attack scenarios, a 90-day volatility signal, and an explainable weighted security score — every deduction traced to a named issue and a concrete remediation step.

Free trial — no credit card required
50+ checks · 5 intelligence sources
Deterministic attack scenario correlation

5 Data Sources · 50+ Security Checks · 8 Attack Scenarios · 3 Scoring Axes · 0–100 Score Range · PDF + CSV Audit Exports

How domain risk monitoring works

From domain registration to alert delivery, every step is queued, traceable and auditable — no black boxes, no silent failures.

1. Add Your Domain

Register any domain with your preferred scan frequency, alert threshold and notification channel. No limit on TLD or registrar.

2. Queue a Scan Job

Scan requests enter a durable queue processed by background workers. Your dashboard stays responsive regardless of portfolio size or scan volume.

3. Collect & Score

WHOIS, DNS, SSL/TLS, email authentication and subdomain signals are fetched in parallel, normalised, and scored across three weighted axes. Optional RFC1035 zone import extends coverage to every record in your zone.

4. Correlate & Detect

Every snapshot is compared to the previous one. The deterministic scenario engine then correlates findings into named attack scenarios — with severity, evidence and recommended action.

5. Alert & Report

Alerts fire via email and webhook for raw findings and correlated attack scenarios. PDF and CSV exports give your team audit-ready evidence for every finding and recommendation.

Six intelligence layers. One security score.

Each monitored domain is assessed across six distinct data layers — 50+ individual checks in total. Together they produce a single weighted security score with full explainability at the factor level, every deduction traced to a named issue and a concrete action.

WHOIS Intelligence

Track the full ownership and registration lifecycle of every domain — from creation date through expiration status, registrar identity and administrative flags.

  • Registrar identity and unauthorized transfer detection
  • Multi-stage expiration alerts (90, 30, 14, 7, 3 days)
  • Lifecycle status flags — hold, lock, pendingDelete, redemption, pendingTransfer
  • Missing registrar locks — transfer-prohibited, update-prohibited
  • Registrant privacy and domain age risk signals (<3 months, <1 year)
  • WHOIS vs DNS nameserver mismatch detection

DNS Record Surveillance

Monitor every critical DNS record type for unauthorized changes. A single nameserver replacement can redirect your entire domain — traffic, email and APIs — in minutes.

  • A, AAAA, MX, TXT, CNAME, NS and CAA records tracked
  • Nameserver changes flagged as high-severity events
  • CAA record audit — missing issue/issuewild directives, unknown critical tags
  • DNSSEC status tracking — validated, unsigned, broken validation
  • Cross-scan diff view — additions and deletions highlighted
  • RFC1035 DNS zone import for exhaustive coverage (hidden hosts, DKIM selectors, stale CNAMEs)

SSL/TLS & HTTP Security Headers

Certificate expiry causes outages; missing HTTP security headers create XSS, clickjacking and data-leakage vectors. DomainRisk.io audits both layers on every scan.

  • Certificate validity, issuer and SAN/CN hostname coverage
  • Expiry alerts at 60, 30, 14 and 7 days; validity window anomalies (<30 or >430 days)
  • HSTS — presence, max-age strength (≥15 552 000 s) and includeSubDomains flag
  • Content-Security-Policy — absence and permissive directives (unsafe-inline, wildcards)
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Score guardrail: global score floor enforced on web-facing domains without valid TLS
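
As an added example, not DomainRisk.io's own code, here is a header audit in Python implementing the HSTS, CSP and hardening-header checks listed above; the finding ids, the severity labels and the two sample responses are assumptions.

```python
"""HTTP security header audit modelled on the checks listed above.
The HSTS threshold and the header set are the page's; finding ids,
severity labels and the sample responses are assumptions for this example."""
import re

HSTS_MIN_MAX_AGE = 15_552_000  # seconds (180 days), the threshold quoted above
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options",
                    "referrer-policy", "permissions-policy")

def audit_headers(headers):
    """headers: response header name -> value (any letter case).
    Returns a list of (finding_id, severity); an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts_missing", "high"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0  # a missing max-age counts as 0
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(("hsts_max_age_weak", "medium"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("hsts_no_include_subdomains", "low"))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("csp_missing", "medium"))
    else:
        for directive in csp.split(";"):  # one directive per segment
            parts = directive.split()
            if not parts:
                continue
            name, sources = parts[0].lower(), [s.lower() for s in parts[1:]]
            if "'unsafe-inline'" in sources:
                findings.append((f"csp_unsafe_inline:{name}", "medium"))
            if any("*" in s for s in sources):  # wildcard source list
                findings.append((f"csp_wildcard:{name}", "medium"))
    for name in EXPECTED_HEADERS:
        if name not in h:
            findings.append((f"missing:{name}", "low"))
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {"Strict-Transport-Security": "max-age=86400",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://*",
        "X-Frame-Options": "DENY"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=()"}
```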

Email Security Analysis

SPF, DMARC, DKIM, MTA-STS and TLS-RPT posture determine whether your domain can be impersonated or your mail transport intercepted. Weak or missing configurations are surfaced with explicit severity and policy fixes.

  • SPF record presence, policy scope and include-chain complexity (>8 lookups)
  • DMARC enforcement — none, quarantine, reject; partial pct flagged
  • Selector-aware DKIM checks; zone import validates all selectors exhaustively
  • MTA-STS TXT record + HTTPS policy file audit (mode, max_age, MX entries)
  • TLS-RPT presence and rua endpoint validation
  • Three-state distinction — missing vs. misconfigured vs. compliant

Subdomain Attack Surface Discovery

Your subdomain inventory is part of your attack surface. Every scan enumerates and analyses discovered subdomains for DNS misconfigurations, takeover exposure, remote access leakage and weak mail posture.

  • Automated subdomain enumeration on every scan
  • Dangling CNAME detection — S3, Heroku, GitHub Pages and other cloud providers
  • Sensitive pattern exposure — admin, vpn, staging, cpanel, dev
  • Remote access leakage — RDP (3389), SSH (22), FTP (21) confirmed on public IPs
  • SMTP service probe on mail-enabled subdomains (ports 25, 465, 587)
  • Per-subdomain risk classification — low, medium, high; acknowledgements suppress false positives

Change Detection & Audit Timeline

Every scan produces an immutable snapshot compared to the previous one. Changes — a DNS record, a 10-point score drift, a new critical finding, an ASN hop — are logged to an auditable timeline.

  • Registrar, expiration, nameservers, DNS records (A/AAAA/MX/TXT/CNAME/NS/CAA)
  • ASN routing changes — Web (A/AAAA), Mail (MX), DNS (NS) independently tracked
  • Security sub-score drift ≥10 points surfaced as distinct timeline events
  • New critical and high findings flagged as dedicated events
  • Full evidence trail for incident response and compliance audit

Key Differentiator

Deterministic attack scenario correlation

Most tools report raw findings. DomainRisk.io goes further: a deterministic correlation engine maps combinations of findings to named, actionable attack scenarios — no AI hallucinations, no guesswork. Each scenario carries an attack vector, impact assessment, likelihood rating and supporting evidence. Scenarios are tracked across scans: you are alerted on new detections, severity escalations, resolutions and regressions.

Email Spoofing Risk

Triggered when SPF is absent and SMTP service is active. Escalates to Critical when DMARC is also absent on a mail-active domain. Suppressed when a known provider with active DKIM alignment is detected.

Severity: High / Critical

Brand Impersonation Risk

SPF absent + DMARC absent + MX present on an active domain. Downgraded when a trusted mail provider with DKIM alignment and valid DMARC is confirmed.

Severity: High / Critical

Potential Admin Takeover

Dangling CNAME on a sensitive host pattern (admin, vpn, panel, cpanel). Escalates to Critical when takeover is confirmed via HTTP error signature or registrable target WHOIS availability.

Severity: High / Critical

Remote Access Exposure

RDP (3389), SSH (22) or FTP (21) confirmed open on a public subdomain IP. Only ports with confirmed open state are counted — filtered ports are excluded to avoid false positives.

Severity: Medium / High

User Traffic Interception

Web-facing domain with invalid or absent TLS. Critical for missing TLS or CN/SAN mismatch on the primary hostname; High for expired certificates; Medium for secondary self-signed certificates.

Severity: High / Critical

DNS Hijack Signal

Strict correlation: registrar change + NS change within ≤14 days + volatility spike. Bonus weight when the new NS provider was never previously observed in the domain's history.

Severity: High

Mail Transport Downgrade

Active mail infrastructure without MTA-STS and/or TLS-RPT, leaving SMTP opportunistic encryption unverified and reporting blind. High when external MX provider detected; Medium when only TLS-RPT is absent.

Severity: Medium / High

Infrastructure Single Point of Failure

Web, DNS and mail routing concentrated on one provider or ASN. Critical when all three converge on the same operator; High when DNS and web share the same ASN.

Severity: Medium / Critical
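
As an added example, not the product's own engine, here is a small deterministic rules engine in Python for three of the scenarios above (Email Spoofing Risk, Remote Access Exposure, DNS Hijack Signal) together with the new/escalation/resolution/regression tracking between scans; the findings schema, the Medium/High split for Remote Access Exposure and the sample scans are assumptions.

```python
"""Deterministic correlation of normalised findings into the named scenarios
described above (Email Spoofing Risk, Remote Access Exposure, DNS Hijack
Signal), plus scan-to-scan event tracking. The rule conditions follow the
page; the findings schema, the Medium/High split for Remote Access Exposure
and the sample scans are assumptions for this example."""
from datetime import date

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}
REMOTE_ACCESS_PORTS = {3389, 22, 21}  # RDP, SSH, FTP

def correlate(f):
    """f: one scan's normalised findings. Returns {scenario_key: severity}."""
    out = {}
    # Email Spoofing Risk: SPF absent on a mail-active domain; Critical when
    # DMARC is absent too; suppressed when a known provider aligns DKIM.
    if not f["spf_present"] and f["smtp_active"]:
        if not (f["known_provider"] and f["dkim_aligned"]):
            out["email_spoofing"] = "critical" if not f["dmarc_present"] else "high"
    # Remote Access Exposure: only ports confirmed "open" count; "filtered"
    # results are ignored so scanner noise does not raise a scenario.
    open_ports = {p for p, state in f["ports"].items()
                  if p in REMOTE_ACCESS_PORTS and state == "open"}
    if open_ports:
        out["remote_access"] = "high" if 3389 in open_ports else "medium"  # assumed split
    # DNS Hijack Signal: registrar change and NS change within 14 days of each
    # other, together with a volatility spike.
    rc, nc = f["registrar_change_on"], f["ns_change_on"]
    if rc and nc and abs((rc - nc).days) <= 14 and f["volatility_spike"]:
        out["dns_hijack"] = "high"
    return out

def track(prev, cur, resolved_before):
    """Compare two scans' scenario maps; returns [(scenario_key, event)].
    resolved_before: keys resolved in earlier scans, used to spot regressions."""
    events = [(k, "resolution") for k in prev if k not in cur]
    for k, sev in cur.items():
        if k not in prev:
            events.append((k, "regression" if k in resolved_before else "new"))
        elif SEVERITY_RANK[sev] > SEVERITY_RANK[prev[k]]:
            events.append((k, "escalation"))
    return events

# Constructed scans: SPF already missing; the second scan loses DMARC, closes
# SSH, and shows a registrar transfer and an NS flip eight days apart.
SCAN_1 = {"spf_present": False, "dmarc_present": True, "smtp_active": True,
          "known_provider": False, "dkim_aligned": False,
          "ports": {22: "open", 3389: "filtered"},
          "registrar_change_on": None, "ns_change_on": None,
          "volatility_spike": False}
SCAN_2 = dict(SCAN_1, dmarc_present=False, ports={22: "closed"},
              registrar_change_on=date(2024, 5, 1),
              ns_change_on=date(2024, 5, 9), volatility_spike=True)
```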

Business Risk Signal

Volatility Score — 90-day domain stability signal

The Volatility Score tracks domain change activity over a rolling 90-day window and compresses it into a 0–100 instability index. Registrar changes, nameserver flips, SSL invalidation events and new subdomain discoveries each contribute weighted signals — with deduplication to prevent inflated scores on high-frequency scan schedules.

Use Volatility Score for vendor risk due diligence, acquisition screening, portfolio prioritisation, or as an early-warning indicator for domains drifting toward instability before the security score reflects it.

Registrar changes (×3)

Highest-weight signal — registrar transfers are rare and almost always high-risk.

Nameserver changes (×2)

NS delegation changes carry double weight as high-impact infrastructure events.

SSL invalid events (×2)

Certificate becoming invalid mid-scan window signals operational instability.

DNS record changes (×1)

A, AAAA, MX, NS, TXT, CNAME and CAA additions or deletions.

New subdomain discoveries (×1)

Newly enumerated subdomains expanding the external attack surface.

Anti-noise deduplication

Signals are aggregated per day per type — frequent rescans of the same domain do not artificially inflate the score.
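As an added example, not the product's own code, here is the Volatility Score computation in Python with the page's weights, the 90-day window and per-day-per-type deduplication; the linear compression to 0–100 (saturating at 30 weighted points), the event schema and the sample history are assumptions.

```python
"""Volatility Score as described above: weighted change events over a rolling
90-day window, one event per day per type, compressed to a 0-100 index.
The weights and window are the page's; the saturation constant, the event
schema and the sample history are assumptions for this example."""
from datetime import date, timedelta

WEIGHTS = {"registrar_change": 3, "ns_change": 2, "ssl_invalid": 2,
           "dns_record_change": 1, "new_subdomain": 1}
WINDOW_DAYS = 90
SATURATION = 30  # assumed: weighted points at which the index reads 100

def windowed_unique_events(events, today):
    """Keep events inside the window, deduplicated per (day, type)."""
    cutoff = today - timedelta(days=WINDOW_DAYS)
    return {(day, kind) for day, kind in events
            if kind in WEIGHTS and cutoff <= day <= today}

def volatility_score(events, today):
    """events: iterable of (date, event_type) from the scan history.
    Returns (score 0-100, weighted points, per-type event counts)."""
    kept = windowed_unique_events(events, today)
    points = sum(WEIGHTS[kind] for _, kind in kept)
    by_type = {}
    for _, kind in kept:
        by_type[kind] = by_type.get(kind, 0) + 1
    return min(100, round(100 * points / SATURATION)), points, by_type

# Constructed history: a registrar transfer followed by an NS flip that was
# reported again on two rescans the same day, plus one event outside the window.
TODAY = date(2024, 6, 30)
HISTORY = [
    (date(2024, 3, 1), "ssl_invalid"),          # older than 90 days: ignored
    (date(2024, 6, 1), "registrar_change"),
    (date(2024, 6, 2), "ns_change"),
    (date(2024, 6, 2), "ns_change"),            # rescan, same day: deduplicated
    (date(2024, 6, 2), "ns_change"),
    (date(2024, 6, 10), "dns_record_change"),
    (date(2024, 6, 10), "dns_record_change"),   # same day, same type: once
    (date(2024, 6, 20), "new_subdomain"),
]
```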

Transparent, weighted security scoring

The Global Security Score is not a black box. It is built from three weighted axes — Exploitable Risk (50%), Hardening Gaps (30%) and Governance (20%). Every contributing factor is named, explained and linked to a specific remediation action.

A critical guardrail enforces a score ceiling of 30/100 whenever any Exploitable Risk finding is rated Critical — ensuring severe vulnerabilities are never masked by strong governance scores. Scores are tied to a versioned model so comparisons across time remain defensible even after model updates.

Exploitable Risk (50%)

Hardening Gaps (30%)

Governance (20%)

Versioned scoring model

Each scan stores the model version used. Score comparisons across time remain meaningful and defensible even after model updates.

Critical guardrail

Any Critical-severity Exploitable Risk finding caps the global score at 30/100 — a strong governance posture cannot compensate for an actively exploitable vulnerability.

Explainable factors with actions

Every score deduction traces to a named factor with severity, evidence and a concrete remediation step — not just a label.

Sub-score drift detection

Shifts of ≥10 points in any axis are surfaced as change events — catching degradation before it crosses a critical threshold.

Machine-readable outputs

Webhook payloads include model version, top factors with severity, a change summary and recommended actions in structured JSON — ready for SIEM, ticketing or custom automation.
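As an added example, not the product's own code, here is the Global Security Score in Python with the three axis weights, the 30/100 Critical guardrail, the ≥10-point sub-score drift events and a webhook-style payload; the factor schema, the deduction values, the model version string and the payload field names are assumptions.

```python
"""Global Security Score with the three weighted axes, the Critical guardrail
cap, >=10-point sub-score drift events and a webhook-style payload. Axis
weights, the 30/100 cap and the drift threshold are the page's; the factor
schema, deduction values, model version and payload fields are assumptions."""

AXIS_WEIGHTS = {"exploitable_risk": 0.5, "hardening_gaps": 0.3, "governance": 0.2}
GUARDRAIL_CAP = 30
DRIFT_THRESHOLD = 10
MODEL_VERSION = "example-model-v0"  # placeholder, not a real model version

def axis_scores(factors):
    """Each axis starts at 100 and loses the deductions of its named factors."""
    scores = {axis: 100 for axis in AXIS_WEIGHTS}
    for f in factors:
        scores[f["axis"]] = max(0, scores[f["axis"]] - f["deduction"])
    return scores

def global_score(factors):
    """Returns (score, guardrail_applied). Any Critical Exploitable Risk
    finding caps the weighted composite at GUARDRAIL_CAP."""
    scores = axis_scores(factors)
    composite = round(sum(scores[a] * w for a, w in AXIS_WEIGHTS.items()))
    critical = any(f["axis"] == "exploitable_risk" and f["severity"] == "critical"
                   for f in factors)
    return (min(composite, GUARDRAIL_CAP), True) if critical else (composite, False)

def drift_events(prev_axes, cur_axes):
    """Sub-score shifts of DRIFT_THRESHOLD or more, as (axis, delta) events."""
    return [(a, cur_axes[a] - prev_axes[a]) for a in AXIS_WEIGHTS
            if abs(cur_axes[a] - prev_axes[a]) >= DRIFT_THRESHOLD]

def webhook_payload(domain, prev_factors, factors):
    """Structured event for SIEM or ticketing consumers (field names assumed)."""
    score, capped = global_score(factors)
    top = sorted(factors, key=lambda f: f["deduction"], reverse=True)[:3]
    drift = drift_events(axis_scores(prev_factors), axis_scores(factors))
    return {"domain": domain, "model_version": MODEL_VERSION,
            "global_score": score, "guardrail_applied": capped,
            "top_factors": [{"id": f["id"], "severity": f["severity"]} for f in top],
            "change_summary": [{"axis": a, "delta": d} for a, d in drift],
            "recommended_actions": [f["action"] for f in top]}

# Constructed factor lists: the current scan adds a Critical TLS finding.
PREVIOUS = [
    {"id": "hsts_missing", "axis": "hardening_gaps", "severity": "medium",
     "deduction": 10, "action": "Send Strict-Transport-Security with max-age >= 15552000"},
    {"id": "registrar_lock_missing", "axis": "governance", "severity": "medium",
     "deduction": 20, "action": "Enable the transfer-prohibited lock at the registrar"},
]
CURRENT = PREVIOUS + [
    {"id": "tls_missing", "axis": "exploitable_risk", "severity": "critical",
     "deduction": 40, "action": "Deploy a valid certificate on the primary hostname"},
]
```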

Alerts and integrations that fit your workflow

Get notified when it matters — via email for human review, or via webhook for automated response pipelines. Alert coverage spans both raw findings and correlated attack scenarios, with per-domain threshold control to eliminate noise on low-risk assets.

Email Alerts

Instant notifications when risk thresholds are crossed, DNS records change, SSL certificates approach expiry or a new attack scenario is detected.

Webhook Delivery

Enriched JSON payloads with model version, top risk factors, change summary and machine-readable recommended actions — ready for Slack, PagerDuty, Jira or your own pipeline.

Scenario Event Notifications

Distinct events for new scenarios, severity escalations, resolutions and regressions. Critical scenarios fire immediately; a 2-scan stability gate prevents noise from transient states. 24-hour cooldown per scenario key.

Configurable Thresholds

Set minimum score or severity level per domain. Opt into Medium-severity scenario alerts. Stay sharp on critical assets without drowning in noise from low-risk ones.

Audit-ready PDF and CSV reports

Every domain scan produces a downloadable report suitable for internal audits, executive briefings, MSSP client deliverables and compliance evidence packages.

PDF reports span 13 structured sections — from the executive summary and scored findings to the HTTP header audit, change timeline, recommended actions and compliance checklist. CSV exports give analysts raw data for custom processing or SIEM ingestion.

Report contents — 13 sections

1. Executive summary with security posture narrative
2. Scored findings ranked by severity and category
3. WHOIS details and registrar evidence
4. DNS record snapshot with change flags
5. SSL/TLS certificate status and expiry timeline
6. HTTP security header audit (HSTS, CSP, X-Frame-Options, …)
7. Email authentication posture — SPF, DKIM, DMARC, MTA-STS, TLS-RPT
8. Subdomain inventory with per-entry risk classification
9. Dangling CNAME and takeover exposure findings
10. Score history and security sub-score trend overview
11. Change timeline with snapshot diffs and ASN routing changes
12. Recommended actions mapped to each finding
13. Compliance checklist and raw evidence appendix

Frequently asked questions

Everything you need to know about how the platform works.

What domains can DomainRisk.io monitor?
Any registered domain accessible via public WHOIS and DNS — regardless of TLD or registrar. Monitor primary brand domains, acquired assets, partner domains, subsidiary domains or any domain relevant to your risk scope.

How is the Global Security Score calculated?
The Global Security Score is a weighted composite across three axes: Exploitable Risk (50%), Hardening Gaps (30%) and Governance (20%). Each axis is scored 0–100 based on detected findings, then combined. A critical guardrail caps the global score at 30 whenever a Critical-severity Exploitable Risk finding is present — preventing a strong governance posture from masking a severe vulnerability. Foundational WHOIS, DNS, SSL and Email sub-scores are also provided to explain where issues originate.

What is the Attack Scenario Generator and how is it different from raw findings?
Raw findings (e.g. "SPF absent") tell you what is misconfigured. The Attack Scenario Generator correlates multiple findings to answer the question your security team actually cares about: what can an attacker do with this? It uses a deterministic rules engine — no AI, no hallucinations — to produce named scenarios such as Email Spoofing Risk or DNS Hijack Signal, each with an attack vector, impact rating, likelihood and evidence. Scenarios are tracked over time: you receive alerts on new detections, severity escalations, resolutions and regressions.

What is the Volatility Score?
The Volatility Score is a 0–100 business risk signal computed from weighted change events over a rolling 90-day window. Registrar changes (×3), nameserver changes (×2), SSL invalidation (×2), DNS record changes (×1) and new subdomain discoveries (×1) all contribute. A deduplication layer prevents high-frequency rescans from inflating the score. Use it for vendor due diligence, acquisition screening or portfolio triage.

How quickly are domain changes detected?
Changes are detected on the next completed scan after they occur. Scan frequency is configurable from daily to weekly. For critical assets, daily monitoring minimises detection lag for high-severity events such as a nameserver replacement or registrar transfer.

Does DomainRisk.io detect subdomain takeover risks?
Yes. Every scan includes automated subdomain enumeration followed by DNS analysis on each discovered subdomain. Dangling CNAMEs pointing to unclaimed cloud resources — S3 buckets, Heroku, GitHub Pages and others — are flagged as high-severity findings. Takeover confirmation uses HTTP response error signatures and WHOIS availability checks on the registrable target domain.

Do you audit HTTP security headers?
Yes. For all web-facing domains DomainRisk.io checks HSTS (presence, max-age ≥15 552 000 s, includeSubDomains), Content-Security-Policy (presence and permissive directives such as unsafe-inline or wildcard sources), X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Missing or permissive headers are classified as Hardening Gaps with specific remediation recommendations.

Can I import my DNS zone file for full DNS security coverage?
Yes. DomainRisk.io supports RFC1035 DNS zone file import to extend coverage beyond API and passive discovery. This improves completeness for hidden subdomains, DKIM selectors, stale CNAME records and legacy DNS entries. Zone import is read-only and used only for analysis.

What formats are available for domain security reports?
PDF reports include 13 structured sections: executive summary, scored findings, WHOIS and DNS evidence, SSL and email-auth posture, HTTP security header audit, subdomain inventory, timeline changes, recommended actions and a compliance checklist. CSV exports provide raw scan data suitable for SIEM import or custom reporting.

Can DomainRisk.io integrate with my existing security tools?
Yes. Webhook delivery is available for all alert and scan events. Each payload includes the scoring model version, top risk factors with severity, a change summary and machine-readable recommended actions — ready to feed into SIEM platforms, Jira, ServiceNow, Slack or PagerDuty.

Start monitoring your domains today

Free trial, no credit card required. Add your first domain, run a full scan across all five intelligence layers, and download an audit-ready report in minutes.