PassiveTotal centralizes numerous data sets into a single platform, making it easier for our community and customers to conduct infrastructure analysis. Our primary focus is to provide as much data as possible about Internet infrastructure.

Resolutions - Passive DNS
Passive DNS is a system of record that stores DNS resolution data for a given location, record and time period. This historical resolution data set allows analysts to view which domains resolved to an IP address and vice verse. This data set allows for time based correlation based on domain or IP overlap.

A protocol that lets anyone query for information about a domain, IP address, or subnet. One of the most common functions for WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared within the WHOIS record content.

SSL Certificates
SSL certificates are files that digitally bind a cryptographic key to a set of user-provided details. Using internet-scanning techniques, PassiveTotal collects SSL certificate associations from IP addresses on various ports. These certificates are stored inside of a local database and allow us to create a timeline for where a given SSL certificate appeared on the Internet.

Malicious software used in attacks or found on the Internet. Outlines capabilities, intent and motives of an attacker. Aids in connecting back to infrastructure.

Open Source Intelligence
Long and short form reporting developed by individuals and companies combined with data feeds of known bad infrastructure. This data set provides context to the actors, campaign or malicious infrastructure.

Trackers are unique codes or values found within web pages and often used to track user interaction. These codes can be used to correlate a disparate group of websites to a central entity.

Our tracker data set includes IDs from providers like Google, Yandex, Mixpanel, New Relic, Clicky and is continuing to grow on a regular basis.

Host Pairs
Host pairs are two domains (a parent and a child) that shared a connection observed from a RiskIQ crawl. The connection could range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference.


Web components are details describing a web page or server infrastructure gleaned from RiskIQ performing a web crawl or scan.  These components allow an analyst to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure.  

Pivoting on unique components can find actors infrastructure or other sites that are compromised.  Analysts can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.


Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain state for the application or little bits of tracking data.  RiskIQ highlights and indexes cookie names observed when crawling a website and allows analysts to dig into everywhere RiskIQ has observed specific cookie names across its crawling and data collection.