External Threats

Product Description

RiskIQ External Threats automates the detection, monitoring, and remediation of fraudulent websites, domains, social profiles, and mobile apps impersonating an organization.

As businesses evolve and move more processes and interactions online, cyber-criminals are exploiting digital channels to launch new types of attacks. The RiskIQ platform enables security and anti-fraud teams to effectively manage Internet threats, including phishing, domain infringement, rogue mobile apps, social media impersonation, and brand-lure malware impacting their organization and its customers.

External Threats leverages information about an organization's legitimate digital presence to inform detection configuration as well as pricing. Licensing tiers are based on the rough number of unique hostnames under management, which serves as an indicator of the likely volume of threats targeting the organization's brands. External Threats is an all-in-one package with RiskIQ Managed Intelligence Services included to act as an extension of your team, tuning workspace configurations and assisting with alert triage and mitigation efforts. 

Threat Detection

RiskIQ leverages its Internet intelligence datasets and proprietary virtual user technology to automate and streamline the detection and monitoring of threats over time. Virtual users closely simulate human Internet users in the ways they discover, analyze, and interact with web content in order to uncover previously unknown threats targeting specific user demographics and circumvent cloaking techniques used by criminals to evade detection. RiskIQ enriches the observations captured by virtual users with the intelligence gathered by the full RiskIQ platform, including the knowledge of what legitimate assets the organization has and what they look like, in order to contextualize risks and prevent false positives. 

When threats are detected, RiskIQ automatically creates alerts in the form of events within the platform and schedules virtual users to re-examine the threat resource at scheduled intervals to observe changes over time and track the entire lifecycle of a threat.

RiskIQ’s vast Virtual User network includes:

  • A diversified bank of IP addresses from hundreds of geographic locations
  • All major browsers, both desktop and mobile
  • Algorithms to initiate crawlers from configurable search queries, API integrations, or on specific pages and follow links to simulate referred traffic
  • Algorithms to simulate clicking through a page as an intentioned user would rather than a bot systematically or randomly clicking links
  • The ability to extract, normalize, and target key attributes from social media profiles and mobile app store pages

Full records of virtual user sessions, including screenshots, the captured document object model of each page, and the preserved sequence of links and redirects, provide the technical basis of RiskIQ's detection capabilities. Layers of analytics are automatically applied to these records to classify each threat and enrich the data with additional insights that determine the appropriate response.

Threat Event-Types


External Threats provides detection and workflow for mitigating phishing sites that are impersonating an organization in order to phish their users, customers, prospects, or partners via the use of one of their brands.

RiskIQ ingests suspected phishing URLs from a broad range of sources, including third-party blacklists, an organization’s internal or external abuse boxes, web server referrer logs, and DMARC data, as well as any customer submissions, to streamline detection, review, and mitigation of phish. Phishing simulation campaign URLs are excluded automatically from threat analysis through integrations with popular phishing awareness training products. Machine learning algorithms sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving only a small fraction, if any, for human review. Full crawl metadata and user sessions are recorded as forensic evidence.

Integrations with Google Safe Browsing and Microsoft SmartScreen automatically submit phish for browser blocking for 98% of Internet users, and pre-configured templates generate and send takedown notices for phishing sites through email, web form, or API integrations. Together these dramatically reduce mean time to mitigation and the overall lifetime of phish.

Domain Infringement

External Threats provides detection and monitoring of suspicious domain and subdomain names that contain or are confusingly similar to an organization's official domains and brand names.

RiskIQ analyzes Whois registrations and passive DNS data to identify newly created third-party-owned domain names and subdomain names exploiting brand names. To optimize accuracy and detection coverage, domains are analyzed for similarity to official asset domains via a proprietary algorithm developed by the RiskIQ data science team, for homographic similarity and punycode obfuscation, and by regular expression matching.
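The three kinds of check named above (similarity to official domains, homograph/punycode folding, and regular expression matching) can be combined as in the following added example. It is not RiskIQ's proprietary algorithm or code; the confusables table, the `max_distance` threshold, the function names, and the `examplebank.example` domain used to exercise it are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed, tiny confusables table (assumption); real systems use Unicode TR39 data.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
               ("\u0440", "p"), ("\u0441", "c"), ("\u0456", "i")]

def to_unicode(domain):
    """Decode xn-- (punycode) labels so homographs are compared as displayed."""
    labels = domain.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label.startswith("xn--"):
            try:
                labels[i] = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw ASCII form
    return ".".join(labels)

def skeleton(domain):
    """Fold a domain to a canonical form in which lookalikes collide."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, official, brand_pattern, max_distance=2):
    """Return the reasons a candidate domain resembles an official one."""
    if candidate.lower().rstrip(".") in official:
        return []  # the organization's own asset, not a threat
    reasons, cand = [], skeleton(candidate)
    for dom in sorted(official):
        if cand == skeleton(dom):
            reasons.append(f"homograph:{dom}")
        elif edit_distance(cand, skeleton(dom)) <= max_distance:
            reasons.append(f"typo:{dom}")
    if re.search(brand_pattern, cand):
        reasons.append("brand-keyword")
    return reasons
```

A fixed `max_distance` over-matches on short domain names, so a deployment would scale the threshold with name length and keep the official-asset allowlist current.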

Automatic analysis of the domain's threat level, including any web content hosted on the domain, the domain's capability to send or receive email, related infrastructure, and detection of Whois and DNS changes allows users to quickly identify high priority threats and determine the proper response and mitigation strategy using pre-configured templates and built-in workflow.

Rogue Mobile App

External Threats provides visibility into an organization's presence throughout the global mobile app ecosystem and identifies unauthorized download locations of official applications, mobile spoofs impersonating or leveraging the organization's brands to commit fraud, and mobile malware targeting the organization's users. 

RiskIQ searches hundreds of official and unofficial app store sites around the world with native-level integrations, including a unique source of "feral app" files found outside of dedicated app stores, in order to automatically extract app details and download mobile binaries. Analysis of app store attributes, app posting details, and app code and files enables RiskIQ to automatically categorize legitimate app assets and monitor for new version releases, identify old or modified versions of official apps available for download in unauthorized stores, and detect third-party apps posing as official branded apps or otherwise packaged with malware targeting an organization and its users.

Pre-configured templates for reporting violations to contacts at each app store via email or web form integration allow users to mitigate mobile threats across all stores quickly and effectively.


External Threats provides visibility into an organization's presence on all major social networks, including Facebook, Twitter, LinkedIn, Instagram, YouTube, and Pinterest, and workflow for mitigating social media accounts impersonating the organization.

RiskIQ uses a combination of API integrations and unique virtual user technology to search social networks and analyze profile details for unofficial social media accounts claiming to represent customer organizations. Through this analysis, RiskIQ categorizes official social channels, unauthorized social profiles set up by various business units throughout the organization that are out of compliance with company policy, as well as fake third-party social accounts, such as fake customer support channels phishing for customer data, fake job recruiters asking applicants for personal information or job application fees, and social accounts associating a brand with offensive or illegal content.

Pre-configured templates for reporting violations to contacts at each social network via email or web form integration allow users to mitigate social threats quickly and effectively.


External Threats provides detection and workflow for the use of official branding such as product names or logos in web pages delivering malware. 

RiskIQ virtual users search for web content using a combination of threat feeds and configured search engine searches for brand keywords to encounter threats the same way real users targeted by them do. RiskIQ analyzes each webpage observed by virtual users for text or logos and leverages machine learning, RiskIQ's own proprietary malware research, third-party blacklist reputation, and other advanced analytics to identify the presence of threats leveraging official brands.

Pre-configured templates for reporting violations to hosting providers and registrars of sites via email or API integration allow users to mitigate impersonation and malicious web content quickly and effectively.

Event Management & Mitigation

RiskIQ provides both a web interface and API access to customers and their support teams to submit and investigate detected events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.

For each threat event, users can take the following workflow actions: 

  • Confirm: Validate event without sending an enforcement notice
  • Enforce: Generate and send a notice to initiate takedown, content removal, or other type of threat mitigation
  • Monitor: Automatically alert on any changes in content or behavior of a suspicious event that raise its threat-level and could trigger future enforcement
  • Review: Set aside for discussion/review to decide on proper response
  • Dismiss: Label event as a false positive
  • Assign a specific user to manage this event
  • Tag an event with a custom label for searching or reporting
  • Send the details of this event to a specified email address

Continuous monitoring of online resources lets customers know when threats have been successfully remediated, and RiskIQ’s post-resolution monitoring automatically re-opens events and alerts users to any tenacious threats posing a recurring risk to the organization.


RiskIQ provides customizable dashboards, email alerts, data exports, webhooks, APIs, and integrations with popular SIEM and other tools to extract and interact with our data. PDF reports also provide External Threat Management program performance metrics related to event detection, management, and enforcement over time.


External Threats - Advanced

The External Threats - Advanced add-on enables organizations to adapt the broad capabilities of the RiskIQ platform and the expertise of RiskIQ Solutions Architect and Managed Intelligence Services (MIS) teams to automate detection and monitoring for use-cases that require a deeper understanding of the business to identify and respond to appropriately, including: 

  • Compromised Data: Search a broad range of known sources for compromised data, e.g., Pastebin, GitHub, SlideShare, forums, and blogs, along with source-agnostic searches in order to detect stolen customer data, such as credit card information, as well as other leaked company data, including employee emails or source code being posted in the open, offered for sale, or otherwise made available to third parties outside the organization.
  • Scams: Monitor major social platforms or other sources for MoneyFlipping, giveaway scams, or other forms of financial fraud outside of traditional phishing and report abuse to social networks or site operators as appropriate.
  • Trademark Infringement: Detect and mitigate web content misusing brand trademarks or associating them with illegal or offensive content, including pornography, liquor, tobacco, weapons, drugs, and gambling. Mitigation requires a representative trademark chart and description of the tarnishment relevant to the Internet presence location, as well as customer approval after performing a fair-use analysis.

Use of this product requires a concurrent subscription to RiskIQ External Threats. Monitoring and detection are limited to threats targeting the customer organization and its subsidiaries as defined for RiskIQ External Threats coverage.

External Threats - Deep and Dark Web

The External Threats - Deep and Dark Web add-on provides customers visibility into mentions of their company names or other keywords of interest on the deep and dark web. Data is sourced via Flashpoint, a RiskIQ partner organization specializing in monitoring the deep and dark web, and sent to the RiskIQ platform, so that it can be viewed side-by-side with threats on the open web. Viewing different pieces of the puzzle together enables organizations to draw additional insights from connections in the data and track a threat from planning and discussion stages in forums through to the actions taken and infrastructure used on the open web to launch the attack.

This add-on is available for free to mutual customers of RiskIQ and Flashpoint with an existing valid Flashpoint API key, or API access can be purchased through RiskIQ, provided the customer has not terminated a contract with Flashpoint within the last 12 months.