Domain Intelligence
pro/v1/composite/domain-intelligence
Aggregates WHOIS/RDAP registration data, SSL certificate chain validation, Certificate Transparency logs, subdomain enumeration, DNS provider detection, and registrar reputation scoring into a single API call. Uses the RDAP protocol (the successor to WHOIS, mandated by ICANN since January 2025) for structured, machine-readable registration data.
What It Does
Executes multiple domain lookups in parallel and aggregates the results. Returns WHOIS/RDAP registration data (registrar, dates, nameservers, EPP status codes, DNSSEC status), SSL certificate validity and days until expiry, Certificate Transparency log history from crt.sh, discovered subdomains with active DNS verification, DNS provider detection with confidence scoring, domain age analysis, registrar reputation grading, and an overall risk assessment with infrastructure score. Supports selective component inclusion via query parameters — request only the data you need to reduce response time.
Why It's Useful
Instead of making 5-7 separate API calls, get comprehensive domain intelligence in a single request. Reduces integration complexity, minimizes latency through parallel execution, and provides a unified risk assessment based on all available data. Essential for security teams performing threat intelligence enrichment, compliance teams conducting vendor due diligence, and brand protection teams monitoring domain registrations.
Use Cases
Threat Intelligence Enrichment
Enrich Indicators of Compromise (IOCs) with comprehensive domain context — WHOIS registration data, SSL certificate chain, CT log activity, and domain age analysis — for incident response and threat reports.
Complete domain context for SIEM enrichment and threat intelligence platforms without multiple API integrations.
Brand Protection Monitoring
Detect newly registered domains that mimic your brand using subdomain enumeration and CT log monitoring. Assess risk level based on domain age, registrar reputation, and infrastructure patterns.
Early detection of phishing, typosquatting, and impersonation domains before they cause damage.
Vendor Risk Assessment
Assess vendor domain security posture during onboarding — verify SSL validity, DNSSEC configuration, registrar standing, and infrastructure maturity as part of supply chain risk management.
Automated vendor infrastructure assessment with quantified risk scoring from a single API endpoint.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to analyze (e.g., example.com). Example: example.com |
| include.whois | boolean | Optional | Include WHOIS/RDAP data, domain age, DNS provider, and registrar reputation. Default: true. Example: true |
| include.ssl | boolean | Optional | Include SSL certificate chain validation. Default: true. Example: true |
| include.ct_logs | boolean | Optional | Include Certificate Transparency log entries. Default: true. Example: true |
| include.subdomains | boolean | Optional | Include subdomain enumeration via CT logs. Default: true. Example: true |
| include.registrar | boolean | Optional | Include registrar reputation scoring (requires include.whois=true). Default: true. Example: true |
| include.threat | boolean | Optional | Include threat intelligence from URLhaus and threat feeds. Default: true. Example: true |
| include.email_security | boolean | Optional | Include email security analysis (SPF, DKIM, DMARC). Default: true. Example: true |
| ct_logs_limit | number | Optional | Maximum CT log entries to return (1-100). Default: 10. Example: 25 |
| subdomains_limit | number | Optional | Maximum subdomains to return (1-100). Default: 20. Example: 50 |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The analyzed domain |
| timestamp | string | ISO 8601 timestamp of the analysis |
| whois | object | RDAP/WHOIS registration data: registrar (name, URL), dates (created, updated, expires), nameservers, EPP status codes, DNSSEC status |
| registrar_reputation | object | Registrar trust assessment: name, reputation score (0-100), and grade (A+ to F) based on ICANN accreditation and abuse rate data |
| ssl | object | SSL certificate status: validity, issuer, not_before/not_after dates, days until expiry, chain validation status |
| ct_logs | object | Certificate Transparency log entries from crt.sh: total certificates found, certificate IDs, issuance dates, issuers, and Subject Alternative Names (SANs) |
| subdomains | object | Discovered subdomains via CT logs with DNS verification: total found, active/inactive status per subdomain |
| age | object | Domain age analysis: age in days/years, creation date, and newly registered flag |
| dns_provider | object | DNS provider detection: provider name, type (CDN, cloud, managed, registrar), nameservers, confidence score |
| threat | object | Threat intelligence: is_threat flag, URLhaus listing data (listed, category, url_count), and threat feed matches (feed name, source) |
| email_security | object | Email security: SPF (exists, policy), DKIM (exists, selector count), DMARC (exists, policy), overall score/grade, spoofing risk level, protected flag |
| summary | object | Risk assessment: risk level (low/medium/high/critical), established flag, SSL validity, infrastructure score (0-100), threat_detected flag, email_protected flag |
| _errors | object | Per-component error details when components fail. Maps component name to error message. Only present when errors occur. |
| meta | object | Request metadata: request_id, response_time_ms, components_fetched, components_cached, partial_failure flag |
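The parameter constraints and the `_errors` / `partial_failure` fields above matter most when the result feeds an automated verdict: a component that failed must not be read as "nothing found". The following is an added example, not EdgeDNS code; the `risk_level` key name, the shape of `_errors` keys, the function names and the sample response are assumptions made for illustration.

```python
# Added example: keys marked "assumed" are not spelled out in the tables above.
COMPONENTS = ("whois", "ssl", "ct_logs", "subdomains",
              "registrar", "threat", "email_security")

def build_params(domain, include=None, ct_logs_limit=10, subdomains_limit=20):
    """Build query parameters that respect the documented constraints."""
    include = {**dict.fromkeys(COMPONENTS, True), **(include or {})}
    unknown = sorted(set(include) - set(COMPONENTS))
    if unknown:
        raise ValueError(f"unknown components: {unknown}")
    if include["registrar"] and not include["whois"]:
        raise ValueError("include.registrar requires include.whois=true")
    for name, value in (("ct_logs_limit", ct_logs_limit),
                        ("subdomains_limit", subdomains_limit)):
        if not 1 <= value <= 100:
            raise ValueError(f"{name} must be between 1 and 100")
    params = {"domain": domain.strip().lower(),
              "ct_logs_limit": ct_logs_limit,
              "subdomains_limit": subdomains_limit}
    # Send lowercase "true"/"false" as in the table; str(True) is "True".
    for name, enabled in include.items():
        params[f"include.{name}"] = "true" if enabled else "false"
    return params

def triage(data):
    """Return (verdict, reasons). A failed component is never read as clean."""
    errors = data.get("_errors") or {}
    summary = data.get("summary") or {}
    threat = data.get("threat") or {}
    meta = data.get("meta") or {}
    if threat.get("is_threat") or summary.get("threat_detected"):
        return "malicious", ["threat intelligence match"]
    if errors or meta.get("partial_failure"):
        # Assumed: _errors keys are component names such as "threat" or "ssl".
        failed = sorted(errors) or ["unspecified"]
        return "incomplete", [f"component failed: {c}" for c in failed]
    # Assumed key name: summary.risk_level holds low/medium/high/critical.
    if summary.get("risk_level") in ("high", "critical"):
        return "suspicious", [f"risk level {summary['risk_level']}"]
    return "no_findings", []

# Constructed response for illustration, not real API output.
SAMPLE = {
    "domain": "example.com",
    "summary": {"risk_level": "low", "threat_detected": False},
    "_errors": {"threat": "upstream timeout"},
    "meta": {"partial_failure": True},
}
```

`triage(SAMPLE)` yields `incomplete` even though the summary reports a low risk level, because the threat component did not run; such results should be re-queried rather than stored as clean.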
Code Examples
```bash
# -G sends the -d data as a query string (GET) instead of a POST body
curl -G "https://api.edgedns.dev/v1/composite/domain-intelligence" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// GET request with the domain passed as a query parameter
const response = await fetch(
  'https://api.edgedns.dev/v1/composite/domain-intelligence?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# GET request with the domain passed as a query parameter
response = requests.get(
    'https://api.edgedns.dev/v1/composite/domain-intelligence',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```