
Domain Intelligence: a beginner's guide

Comprehensive domain analysis in one call

EdgeDNS Team · 9 min read

What "domain intelligence" actually means (and why it's bigger than a WHOIS lookup)

Domain intelligence is the umbrella term for the structured profile you can build about a single domain by combining many independent data sources at once: DNS records, WHOIS ownership, SSL certificates, Certificate Transparency log history, email-authentication setup, threat-intelligence feeds, tech-stack fingerprints, performance metrics, content snapshots, and (sometimes) historical data going back years. Each individual source is useful on its own, but the combination is much more than the sum of the parts. A WHOIS lookup tells you who owns the domain. A WHOIS lookup plus the SSL certificate history plus the DNS provider plus the tech stack tells you a story.

You should care because the story is what sales, security, and investment teams actually care about — and the story can only be told by combining sources. A single WHOIS field saying "registered six months ago" is just a fact. The same fact combined with "hosting on Cloudflare," "using Stripe for payments," "running Next.js," "DKIM signed by SendGrid," and "appearing on Google Cloud's published customer list" tells you the company is a small B2B SaaS startup that takes engineering seriously. That is not just data — it is intelligence. It changes how you sell to them, how you evaluate them as a partner, how you write the security questionnaire, and how you predict their next move.

The seven sources every domain intelligence report typically combines:

  • DNS records. A, AAAA, MX, NS, TXT, CAA, and DNSSEC status — the structural facts.

  • WHOIS / RDAP. Ownership, registration history, expiry, registrar.

  • SSL/TLS configuration. Certificate, chain, supported protocols, ciphers, CT log entries.

  • Email authentication. SPF, DKIM, DMARC, BIMI, MTA-STS — the email posture.

  • Tech stack. CMS, framework, analytics, hosting, CDN, payment processor.

  • Threat intelligence. Public reputation feeds, blocklist status, typosquat detection.

  • Performance and SEO. Core Web Vitals, response times, structured data, sitemap quality.

Three questions a domain intelligence report answers:

  • What is the complete public profile of this domain in one document?

  • For a sales call, M&A diligence, or partnership scoping, what do I need to know that isn't on the company's marketing pages?

  • Has anything about this domain changed recently in a way I should care about?

The cost of running individual checks separately is the time it takes to stitch them together by hand, plus the inconsistency that comes from different reports being generated at different times. The fix is to run them all at once, in one structured format, and treat the combined output as the canonical "what we know about this domain" snapshot.

The Domain Intelligence endpoint, in plain language

In one sentence: Comprehensive domain analysis in one call

The endpoint aggregates WHOIS/RDAP registration data, SSL (Secure Sockets Layer) certificate chain validation, Certificate Transparency logs, subdomain enumeration, DNS (Domain Name System) provider detection, and registrar reputation scoring into a single API (Application Programming Interface) call. It uses RDAP (Registration Data Access Protocol), the successor to WHOIS (who is) that ICANN has mandated since January 2025, for structured, machine-readable registration data.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

Executes multiple domain lookups in parallel and aggregates the results. Returns WHOIS/RDAP registration data (registrar, dates, nameservers, EPP status codes, DNSSEC (Domain Name System Security Extensions) status), SSL (Secure Sockets Layer) certificate validity and days until expiry, Certificate Transparency log history from crt.sh, discovered subdomains with active DNS (Domain Name System) verification, DNS provider detection with confidence scoring, domain age analysis, registrar reputation grading, and an overall risk assessment with infrastructure score. Supports selective component inclusion via query parameters — request only the data you need to reduce response time.

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Domain Intelligence tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Instead of making 5-7 separate API (Application Programming Interface) calls, get comprehensive domain intelligence in a single request. Reduces integration complexity, minimizes latency through parallel execution, and provides a unified risk assessment based on all available data. Essential for security teams performing threat intelligence enrichment, compliance teams conducting vendor due diligence, and brand protection teams monitoring domain registrations.

Picture this in real life. Imagine an SOC analyst or threat hunter who needs to enrich Indicators of Compromise (IOCs) with comprehensive domain context — WHOIS (who is) registration data, SSL (Secure Sockets Layer) certificate chain, CT log activity, and domain age analysis — for incident response and threat reports. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Domain Intelligence tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Domain Intelligence tool is built for you:

  • Can I get the entire story about a domain in a single report instead of running ten checks?

  • What is the single document I would share with my team, my client, or my board?

  • Where should I focus my next hour of work to make the biggest difference?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Account executives prepping a sales call, agencies producing a monthly client deliverable, investors doing diligence, and founders building a board deck. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and you have to assemble the same snapshot by hand every time you need it — which means you stop bothering. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the pro plan. The technical details: `GET /v1/composite/domain-intelligence`.

When would I actually use this?

If you're still on the fence about whether the Domain Intelligence tool belongs in your toolbox, this section is for you. Below you'll meet three real people — an SOC analyst / threat hunter, a brand protection analyst, and a third-party risk manager — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Threat Intelligence Enrichment

Imagine you're an SOC analyst / threat hunter. Enrich Indicators of Compromise (IOCs) with comprehensive domain context — WHOIS (who is) registration data, SSL (Secure Sockets Layer) certificate chain, CT log activity, and domain age analysis — for incident response and threat reports.

Why it matters: Complete domain context for SIEM enrichment and threat intelligence platforms without multiple API (Application Programming Interface) integrations.

Story 2: Brand Protection Monitoring

Imagine you're a brand protection analyst. Detect newly registered domains that mimic your brand using subdomain enumeration and CT log monitoring. Assess risk level based on domain age, registrar reputation, and infrastructure patterns.

Why it matters: Early detection of phishing, typosquatting, and impersonation domains before they cause damage.

Story 3: Vendor Risk Assessment

Imagine you're a third-party risk manager. Assess vendor domain security posture during onboarding — verify SSL (Secure Sockets Layer) validity, DNSSEC (Domain Name System Security Extensions) configuration, registrar standing, and infrastructure maturity as part of supply chain risk management.

Why it matters: Automated vendor infrastructure assessment with quantified risk scoring from a single API (Application Programming Interface) endpoint.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Domain Intelligence tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • Right before a sales call, to walk in already knowing the prospect.

  • For a monthly client status update or executive summary.

  • During M&A or investor diligence on a target domain.

  • When you want to share "everything we know about this domain" in a single link.

If you can see yourself in even one of those bullets, the Domain Intelligence tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Domain Intelligence tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Domain Intelligence tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/composite/domain-intelligence?domain=example.com"
```

What you need to provide

This tool accepts 10 parameters. Only domain is required; the other nine are optional and have defaults. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to analyze (e.g., example.com) | example.com |
| include.whois | boolean | Optional | Include WHOIS/RDAP data, domain age, DNS (Domain Name System) provider, and registrar reputation. Default: true. | true |
| include.ssl | boolean | Optional | Include SSL (Secure Sockets Layer) certificate chain validation. Default: true. | true |
| include.ct_logs | boolean | Optional | Include Certificate Transparency log entries. Default: true. | true |
| include.subdomains | boolean | Optional | Include subdomain enumeration via CT logs (Certificate Transparency logs). Default: true. | true |
| include.registrar | boolean | Optional | Include registrar reputation scoring (requires include.whois=true). Default: true. | true |
| include.threat | boolean | Optional | Include threat intelligence from URLhaus and threat feeds. Default: true. | true |
| include.email_security | boolean | Optional | Include email security analysis (SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance)). Default: true. | true |
| ct_logs_limit | number | Optional | Maximum CT log entries to return (1-100). Default: 10. | 25 |
| subdomains_limit | number | Optional | Maximum subdomains to return (1-100). Default: 20. | 50 |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The analyzed domain |
| timestamp | string | ISO 8601 timestamp of the analysis |
| whois | object | RDAP/WHOIS registration data: registrar (name, URL (web address)), dates (created, updated, expires), nameservers, EPP status codes, DNSSEC (Domain Name System Security Extensions) status |
| registrar_reputation | object | Registrar trust assessment: name, reputation score (0-100), and grade (A+ to F) based on ICANN accreditation and abuse rate data |
| ssl | object | SSL (Secure Sockets Layer) certificate status: validity, issuer, not_before/not_after dates, days until expiry, chain validation status |
| ct_logs | object | Certificate Transparency log entries from crt.sh: total certificates found, certificate IDs, issuance dates, issuers, and Subject Alternative Names (SANs) |
| subdomains | object | Discovered subdomains via CT logs (Certificate Transparency logs) with DNS (Domain Name System) verification: total found, active/inactive status per subdomain |
| age | object | Domain age analysis: age in days/years, creation date, and newly registered flag |
| dns_provider | object | DNS (Domain Name System) provider detection: provider name, type (CDN (Content Delivery Network), cloud, managed, registrar), nameservers, confidence score |
| threat | object | Threat intelligence: is_threat flag, URLhaus listing data (listed, category, url_count), and threat feed matches (feed name, source) |
| email_security | object | Email security: SPF (Sender Policy Framework) (exists, policy), DKIM (DomainKeys Identified Mail) (exists, selector count), DMARC (Domain-based Message Authentication, Reporting and Conformance) (exists, policy), overall score/grade, spoofing risk level, protected flag |
| summary | object | Risk assessment: risk level (low/medium/high/critical), established flag, SSL (Secure Sockets Layer) validity, infrastructure score (0-100), threat_detected flag, email_protected flag |
| _errors | object | Per-component error details when components fail. Maps component name to error message. Only present when errors occur. |
| meta | object | Request metadata: request_id, response_time_ms, components_fetched, components_cached, partial_failure flag |
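
Because `_errors` only appears when a component fails, an enrichment script that checks nothing but `threat.is_threat` can read a failed threat lookup as a clean result. The Python below is an added example, not EdgeDNS code, showing selective component requests and a triage step that reports a missing component as unknown. Assumptions: the dotted `include.*` names are sent literally as query keys, a failed component's object is absent from the response, `_errors` keys match the top-level field names, the age flag is named `newly_registered`, and both sample responses are constructed.

```python
from urllib.parse import urlencode

BASE = "https://api.edgedns.dev/v1/composite/domain-intelligence"

def build_url(domain, skip=()):
    """Query URL that switches off the components named in `skip`."""
    # Assumption: dotted field names (include.ssl, ...) are literal query keys.
    params = {"domain": domain}
    params.update({f"include.{name}": "false" for name in skip})
    return f"{BASE}?{urlencode(params)}"

def triage(report):
    """Return (verdict, notes); a missing component is 'unknown', never clean."""
    failed = report.get("_errors") or {}
    notes = [f"{name} failed: {msg}" for name, msg in sorted(failed.items())]
    threat, age = report.get("threat"), report.get("age")
    if threat is None:
        return "unknown", notes or ["threat component not in response"]
    if threat.get("is_threat"):
        return "malicious", notes + ["threat.is_threat is true"]
    if age is None:
        return "unknown", notes or ["age component not in response"]
    # Assumption: the newly registered flag in `age` is named newly_registered.
    if age.get("newly_registered"):
        return "suspicious", notes + ["domain is newly registered"]
    return "no_findings", notes

# Constructed sample responses (not real API output).
FULL = {"domain": "example.com",
        "threat": {"is_threat": False},
        "age": {"newly_registered": False},
        "meta": {"partial_failure": False}}
PARTIAL = {"domain": "example.com",
           "age": {"newly_registered": False},
           "_errors": {"threat": "upstream timeout"},
           "meta": {"partial_failure": True}}

if __name__ == "__main__":
    print(build_url("example.com", skip=("ct_logs", "subdomains")))
    for label, rep in (("full", FULL), ("partial", PARTIAL)):
        # The naive check treats both reports as clean; triage() does not.
        naive_clean = not rep.get("threat", {}).get("is_threat")
        print(label, "naive_clean =", naive_clean, "triage =", triage(rep))
```
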

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.

API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.

SSL (Secure Sockets Layer) — The original encryption used by HTTPS. The name stuck even though every modern site actually uses TLS, the newer replacement.

DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.

WHOIS (who is) — A public record that tells you who registered a domain name, when, and through which company. Modern WHOIS is now called RDAP but most people still say 'WHOIS'.

RDAP (Registration Data Access Protocol) — The modern, structured replacement for WHOIS. Returns the same kind of information (who owns this domain?) but in a format computers can read more easily.
