The Threat API lets your systems query relevant intelligence directly.
Webhooks notify you the moment something changes: a new high-risk campaign
in your industry, a watch match, a confirmed impersonation attempt.
Named, scoped, shown once at creation, stored only as a hash. Revoke or rotate any time, with a full audit history.
Webhooks with delivery history
Choose exactly which events you want, test a webhook before relying on it, and see every delivery attempt with its response status.
The same evidence, not a stripped model
Every response includes Risk, Confidence, and Network Confirmation as separate fields, plain-English summaries, and related-object references. Not a black-box score.
Where is your business based?
You can change this at any time.
How Network Confirmation works
Every object in the registry (a sender, a domain, a campaign) moves through five
stages as independent evidence builds:
UNSEENNothing reported yet.
OBSERVEDOne report exists. A single data point, not yet corroborated.
CORROBORATEDA second, independent organisation has reported the same thing.
NETWORK CONFIRMEDFive or more independent organisations agree.
VERIFIEDTen or more independent organisations, the strongest confidence level.
This is deliberately separate from Risk and Confidence. How much of the network agrees
is a different question from how dangerous something looks, or how certain we are.
How Threat DNA works
Every campaign gets scored across 8 axes: infrastructure, domain patterns, message
templates, link behaviour, attachment patterns, target industries, target roles, and
campaign velocity. All plotted as a fingerprint.
Sender Registry compares every campaign's fingerprint against every other campaign's
using cosine similarity: the same technique used to compare documents by meaning, not
just matching words. A high match (we only ever suggest one above 55% similarity) means
two campaigns that look unrelated on the surface may share real infrastructure, even
under completely different domain names.
How the Intelligence Map works
Senders, domains, URLs, attachments, campaigns, brands and suppliers all become nodes
in a shared relationship graph, built from real evidence: a sender using a domain, a
domain appearing in the same report as another domain, a report belonging to a campaign.
On a phone, we deliberately don't force a giant graph onto a small screen. Instead you
get a focused view: the object you're looking at, and everything directly connected to
it, with a tap to move to any of those connections in turn.