Bulk Domain Enrichment


Silent Push's Bulk Domain Enrichment feature enables security analysts, threat hunters, and network investigators to process up to 100 domains simultaneously, delivering comprehensive enriched data in a single query.

Access Bulk Domain Enrichment

From the left navigation menu, select Advanced Query Builder > Enrichment Queries > Domain – bulk for handling lists of domains.

This interface supports silent pushes for automated workflows, tabbed views for organized results, and PADNS lookups for additional historical context.

The bulk interface is user-friendly, supporting up to 100 domains for efficient processing. Follow these steps:

  1. In the Domains field (marked with an asterisk as required), enter one domain per line. The maximum is 100 domains, to ensure optimal performance and stay within API limits. For example:
    example.com
    suspicious-domain.net
    malware-site.org

  2. (Optional) Click Explain next to the field to view the methodology behind risk score calculations, including weighted factors like listing density and age anomalies.

  3. (Optional) Check the Scan Data box to include raw scanning outputs, such as vulnerability scans or port scans, for more in-depth forensics.

  4. Select Simple Query for standard enrichment or Advanced Query to customize filters (e.g., by date range or score thresholds).

  5. Click Search to initiate processing. Results are displayed in a tabular or JSON view, with options to sort by risk score or rank.

  6. Use Tab View for multi-perspective analysis or Lookup PADNS to cross-reference passive DNS records.

  7. Export the full JSON response for integration with tools like SIEMs or spreadsheets.

  8. Generate a shareable API endpoint for automation or team collaboration.

  9. Clear inputs for a new batch.

Save bulk queries

For recurring analyses, organizational users can persist their setups:

  1. Configure parameters, including your domain list and options like scan data.

  2. Click Save Query.

  3. Enter a Name and Description.

  4. Click Save to store it in the Saved Queries menu, accessible for quick reloads.

Key enrichment data for domains

Bulk Domain Enrichment aggregates rich datasets tailored to domain analysis. For each domain in your list, you'll receive:

| Data type | Description |
| --- | --- |
| Tranco Rank | Global popularity ranking of the domain, indicating traffic volume and legitimacy. |
| Dynamic Domain Indicator | Flags if the domain exhibits behaviors typical of dynamically generated malicious domains (e.g., DGA - Domain Generation Algorithms). |
| URL Shortener Indicator | Identifies if the domain is used as a URL shortener, which can mask phishing or redirects. |
| Basic Domain Info | Core details like creation date, registrar, Whois data, and nameservers. |
| Warning Flags | Alerts for risks such as open directories, expired SSL certificates, exposed S3 buckets, or other misconfigurations. |
| IP & ASN Scores | Associated IP addresses and Autonomous System Numbers (ASNs) with reputational scores. |
| Listing Scores | Aggregation of blacklisting across threat feeds, quantifying exposure to known malicious activity. |
| Nameserver Reputation Data | Evaluation of the domain's nameservers for abuse history or takedown events. |
| Server Changes | Timeline of infrastructure shifts, like IP or ASN changes, to detect evasion tactics. |
| Silent Push Risk Score | A proprietary composite score assessing overall threat level, factoring in reputation, listings, and behavioral indicators. |

Sample output

{
  "status_code": 200,
  "error": null,
  "response": {
    "domains": [
      {
        "domain": "example.com",
        "tranco_rank": 100,
        "dynamic_domain_indicator": false,
        "url_shortener_indicator": false,
        "basic_info": {
          "creation_date": "19950414",
          "registrar": "EXAMPLE REGISTRAR",
          "nameservers": ["ns1.example.com", "ns2.example.com"]
        },
        "warning_flags": {
          "open_directories": false,
          "expired_certificates": false,
          "open_s3_buckets": false
        },
        "ip_asn_scores": [
          {
            "ip": "93.184.216.34",
            "asn": 15133,
            "asn_name": "EDGECAST, US",
            "sp_risk_score": 2
          }
        ],
        "listing_score": 0,
        "nameserver_reputation": 9,
        "server_changes": [
          {
            "change_date": "20230115",
            "type": "IP_UPDATE"
          }
        ],
        "sp_risk_score": 2,
        "sp_risk_score_explain": {
          "decider": "low_listings_and_high_reputation"
        }
      },
      {
        "domain": "suspicious-domain.net",
        "tranco_rank": null,
        "dynamic_domain_indicator": true,
        "url_shortener_indicator": false,
        "basic_info": {
          "creation_date": "20250901",
          "registrar": "SHADY REGISTRAR LTD",
          "nameservers": ["ns.malware.net"]
        },
        "warning_flags": {
          "open_directories": true,
          "expired_certificates": true,
          "open_s3_buckets": false
        },
        "ip_asn_scores": [
          {
            "ip": "192.0.2.1",
            "asn": 12345,
            "asn_name": "RISKY ASN",
            "sp_risk_score": 9
          }
        ],
        "listing_score": 85,
        "nameserver_reputation": 1,
        "server_changes": [],
        "sp_risk_score": 9,
        "sp_risk_score_explain": {
          "decider": "high_listings_and_dynamic_indicator"
        }
      }
    ]
  }
}

In a comprehensive response, each entry expands with subfields such as listing_score_explain (a breakdown of threat feeds) and asn_reputation_explain (takedown history metrics), mirroring the depth seen in single-query outputs.
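
The following is an added example, not Silent Push code: it prepares a domain list for the 100-domain limit and triages an exported JSON response shaped like the sample output above. The function names, the thresholds (`risk_min`, `listing_min`, `new_days`) and the trimmed sample are assumptions made for illustration; only the field names come from the sample output.

```python
import json
from datetime import date, datetime

MAX_PER_QUERY = 100  # per-query limit stated on this page

def batch_domains(raw_lines, size=MAX_PER_QUERY):
    """Normalize, de-duplicate and split a domain list into batches of <= size."""
    seen, ordered = set(), []
    for line in raw_lines:
        d = line.strip().lower().rstrip(".")
        if d and d not in seen:
            seen.add(d)
            ordered.append(d)
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]

def triage(response, today, risk_min=7, listing_min=50, new_days=30):
    """Return (domain, reasons) for entries that warrant review, worst first.
    Thresholds are illustrative assumptions, not vendor guidance."""
    if response.get("status_code") != 200 or response.get("error"):
        raise ValueError(f"enrichment failed: {response.get('error')}")
    findings = []
    for e in response["response"]["domains"]:
        reasons = []
        if (e.get("sp_risk_score") or 0) >= risk_min:
            reasons.append(f"sp_risk_score={e['sp_risk_score']}")
        if (e.get("listing_score") or 0) >= listing_min:
            reasons.append(f"listing_score={e['listing_score']}")
        if e.get("dynamic_domain_indicator"):
            reasons.append("dynamic_domain")
        flags = e.get("warning_flags") or {}
        reasons += [f"flag:{k}" for k, v in sorted(flags.items()) if v]
        created = (e.get("basic_info") or {}).get("creation_date")
        if created:  # creation_date is YYYYMMDD in the sample output
            age = (today - datetime.strptime(created, "%Y%m%d").date()).days
            if age <= new_days:
                reasons.append(f"registered_{age}d_ago")
        if reasons:
            findings.append((e["domain"], e.get("sp_risk_score") or 0, reasons))
    findings.sort(key=lambda f: -f[1])
    return [(d, r) for d, _, r in findings]

# Constructed sample: the page's two sample entries, trimmed to the fields used.
SAMPLE = json.loads("""{"status_code": 200, "error": null, "response": {"domains": [
 {"domain": "example.com", "sp_risk_score": 2, "listing_score": 0,
  "dynamic_domain_indicator": false, "basic_info": {"creation_date": "19950414"},
  "warning_flags": {"open_directories": false, "expired_certificates": false}},
 {"domain": "suspicious-domain.net", "sp_risk_score": 9, "listing_score": 85,
  "dynamic_domain_indicator": true, "basic_info": {"creation_date": "20250901"},
  "warning_flags": {"open_directories": true, "expired_certificates": true}}]}}""")

if __name__ == "__main__":
    print(triage(SAMPLE, today=date(2025, 9, 15)))
```

Passing `today` explicitly keeps the age check reproducible when re-running triage over an archived export.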