Many users notice that Total View queries, especially in Web Search view, take longer than simple DNS or WHOIS lookups. This is because Total View provides deeper, integrated intelligence from multiple sources, delivering richer insights for critical use cases.
Understand Query Types
DNS and WHOIS are lightweight lookups that return results in under a second, using pre-indexed data like IP addresses or domain details. Total View, however, aggregates data from six sources, including real-time web crawling, enrichment scans, and cross-referencing, which can take 5-30 seconds or more. This depth is essential for comprehensive analysis but requires strategies to manage delays.
Use Case 1: Gain Holistic Understanding
Total View synthesizes data to provide a complete picture of domains, IPs, or threats, going beyond basic facts to reveal contextual information such as historical threats or related infrastructure.
Perform an Insight Query
Start with a DNS or WHOIS tab for quick basics (e.g., IP resolution for “shadybank.com” in under 1 second).
Switch to Total View or Web Search for deeper analysis: Enter your query and let it aggregate data from clearnet crawling (HTML, favicons), dark web scans, and SSL chains.
Use SPQL filters like `since:7d` to focus on recent data, reducing time from 20 seconds to under 5.
Review results for pivots, such as mapping IPs to ASNs or threat actors.
Example: Querying "shadybank.com" in Web Search checks against malware databases and hashes, providing actionable insights into potential risks.
Use Case 2: Protect Against Threats
Total View helps identify and mitigate threats, including phishing, vulnerabilities, and malicious activity, through enriched scans and risk scoring.
Defend with Total View
Select the Web Search tab for comprehensive threat detection.
Apply filters like `type:malware` to target suspicious elements, scanning for open directories or indicators of vulnerability.
Leverage machine learning-based risk scoring for prioritized alerts.
Export results via the “Export Endpoint” for team collaboration or monitoring.
This process may add 5-10 seconds due to the computational intensity, but it ensures a reliable defense by cross-referencing 100+ observables.
Use Case 3: Scout and Map
Total View enables pivoting and mapping of infrastructure, ideal for investigations or threat hunting.
Conduct Reconnaissance
Begin with DNS for initial mappings (e.g., IP resolutions).
Import into Total View for advanced cross-referencing: Associate domains with actors or uncover related IPs.
Use asynchronous processing for background runs on large sets.
Limit batches to 100 observables, or use SDK scripting with chunks to avoid queuing (up to +20 seconds in high-traffic scenarios).
Latency from network dependencies (e.g., Tor for the dark web) can vary from 2 to 30 seconds; schedule during off-peak hours for best results.
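The chunking step above can be scripted as follows. This is an added example, not code from the product's SDK: it refangs and deduplicates observables so each batch of at most 100 carries no wasted entries. The `submit` callback is a hypothetical stand-in for whatever SDK or API call sends a batch, and the sample input is constructed.

```python
import ipaddress
import re
from typing import Callable, Iterable, List, Optional

MAX_BATCH = 100  # batch ceiling recommended in the text above

# Conservative hostname check: dot-separated LDH labels ending in an alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize(raw: str) -> Optional[str]:
    """Refang and canonicalize one observable; None if it is not an IP or domain."""
    value = raw.strip().lower().replace("[.]", ".")
    value = re.sub(r"^[a-z]+://", "", value)  # drops http://, hxxp://, etc.
    value = value.split("/")[0].rstrip(".")   # drop any path and trailing dot
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value if _DOMAIN_RE.match(value) else None


def plan_batches(raw_observables: Iterable[str], size: int = MAX_BATCH) -> List[List[str]]:
    """Deduplicate (keeping first-seen order) and split into lists of at most `size`."""
    if not 1 <= size <= MAX_BATCH:
        raise ValueError(f"batch size must be between 1 and {MAX_BATCH}")
    unique = list(dict.fromkeys(n for n in map(normalize, raw_observables) if n))
    return [unique[i:i + size] for i in range(0, len(unique), size)]


def run(raw_observables: Iterable[str], submit: Callable[[List[str]], object]) -> list:
    """Send each batch through `submit`, a hypothetical stand-in for the SDK/API call."""
    return [submit(batch) for batch in plan_batches(raw_observables)]


# Constructed sample input: 250 hosts plus a defanged URL, its duplicate,
# a defanged IP and one junk string.
SAMPLE = [f"host{i}.example.com" for i in range(250)] + [
    "hxxp://ShadyBank[.]com/login", "shadybank.com", "192.0.2[.]10", "not a domain",
]

if __name__ == "__main__":
    for n, size in enumerate(run(SAMPLE, len), start=1):
        print(f"batch {n}: {size} observables")
```

Entries that are neither a valid IP address nor a plausible hostname are dropped before batching, so review the input list if the batch totals come out lower than expected.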
Enhance Efficiency Across Use Cases
To reduce delays by up to 40%, apply these strategies:
Refine with SPQL: Pre-filter to cut dataset size by 50%.
Purposeful Tabs: Use DNS/WHOIS first, then enrich in Total View.
Asynchronous Processing: Run in the background and export links.
Manage Bulks: Process in smaller chunks via API or SDK.
Monitor Dynamically: Use UI indicators or low-priority mode.
Performance Factors Table
| Factor | Description | Typical Impact | Optimization Insight |
|---|---|---|---|
| Data Volume | Terabytes of daily scans filtered for relevance. | +10-15 seconds | SPQL pre-filters reduce by 50%. |
| Compute Intensity | Hashing and ML risk scoring. | +5-10 seconds | Prioritize single tabs. |
| Queueing | High traffic prioritization. | +20 seconds for large batches | Use smaller batches or async. |
| Network Dependencies | External services like Tor. | 2-30 seconds | Cache and off-peak scheduling. |