Infrastructure Variance empowers security teams to quickly distinguish legitimate infrastructure evolution (e.g., cloud scaling, CDN usage) from malicious tactics like fast-flux evasion, bulletproof hosting shifts, or compromised DNS management. Visualizing historical and real-time changes in a unified timeline reduces manual cross-tool querying and highlights anomalies tied to risk scores.
ASN Sub-tab Use Cases
Security analysts monitor for unexpected ASN hops that signal adversary infrastructure migration. For instance, a sudden switch from a reputable provider like AS15169 (Cloudflare, high takedown score of 95) to a low-reputation ASN like AS207713 (often linked to bulletproof or flux hosting) on a specific date can indicate evasion tactics.
Teams use this sub-tab to:
Detect fast-flux or double-flux networks, where domains rapidly rotate across multiple ASNs to obscure C2 servers (as seen in historical botnets like Conficker or modern APT campaigns).
Investigate linked threats: One-click enrichment reveals subnet details and pivots to IOFA feeds for actor attribution (e.g., correlating with known adversary clusters).
Cross-check with Whois for registrant overlaps or PADNS for tied A/AAAA records, helping explain whether the change is benign scaling or malicious flux.
This is especially valuable for SOC triage, where an outlier ASN alert triggers immediate investigation, preventing prolonged exposure.
IP Diversity Sub-tab Use Cases
Sudden spikes in IP count or diversity often flag manipulation, such as fast-flux botnets ramping up IPs (e.g., from 1-2 to 15+ in days) across compromised proxies for resilience against blocklisting.
Practical applications include:
Identifying campaigns where malware "phones home" to fluxing domains, evading IP-based detection (common in phishing, malware delivery, or ransomware C2).
Mapping exposures: Visualize timelines (e.g., 10 new IPs on 2025-09-01 tied to a suspicious ASN) and correlate with PADNS first/last-seen timestamps to assess persistence.
Brand protection: Defenders spot unauthorized IP sprawl on monitored domains, revealing potential compromises or spoofing.
Alerts for outlier diversity (e.g., >10 IPs in 30 days on non-standard ASNs) enable proactive blocking or monitoring.
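The ASN-hop and IP-diversity checks described in the two sub-tabs above, as an added example that is not part of this page or the product's own code: it walks a constructed passive-DNS-style timeline for one domain, reports each ASN hop, flags hops that land on a low-scored ASN, and applies the ">10 IPs in 30 days on a low-scored ASN" rule of thumb. The observation tuples, the RFC 5737 addresses and the ASN score table are assumed sample values (the page gives 95 for AS15169; the score for AS207713 is a placeholder).

```python
from datetime import date, timedelta

# Constructed sample timeline for one domain: (first_seen, ip, asn).
# Two stable resolutions on AS15169, then eleven new IPs on AS207713 in ten days.
OBSERVATIONS = [(date(2025, 7, 1), "203.0.113.10", 15169),
                (date(2025, 7, 15), "203.0.113.11", 15169)] + [
    (date(2025, 9, 1) + timedelta(days=i), f"198.51.100.{i + 1}", 207713)
    for i in range(11)]
# Assumed takedown/reputation scores; 10 for AS207713 is a placeholder value.
ASN_SCORE = {15169: 95, 207713: 10}


def asn_hops(observations):
    """Return (date, from_asn, to_asn) each time the observed ASN changes."""
    hops, previous = [], None
    for seen, _ip, asn in sorted(observations):
        if previous is not None and asn != previous:
            hops.append((seen, previous, asn))
        previous = asn
    return hops


def outlier_hops(observations, scores, min_score=50):
    """Hops landing on an ASN scored below min_score (unknown ASNs count as 0)."""
    return [h for h in asn_hops(observations) if scores.get(h[2], 0) < min_score]


def max_ip_diversity(observations, window_days=30):
    """Largest number of distinct IPs first seen inside any sliding window."""
    rows = sorted(observations)
    best = 0
    for i, (start, _ip, _asn) in enumerate(rows):
        end = start + timedelta(days=window_days)
        ips = {ip for seen, ip, _ in rows[i:] if seen < end}
        best = max(best, len(ips))
    return best


def diversity_alert(observations, scores, threshold=10, window_days=30, min_score=50):
    """True when more than threshold IPs appear within window_days on low-scored ASNs."""
    suspect = [o for o in observations if scores.get(o[2], 0) < min_score]
    return max_ip_diversity(suspect, window_days) > threshold


if __name__ == "__main__":
    print("ASN hops:", asn_hops(OBSERVATIONS))
    print("outlier hops:", outlier_hops(OBSERVATIONS, ASN_SCORE))
    print("max IPs in 30 days:", max_ip_diversity(OBSERVATIONS))
    print("diversity alert:", diversity_alert(OBSERVATIONS, ASN_SCORE))
```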
Name Server Changes Sub-tab Use Cases
Shifts to high-density nameservers (e.g., 10,000+ domains per server) frequently indicate shared malicious infrastructure or DNS compromise risks.
Teams leverage this to:
Spot takeover patterns: Correlate NS changes with Dangling DNS in Subdomains or Attack Surface Mapping to detect subdomain hijacking.
Track adversary TTPs: Rapid NS rotations (double-flux) add obfuscation layers, as in sophisticated botnets using compromised hosts as proxies.
Combine with WHOIS history: Identify registrar changes or suspicious density spikes, differentiating legitimate DNS management from evasion.
Overall Benefits
Infrastructure Variance centralizes these signals for holistic risk assessment. Security operations teams export timelines to SIEMs for alerting, set watches on new hops, or pivot to Web Search for content validation on new IPs—turning fragmented logs into actionable intelligence. This approach accelerates detection of threats like fast-flux, while minimizing false positives through context-rich scoring and correlations.