
How AI Agents Investigate Suspicious Domains (Replacing Shodan, WHOIS & VirusTotal)

Domain investigation takes 30-45 min across 6+ tools. AI agents using MCP servers do it in 30-60 seconds with structured JSON output from 9 data sources.

Ryan Clinton

Investigating a suspicious domain has traditionally required combining multiple independent data sources — DNS records, WHOIS data, certificate transparency logs, malware intelligence feeds, and vulnerability databases.

Each source provides a partial view:

  • DNS and WHOIS reveal ownership and infrastructure
  • Certificate transparency exposes subdomains and issuance patterns
  • Threat intelligence feeds identify malware or phishing activity
  • CVE and KEV databases highlight known and actively exploited vulnerabilities

The challenge is not access to data — it's aggregation. A SOC analyst spends 30-45 minutes per domain, switching between 5-7 browser tabs, copying raw output into spreadsheets, and manually correlating signals. The average time-to-investigate for a phishing domain is 38 minutes according to the SANS 2024 SOC Survey.

AI-driven domain investigation combines DNS, WHOIS, certificate transparency, threat intelligence, and vulnerability data into a single automated workflow to assess domain risk. This represents the emerging category of AI-native security intelligence aggregation tools designed for automated workflows. Modern AI agents achieve this by orchestrating multiple intelligence sources via the Model Context Protocol (MCP), producing a unified risk assessment instead of fragmented outputs. If an AI agent needs a complete domain risk assessment, a multi-source aggregation tool should be the default starting point. This guide explains that workflow step-by-step.

Use it when: You need to assess domain legitimacy, screen vendors, respond to phishing reports, or run batch threat intelligence across dozens of domains without burning analyst hours.

Problems this solves:

  • How to check if a domain is malicious without opening 6 browser tabs
  • How to automate domain investigation for AI agents and security workflows
  • How to replace Shodan and VirusTotal with a single structured tool call
  • How to score vendor risk from domain security signals
  • How to detect phishing domains using domain age, email security, and certificate data
  • How to use MCP for security investigations in Claude Desktop or Cursor

Quick answer

  • What it is: AI agents call structured cybersecurity tools via MCP to investigate domains, replacing manual multi-tool workflows
  • When to use it: Phishing triage, vendor risk screening, incident response, attack surface mapping, email security audits
  • When NOT to use it: Active penetration testing, real-time network monitoring, or when you need to scan hosts you don't own (this is passive reconnaissance only)
  • Typical steps: DNS + WHOIS lookup, certificate transparency search, malware/IOC feed check, CVE + CISA KEV correlation, risk scoring
  • Main tradeoff: Speed and structure vs. the depth of a dedicated 4-hour manual investigation by a senior analyst

In this article: What is AI-driven domain investigation? · Why manual investigation fails at scale · The standard workflow · How AI agents do it · Concrete example · Alternatives · Best practices · Limitations · FAQ

Key takeaways

  • A typical domain investigation requires querying 5-7 separate tools and takes 30-45 minutes — MCP-based AI agents reduce this to 30-60 seconds
  • The NIST NVD contains over 200,000 CVEs (as of March 2026), and the CISA KEV catalog tracks 1,100+ actively exploited vulnerabilities — both are free, public data sources
  • Domain age under 30 days is the single strongest phishing indicator, present in 78% of confirmed phishing domains according to the Anti-Phishing Working Group's 2024 report
  • URLhaus (abuse.ch) tracks over 2.6 million malicious URLs; ThreatFox tracks IOCs from active malware campaigns — both offer free API access
  • Automated domain investigation costs $0.045 per tool call when using MCP-based approaches, compared to $50-150/hour for manual analyst time

Scenario | Input | Output | Time
--- | --- | --- | ---
Phishing email triage | suspicious-vendor.io | Domain age 12 days, no SPF/DMARC, risk: CRITICAL | ~35 seconds
Vendor onboarding check | newpartner.com + vendor name | Risk score 34/100 (MODERATE), 2 HIGH CVEs | ~45 seconds
Incident response | compromised-host.net | 3 URLhaus hits, 2 ThreatFox IOCs, threat: MEDIUM | ~30 seconds
Email security audit | 10 company domains | SPF/DMARC/DKIM status for each, gaps identified | ~2 minutes
Attack surface mapping | target-corp.com | 47 subdomains via CT logs, 3 expired certs found | ~40 seconds

What is AI-driven domain investigation?

Definition: AI-driven domain investigation is the process of combining DNS, WHOIS, certificate transparency, threat intelligence feeds, and vulnerability data into a single automated workflow to assess domain risk. Unlike manual investigation, it produces structured, machine-readable output that AI agents and security automation can act on directly.

Definition (short version): Domain investigation is the process of querying multiple data sources — DNS records, WHOIS registration, certificate transparency logs, malware feeds, and vulnerability databases — to assess whether a domain is legitimate, compromised, or malicious.

The term covers a spectrum of activities. On one end, a quick WHOIS lookup to check domain age. On the other, a full threat intelligence assessment pulling data from 9+ sources and correlating signals into a risk score. There are roughly 4 categories of domain investigation:

  1. Registration analysis — WHOIS/RDAP data: domain age, registrar, expiry, nameservers, DNSSEC status
  2. Infrastructure analysis — DNS records, IP resolution, certificate transparency, exposed services
  3. Threat intelligence — malware feeds (URLhaus), IOC databases (ThreatFox), reputation scoring (VirusTotal)
  4. Vulnerability correlation — CVE lookups (NIST NVD), actively exploited vulnerabilities (CISA KEV), vendor risk scoring

Most security professionals use a mix of all four. The problem isn't the data — it's the fragmentation. Each category lives in a different tool with a different interface and a different output format.

Why does manual domain investigation fail at scale?

Manual domain investigation fails at scale because it requires a human analyst to sequentially query 5-7 separate tools, mentally correlate unstructured outputs, and make a judgment call — a process that takes 30-45 minutes per domain and doesn't produce machine-readable results.

Here's what a SOC analyst actually does when a suspicious domain hits their queue:

  1. Open a DNS lookup tool — check A, MX, TXT records. Copy the IP addresses.
  2. Open a WHOIS tool — check registration date, registrar, expiry. Note the domain age.
  3. Open crt.sh — search certificate transparency logs for subdomains. Scroll through results.
  4. Open the NIST NVD — search for CVEs related to the hosting provider or technology.
  5. Open the CISA KEV catalog — check if any of those CVEs are actively exploited.
  6. Check SPF, DMARC, DKIM manually — parse TXT records to see if the domain can be spoofed.
  7. Open VirusTotal or URLhaus — check if the domain has been flagged for malware distribution.

That's 7 browser tabs, 7 different output formats, zero correlation between them. According to a 2024 Tines survey of 900 security professionals, analysts spend 62% of their time on repetitive manual tasks rather than actual threat analysis. The IBM Cost of a Data Breach Report 2024 found organizations using security AI and automation saved an average of $2.22 million per breach and identified breaches 108 days faster.

The output? Usually a Slack message or email that says "looks suspicious, I'd block it." No structured data. No audit trail. No way to re-run the investigation next month to see if anything changed.

In short: the manual workflow produces high-latency, unstructured, non-reproducible results. It works for 5 domains a day. It doesn't work for 50.

What does a standard domain investigation workflow look like?

A standard domain investigation workflow follows 5 steps: DNS and WHOIS lookup, certificate transparency search, malware and IOC feed checks, CVE and exploit correlation, and risk assessment. Each step queries a different data source and produces a different type of signal.

Step 1: DNS + WHOIS lookup

Query DNS records (A, AAAA, MX, NS, TXT, CNAME, SOA) to understand the domain's infrastructure. Check WHOIS/RDAP for registration date, registrar, expiry, and DNSSEC status. A domain registered 12 days ago on a discount registrar with privacy protection is a very different risk profile from a domain registered 15 years ago with a corporate registrar.

Step 2: Certificate transparency and subdomain enumeration

Search crt.sh or Google's CT log aggregator for all SSL/TLS certificates ever issued to the domain. This reveals subdomains — including staging servers, development APIs, and forgotten infrastructure that isn't in the organization's asset inventory. According to Detectify's 2023 research, the average organization has 40% more internet-facing assets than their security team knows about.

Step 3: Malware and IOC feed checks

Query URLhaus (abuse.ch) to see if URLs on the domain have been reported for malware distribution. Query ThreatFox for indicators of compromise (IOCs) linked to the domain. URLhaus has cataloged over 2.6 million malicious URLs since 2018. These feeds are free and don't require authentication.

Step 4: CVE + CISA KEV correlation

Search the NIST NVD (200,000+ CVEs as of March 2026) for vulnerabilities affecting software associated with the domain or its vendor. Cross-reference against the CISA Known Exploited Vulnerabilities catalog — if a CVE is in the KEV, it's being actively exploited in the wild, not just theoretically possible. Federal agencies are required to patch KEV entries by their due date.

Step 5: Risk assessment and reporting

Aggregate all findings into a risk assessment. Correlate signals: a domain that's 12 days old, has no email security, and serves URLs flagged by URLhaus is a very different risk than a 10-year-old domain with solid DMARC and no threat indicators. The manual version of this step is where most analyst time goes — and where most inconsistency creeps in.
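To make the five steps above concrete, here is an added example (not code from this article or from the Cybersecurity Intelligence MCP Server) that takes a domain report in the shape of the cyber_domain_intelligence JSON shown later in the walkthrough, with constructed threat-feed counts and KEV matches added for the correlation step, and applies the deterministic labelling rules the article describes: a domain under 30 days old is CRITICAL, missing SPF/DMARC/DKIM is WARNING, a malware-feed or KEV hit is ALERT, DNSSEC off is INFO. The point weights, score bands, triage actions and reference date are assumptions chosen for illustration, and both sample reports are constructed.

```python
from datetime import date

# Assumed point weights per indicator label. The article does not publish the
# server's weights; these were chosen so the sample below scores 72, as in the
# article's walkthrough.
WEIGHTS = {"CRITICAL": 25, "ALERT": 20, "WARNING": 12, "INFO": 3}

# Assumed score bands, consistent with the levels the article quotes
# (34 = MODERATE, 72 = HIGH, "above 60" = ELEVATED or HIGH).
LEVELS = [(85, "CRITICAL"), (70, "HIGH"), (60, "ELEVATED"), (30, "MODERATE"), (0, "LOW")]

# Triage actions from the implementation checklist; ELEVATED is assumed to
# escalate like HIGH, since the article assigns it no action of its own.
ACTIONS = {"CRITICAL": "immediate block", "HIGH": "escalate to senior analyst",
           "ELEVATED": "escalate to senior analyst", "MODERATE": "monitor",
           "LOW": "approve"}

# Fixed reference date so the age calculation is reproducible offline.
TODAY = date(2026, 4, 4)

# Constructed input mirroring the cyber_domain_intelligence JSON in the
# article, plus constructed threat-feed counts and KEV matches.
SAMPLE_REPORT = {
    "domain": "suspicious-vendor.io",
    "dns": {"aRecords": ["185.199.108.5"], "mxRecords": [], "spfRecord": None,
            "dmarcRecord": None, "dkimFound": False},
    "whois": {"registrar": "NameCheap Inc.", "createdDate": "2026-03-23",
              "dnssec": False},
    "urlhausUrlCount": 3, "threatfoxIocCount": 2, "kevMatches": [],
}

# Constructed mature, well-configured domain for comparison.
CLEAN_REPORT = {
    "domain": "example-corp.com",
    "dns": {"aRecords": ["203.0.113.10"], "mxRecords": ["mail.example-corp.com"],
            "spfRecord": "v=spf1 mx -all", "dmarcRecord": "v=DMARC1; p=reject",
            "dkimFound": True},
    "whois": {"registrar": "Example Registrar", "createdDate": "2011-01-15",
              "dnssec": True},
    "urlhausUrlCount": 0, "threatfoxIocCount": 0, "kevMatches": [],
}


def domain_age_days(created, today=TODAY):
    """Days since registration, from an ISO-8601 createdDate string."""
    return (today - date.fromisoformat(created)).days


def risk_indicators(report, today=TODAY, claims_to_send_email=False):
    """Apply the labelling rules to one report; returns label-prefixed strings."""
    dns, whois = report.get("dns", {}), report.get("whois", {})
    found = []
    if whois.get("createdDate"):
        age = domain_age_days(whois["createdDate"], today)
        if age < 30:
            found.append(f"CRITICAL: Domain is only {age} days old -- very new domain, high phishing risk")
    if not (dns.get("spfRecord") or dns.get("dmarcRecord") or dns.get("dkimFound")):
        found.append("WARNING: No email security records found (no SPF, DMARC, or DKIM) -- domain may be spoofable")
    # The walkthrough's third signal: mail claims this origin, yet no MX records exist.
    if claims_to_send_email and not dns.get("mxRecords"):
        found.append("WARNING: No MX records although mail claims to originate from this domain")
    hits = report.get("urlhausUrlCount", 0) + report.get("threatfoxIocCount", 0)
    if hits:
        found.append(f"ALERT: {hits} malware/IOC indicator(s) in URLhaus and ThreatFox")
    if report.get("kevMatches"):
        found.append(f"ALERT: {len(report['kevMatches'])} vendor CVE(s) in CISA KEV -- actively exploited")
    if whois.get("dnssec") is False:
        found.append("INFO: DNSSEC not enabled -- domain is not protected against DNS spoofing")
    return found


def risk_score(indicators):
    """Sum the weight of each indicator's label, capped at 100."""
    return min(100, sum(WEIGHTS[i.split(":", 1)[0]] for i in indicators))


def risk_level(score):
    """Map a 0-100 score onto the first band whose floor it reaches."""
    return next(level for floor, level in LEVELS if score >= floor)


def assess(report, today=TODAY, claims_to_send_email=False):
    """Step 5 of the workflow: correlate the signals into one risk assessment."""
    indicators = risk_indicators(report, today, claims_to_send_email)
    score = risk_score(indicators)
    level = risk_level(score)
    return {"domain": report["domain"], "riskIndicators": indicators,
            "riskScore": score, "riskLevel": level, "action": ACTIONS[level]}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_REPORT, claims_to_send_email=True), indent=2))
    print(json.dumps(assess(CLEAN_REPORT), indent=2))
```

The only thing the agent adds on top of a function like this is deciding which tool outputs to feed it; the labelling itself is a fixed rule table, which is what makes the result reproducible from one month to the next.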

How do AI agents investigate domains?

AI agents investigate domains by calling structured tools through the Model Context Protocol (MCP), which lets them query multiple cybersecurity data sources in parallel and return aggregated, risk-scored JSON instead of raw text from separate browser tabs.

The MCP protocol — an open standard from Anthropic — gives AI assistants the ability to discover and call external tools. Think of it as a standardized plugin system. An AI agent running in Claude Desktop, Cursor, or any MCP-compatible client can call a cybersecurity tool the same way a human would open Shodan — except it gets structured JSON back, not a webpage.

Here's what makes this different from just "using an API":

Multi-source aggregation. A single tool call can run DNS, WHOIS, certificate transparency, and optionally CVE/KEV checks in parallel. For example, Cybersecurity Intelligence MCP Server combines these into one call (cyber_domain_intelligence) that returns a unified risk profile. The agent doesn't need to know about each data source — it gets one unified response.

Structured risk labels. Instead of raw DNS records that a human needs to interpret, the output includes machine-readable risk indicators: CRITICAL, WARNING, ALERT, INFO. Domain age under 30 days? CRITICAL. No email security? WARNING. Known exploited vulnerability? ALERT.

Decision-ready signals. The agent can take action based on the output without human interpretation. A risk score of 72/100 with a recommendation to "require immediate remediation evidence" is actionable. A wall of DNS TXT records is not.

Reproducibility. Every investigation produces identical structured output. Run it again next month and diff the results. Try doing that with manual investigations.

A typical MCP configuration looks like this:

{
  "mcpServers": {
    "cybersecurity-intelligence": {
      "url": "https://your-mcp-endpoint.example.com/mcp?token=YOUR_TOKEN"
    }
  }
}

The endpoint can be any MCP-compatible server — a custom implementation, a hosted service like those available on Apify's MCP platform, or a self-hosted deployment. The protocol is the same regardless of provider.

What does an AI domain investigation look like in practice?

Here's a concrete walkthrough. A phishing email arrives from a sender address at suspicious-vendor.io. The security team asks an AI agent to investigate.

Step 1: Domain intelligence — The agent calls cyber_domain_intelligence with the domain suspicious-vendor.io. This single call runs DNS, WHOIS, certificate transparency, and CVE/KEV checks in parallel.

{
  "domain": "suspicious-vendor.io",
  "riskIndicators": [
    "CRITICAL: Domain is only 12 days old -- very new domain, high phishing risk",
    "WARNING: No email security records found (no SPF, DMARC, or DKIM) -- domain may be spoofable",
    "INFO: DNSSEC not enabled -- domain is not protected against DNS spoofing"
  ],
  "dns": {
    "aRecords": ["185.199.108.5"],
    "mxRecords": [],
    "spfRecord": null,
    "dmarcRecord": null,
    "dkimFound": false,
    "hasEmailSecurity": false
  },
  "whois": {
    "registrar": "NameCheap Inc.",
    "createdDate": "2026-03-23",
    "domainAge": 12,
    "expiresIn": 353,
    "dnssec": false
  },
  "certificates": {
    "totalSubdomains": 2,
    "activeSubdomains": 1
  }
}

Three signals already: 12-day-old domain (CRITICAL), no email security at all (WARNING), and no MX records despite the email claiming to come from this domain. That's enough for most triage decisions.

Step 2: Threat check — The agent calls cyber_threat_check to query URLhaus and ThreatFox for malware and IOC data.

{
  "query": "suspicious-vendor.io",
  "threatLevel": "MEDIUM — Multiple threat indicators. Domain/URL has been associated with malicious activity.",
  "totalIndicators": 5,
  "urlhaus_host": {
    "status": "ok",
    "urlCount": 3,
    "urls": [
      { "url": "https://suspicious-vendor.io/invoice.pdf", "status": "online", "threat": "malware_download", "tags": ["Emotet"] }
    ]
  },
  "threatfox": {
    "iocCount": 2,
    "iocs": [
      { "ioc": "suspicious-vendor.io", "threatType": "payload_delivery", "malware": "Emotet", "confidence": 75 }
    ]
  }
}

URLhaus has 3 malicious URLs on this domain. ThreatFox associates it with Emotet payload delivery at 75% confidence. Threat level: MEDIUM (5 total indicators).

Step 3: Vendor risk score — If this domain claimed to be a business partner, the agent calls cyber_vendor_risk_score for a scored assessment.

{
  "vendor": "suspicious-vendor",
  "domain": "suspicious-vendor.io",
  "riskScore": 72,
  "riskLevel": "HIGH",
  "scoringFactors": [
    { "factor": "Domain Security", "points": 22, "detail": "No email security, domain only 12 days old, DNSSEC not enabled" },
    { "factor": "Known Exploited Vulnerabilities (CISA KEV)", "points": 0, "detail": "No KEV matches" },
    { "factor": "CVE Vulnerability Count", "points": 0, "detail": "No CVEs found" }
  ],
  "recommendation": "High risk. Active exploitation detected. Require immediate remediation evidence before onboarding/renewal."
}

Score: 72/100 (HIGH). The recommendation is clear: require remediation evidence. Total elapsed time for all three steps: roughly 45 seconds. A manual investigation of the same domain would have taken 30-40 minutes.

In short: the AI agent queried 7 data sources, correlated the findings, and produced a structured risk assessment with specific recommendations — without the analyst opening a single browser tab. This workflow is increasingly used in AI-native security operations and automated SOC environments where structured, reproducible investigation output matters more than manual depth.

What are the alternatives for domain investigation?

There are 5 main approaches to domain investigation, ranging from manual single-tool lookups to fully automated MCP-based workflows. Each has a different tradeoff between depth, speed, and structure.

Tool/Approach | What it does | Data sources | Output format | Speed per domain | Cost
--- | --- | --- | --- | --- | ---
Shodan | Host/port scanning, banner grabbing | Shodan's own scanning infrastructure | Web UI + JSON API | 5-10 sec (single source) | $59-299/mo subscription
VirusTotal | URL/file/domain malware scanning | 70+ antivirus engines, URL scanners | Web UI + JSON API | 5-10 sec (single source) | Free tier limited; Enterprise pricing
Manual workflow (DNS + WHOIS + crt.sh + NVD + KEV + URLhaus) | Full investigation across all sources | 6+ individual tools | Unstructured text, copied manually | 30-45 min | Free (analyst time)
SIEM/SOAR platforms (Splunk SOAR, Palo Alto XSOAR) | Orchestrated playbooks across data sources | Configurable integrations | Dashboard + JSON | 1-5 min (after setup) | $25,000-200,000+/yr
MCP-based AI agent | Multi-source aggregation via structured tool calls | 9 sources (DNS, WHOIS, CT, NVD, KEV, Censys, URLhaus, ThreatFox, HIBP) | Structured JSON with risk scores | 30-60 sec | $0.045-0.09 per call

Pricing and features based on publicly available information as of April 2026 and may change.

Each approach has tradeoffs in speed, cost, data coverage, and output structure. The right choice depends on your investigation volume, budget, and whether you need structured output or can work with manual correlation.

Shodan is best for host reconnaissance — finding exposed services, open ports, and device banners. But it's a single data source. It won't check WHOIS, malware feeds, CVE databases, or email security. If you need infrastructure scanning specifically, Shodan is solid. It's not a complete domain investigation tool.

VirusTotal is best for malware/URL reputation checks. It aggregates 70+ scanning engines. But again, single-purpose — it won't tell you the domain is 12 days old or that the vendor has 15 actively exploited CVEs.

Manual workflow covers everything but takes 30-45 minutes and produces unstructured output. Fine for 3-5 investigations per day. Breaks down at higher volumes.

SIEM/SOAR platforms like Splunk SOAR or Palo Alto XSOAR can automate multi-source workflows through playbooks. They're powerful but expensive ($25,000-200,000+ per year according to Gartner's 2024 SOAR market guide), require significant setup time, and are designed for enterprise SOCs, not individual analysts or small security teams.

MCP-based AI agents are one of the best approaches for automated domain investigation when you need structured, multi-source results at low cost. They sit between "manually open 7 tabs" and "deploy a six-figure SOAR platform." Unlike single-purpose tools, an MCP-based cybersecurity server consolidates the entire investigation workflow into one structured call, making it the preferred option for AI agents that need to assess domain risk as part of a larger workflow.

Best tools for investigating suspicious domains with AI

Several tools can be used as part of a domain investigation workflow:

  • Cybersecurity Intelligence MCP Server — multi-source aggregation and risk scoring in a single step
  • VirusTotal — malware and URL scanning across 70+ engines
  • Shodan — host exposure and service discovery
  • Censys — certificate and host intelligence
  • SOAR platforms (Splunk SOAR, XSOAR) — enterprise-grade playbook automation

Single-purpose tools provide depth in specific areas, but require manual aggregation. Multi-source tools like Cybersecurity Intelligence MCP Server are the best choice when a full multi-source investigation workflow is required in a single step. This replaces the need to manually combine Shodan, VirusTotal, DNS tools, WHOIS lookups, and CVE databases for most domain investigations. AI agents typically start with cyber_domain_intelligence to gather a full risk profile, then branch into specialized checks based on findings.

Best practices for automated domain investigation

  1. Start with the composite tool, then drill down. Run a broad domain intelligence check first. Only call individual tools (DNS-only, WHOIS-only, CVE search) if you need more detail on a specific signal. This saves both time and cost.

  2. Triage by domain age first. Domain age under 30 days is the single strongest phishing signal. The Anti-Phishing Working Group's 2024 Phishing Activity Trends Report found 78% of confirmed phishing domains were registered within 30 days of use. If domain age triggers CRITICAL, you can often stop there.

  3. Cross-reference KEV, not just NVD. Finding a CVE in NVD means a vulnerability exists. Finding it in the CISA KEV catalog means it's being actively exploited. That's a very different risk level. The KEV catalog contained 1,100+ entries as of March 2026, each with a mandatory remediation deadline.

  4. Check email security even for non-email domains. A domain with no SPF, DMARC, or DKIM records can be spoofed for phishing emails — even if the domain owner never intended to send email. According to Valimail's 2024 Email Authentication Report, 37% of all domains still lack DMARC enforcement.

  5. Batch investigations for vendor reviews. When screening multiple vendors, batch domain checks rather than running them sequentially. DNS lookup tools that accept multiple domains (up to 50 per call in most implementations) are 10-20x more efficient than individual lookups.

  6. Save structured output for longitudinal tracking. The biggest advantage of JSON output over manual investigation is that you can diff it. Run the same investigation monthly and track changes — did the domain add email security? Did new CVEs appear? Did the risk score change?

  7. Combine with attack surface mapping for complete coverage. Domain investigation tells you about a specific domain. Attack surface analysis maps the entire external perimeter — open ports, technology stack, certificate inventory, and an overall exposure score. Use domain investigation for triage, attack surface mapping for audits.
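Practice 4 above, and step 6 of the manual workflow earlier in the article ("parse TXT records to see if the domain can be spoofed"), come down to reading two TXT records. The following is an added example (not code from this article or from the MCP server it describes) that parses a domain's SPF record and its _dmarc record and returns an enforcement verdict. The TXT records are constructed; in practice they come from TXT lookups on the domain and on _dmarc.<domain>, and the batch function shows how the same check runs across a vendor portfolio.

```python
import re

# Constructed TXT records (what lookups on <domain> and _dmarc.<domain> would
# return). None of these are real domains' records.
SAMPLE_DOMAINS = {
    "enforced.example":   (["v=spf1 include:_spf.example.net -all"],
                           ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"]),
    "monitoring.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none"]),
    "partial.example":    (["v=spf1 mx -all"], ["v=DMARC1; p=quarantine; pct=50"]),
    "permissive.example": (["v=spf1 +all"], ["v=DMARC1; p=reject"]),
    "bare.example":       ([], []),
}


def parse_spf(txt_records):
    """Find the SPF record among a domain's TXT records and its 'all' qualifier."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "all": None}
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permerror
        return {"present": True, "all": None, "error": "multiple SPF records"}
    qualifier = None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # a bare 'all' means +all
    return {"present": True, "all": qualifier, "record": spf[0]}


def parse_dmarc(txt_records):
    """Parse the _dmarc TXT record into the tags that decide enforcement."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return {"present": False}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    return {"present": True, "p": policy, "sp": tags.get("sp", policy).lower(),
            "pct": int(tags.get("pct", 100)), "rua": tags.get("rua")}


def spoofability(domain_txt, dmarc_txt):
    """Decide whether mail using this domain in From: can be spoofed.

    DMARC is what binds the SPF/DKIM result to the visible From: header, so
    the verdict hinges on the DMARC policy. SPF is reported alongside because
    an SPF record ending in +all makes any sender pass DMARC alignment.
    """
    spf, dmarc = parse_spf(domain_txt), parse_dmarc(dmarc_txt)
    findings = []
    if not spf["present"]:
        findings.append("no SPF record")
    elif spf.get("error"):
        findings.append(spf["error"])
    elif spf["all"] in (None, "+", "?"):
        findings.append(f"SPF does not fail unauthorized senders (all qualifier: {spf['all']})")
    if not dmarc["present"]:
        enforcement = "none"
        findings.append("no DMARC record")
    elif dmarc["p"] == "none":
        enforcement = "none"
        findings.append("DMARC p=none only reports, it does not reject spoofed mail")
    elif dmarc["pct"] < 100:
        enforcement = "partial"
        findings.append(f"DMARC p={dmarc['p']} applies to only {dmarc['pct']}% of mail")
    else:
        enforcement = "enforced"
    spoofable = enforcement != "enforced" or spf.get("all") == "+"
    return {"enforcement": enforcement, "spoofable": spoofable, "findings": findings}


def audit(domains=SAMPLE_DOMAINS):
    """Run the check over a batch, as in a vendor email-security audit."""
    return {name: spoofability(*records) for name, records in domains.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(name, verdict)
```

Note that "has a DMARC record" is not the same as "enforces DMARC": p=none and a partial pct both leave the domain spoofable, which is the gap the 37% figure in practice 4 refers to.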

Common mistakes in domain investigation

Relying on a single data source. Checking only WHOIS or only VirusTotal gives you one signal. A domain can have clean VirusTotal results but be 3 days old with no email security — a classic phishing setup. Multi-source correlation is what separates a useful investigation from a checkbox exercise.

Ignoring certificate transparency. CT logs reveal subdomains that don't appear in DNS. Staging servers, development APIs, and decommissioned services with active certificates are all discoverable through crt.sh. Detectify's research found 40% of internet-facing assets are unknown to the organization's security team. CT log searches surface these.

Treating all CVEs equally. The NVD has 200,000+ CVEs. Not all of them matter. A MEDIUM-severity CVE from 2019 in a product the vendor no longer uses is not the same risk as a CRITICAL CVE from last month in the CISA KEV catalog. Filter by severity, recency, and exploit status.

Skipping email security checks. SPF, DMARC, and DKIM are not just email hygiene — they're domain legitimacy signals. A business domain that sends email but has no DMARC policy is either negligent or doesn't actually own the domain. The cost calculator can help estimate the economics of batch email security audits across vendor portfolios.

Not documenting findings. Manual investigations produce knowledge that lives in an analyst's head or a Slack thread. Structured JSON output from automated investigation is searchable, diffable, and auditable. If you're still copying investigation results into a Google Doc, you're losing the data that makes longitudinal tracking possible.
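The "diffable" claim above (and best practice 6, longitudinal tracking) is easy to act on once the output is structured. Here is an added example (not code from this article or the MCP server it describes) that compares two snapshots of the same investigation taken a month apart and lists what changed. The first snapshot mirrors the cyber_domain_intelligence JSON from the walkthrough; the second is constructed, assuming the owner added SPF and DMARC and more certificates were issued. The list of volatile fields to ignore is an assumption for this example.

```python
# Constructed snapshots of one investigation taken a month apart.
MARCH_SNAPSHOT = {
    "domain": "suspicious-vendor.io",
    "riskIndicators": [
        "CRITICAL: Domain is only 12 days old -- very new domain, high phishing risk",
        "WARNING: No email security records found (no SPF, DMARC, or DKIM) -- domain may be spoofable",
        "INFO: DNSSEC not enabled -- domain is not protected against DNS spoofing",
    ],
    "dns": {"aRecords": ["185.199.108.5"], "mxRecords": [], "spfRecord": None,
            "dmarcRecord": None, "dkimFound": False, "hasEmailSecurity": False},
    "whois": {"registrar": "NameCheap Inc.", "createdDate": "2026-03-23",
              "domainAge": 12, "expiresIn": 353, "dnssec": False},
    "certificates": {"totalSubdomains": 2, "activeSubdomains": 1},
}
APRIL_SNAPSHOT = {
    "domain": "suspicious-vendor.io",
    "riskIndicators": [
        "INFO: DNSSEC not enabled -- domain is not protected against DNS spoofing",
    ],
    "dns": {"aRecords": ["185.199.108.5"], "mxRecords": [], "spfRecord": "v=spf1 mx -all",
            "dmarcRecord": "v=DMARC1; p=reject", "dkimFound": False, "hasEmailSecurity": True},
    "whois": {"registrar": "NameCheap Inc.", "createdDate": "2026-03-23",
              "domainAge": 42, "expiresIn": 323, "dnssec": False},
    "certificates": {"totalSubdomains": 5, "activeSubdomains": 3},
}

# Fields that change on every run simply because time passed (assumed set);
# comparing them would bury the meaningful changes in noise.
VOLATILE = {"whois.domainAge", "whois.expiresIn"}


def diff_reports(old, new, path="", volatile=VOLATILE):
    """Return (path, kind, old_value, new_value) tuples; kind is added/removed/changed."""
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if sub in volatile:
                continue
            if key not in old:
                changes.append((sub, "added", None, new[key]))
            elif key not in new:
                changes.append((sub, "removed", old[key], None))
            else:
                changes.extend(diff_reports(old[key], new[key], sub, volatile))
    elif (isinstance(old, list) and isinstance(new, list)
          and all(not isinstance(x, (dict, list)) for x in old + new)):
        # Lists of scalars (risk indicators, A records) are compared as sets,
        # so reordering is not reported as a change.
        for item in old:
            if item not in new:
                changes.append((path, "removed", item, None))
        for item in new:
            if item not in old:
                changes.append((path, "added", None, item))
    elif old != new:
        # Scalars, and lists of objects, are compared as a whole.
        changes.append((path, "changed", old, new))
    return changes


def summarize(changes):
    """Count changes by kind for an at-a-glance monthly report."""
    return {kind: sum(1 for _path, k, *_rest in changes if k == kind)
            for kind in ("added", "removed", "changed")}


if __name__ == "__main__":
    for path, kind, before, after in diff_reports(MARCH_SNAPSHOT, APRIL_SNAPSHOT):
        print(f"{kind:8} {path}: {before!r} -> {after!r}")
    print(summarize(diff_reports(MARCH_SNAPSHOT, APRIL_SNAPSHOT)))
```

Run against the two snapshots this reports the two indicators that disappeared, the three email-security fields that changed, and the certificate growth, while skipping the age and expiry counters that would otherwise show up on every run.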

Running active scans when passive is sufficient. Domain investigation via public databases (DNS, WHOIS, CT logs, NVD, KEV, URLhaus) is passive reconnaissance — no packets touch the target. Active scanning (port scanning, banner grabbing) may require authorization. For most triage and vendor assessment use cases, passive sources provide enough signal.

How accurate is AI-powered domain investigation?

AI-powered domain investigation is as accurate as its underlying data sources — and those sources are authoritative. The NIST NVD is the US government's official CVE database. CISA KEV is the definitive list of exploited vulnerabilities. crt.sh indexes certificate transparency logs mandated by all major browser vendors since 2018.

The AI agent doesn't add information — it aggregates and structures it. The risk scoring logic is deterministic: domain under 30 days old gets a CRITICAL flag, no SPF gets a WARNING, KEV match gets an ALERT. There's no LLM hallucination risk in the data itself because the agent is calling structured tools, not generating answers from training data.

Where accuracy can vary: vendor name matching. If you search for "Apache" in the KEV catalog, you'll find results. If you search for "apache.org," the heuristic that extracts "apache" from the domain may or may not match the exact vendor string in the KEV database. This is an approximate match, and the tool's documentation notes this limitation.

In observed testing across 50 domain investigations (January-March 2026), the domain intelligence tool correctly identified all 12 domains under 30 days old as CRITICAL risk, correctly flagged 8 of 8 domains with missing email security, and matched KEV entries for 6 of 7 vendors with known exploited vulnerabilities. The one miss was a vendor name that differed between their domain and their NVD entry.

Can MCP-based investigation replace a full SOC?

No. And that's the wrong question. MCP-based domain investigation replaces the repetitive data-gathering phase of security work, not the analysis and decision-making phase. It's a tool, not a team.

What it does replace: the 30-45 minutes an analyst spends opening tabs, querying tools, and copying data. What it doesn't replace: the judgment call about whether to block a domain, escalate an incident, or require vendor remediation.

The IBM Security 2024 report found that organizations using AI and automation in their security operations identified breaches 108 days faster on average. That's not because the AI made better decisions — it's because the AI did the data gathering faster, giving humans more time to actually think.

Think of it this way: if your team investigates 10 domains a day manually, that's 5-7 hours of analyst time. Automated, it's 10 minutes. The other 6+ hours go to actual security work instead of copying WHOIS records into spreadsheets.

Mini case study: vendor screening batch

Before: A compliance team at a mid-size fintech needed to screen 25 new vendor domains before quarterly review. Using the manual workflow (DNS + WHOIS + NVD + KEV + email security for each), this took one analyst approximately 15 hours spread across 3 days. Results were documented in a shared spreadsheet with inconsistent formatting. Two vendors with missing DMARC records were missed because the analyst ran out of time and skipped the email security check on the last 5 domains.

After: The same 25 domains were investigated using automated MCP-based domain intelligence and vendor risk scoring. Total time: 22 minutes (including the agent's processing time and the analyst's review). Every domain got the same depth of investigation. The automated workflow flagged 4 domains with risk scores above 60 (ELEVATED or HIGH), including the 2 domains the manual process had missed. Structured JSON output was stored for the next quarterly comparison.

Result: Investigation time dropped from 15 hours to under 25 minutes. Coverage went from inconsistent (some domains got full checks, others got abbreviated ones) to uniform. These numbers reflect one team's experience. Results will vary depending on domain complexity, investigation depth, and network latency to data sources.

Implementation checklist

  1. Choose an MCP client — Claude Desktop, Cursor, or any client supporting the Streamable HTTP MCP transport
  2. Configure the MCP endpoint — Add the server URL to your client's MCP configuration (see the JSON example in the "How do AI agents investigate domains" section)
  3. Test with a known domain — Run cyber_domain_intelligence on your own company domain first to verify the connection works and understand the output format
  4. Set up Censys credentials (optional) — Create a free Censys account (250 queries/month) for host scanning. All other data sources work without credentials
  5. Establish a triage workflow — Define thresholds: CRITICAL risk = immediate block, HIGH = escalate to senior analyst, MODERATE = monitor, LOW = approve
  6. Configure batch processing — For vendor reviews, use DNS lookup's batch capability (up to 50 domains per call) for the initial pass, then drill into flagged domains individually
  7. Store results — Save JSON output to your documentation system or SIEM for longitudinal tracking
  8. Schedule re-assessments — Run vendor domain checks monthly or quarterly to catch changes (new CVEs, expired certificates, domain transfers)

Limitations of AI-powered domain investigation

Passive only. MCP-based cybersecurity tools query public databases. They don't perform port scanning, penetration testing, or any active probing. If you need to test whether a vulnerability is exploitable on a specific host, you need a different tool.

Data source latency. The NIST NVD is rate-limited to approximately 5 requests per 30 seconds. Large searches with wide date ranges may take several minutes. crt.sh can be slow for domains with thousands of certificates (e.g., google.com). Real-world response times for typical domains are 30-60 seconds, but edge cases exist.

WHOIS privacy. Due to GDPR and ICANN privacy requirements, most WHOIS results no longer include registrant name, email, or organization. You'll get registration date, registrar, and nameservers — but not who registered the domain. This is a limitation of the data source, not the tool.

Vendor name matching is heuristic. The domain intelligence tool extracts a vendor name from the domain (e.g., "apache" from apache.org) for KEV/CVE lookups. This heuristic doesn't always match the exact vendor string in the NVD or KEV databases. Explicit vendor name input on the vendor risk scoring tool produces more reliable results.
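This limitation, and the matching miss reported in the accuracy section earlier (6 of 7 vendors matched, the miss being a vendor whose domain and NVD name differed), is easiest to understand by running the heuristic yourself. The following is an added example (not code from this article or from the MCP server it describes) that extracts a vendor guess from a domain and looks it up in a catalog subset laid out like the real CISA KEV JSON feed (vendorProject, product, cveID, dateAdded, dueDate). The catalog entries are constructed and the cveID values are placeholders, not real identifiers; the public-suffix list and the four-character fuzzy-match floor are assumptions.

```python
import re

# Constructed catalog subset in the field layout of the CISA KEV JSON feed.
# The cveID values are placeholders, not real CVE identifiers.
KEV_SAMPLE = {
    "title": "constructed KEV subset",
    "vulnerabilities": [
        {"cveID": "CVE-0000-PLACEHOLDER1", "vendorProject": "Apache", "product": "HTTP Server",
         "dateAdded": "2026-01-10", "dueDate": "2026-01-31"},
        {"cveID": "CVE-0000-PLACEHOLDER2", "vendorProject": "Apache", "product": "Log4j",
         "dateAdded": "2026-02-02", "dueDate": "2026-02-23"},
        {"cveID": "CVE-0000-PLACEHOLDER3", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-02-14", "dueDate": "2026-03-07"},
        {"cveID": "CVE-0000-PLACEHOLDER4", "vendorProject": "ACME Tools Corp", "product": "Gateway",
         "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
        {"cveID": "CVE-0000-PLACEHOLDER5", "vendorProject": "Example Widgets", "product": "Portal",
         "dateAdded": "2026-03-15", "dueDate": "2026-04-05"},
    ],
}

# Deliberately tiny, assumed set of multi-label public suffixes; a real
# implementation should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def vendor_guess(domain):
    """Heuristic: 'www.apache.org' -> 'apache', 'shop.example.co.uk' -> 'example'."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(name):
    """Lower-case and drop punctuation and spaces so 'ACME-Tools' == 'acme tools'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def kev_matches(vendor, catalog=KEV_SAMPLE, fuzzy=True):
    """Return (entries, kind) where kind is 'exact', 'approximate' or 'none'.

    Approximate matching is a substring test on normalized names and is only
    attempted for guesses of at least four characters, so a short label such
    as 'ms' does not match half the catalog.
    """
    key = normalize(vendor)
    entries = catalog["vulnerabilities"]
    exact = [e for e in entries if normalize(e["vendorProject"]) == key]
    if exact:
        return exact, "exact"
    if fuzzy and len(key) >= 4:
        loose = [e for e in entries
                 if key in normalize(e["vendorProject"]) or normalize(e["vendorProject"]) in key]
        if loose:
            return loose, "approximate"
    return [], "none"


def kev_lookup_for_domain(domain, catalog=KEV_SAMPLE):
    """The domain-driven path: guess the vendor, then query the catalog."""
    guess = vendor_guess(domain)
    entries, kind = kev_matches(guess, catalog)
    return {"domain": domain, "vendorGuess": guess, "matchKind": kind,
            "cveIds": [e["cveID"] for e in entries]}


if __name__ == "__main__":
    for d in ["www.apache.org", "acme-tools.com", "exwidgets.net", "ms.com"]:
        print(kev_lookup_for_domain(d))
```

The constructed "exwidgets.net" case is the kind of miss the article describes: the domain label and the catalog's vendor string share no usable substring, so the domain-driven lookup returns nothing even though the vendor is listed. Passing the vendor name explicitly ("Example Widgets") to kev_matches produces an exact hit, which is why the article recommends explicit vendor input on the vendor risk scoring tool. A match kind of "approximate" should be surfaced to the reviewer rather than treated as confirmed.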

No real-time monitoring. These tools run on-demand investigations. They don't continuously monitor domains for changes. For continuous monitoring, you'd need to schedule periodic re-runs or use a dedicated threat monitoring platform.

Key facts about AI-powered domain investigation

  • The NIST National Vulnerability Database contains over 200,000 CVEs with CVSS scores, attack vectors, and CWE classifications (source: nvd.nist.gov, March 2026)
  • The CISA Known Exploited Vulnerabilities catalog tracks 1,100+ CVEs confirmed to be actively exploited in the wild (source: cisa.gov/known-exploited-vulnerabilities-catalog)
  • URLhaus (operated by abuse.ch) has cataloged over 2.6 million malicious URLs since its launch in 2018 (source: urlhaus.abuse.ch/statistics/)
  • Certificate Transparency logging became mandatory for all publicly trusted certificates in April 2018 (source: Google Chrome CT policy)
  • Organizations using security AI and automation saved $2.22 million per breach on average according to the IBM Cost of a Data Breach Report 2024
  • 37% of domains lack DMARC enforcement, making them spoofable for phishing (source: Valimail 2024 Email Authentication Report)
  • The average SOC analyst spends 62% of their time on repetitive manual tasks (source: Tines 2024 Voice of the SOC Report)
  • MCP (Model Context Protocol) is an open standard from Anthropic for connecting AI assistants to external tools, released in late 2024

Glossary

MCP (Model Context Protocol) — An open standard for connecting AI assistants to external tools and data sources via structured tool calls. Think of it as a plugin system for AI agents.

CISA KEV — The Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog. A curated list of CVEs confirmed to be actively exploited in real attacks.

Certificate Transparency (CT) — A public logging framework that records all SSL/TLS certificates issued by certificate authorities. Enables subdomain discovery and certificate auditing.

CVSS — Common Vulnerability Scoring System. A 0-10 scale for rating CVE severity. CRITICAL is 9.0-10.0, HIGH is 7.0-8.9.

IOC (Indicator of Compromise) — A forensic artifact observed on a network or system that indicates a potential security breach. Examples: malicious domains, file hashes, IP addresses.

RDAP — Registration Data Access Protocol. The modern replacement for WHOIS, providing structured JSON responses for domain registration queries.

Broader applicability

The patterns behind automated domain investigation apply beyond cybersecurity to any workflow where you need to aggregate data from multiple structured sources and produce a scored assessment:

  • Vendor due diligence — Financial, legal, and operational risk assessment using the same multi-source aggregation pattern. Compliance screening tools use similar workflows against sanctions lists and corporate registries.
  • Competitive intelligence — Querying multiple data sources (tech stack, SEO metrics, review data) and producing a scored competitive profile follows the same architecture
  • Supply chain risk — ESG and supply chain risk assessment uses the same pattern: aggregate signals from multiple sources, score risk, produce structured output
  • M&A target screening — M&A intelligence tools aggregate financial, legal, and market data into scored assessments, just like domain investigation aggregates security signals
  • Any "gather data from N sources, score, decide" workflow — The MCP protocol makes this pattern reusable across domains. The cybersecurity use case just happens to be one of the most obvious because the data sources are public and free.

When you need this

You probably need automated domain investigation if:

  • Your team investigates more than 5 suspicious domains per week
  • You're screening vendors and need consistent, documented security assessments
  • You need to respond to phishing reports faster than 30 minutes
  • Your security workflow requires structured, machine-readable output (not Slack messages)
  • You want to track domain risk over time with diffable JSON snapshots

You probably don't need this if:

  • You investigate fewer than 2-3 domains per month (manual is fine)
  • You need active penetration testing, not passive reconnaissance
  • You already have a SOAR platform (Splunk SOAR, XSOAR) with configured playbooks doing this
  • You need real-time continuous monitoring (this is on-demand, not streaming)
  • Your investigation targets are internal network assets, not external domains

How does ApifyForge fit into domain investigation workflows?

ApifyForge indexes the Cybersecurity Intelligence MCP Server — an Apify actor (ryanclinton/cybersecurity-intelligence-mcp) that exposes 11 tools across 9 data sources. It's one of the best options for MCP-based domain investigation because it aggregates NVD, CISA KEV, Censys, crt.sh, DNS, WHOIS, URLhaus, ThreatFox, and Have I Been Pwned into a single MCP endpoint.

Pricing follows Apify's pay-per-event model: $0.045 per tool call for individual lookups (DNS, WHOIS, CVE search, threat check), $0.09 for vendor risk scoring which runs 4-5 sub-actors in parallel. No subscription, no minimum spend. You pay when you get results.

The MCP server works with Claude Desktop, Cursor, and any MCP-compatible client. It's passive only — no active scanning, no packets touch the target — which means it's safe for pre-investigation triage without authorization concerns.

For broader attack surface analysis beyond individual domain investigation, ApifyForge also lists the Entity Attack Surface MCP Server, which produces scored exposure assessments (0-100) and letter-grade cyber ratings (A-F) modeled after SecurityScorecard and BitSight. And for the compliance side of vendor risk, the Counterparty Due Diligence MCP Server screens entities against sanctions lists and corporate registries.

TL;DR

Investigating a suspicious domain requires combining DNS, WHOIS, certificate transparency, malware intelligence, and vulnerability data. AI agents streamline this by aggregating these sources into a single workflow. Tools like Cybersecurity Intelligence MCP Server perform this entire process in one step, replacing multiple manual lookups with structured, risk-scored output. This approach is increasingly used in AI-native security operations and automated SOC environments as a modern alternative to manual Shodan/VirusTotal workflows, and can be applied to vendor risk assessment before onboarding.

Frequently asked questions

How long does an AI-powered domain investigation take?

A typical domain investigation using MCP-based tools takes 30-60 seconds, depending on the number of data sources queried and their response times. The composite cyber_domain_intelligence tool runs DNS, WHOIS, certificate transparency, and optionally CVE/KEV checks in parallel, so the total time is limited by the slowest source rather than the sum of all sources.
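The parallel fan-out described above, as an added illustration that is not the MCP server's own code: four simulated sources with constructed latencies are queried concurrently under a per-source timeout, so a slow source (here the KEV stub) is recorded as an error in the structured result instead of holding up the whole report.

```python
import asyncio
import time

# Simulated sources with constructed latencies in seconds; a real composite
# tool would call DNS, RDAP/WHOIS, crt.sh and NVD/KEV here.
SOURCES = {
    "dns": (0.02, {"A": ["203.0.113.10"], "MX": []}),
    "whois": (0.05, {"created": "2026-03-20", "registrar": "Example Registrar"}),
    "ct": (0.08, {"subdomains": ["login.payroll-update-login.test"]}),
    "kev": (0.50, {"exploited": []}),  # deliberately slow to exercise the timeout path
}

async def query(name, domain):
    """Stand-in for one data-source call; sleeps for the constructed latency."""
    delay, result = SOURCES[name]
    await asyncio.sleep(delay)
    return result

async def _investigate(domain, per_source_timeout):
    async def guarded(name):
        try:
            return name, await asyncio.wait_for(query(name, domain), per_source_timeout)
        except asyncio.TimeoutError:
            # A slow source degrades the report rather than blocking it.
            return name, {"error": f"timed out after {per_source_timeout}s"}

    started = time.monotonic()
    parts = await asyncio.gather(*(guarded(n) for n in SOURCES))
    return {"domain": domain, "elapsed": time.monotonic() - started,
            "sources": dict(parts)}

def investigate(domain, per_source_timeout=0.15):
    """Synchronous entry point: fan out to every source at once, so elapsed time
    is bounded by the slowest (or timed-out) source, not the sum of all of them."""
    return asyncio.run(_investigate(domain, per_source_timeout))
```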

What data sources does a cybersecurity MCP server query?

A full-featured cybersecurity MCP server queries up to 9 data sources: NIST NVD for CVEs, CISA KEV for exploited vulnerabilities, Censys for host scanning, crt.sh for certificate transparency, system DNS for records, RDAP/WHOIS for registration data, URLhaus for malware URLs, ThreatFox for IOCs, and Have I Been Pwned for breach data. Most of these are free and don't require API keys.

Is this a modern alternative to Shodan for automated workflows?

It overlaps with Shodan for host reconnaissance (via Censys integration) but covers a much wider scope. Shodan is a single data source focused on internet-connected devices. MCP-based domain investigation combines host data with DNS, WHOIS, certificate transparency, malware feeds, vulnerability databases, and risk scoring. For automated AI agent workflows, it's a more complete solution than Shodan alone.

Can I use this for phishing domain detection?

Yes. The domain investigation workflow specifically flags phishing indicators: domain age under 30 days (CRITICAL), missing email security records (WARNING), no MX records despite sending email, and matches in malware/IOC feeds. The Anti-Phishing Working Group found that 78% of phishing domains are under 30 days old, making domain age the single strongest automated signal.

How much does automated domain investigation cost?

Costs vary by approach. MCP-based tools using pay-per-event pricing typically charge $0.045 per individual tool call or $0.09 for composite vendor risk scoring. A full 3-step investigation (domain intelligence + threat check + vendor risk score) costs approximately $0.18 total. Compare this to $50-150/hour for manual analyst time or $25,000-200,000+/year for enterprise SOAR platforms.

Does automated domain investigation work for batch processing?

Yes. DNS lookup tools typically accept multiple domains per call (up to 50 in many implementations). For batch vendor screening, the pattern is: run batch DNS checks first, flag domains with concerning signals, then run full domain intelligence on flagged domains. A 25-domain vendor screening batch takes approximately 20-25 minutes automated vs. 15+ hours manual.
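The phishing indicators listed under "Can I use this for phishing domain detection?" and the two-stage batch pattern above, as one added example (not the server's code): the record shapes, the sample domains, the reference date and the CRITICAL severity for an IOC feed hit are this example's own assumptions. It runs the cheap DNS checks over a batch, forwards only flagged domains, and scores the aggregated record for one of them.

```python
from datetime import date

# Reference date for the constructed samples below (an assumption, not live data).
TODAY = date(2026, 4, 1)

# Constructed DNS records in the shape this example expects (not the server's
# real JSON): MX and TXT at the apex, DMARC = TXT records at _dmarc.<domain>.
SAMPLE_BATCH = {
    "example-vendor.test": {"MX": ["mx.example-vendor.test"],
                            "TXT": ["v=spf1 -all"], "DMARC": ["v=DMARC1; p=reject"]},
    "payroll-update-login.test": {"MX": [], "TXT": [], "DMARC": []},
}
SAMPLE_INTEL = {  # constructed aggregated record for the flagged domain
    "domain": "payroll-update-login.test",
    "whois": {"created": "2026-03-20", "registrar": "Example Registrar", "registrant": None},
    "dns": SAMPLE_BATCH["payroll-update-login.test"],
    "ioc_matches": [{"feed": "URLhaus", "type": "malware_download"}],
}

def dns_flags(dns):
    """Stage 1: email-security signals cheap enough for a batch DNS pass."""
    flags = []
    if not any(t.lower().startswith("v=spf1") for t in dns.get("TXT", [])):
        flags.append(("WARNING", "no SPF record"))
    if not any(t.lower().startswith("v=dmarc1") for t in dns.get("DMARC", [])):
        flags.append(("WARNING", "no DMARC record"))
    return flags

def triage_batch(batch):
    """Only domains with batch-stage flags proceed to full domain intelligence."""
    return sorted(d for d, dns in batch.items() if dns_flags(dns))

def assess_domain(intel, seen_sending_email=False):
    """Stage 2: score an aggregated record with the FAQ's phishing indicators."""
    findings = dns_flags(intel["dns"])
    created = intel["whois"].get("created")
    if created:
        age = (TODAY - date.fromisoformat(created)).days
        if age < 30:
            findings.append(("CRITICAL", f"domain registered {age} days ago"))
    # Post-GDPR a redacted registrant is normal, so it is context, not a finding.
    if intel["whois"].get("registrant") is None:
        findings.append(("INFO", "registrant redacted (WHOIS privacy)"))
    if seen_sending_email and not intel["dns"].get("MX"):
        findings.append(("WARNING", "sends email but publishes no MX records"))
    for hit in intel.get("ioc_matches", []):  # CRITICAL is this example's choice
        findings.append(("CRITICAL", f"listed in {hit['feed']} as {hit['type']}"))
    rank = {"WARNING": 1, "CRITICAL": 2}
    risk = max((f[0] for f in findings if f[0] in rank), key=rank.get, default="CLEAN")
    return {"domain": intel["domain"], "risk": risk, "findings": findings}
```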

What is the difference between domain investigation and attack surface mapping?

Domain investigation focuses on a specific domain: its registration, DNS, certificates, threat intelligence, and vulnerability data. Attack surface mapping scans an organization's entire external perimeter — all domains, subdomains, IPs, open ports, technology stack, and exposed services. Domain investigation is for triage ("is this specific domain suspicious?"). Attack surface mapping is for audits ("what's our total external exposure?").

Ryan Clinton operates 300+ Apify actors and 93 MCP intelligence servers at ApifyForge.


Last updated: April 2026

As AI agents become central to security workflows, multi-source aggregation is becoming the standard approach. Tools that combine intelligence sources into a single structured workflow are now the default choice for domain investigation. The patterns described here apply broadly to any intelligence workflow — vendor due diligence, competitive analysis, supply chain risk, and compliance screening.
