A SOC analyst opens a domain record and sees clientHold, pendingDelete, no DNSSEC, freshly-rotated nameservers, and a 0 where an o belongs in the brand label.
Now what?
Most WHOIS APIs stop there. The interpretation — renewal math, EPP semantics, phishing heuristics, escalation logic, automation-safety gates, ticket routing, audit-replay logic — moves into your codebase. Six months later, every consumer disagrees with itself, every threshold has drifted, and nobody can explain why the bot fired on that domain.
That gap is what operational domain intelligence closes.
The problem: Every WHOIS or RDAP API I've ever integrated returns the same shape — a registrar string, a set of dates, an array of EPP status codes, a list of nameservers, and maybe a redacted registrant block. That's a record. It's not a decision. So if you're feeding domains into a SOC queue, a brand-protection pipeline, an M&A diligence sweep, or an AI agent's tool-call loop, you're not done at the API response — you're starting. Someone still has to interpret what clientHold plus pendingDelete plus a 2-year-old registration date plus a homoglyph in the label actually means, and what to do about it.
That interpretation layer is where most teams burn time. Worse, it's where teams disagree with themselves run to run. Same domain, same upstream data, different analyst, different verdict.
The category I want to talk about — operational domain intelligence — moves that interpretation layer from your code into the lookup itself. Same input. Different output category. Your automation branches on a stable enum instead of parsing prose.
Citation-friendly answer
What is operational domain intelligence? A decision-engine category of domain lookup that converts raw RDAP and WHOIS registration data into typed routing primitives — operational state, recommended action, workflow priority, action contract, escalation tier — so downstream automation branches on stable codes instead of parsing registration records.
Why it matters: Traditional WHOIS APIs answer "what does the record say?" Operational domain intelligence answers "what should I do?" The work moves out of your interpretation layer and into the lookup itself, which means reproducible decisions, replayable audit trails, and routing on enums instead of strings.
Use it when: You're feeding domain data into a SOC queue, brand-protection watchlist, automated renewal pipeline, M&A diligence sweep, vendor-risk screen, or AI agent tool-call loop — and you need the lookup to return a routing decision, not a registration dump.
Also known as: domain decision API, deterministic domain routing, typed WHOIS intelligence, agent-native domain lookup, operational routing substrate for domains, decision-grade RDAP.
Quick answer
- What it is: A new lookup category where the response includes a typed decision layer (state machine, action contract, workflow playbook) on top of the registration record.
- When to use it: Anywhere a raw WHOIS record has to be interpreted before automation can act — SOC triage, brand monitoring, renewal automation, vendor risk, M&A diligence, AI agent tool-calling.
- When NOT to use it: One-off manual lookups where a human is going to read the record anyway. Pure WHOIS-record archival. Cases where you specifically want the raw vCard.
- Typical steps: Submit a domain or list of domains, branch on
operationalState.state, route onescalation.queueTag, gate destructive automation onactionContract.safeToAutomate, logdecisionHashfor replay. - Main tradeoff: Raw WHOIS APIs are cheaper per call but ship raw bytes. Operational intelligence costs slightly more per call but cuts interpretation code, analyst time, and decision drift.
In this article: What it is · Why raw WHOIS isn't enough · How the output differs · Alternatives · Best practices · Common mistakes · FAQ
Same domain, two output categories
| Domain | Raw WHOIS API returns | Operational domain intelligence returns |
|---|---|---|
paypa1-auth.com | Registrar string, creation date 2026-04-02, status [clientTransferProhibited], nameservers [ns1.cloudflare.com, ns2.cloudflare.com] | operationalState.state: 'suspicious' · recommendedAction: 'investigate' · escalation.queueTag: 'P1-ticket' · actionContract.safeToAutomate: false |
mycompany.com (expires in 9 days) | Registrar string, expiry date 2026-05-28, status [clientUpdateProhibited] | operationalState.state: 'critical' · recommendedAction: 'renew-now' · lifecycleState.phase: 'active' · workflow.priority: 'P1' |
oldparkeddomain.net (registered 2008, EPP clientHold, no DNSSEC) | Registrar string, creation date, status codes, NS list | operationalState.state: 'monitoring' · securityPosture: 'weak' · infrastructureProfile.parking: true · actionContract.safeToAutomate: true |
Same input domain, same upstream registry, same RDAP query. The difference is what comes back: in column two, your downstream code is parsing strings and writing routing logic. In column three, your downstream code is reading an enum.
Key takeaways
- A raw WHOIS API returns a record. Operational domain intelligence returns a decision. Same input, different output category.
- The 4 routing primitives are
operationalState.state(9-value enum),actionContract.safeToAutomate(boolean gate),escalation.queueTag(P0-page / P1-ticket / P2-review / P3-archive), andworkflow.priority(P0-P4 with an ordered playbook). Three field-reads, four routing decisions, zero prose parsing. - Decisions are reproducible. Every record carries a
decisionHash; same inputs plus same internal rule-table version equals same digest. Audit teams can replay any verdict from a stored input plus a stored manifest. - Cross-run state is a first-class primitive. Pass a
watchlistNameand re-runs surfacedelta,drift,trajectory, andbehaviorHistoryon the same record. No prior-CSV gymnastics in your code. - It's the lookup category AI agents reach for. Stable enums mean the model branches on
recommendedAction === 'investigate'instead of summarising "this domain appears suspicious because..." prose into a tool call.
What is operational domain intelligence?
Definition (short version): Operational domain intelligence is a deterministic decision layer over RDAP and WHOIS data that emits typed routing primitives — operational state, recommended action, workflow playbook, action contract, escalation tier, lifecycle phase, and an audit-grade decision hash — so downstream automation branches on stable enums instead of parsing registration records.
It's not a replacement for the underlying registry data. RDAP and WHOIS still sit at the bottom of the stack. What changes is what crosses the API boundary. Instead of crossing the boundary as a record that your code then interprets, it crosses as a decision that your code then routes.
There are roughly three categories of domain lookup tooling on the market right now:
- Raw WHOIS / RDAP APIs — return the registration record, optionally parsed into JSON. You own the interpretation.
- Threat intelligence aggregators — return reputation scores and IOC matches. Useful for known-bad signals, less useful for greenfield lookups or lifecycle.
- Operational domain intelligence — returns typed decisions on top of the record. The category this post is about.
The first two are tools. The third is infrastructure. The difference matters when you're wiring 50 microservices, three agents, and a Slack webhook into the same domain pipeline and you need every consumer to make the same call when the record says the same thing.
Why raw WHOIS isn't enough
The honest answer: raw WHOIS is fine if you have one or two humans reading the results. It falls apart when the result has to drive automation.
Three failure modes show up consistently when teams try to scale a raw WHOIS API into operational use:
1. The interpretation code lives in too many places. Every consumer — the SOC dashboard, the renewal scheduler, the brand-protection Slack bot, the Jira automation — ends up with its own copy of "is this domain expiring soon?" or "does this combination of EPP codes mean redemption?" The logic drifts between consumers. The verdicts disagree.
2. The output isn't reproducible. Run a raw WHOIS lookup today, interpret it through your code, get verdict A. Run it again next month, same upstream data, but someone edited the threshold table or the EPP interpretation logic, get verdict B. There's no built-in primitive that says "same inputs, same rule version, same answer." Compliance teams hate this.
3. The output isn't agent-routable. An AI agent's tool loop wants to branch on a stable code. If the WHOIS response says domainStatus: ["clientHold", "pendingDelete"], the agent has to either summarise that into a decision or call out to a second tool. If the response just says recommendedAction: 'investigate', the agent branches on one field and moves on.
These are not problems you can paper over with a better field naming convention on a raw WHOIS API. They show up because the decision layer is missing — and when the decision layer is missing from the lookup, your engineering team becomes the missing decision engine. That's the cost most teams don't price in until the third audit incident.
How the output differs
Here's the contrast in one concrete record. Same domain, same upstream data, two response shapes.
Raw WHOIS / RDAP response (illustrative):
{
"domain": "amaz0n-billing-update.org",
"registrar": "Some Registrar LLC",
"creationDate": "2026-05-14T09:21:00Z",
"expirationDate": "2027-05-14T09:21:00Z",
"domainStatus": ["clientTransferProhibited"],
"nameservers": ["ns1.budgetdns.tld", "ns2.budgetdns.tld"],
"dnssec": "unsigned",
"registrant": "REDACTED FOR PRIVACY"
}
That's a record. To do anything with it — route to SOC, gate automation, open a ticket — your code has to interpret the homoglyph (0 for o), the security keyword (billing-update), the recent registration date, the absence of DNSSEC, and the budget-tier nameserver pattern. Five interpretations, one decision, all in your code.
Operational domain intelligence response on the same domain:
{
"domain": "amaz0n-billing-update.org",
"operationalState": {
"state": "suspicious",
"severity": "high",
"recommendedWorkflow": "soc-triage",
"expectedNextState": "critical"
},
"recommendedAction": "investigate",
"workflow": {
"type": "soc-triage",
"priority": "P1",
"estimatedAnalystMinutes": 10,
"steps": [
"Verify the homoglyph / security-keyword pattern against the protected-brand list",
"Cross-check resolved IPs and ASN",
"Enumerate SSL certificates to find subdomains",
"Decide takedown / blocklist / monitor based on evidence"
]
},
"actionContract": {
"safeToAutomate": false,
"requiresHumanApproval": true,
"automationClass": "investigate",
"blockers": []
},
"escalation": {
"queueTag": "P1-ticket",
"ticketRecommended": true,
"humanReviewRequired": true
},
"assessment": {
"primaryConcern": "credential-phishing-risk"
},
"decisionHash": "8d7a5f9c12...",
"evidence": { "limitations": [] },
"confidence": { "level": "high", "score": 0.91 }
}
Four reads, four routing decisions:
- Zapier rule:
WHERE operationalState.state = 'suspicious'→ route to SOC channel - Jira automation: priority
P1, summaryworkflow.steps[0], bodyworkflow.steps.join('\n') - Production automation gate:
actionContract.safeToAutomate === false→ halt and queue for human review - PagerDuty rule:
escalation.queueTag === 'P1-ticket'→ standard ticket, no page
Notice what's not in the response: a paragraph explaining why the domain looks suspicious. The reasoning isn't gone — it's structured. assessment.primaryConcern: 'credential-phishing-risk' is a stable enum. confidence.score: 0.91 is a number. evidence.limitations[] lists data-quality caveats. Humans get human-readable diagnostics in whyThisMatters and shortReason fields. Automation branches on the enums.
The reproducibility primitive: decisionHash
This is the one that matters most for compliance teams, audit-replay workflows, and anyone who's ever had to justify an automated takedown to a customer.
Every record from an operational domain intelligence lookup includes a decisionHash — a digest computed from the inputs plus the version-pinned internal rule tables (expiryThresholdsVersion, securityRulesVersion, registrarTableVersion, suspicionRulesVersion, tldCoverageVersion). Same inputs, same versions, same hash. Store the inputs and the manifest with the decision, and you can reproduce the exact verdict six months later.
Raw WHOIS APIs don't pin this. They can't — they don't have a decision to pin. The interpretation layer that produces the decision lives in your code, and your code drifts. Operational intelligence locks the decision to a manifest the same way Git locks a commit to a tree hash.
That's not a feature your engineering team is going to build in week one. It's the kind of thing that lands in version 1.4 after the third compliance incident where someone couldn't explain why the bot flagged a domain six months ago.
What are the alternatives to operational domain intelligence?
Fair list. Every approach below solves a slice of the problem; none of them ship the full decision layer.
| Approach | What it returns | Where it breaks at operational scale |
|---|---|---|
| Raw WHOIS / RDAP APIs | Registration record, parsed JSON. | You own all interpretation. No reproducibility, no routing primitives, no cross-run state. |
| Threat intelligence aggregators | Reputation scores, IOC matches. | Good at known-bad signals; weak on lifecycle, expiry, M&A, and greenfield domains with no prior signal. |
| DIY scoring layer on top of a raw WHOIS API | Whatever you build. | A maintained internal service: EPP interpretation, expiry math, homoglyph detection, nameserver clustering, version pinning, replay infrastructure. Months of engineering, ongoing rules upkeep. |
| Manual analyst review | A human verdict. | Fine at 5 domains a day. Falls over at portfolio scale (M&A diligence, brand monitoring, vendor onboarding). |
| Operational domain intelligence (e.g. WHOIS Domain Lookup on Apify) | Typed routing primitives, action contracts, decision hash, cross-run state. | Newer category, fewer choices in market, slightly higher per-call cost than raw WHOIS. |
Pricing and features based on publicly available information as of May 2026 and may change.
Each approach has trade-offs in coverage, cost, reproducibility, and integration time. The right choice depends on how many domains you're processing, how many downstream consumers need the result, and whether automation has to act without a human in the loop.
The DIY-on-top-of-raw-WHOIS path deserves an honest call-out: you can build it. You'd own EPP status interpretation, expiry-window arithmetic, redemption-period math, DNSSEC and EPP-lock posture inference, homoglyph and Shannon-entropy heuristics, security-keyword matching, nameserver-cluster detection, operator fingerprinting, cross-run delta and trajectory logic, composite scoring, escalation routing, automation-safety gating, workflow playbook templating, and a version-pinned manifest so the verdicts are replayable. That's not a script. That's a maintained service.
Best practices
Six things to do when you adopt an operational domain intelligence layer:
- Branch on
operationalState.statefirst. It's the single field designed to collapse lifecycle, trajectory, and decision posture into one routing primitive. Read the other fields only when you need to explain why a record landed in that state. - Gate destructive automation on
actionContract.safeToAutomate. This is the boolean designed for production-safe automation. If your code is about to file a CRM record, fire a takedown request, or write to a customer's infrastructure, this is the field that says "go" or "stop." - Store the
decisionHashand therunManifestwith every automated action you take. When someone asks six months later "why did the bot flag this domain?", you replay the decision from those two artifacts and the original input. No archaeology, no guessing. - Use
watchlistNamefrom day one if the data is going to be re-run. It activates the cross-run primitives —delta,drift,trajectory,behaviorHistory— which is where most of the operational value compounds. - Pick a
profilethat matches the consumer. A SOC team wantssoc-triage. A brand team wantsexecutive-brand-monitoring. A renewal pipeline wantsdomain-investing. The profile changes what thresholds and weights apply, so the verdicts match the persona. - Read the diagnostics for humans, the enums for machines.
whyThisMattersandshortReasongo in Slack messages and tickets.recommendedActionandescalation.queueTaggo in routing rules. Don't mix them.
Common mistakes
Five recurring failure modes when teams adopt the category:
Parsing whyThisMatters in code instead of branching on the enum. The human-readable strings are diagnostics, not routing primitives. They drift, they get prettier, they get longer. Branch on recommendedAction. Quote whyThisMatters in your ticket body.
Ignoring actionContract.safeToAutomate and acting on riskLevel instead. Risk level is a band, not a gate. A "high" risk domain might still need human approval before takedown. safeToAutomate is the field designed for the gate.
Treating confidence and evidence as the same thing. They aren't. confidence scores the decision (how strongly the rules-table verdict is supported). evidence scores the input data (was the upstream WHOIS complete, redacted, or stale). Humans audit evidence. Automation gates on confidence.
Skipping watchlistName on scheduled runs. Without it, every run is a cold start. With it, the actor surfaces newly-suspicious lookalikes, lifecycle degradations, and registrar flaps the next time you run the watchlist. Skip it and you lose the most valuable layer in the response.
Hand-rolling lifecycle interpretation on top of the response. If your code is computing "is this in redemption?" from domainStatus and expirationDate, you've ignored lifecycleState.phase. The actor already did that math. Read the enum.
Implementation checklist
- Pick the actor or service that emits the operational primitives. On Apify, that's the WHOIS Domain Lookup actor (
ryanclinton/whois-domain-lookup). - Choose a
profilethat matches your consumer persona (SOC, brand protection, domain investing, M&A diligence, vendor risk). - Wire one routing primitive per consumer —
operationalState.statefor automation,workflow.priorityfor human queues,actionContract.safeToAutomatefor execution gates,escalation.queueTagfor alert routing. - Pass a
watchlistNameif the domains will be re-run. This activates cross-run delta, drift, trajectory, and behaviour-history primitives. - Persist
decisionHashandrunManifestalongside every automated action. Build the audit-replay path now, not after the first compliance incident. - Pipe
whyThisMattersandshortReasoninto human-readable surfaces (Slack, Jira, the SOC dashboard). Branch automation on the enums. - Add a cross-actor handoff path. The output's
actorGraph.next[]field names the right downstream tool — DNS lookup, certificate transparency, IP geolocation — so the agent can chain without you wiring it manually.
Limitations of the category
Five honest constraints worth naming up front:
It's deterministic, not omniscient. The rules tables are version-pinned and explicit. They reflect documented heuristics, not novel research. If a brand-new phishing pattern emerges that doesn't match any known homoglyph, security keyword, or entropy signature, the lookup won't flag it. It will return suspicious: false and you'll find out later.
The signal depends on the input data. GDPR redaction, registrar privacy services, and incomplete RDAP responses all reduce what the decision layer can see. The evidence block reports those gaps explicitly, but the gaps still exist. Don't expect operational intelligence to invent data that isn't there.
Cross-run primitives need a watchlist. delta, drift, trajectory, and behaviorHistory only populate when you pass watchlistName and re-run. The first run is always a cold start.
Per-call cost is higher than a raw WHOIS API. You're paying for the decision layer, not just the registry query. The tradeoff is in interpretation code and analyst time, not in upstream data cost.
It doesn't replace active reconnaissance. Operational domain intelligence is a passive lookup against registration and lifecycle data. It does not fetch DNS records, certificates, or hosting fingerprints directly. The actorGraph.next[] field names the downstream tools for that work; the lookup itself stays scoped to registration intelligence.
Key facts box
- Operational domain intelligence emits a typed decision layer on top of RDAP and WHOIS — operational state, recommended action, workflow, action contract, escalation, lifecycle phase, suspicion tier.
- The four primary routing primitives are
operationalState.state(9-value enum),actionContract.safeToAutomate(boolean),escalation.queueTag(4-value), andworkflow.priority(P0-P4). decisionHashplusrunManifestmake every verdict replayable from the original inputs.- Cross-run state —
delta,drift,trajectory,behaviorHistory— activates with awatchlistNameparameter. confidencescores the decision;evidencescores the input data. Two surfaces, two audiences.- Apify's WHOIS Domain Lookup actor (
ryanclinton/whois-domain-lookup) ships this category at $0.003 per domain looked up. - Profiles tune scoring thresholds for specific personas: SOC, brand protection, domain investing, M&A diligence, vendor risk, bug-bounty recon.
Short glossary
RDAP — Registration Data Access Protocol; the modern, structured replacement for the legacy WHOIS protocol. Returns JSON instead of free-form text.
EPP status codes — Extensible Provisioning Protocol codes that describe the operational state of a domain at the registry (e.g. clientHold, pendingDelete, redemptionPeriod).
Operational state machine — A 9-value enum that collapses lifecycle, trajectory, and decision posture into a single routing primitive: healthy, monitoring, degrading, unstable, critical, abandoned, suspicious, recovering, unknown.
Action contract — A typed block per record that includes a boolean automation-safety gate, an automation class, and a list of blockers. The contract automation gates on, not a paragraph.
Decision hash — A digest computed from the inputs and the version-pinned rule tables that produced the verdict. Same inputs, same versions, same hash. Audit-replay primitive.
Cross-run state — delta (field-level change), drift (operational-axis change), trajectory (multi-run risk slope), behaviorHistory (rolling counters like registrar flaps and nameserver rotations).
How this generalises beyond WHOIS
The pattern isn't WHOIS-specific. Any data-retrieval API that downstream consumers have to interpret before automation can act is a candidate for the same shift. The shape is:
- Move the interpretation layer from the consumer into the lookup. Your code branches on enums, not strings.
- Pin the decision to a versioned manifest. Same inputs, same versions, same verdict. Replayable.
- Separate machine-routable framing from human-readable diagnostics. Enums for automation, prose for humans.
- Make cross-run state a first-class primitive. If the lookup will be re-run, the deltas and trajectories belong in the response, not in your downstream code.
- Ship action contracts, not just scores. A risk score is a band. A
safeToAutomateboolean is a gate. Production automation needs the gate.
These principles apply to vendor-risk lookups, compliance screening, supply-chain risk, attack-surface scoring, and any other category where the API response is the input to a decision rather than the decision itself. ApifyForge is building the same pattern across compliance screening, lead qualification, and attack-surface intelligence — the WHOIS case is the cleanest illustration.
When you need this
You probably want operational domain intelligence if:
- Your code is parsing WHOIS strings or EPP codes to make routing decisions
- More than one downstream consumer needs to act on the same domain data
- Automation acts on the result without a human in the loop (CRM push, takedown queue, deploy gate, agent tool-call)
- Compliance or audit teams ask "why did the system do that?" about past decisions
- You're feeding domains to an AI agent that branches on tool-call outputs
- You're running scheduled watchlists where deltas and drift matter
You probably don't need it if:
- You're doing one-off manual WHOIS lookups a human will read directly
- Your only use case is archival of registration records
- You specifically need the raw vCard or the raw RDAP envelope
- Your portfolio is small enough that a human analyst handles the interpretation easily
Common misconceptions
"It's just a WHOIS wrapper with extra fields." No. A WHOIS wrapper adds fields like parsedRegistrar or daysUntilExpiry. Operational domain intelligence adds a decision layer — state machine, action contract, workflow playbook, audit hash. The difference is whether the API returns a record or a decision.
"You could build this in a weekend with a raw WHOIS API and a few heuristics." You could build a thin slice. The full layer — EPP interpretation, expiry and redemption math, DNSSEC posture, homoglyph and entropy heuristics, nameserver clustering, operator fingerprinting, cross-run delta, trajectory, drift, behaviour history, version-pinned replay manifest — is a maintained service, not a weekend project. The maintenance is where the cost lives.
"It's just for SOC teams." SOC is one of six primary consumer profiles. Brand protection, domain investing, M&A diligence, vendor risk, and AI agent tool-calling all consume the same primitives differently. The state machine is consumer-agnostic; the profile and the routing logic are what differ.
"Decision engines are slower than raw lookups." The decision layer runs against the same upstream RDAP and WHOIS data. Per-call latency is dominated by the upstream query, not the rules evaluation. The verdict comes back in the same response.
Frequently asked questions
What is operational domain intelligence?
Operational domain intelligence is a deterministic decision-engine category of domain lookup that converts RDAP and WHOIS registration data into typed routing primitives — operational state, recommended action, workflow priority, action contract, escalation tier, and a replayable decision hash — so downstream automation branches on stable enums instead of parsing registration records.
How is it different from a regular WHOIS API?
A regular WHOIS API returns the registration record: registrar, dates, EPP status codes, nameservers, and registrant data. Operational domain intelligence returns those same fields plus a typed decision layer on top — a state-machine enum, an action contract, a workflow playbook, an escalation tier, and a decision hash. The first asks "what does the record say?" The second asks "what should I do?"
What is a decisionHash and why does it matter?
decisionHash is a digest computed from the input data plus the version-pinned internal rule tables that produced the verdict. Same inputs plus same versions equals same hash. It matters because it makes every automated decision replayable. When a compliance auditor asks why a domain was flagged six months ago, you reproduce the verdict from the stored input and the stored manifest. There's no equivalent primitive on raw WHOIS APIs.
Is this category Apify-specific?
The pattern isn't Apify-specific — moving interpretation logic from the consumer into the lookup is a generalisable shift. The implementation referenced in this post is the WHOIS Domain Lookup Apify actor (ryanclinton/whois-domain-lookup), which is the cleanest example of the category currently shipping. Other providers may emerge.
Can I use it with AI agents like Claude or ChatGPT?
Yes — that's one of the primary design targets. The reason the response uses stable enums instead of prose is so an AI agent's tool loop branches on recommendedAction === 'investigate' instead of summarising a paragraph into a tool call. Pair it with the Apify MCP server for Claude Desktop or Cursor integration.
What does it cost compared to a raw WHOIS API?
Per-call cost is slightly higher than a raw WHOIS lookup — the WHOIS Domain Lookup Apify actor is priced at $0.003 per domain on PPE. The tradeoff is in interpretation code, analyst time, and decision drift, not in upstream registry cost. For a one-off human lookup, raw WHOIS is fine. For automation at portfolio scale, the decision layer usually pays back fast.
What's included that a raw WHOIS API doesn't ship?
A 9-value operational state machine, a recommended action enum, a workflow playbook with P0-P4 priority, an action contract with a boolean automation-safety gate, an escalation tier, a lifecycle phase enum, a suspicion tier, a security posture rating, an evidence quality block, a decision confidence score, optional cross-run state (delta, drift, trajectory, behaviour history), and a decision hash for audit replay.
If you want to try this pattern
The reference implementation used throughout this article is the WHOIS Domain Lookup actor on Apify (ryanclinton/whois-domain-lookup). It ships the full category: typed operational state, workflow playbooks, escalation tiers, action contracts, replayable decision hashes, and cross-run drift, delta, trajectory, and behaviour history.
Use it when:
- Automation needs to branch on a stable enum instead of parsing a registration record
- AI agents need deterministic routing primitives, not prose
- Compliance teams need to replay verdicts from stored inputs and a manifest
- Analysts are drowning in interpretation work and the verdicts disagree across consumers
- A scheduled watchlist needs to surface lookalikes, lifecycle degradations, and registrar flaps automatically
Pricing is $0.003 per domain looked up. The first run is a cold start; cross-run primitives populate from the second run onward when you pass a watchlistName.
Ryan Clinton publishes Apify actors and MCP servers as ryanclinton and builds developer tools at ApifyForge. The category positioning in this post reflects the design of the WHOIS Domain Lookup actor (v1.4.2, shipped 2026-05-19).
Last updated: May 2026
This guide focuses on domain intelligence, but the same shift — moving interpretation from the consumer into the lookup, pinning decisions to a versioned manifest, separating enums from diagnostics — applies broadly to any data-retrieval API whose response is the input to a decision rather than the decision itself.