Threat Intelligence

Know whether what's running on your site is dangerous

Not every change is a threat. Report URI applies threat intelligence to your browser telemetry so you can tell the difference — flagging indicators of compromise, suspicious domains, and CSP bypass vectors before they become breaches.

Detection Without Context

A change isn't the same as a threat

Monitoring tools tell you when something new appears on your site. Without threat context, every change gets the same weight — and either everything is urgent or nothing is. The signal that matters is whether a change is actually dangerous.

Compromised Dependencies

Malicious script sources

A new script loads from a week-old domain. An existing dependency starts pulling resources from infrastructure flagged in active skimming campaigns. Without threat intelligence, it looks like any other script change.

Data Exfiltration

Hostile destinations

An existing script starts sending data to a known hostile endpoint. The script itself didn't change — its behaviour did. Change detection alone won't flag it. Threat context will.

Policy Bypass

CSP bypass vectors

Your CSP explicitly permits a JSONP endpoint that allows arbitrary code execution. No violation is ever reported because the browser treats it as allowed. The risk is in what your policy permits, not what it blocks.

What It Covers

Six layers of threat detection across your browser telemetry

Report URI checks every domain in your reports against external threat feeds, internal analysis, and registration data — then surfaces the signal right where you're already looking.

Indicators of Compromise

Every report, checked against active threat infrastructure

When a domain in your CSP reports is known to host malware, steal data, or participate in active attack infrastructure, it's flagged as an IoC — directly on the report in your dashboard, and in Policy Watch, where your CSP is scanned for permitted hostile hosts before a browser ever loads one.

When the Polyfill.io supply-chain attack turned cdn.polyfill.io hostile, every site trusting it in their CSP was serving malware from a domain they'd explicitly allowed — exactly the case an IoC flag surfaces.

Policy Concern

The dangerous hosts your policy already trusts

Some domains in your CSP are trusted but dangerous. JSONP endpoints and known CSP bypass vectors let an attacker execute arbitrary JavaScript from a host your policy explicitly permits — no violation report is ever generated because the browser treats it as allowed. Policy Watch checks your CSP against a maintained list of these vectors and flags them before an attacker exploits them.

IoC

Indicators of Compromise

When a domain in your reports is known to host malware, steal data, or run attack infrastructure, it's flagged as an IoC — checked against external threat feeds and internally generated signals.

DGA

Domain Generation Algorithm detection

Malware uses algorithmically generated domains like svn0czn.com or 6uyqy3.com to load resources or exfiltrate data. Pattern analysis flags them so they surface instead of hiding among thousands of legitimate violations.

Suspicious

Suspicious domains

Not every domain reaches the confidence threshold for a confirmed IoC. Typosquats of legitimate CDNs and domains that score highly in internal analysis but lack public corroboration are placed on a curated watch-list and flagged with a distinct marker.

Policy Concern

CSP bypass vectors

JSONP endpoints and known bypass vectors let an attacker run arbitrary JavaScript from a host your policy explicitly permits. Policy Watch checks your CSP against a maintained list of these vectors and flags them before they're exploited.

Reputation

Domain reputation scoring

Every domain in your reports is scored against industry reputation sources, 0–100. A long clean history scores high; association with malicious activity scores low. Filter your reports by score to surface low-reputation hosts across your telemetry.

New Domain

New domain detection

A legitimate CDN didn't get registered last Tuesday. Report URI flags domains with recent registration dates that are loading scripts or receiving data, so you can investigate before assuming they're safe.

How It Works

Automatic enrichment. No configuration.

Threat Intelligence runs across your CSP, CSP Integrity, and Integrity Policy reports automatically. Every inbound report is checked against external threat feeds, internal analysis, and domain registration data as part of the ingestion pipeline — before it reaches your dashboard.

Every marker — IoC, DGA, Suspicious, Policy Concern, Domain Reputation, New Domain — is visible in your dashboard and filterable in the UI. Isolate confirmed threats, review watch-list domains, or scan for low-reputation hosts across your entire report history.

Policy Watch extends it proactively. Rather than waiting for a browser to block a request to a hostile domain, Policy Watch checks what your CSP allows. If a script-execution directive permits a known-malicious host or a JSONP bypass vector, it's flagged before any malicious resource is loaded.

No rules to configure

No feed subscriptions to maintain

Applied to your data before it reaches your dashboard

Runs across CSP, CSP Integrity, and Integrity Policy reports

Every marker is filterable in the UI

Where It Fits

The intelligence layer between detection and response

This isn't competing with enterprise threat-intelligence platforms — it's applying threat context to a data source those platforms don't cover: what actually runs and connects in your users' browsers.

Threat Intelligence does Doesn't replace
Flag known-malicious domains in your browser telemetry External threat intelligence platforms (Recorded Future, Mandiant)
Detect DGA-generated and recently registered domains Network-level IDS/IPS
Identify CSP bypass vectors in your policy Penetration testing or red team exercises
Score domain reputation across your reports SIEM correlation or SOC triage workflows

Threat Intelligence enriches the data Report URI already collects. Together with Script Watch, Data Watch, and Policy Watch, it moves you from “something happened” to “something dangerous happened” to “here's what to do about it.”

Get Started

See what's dangerous, not just what's different

Threat Intelligence is included on our Ultimate and Enterprise plans.

Automatic enrichment  ·  No configuration  ·  Every marker filterable

Related Capabilities

Threat Intelligence adds the context. These provide the signal.

Threat Intelligence enriches what Report URI already collects. Each of these feeds it a different stream of browser-native data to apply threat context to.

Capability What it adds
Script Watch Continuous inventory and change detection for every script on your site. Threat Intelligence adds the context: is that new script loading from a known hostile domain?
Data Watch Tracks where your pages send data. Threat Intelligence flags when a destination is associated with malicious activity or was registered days ago.
Policy Watch Monitors your deployed CSP. Threat Intelligence checks what your policy allows against known IoCs and CSP bypass vectors — before an attacker uses them.

Together, these form the client-side security visibility layer that sits between your CSP policy and your incident response process.