Not every change is a threat. Report URI applies threat intelligence to your browser telemetry so you can tell the difference — flagging indicators of compromise, suspicious domains, and CSP bypass vectors before they become breaches.
Monitoring tools tell you when something new appears on your site. Without threat context, every change gets the same weight — and either everything is urgent or nothing is. The signal that matters is whether a change is actually dangerous.
A new script loads from a week-old domain. An existing dependency starts pulling resources from infrastructure flagged in active skimming campaigns. Without threat intelligence, it looks like any other script change.
An existing script starts sending data to a known hostile endpoint. The script itself didn't change — its behaviour did. Change detection alone won't flag it. Threat context will.
Your CSP explicitly permits a JSONP endpoint that allows arbitrary code execution. No violation is ever reported because the browser treats it as allowed. The risk is in what your policy permits, not what it blocks.
Report URI checks every domain in your reports against external threat feeds, internal analysis, and registration data — then surfaces the signal right where you're already looking.
When a domain in your CSP reports is known to host malware, steal data, or participate in active attack infrastructure, it's flagged as an IoC — directly on the report in your dashboard, and in Policy Watch, where your CSP is scanned for permitted hostile hosts before a browser ever loads one.
When the Polyfill.io supply-chain attack turned cdn.polyfill.io hostile, every site trusting it in their CSP was serving malware from a domain they'd explicitly allowed — exactly the case an IoC flag surfaces.
Some domains in your CSP are trusted but dangerous. JSONP endpoints and known CSP bypass vectors let an attacker execute arbitrary JavaScript from a host your policy explicitly permits — no violation report is ever generated because the browser treats it as allowed. Policy Watch checks your CSP against a maintained list of these vectors and flags them before an attacker exploits them.
When a domain in your reports is known to host malware, steal data, or run attack infrastructure, it's flagged as an IoC — checked against external threat feeds and internally generated signals.
Malware uses algorithmically generated domains like svn0czn.com or 6uyqy3.com to load resources or exfiltrate data. Pattern analysis flags them so they surface instead of hiding among thousands of legitimate violations.
Not every domain reaches the confidence threshold for a confirmed IoC. Typosquats of legitimate CDNs and domains that score highly in internal analysis but lack public corroboration are placed on a curated watch-list and flagged with a distinct marker.
JSONP endpoints and known bypass vectors let an attacker run arbitrary JavaScript from a host your policy explicitly permits. Policy Watch checks your CSP against a maintained list of these vectors and flags them before they're exploited.
Every domain in your reports is scored against industry reputation sources, 0–100. A long clean history scores high; association with malicious activity scores low. Filter your reports by score to surface low-reputation hosts across your telemetry.
A legitimate CDN didn't get registered last Tuesday. Report URI flags domains with recent registration dates that are loading scripts or receiving data, so you can investigate before assuming they're safe.
Threat Intelligence runs across your CSP, CSP Integrity, and Integrity Policy reports automatically. Every inbound report is checked against external threat feeds, internal analysis, and domain registration data as part of the ingestion pipeline — before it reaches your dashboard.
Every marker — IoC, DGA, Suspicious, Policy Concern, Domain Reputation, New Domain — is visible in your dashboard and filterable in the UI. Isolate confirmed threats, review watch-list domains, or scan for low-reputation hosts across your entire report history.
Policy Watch extends it proactively. Rather than waiting for a browser to block a request to a hostile domain, Policy Watch checks what your CSP allows. If a script-execution directive permits a known-malicious host or a JSONP bypass vector, it's flagged before any malicious resource is loaded.
This isn't competing with enterprise threat-intelligence platforms — it's applying threat context to a data source those platforms don't cover: what actually runs and connects in your users' browsers.
| Threat Intelligence does | Doesn't replace |
|---|---|
| Flag known-malicious domains in your browser telemetry | External threat intelligence platforms (Recorded Future, Mandiant) |
| Detect DGA-generated and recently registered domains | Network-level IDS/IPS |
| Identify CSP bypass vectors in your policy | Penetration testing or red team exercises |
| Score domain reputation across your reports | SIEM correlation or SOC triage workflows |
Threat Intelligence enriches the data Report URI already collects. Together with Script Watch, Data Watch, and Policy Watch, it moves you from “something happened” to “something dangerous happened” to “here's what to do about it.”
Threat Intelligence is included on our Ultimate and Enterprise plans.
Automatic enrichment · No configuration · Every marker filterable
Threat Intelligence enriches what Report URI already collects. Each of these feeds it a different stream of browser-native data to apply threat context to.
| Capability | What it adds |
|---|---|
| Script Watch | Continuous inventory and change detection for every script on your site. Threat Intelligence adds the context: is that new script loading from a known hostile domain? |
| Data Watch | Tracks where your pages send data. Threat Intelligence flags when a destination is associated with malicious activity or was registered days ago. |
| Policy Watch | Monitors your deployed CSP. Threat Intelligence checks what your policy allows against known IoCs and CSP bypass vectors — before an attacker uses them. |
Together, these form the client-side security visibility layer that sits between your CSP policy and your incident response process.