Domain Investigation.
Domain investigation is the work of characterising a domain or hostname: is it malicious, where does it resolve, who hosts it, and is it tied to a known incident? This free, open-source skill runs inside your AI coding agent and enriches any domain by querying several threat-intel sources together. It is built for SOC analysts and CTI practitioners who need a fast, consolidated picture of a suspicious domain.
What it does.
It chains VirusTotal, URLScan, Shodan DNS resolution and OTX, then runs a ransomware.live victim check and can add Censys for deeper host data. The results are consolidated into a single summary covering reputation, resolution and hosting.
When to use it.
Use it during SOC triage when a domain appears in an alert, an email or proxy logs and you need to decide whether to block it; treat the reputation verdict as one input rather than the decision itself, since a newly registered or freshly weaponised domain often has no detections yet. It also supports CTI work when you are mapping attacker infrastructure and want to confirm whether a domain is linked to a ransomware claim.
What you get back.
You get a reputation verdict, current DNS resolution, a hosting fingerprint, ransomware-claim status from public leak-site data, and a set of pivot candidates such as resolving IPs, certificates and related domains.
How it fits your workflow.
Run it from Claude Code, Cursor, Codex or Windsurf with one command. Free API tiers work for getting started, and the skill degrades gracefully without keys, returning whatever the configured sources can provide.
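The chained enrichment described under "What it does" and the graceful degradation described just above, as an added example that is not the skill's own code: a small Python consolidator with one pluggable fetcher per source. It skips any keyed source whose key is absent, survives a source that errors, and merges what remains into one summary with a verdict, resolution, hosting fingerprint, ransomware-claim status and pivot candidates. The source names, the environment-variable names for keys, the verdict thresholds and the sample responses are this example's own assumptions; the responses are constructed to resemble each API's JSON shape (VirusTotal last_analysis_stats, URLScan search results, Shodan /dns/resolve, OTX pulse_info, a ransomware.live match list) and are not real data.

```python
"""Added example (not the skill's own code): consolidate several threat-intel
sources into one domain summary, skipping sources whose key is missing and
surviving a source that errors. Fetchers are injected so this runs offline."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# A fetcher takes (domain, api_key) and returns that source's parsed JSON.
Fetcher = Callable[[str, Optional[str]], Any]

# Source -> environment variable holding its key (None: no key needed).
# Variable names are hypothetical, chosen for this example.
SOURCES = {
    "virustotal": "VT_API_KEY",
    "urlscan": "URLSCAN_API_KEY",
    "shodan": "SHODAN_API_KEY",
    "otx": "OTX_API_KEY",
    "ransomware_live": None,
}


@dataclass
class Summary:
    domain: str
    verdict: str = "unknown"
    resolution: List[str] = field(default_factory=list)
    hosting: Dict[str, str] = field(default_factory=dict)
    ransomware_claim: Optional[bool] = None
    pivots: Dict[str, List[str]] = field(
        default_factory=lambda: {"ips": [], "certs": [], "related_domains": []})
    skipped: List[str] = field(default_factory=list)      # sources with no key
    errors: Dict[str, str] = field(default_factory=dict)  # sources that failed


def _add(lst: List[str], *items: Optional[str]) -> None:
    """Append non-empty values once, preserving first-seen order."""
    for x in items:
        if x and x not in lst:
            lst.append(x)


def enrich(domain: str, fetchers: Dict[str, Fetcher], env: Dict[str, str]) -> Summary:
    s = Summary(domain=domain)
    malicious = suspicious = pulses = 0
    for name, key_var in SOURCES.items():
        key = env.get(key_var) if key_var else None
        if key_var and not key:            # degrade gracefully: skip, do not abort
            s.skipped.append(name)
            continue
        try:
            data = fetchers[name](domain, key)
        except Exception as e:             # one bad source must not sink the rest
            s.errors[name] = f"{type(e).__name__}: {e}"
            continue
        if name == "virustotal":
            attrs = data["data"]["attributes"]
            stats = attrs.get("last_analysis_stats", {})
            malicious += stats.get("malicious", 0)
            suspicious += stats.get("suspicious", 0)
            _add(s.pivots["certs"],
                 attrs.get("last_https_certificate", {}).get("thumbprint_sha256"))
        elif name == "urlscan":
            for r in data.get("results", []):
                page = r.get("page", {})
                _add(s.pivots["ips"], page.get("ip"))
                if page.get("domain") != domain:
                    _add(s.pivots["related_domains"], page.get("domain"))
                for k in ("asn", "server"):
                    if page.get(k) and k not in s.hosting:
                        s.hosting[k] = page[k]
        elif name == "shodan":             # /dns/resolve returns {hostname: ip}
            ip = data.get(domain)
            _add(s.resolution, ip)
            _add(s.pivots["ips"], ip)
        elif name == "otx":
            pulses += data.get("pulse_info", {}).get("count", 0)
        elif name == "ransomware_live":    # list of leak-site posts naming the domain
            s.ransomware_claim = bool(data)
    # Verdict thresholds are this example's own heuristic, not the skill's.
    if malicious >= 5:
        s.verdict = "malicious"
    elif malicious or suspicious or pulses:
        s.verdict = "suspicious"
    elif "virustotal" not in s.skipped and "virustotal" not in s.errors:
        s.verdict = "no detections"
    return s


# Constructed sample responses shaped like each API's JSON; not real data.
SAMPLE: Dict[str, Fetcher] = {
    "virustotal": lambda d, k: {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 7, "suspicious": 1, "harmless": 60},
        "last_https_certificate": {"thumbprint_sha256": "f00d" * 16}}}},
    "urlscan": lambda d, k: {"results": [
        {"page": {"ip": "203.0.113.10", "domain": d, "asn": "AS64496", "server": "nginx"}},
        {"page": {"ip": "203.0.113.10", "domain": "cdn." + d, "asn": "AS64496"}}]},
    "shodan": lambda d, k: {d: "203.0.113.10"},
    "otx": lambda d, k: {"pulse_info": {"count": 3}},
    "ransomware_live": lambda d, k: [{"group": "constructed-group", "post_title": d}],
}

ALL_KEYS = {v: "dummy-key" for v in SOURCES.values() if v}

if __name__ == "__main__":
    print(enrich("bad.example", SAMPLE, ALL_KEYS))
    print(enrich("bad.example", SAMPLE, {}).skipped)   # what still runs with no keys
```

Running with no keys at all still yields the ransomware.live claim status, which needs no key, while every keyed source lands in `skipped` and the verdict stays `unknown` rather than being reported as clean; that distinction matters, because "no data" and "no detections" should never be conflated during triage.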