Start your investigation from a single clue—an IP, domain, or certificate fingerprint—and move fast. In RiskIQ PassiveTotal, drop that artifact into search, then pivot through DNS resolutions, registrar ownership, page components, and certificate reuse to map connected assets in minutes. Use the timeline to spot first‑seen events and bursts of activity. Check risk indicators, malware sightings, and blocklist hits to decide: escalate, contain, or close. Save relevant items to a project and tag them for team visibility.
For alert triage, wire PassiveTotal into your SIEM or EDR workflow. When an alert fires, open the artifact’s profile, review historical hosts, co-occurring trackers, and host pairs to see how users might be redirected. Compare infrastructure against known-good baselines. Add suspicious domains to a staging denylist, export IP ranges for firewall rules, and attach a snapshot of the graph to the ticket. Document the decision path directly in the case notes so handoffs to the next shift are clean.
Build proactive monitoring by creating watchlists for your brand, VIPs, or critical vendors. Track new subdomains, WHOIS changes, and certificate issuances tied to your keywords. Configure alerts when a fresh resolver appears or an old certificate resurfaces on an unexpected host. Schedule a weekly review, batch-export changes to CSV, and feed them to your SIEM for correlation. Share a read-only case link with legal or fraud teams so they can follow progress without extra accounts.
RiskIQ PassiveTotal
Custom
Rapid Threat Investigations
Neutralize Attacker Opportunities
Scale Threat Hunting, Automate Response
Automated Data Assembly
Tailored Watchlists
Threat Intelligence, Attribution
Security Integrations