We’re proud to announce that ThreatSTOP is now using Machine Learning (ML) to enhance the protections we deliver to our customers.
This isn’t a marketing gimmick or a checkbox feature. We’re not throwing around terms like “AI” for attention. We’re applying real machine learning models to solve a real-world cybersecurity problem: detecting and stopping malicious domains that traditional methods miss. When we visited RSA2025 this year, "AI" was baked into many company names and solutions on the show floor. This announcement isn't that kind of marketing; it describes something we are actually doing.
Our models are trained on massive volumes of DNS telemetry and threat intelligence. They’re designed to identify subtle patterns and domain characteristics that may indicate phishing, command and control, or other malicious activity. This intelligence is then used to augment specific targets within the ThreatSTOP ecosystem—improving the accuracy and responsiveness of our protective policies.
The best part? Our customers don’t need to take any action to benefit. As these enhancements roll out, protections will automatically improve behind the scenes, with no configuration changes required on your end.
We’re beginning this rollout in an experimental phase. If you’re interested in participating and seeing how ML-driven protections can further improve your security posture, reach out to us at support@threatstop.com and let us know.
Our Protective DNS solutions, DNS Defense Cloud and DNS Defense, are starting to use ML-driven analysis to stop malicious domains before they can impact your organization. Whether it’s phishing domains that mimic real brands or infrastructure built using random-looking domain names, our system is designed to catch threats early and automatically.
Cyber attackers are constantly registering domains that look just like familiar websites. A small typo, an extra character, or a clever substitution can be enough to trick someone into clicking a dangerous link. These domains are often missed by traditional filters.
ThreatSTOP’s new ML engines help spot and block these threats before they ever reach your users.
Our system uses a proximity scoring algorithm to measure how closely a new domain resembles a known good one. For example, if someone creates “mybrqnd.com” to trick users into thinking it’s “mybrand.com,” our engine sees the similarity and flags it.
This approach is especially effective against typosquatting, where attackers depend on people not noticing small changes.
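As an added illustration (not ThreatSTOP's own engine), the following scores a new domain's registrable label against a constructed allowlist of brand labels with an optimal string alignment (Damerau-Levenshtein) distance, so a typo, an extra character, a substitution or a swapped pair all register as "close"; the brand list, the 0.8 threshold and the single-label suffix assumption are mine.

```python
"""Proximity scoring for lookalike domains (added example, not ThreatSTOP code).

Scores how closely a new domain's registrable label resembles a protected brand
label using optimal string alignment (Damerau-Levenshtein) distance, so one typo,
extra character, substitution or swapped pair counts as 'close'. The brand list
and threshold are constructed for illustration.
"""

# Constructed allowlist of brand labels (second-level names) to protect.
KNOWN_GOOD = {"mybrand", "corpmail", "examplebank"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete
                          d[i][j - 1] + 1,         # insert
                          d[i - 1][j - 1] + cost)  # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[m][n]


def registrable_label(domain: str) -> str:
    """'login.mybrand.com' -> 'mybrand'. Assumes a one-label public suffix;
    real code would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def proximity_score(domain: str, known_good=KNOWN_GOOD):
    """Return (closest brand, similarity in [0, 1]); 1.0 means identical label."""
    label = registrable_label(domain)
    best, best_sim = None, 0.0
    for good in known_good:
        sim = 1.0 - osa_distance(label, good) / max(len(label), len(good))
        if sim > best_sim:
            best, best_sim = good, sim
    return best, best_sim


def is_lookalike(domain: str, threshold: float = 0.8) -> bool:
    """Flag labels close to, but not identical to, a protected brand.
    A TLD swap such as mybrand.co scores 1.0 here and needs a separate check."""
    best, sim = proximity_score(domain)
    return best is not None and threshold <= sim < 1.0
```

With these inputs, "mybrqnd.com" is one edit from "mybrand" and scores 6/7, above the threshold, while the genuine "mybrand.com" scores 1.0 and is left alone.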
We don’t just look at what a domain says. We analyze how it’s built.
Our ML pulls together several data points, including:
- Entropy Score: High-entropy domains often come from automated tools. We use this randomness measure to catch domains that look machine-generated rather than chosen by a person.
- Structural Features: We look at length, subdomain depth, and the ratio of the name to the suffix. Strange combinations are a red flag.
- Symbols and Numbers: Suspicious use of hyphens, numbers, or other characters can indicate a domain is up to no good.
Together, these signals create a detailed fingerprint for every domain, helping us make fast and accurate decisions.
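To make the fingerprint concrete, here is an added example (not ThreatSTOP's code) that computes the signals listed above for one domain and turns them into risk flags; the thresholds and sample domains are constructed for illustration, and a single-label public suffix is assumed.

```python
"""Structural fingerprint of a domain name (added example, not ThreatSTOP code).

Computes the signals listed in the post: entropy of the registrable label, its
length, subdomain depth, name-to-suffix ratio and digit/hyphen use, then applies
constructed thresholds to produce risk flags. A trained model would learn the
thresholds from labelled data; these are illustrative only.
"""
import math
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Bits per character: all-distinct characters score log2(len(s)), one
    repeated character scores 0. Random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_domain(domain: str):
    """(subdomain labels, registrable label, suffix). Assumes a one-label
    public suffix such as .com; real code would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def domain_features(domain: str) -> dict:
    subs, name, suffix = split_domain(domain)
    return {
        "entropy": shannon_entropy(name),
        "name_length": len(name),
        "subdomain_depth": len(subs),
        "name_suffix_ratio": len(name) / max(len(suffix), 1),
        "digit_ratio": sum(c.isdigit() for c in name) / max(len(name), 1),
        "hyphens": name.count("-"),
    }


def structural_risk(domain: str) -> list:
    """Rule-based flags derived from the feature vector (constructed thresholds)."""
    f = domain_features(domain)
    flags = []
    if f["entropy"] >= 3.5 and f["name_length"] >= 10:
        flags.append("high-entropy")    # random-looking, DGA-like label
    if f["digit_ratio"] >= 0.3:
        flags.append("digit-heavy")
    if f["hyphens"] >= 3:
        flags.append("hyphen-heavy")    # e.g. secure-login-update-verify
    if f["subdomain_depth"] >= 4:
        flags.append("deep-subdomain")
    if f["name_suffix_ratio"] >= 8:
        flags.append("long-name")
    return flags
```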
To catch new tricks that don’t rely on familiar keywords, our ML scans the domain name in small overlapping sequences. These short chunks, often three or four letters long, help us detect dangerous patterns that aren’t obvious at first glance. Over time, the system learns which sequences tend to appear in safe domains and which show up in malicious ones.
This gives us an edge in spotting brand new threats the moment they appear.
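The following is an added example (not ThreatSTOP's model) of the overlapping-sequence idea: it counts character trigrams in two small constructed lists of labels, one readable and one DGA-style, and scores an unseen label by the mean smoothed log-likelihood ratio of its trigrams, so sequences seen mostly in the malicious list push the score up and sequences seen mostly in the benign list push it down; the training lists and the 0.2 threshold are mine.

```python
"""Character n-gram scoring for domain labels (added example, not ThreatSTOP code).

Trains per-class trigram counts on two constructed label lists, then scores an
unseen label by the mean add-one-smoothed log-likelihood ratio of its trigrams:
positive favours 'generated/malicious', negative favours 'benign'.
"""
import math
from collections import Counter

# Constructed training data: readable service names vs DGA-style labels.
BENIGN = ["webmail", "calendar", "support", "documents", "newsletter", "intranet"]
MALICIOUS = ["xqzvkrpt", "kjwvbzqx", "zptqxvkr", "vkxzqjwb", "qxwzvkpj"]


def ngrams(label: str, n: int = 3):
    """Overlapping character sequences of length n: 'webmail' -> web, ebm, bma, ..."""
    label = label.lower()
    return [label[i:i + n] for i in range(len(label) - n + 1)]


def train(benign, malicious, n: int = 3) -> dict:
    """Count n-grams per class; the vocabulary is the union of both classes."""
    b = Counter(g for lab in benign for g in ngrams(lab, n))
    m = Counter(g for lab in malicious for g in ngrams(lab, n))
    return {"n": n, "benign": b, "malicious": m,
            "vocab": len(set(b) | set(m)),
            "benign_total": sum(b.values()), "malicious_total": sum(m.values())}


def score(model: dict, label: str) -> float:
    """Mean of log P(gram|malicious) / P(gram|benign) with add-one smoothing.
    A gram unseen in both classes contributes only the small ratio of the two
    smoothed denominators, so an all-unknown name stays near zero."""
    grams = ngrams(label, model["n"])
    if not grams:
        return 0.0
    v = model["vocab"]
    total = 0.0
    for g in grams:
        pm = (model["malicious"][g] + 1) / (model["malicious_total"] + v)
        pb = (model["benign"][g] + 1) / (model["benign_total"] + v)
        total += math.log(pm / pb)
    return total / len(grams)


MODEL = train(BENIGN, MALICIOUS)


def looks_generated(label: str, threshold: float = 0.2) -> bool:
    """Threshold sits above the near-zero score of all-unknown names (constructed)."""
    return score(MODEL, label) > threshold
```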
We constantly monitor global DNS activity. As soon as a new domain is registered or resolved for the first time, our system evaluates it. If the domain looks risky, it can be blocked before anyone even sends the first phishing email.
This gives you a valuable time advantage. You’re able to stop attacks early instead of reacting after the fact.
Our ML doesn’t stand still. It keeps learning, using fresh data from across our network and from customer feedback. This process, which we call the ThreatSTOP Feedback Loop, allows us to fine-tune protections based on real-world activity.
By retraining the models when necessary, we stay ahead of attacker tactics and avoid the need for endless manual updates.
What makes ThreatSTOP different is our ability to combine science, scale, and security expertise.
- Multiple Layers of Analysis: We use similarity scoring, randomness detection, character pattern analysis, and more to build a complete picture of risk.
- Real-Time Adaptability: Our system improves as new data comes in, adjusting automatically to new trends and threats.
- Built for Your Environment: Whether you use DNS Defense Cloud or manage your own infrastructure with DNS Defense, you’re getting the same level of intelligent protection.
Our protections are created by the ThreatSTOP Security, Intelligence, and Research team. They focus on identifying and blocking command and control traffic, data exfiltration, peer-to-peer abuse, phishing, spam, DDoS activity, and other malicious behaviors that hide in the DNS layer.
ThreatSTOP is evolving, and we’re excited to introduce a new layer of intelligence into our platform. We’re now applying machine learning to help identify and block malicious domains with greater precision, giving your organization stronger protection without any added complexity.
This new capability will be used to enhance select targets in our ecosystem, providing smarter, faster, and more adaptive protection based on real-world threat signals. There’s nothing you need to configure to benefit from it — as we roll it out, your protections will automatically get stronger.
We’re beginning with an experimental phase, and we’re inviting interested customers to be part of it. If you’d like early access to our machine learning-driven protections and want to help shape how they evolve, we encourage you to get in touch. Right now, it's available on an Opt-In basis. We'll be rolling it out across our entire customer base very soon.
To participate in the experiment, contact us at support@threatstop.com and let us know.
For more on how ThreatSTOP protects networks of all sizes with DNS Defense Cloud, DNS Defense, and IP Defense, visit our product page. You can explore our pricing, request a demo, and find the right fit for your environment.
MITRE ATT&CK Mapping
| MITRE Category | Technique Name | ID | How ThreatSTOP Applies |
|---|---|---|---|
| Reconnaissance | Phishing for Information | T1598.003 | Detects lookalike domains designed for phishing |
| Command and Control | Domain Generation Algorithms | T1568.002 | Uses entropy and structure analysis to block DGA |
| Credential Access | Spearphishing via Service | T1566.002 | Prevents delivery of phishing emails using DNS |
| Initial Access | Drive-by Compromise | T1189 | Identifies malicious hosting domains early |
| Persistence | Domain Fronting or Alternate Channels | T1090.004 | Detects unusual subdomain patterns and use cases |