
This site is an independent technical reference. It is not affiliated with or endorsed by Recorded Future, Mandiant, Google Cloud, CrowdStrike, Microsoft, Anomali, ThreatConnect, EclecticIQ, Intel 471, Flashpoint, Palo Alto Networks, Unit 42, Cisco, Fortinet, SentinelOne, IBM, Dropzone AI, Prophet Security, Torq, Cyware, Radiant Security, Tenable, Qualys, Rapid7, DomainTools, SOCRadar, or any other vendor, project, or framework named on this site. MISP, OpenCTI, TheHive, and YARA are trademarks of their respective maintainers. All other trademarks belong to their respective owners. Pricing, feature, and platform-capability information was verified in April 2026 and may have changed since publication.

Some outbound links on this site may be affiliate links. Affiliate relationships do not influence ranking, verdicts, pricing data, or editorial positions. Where a verdict or comparison could be paid-placement-adjacent we mark it explicitly; otherwise assume zero vendor input.

COMPARISON / VENDOR REVIEW

DomainTools Iris Investigate in 2026: passive DNS plus risk scoring

A reference review of Iris Investigate and Iris Detect, the largest commercial passive DNS plus historical WHOIS plus risk-score dataset, with verified pricing range and credible alternatives.

Last verified: May 2026. Independent. No vendor input.

What Iris Investigate does

Iris Investigate is the platform SOC analysts and incident responders reach for when a suspicious domain shows up in a SIEM alert or an EDR detection. The investigation flow is: enter the domain, see passive DNS history (every IP it has resolved to historically), see WHOIS records (every registrant detail dating back to as early as 2002), see screenshot history, see SSL certificate observations, and pivot on any of those attributes to find related infrastructure.

The pivoting is the core capability. A single suspicious domain becomes a graph of related infrastructure: domains registered by the same registrant in the same week, domains hosted on the same name server with the same SSL certificate pattern, domains that resolved to the same IP in a specific time window. This pattern is how threat hunters identify campaign infrastructure beyond the single IoC that initially triggered investigation.

The proprietary risk score (0-100) is a machine-learning-derived composite of signals about the domain. Above 80 is reliably malicious in observed data; below 20 is reliably clean; the middle band requires analyst judgement. The score is well-regarded as a triage signal and a SOAR-playbook input, with the caveat that it should inform rather than drive automated action. False-positive cost on auto-block is too high for the middle-band scores.
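The pivoting flow and the triage banding described above, as an added example that is not DomainTools code. It builds a pivot graph over a handful of constructed enrichment records (the field names `ips`, `registrant`, `nameserver` and `risk_score` are assumptions, not the Iris API schema), expands from a seed IoC across shared attributes, and then applies the score bands the review gives: above 80 escalates, below 20 is low priority, everything else (and a missing score) goes to an analyst. The `max_fanout` guard is the practical caveat: an attribute shared by hundreds of domains (a shared-hosting name server, a CDN IP) is noise, not a pivot.

```python
"""Added example (not DomainTools code): infrastructure pivoting over
constructed enrichment records plus risk-score triage banding."""
from collections import defaultdict

# Constructed sample records; values and field names are hypothetical.
RECORDS = [
    {"domain": "login-acme-secure.com", "ips": ["203.0.113.10"], "registrant": "r-7781",
     "nameserver": "ns1.example-host.net", "risk_score": 91},
    {"domain": "acme-billing-update.net", "ips": ["203.0.113.10", "198.51.100.7"],
     "registrant": "r-7781", "nameserver": "ns1.example-host.net", "risk_score": 88},
    {"domain": "acme-support-desk.org", "ips": ["198.51.100.7"], "registrant": "r-3302",
     "nameserver": "ns1.example-host.net", "risk_score": 55},
    {"domain": "example-cdn-assets.com", "ips": ["192.0.2.44"], "registrant": "r-0001",
     "nameserver": "ns9.other-host.net", "risk_score": 12},
]

PIVOT_FIELDS = ("ips", "registrant", "nameserver")


def attribute_keys(rec):
    """Yield (field, value) pairs a record can be pivoted on."""
    for field in PIVOT_FIELDS:
        values = rec[field] if isinstance(rec[field], list) else [rec[field]]
        for value in values:
            yield (field, value)


def build_index(records):
    """Map each pivotable attribute value to the set of domains sharing it."""
    index = defaultdict(set)
    for rec in records:
        for key in attribute_keys(rec):
            index[key].add(rec["domain"])
    return index


def pivot(records, seed, max_depth=2, max_fanout=50):
    """Expand from a seed domain across shared attributes, up to max_depth hops.
    Returns {domain: [(field, value), ...]} explaining how each domain was reached.
    Attribute values shared by more than max_fanout domains are skipped as noise."""
    index = build_index(records)
    by_domain = {r["domain"]: r for r in records}
    reached = {seed: []}
    frontier = [seed]
    for _ in range(max_depth):
        next_frontier = []
        for domain in frontier:
            for key in attribute_keys(by_domain[domain]):
                sharers = index[key]
                if len(sharers) > max_fanout:
                    continue  # shared hosting NS or CDN IP: too noisy to pivot on
                for other in sorted(sharers):
                    if other not in reached:
                        reached[other] = reached[domain] + [key]
                        next_frontier.append(other)
        frontier = next_frontier
    return reached


def triage(score):
    """Banding as the review describes it: the score informs, it never auto-blocks.
    A missing score is routed to an analyst rather than treated as clean."""
    if score is None:
        return "analyst-review"
    if score > 80:
        return "escalate"        # reliably malicious band; still human-confirmed before any block
    if score < 20:
        return "low-priority"    # reliably clean band
    return "analyst-review"      # middle band needs judgement


def triage_pivot(records, seed):
    """Pivot from the seed and attach a triage action to every related domain."""
    by_domain = {r["domain"]: r for r in records}
    rows = []
    for domain, path in pivot(records, seed).items():
        score = by_domain[domain].get("risk_score")
        rows.append({"domain": domain, "risk_score": score,
                     "action": triage(score), "via": path})
    rows.sort(key=lambda r: (-(r["risk_score"] or 0), r["domain"]))
    return rows


if __name__ == "__main__":
    for row in triage_pivot(RECORDS, "login-acme-secure.com"):
        print(row["domain"], row["risk_score"], row["action"], row["via"])
```

In a SOAR playbook the `action` column is what the review means by "inform rather than drive": `escalate` raises case priority and `analyst-review` opens a task; neither writes a block rule on its own.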

For organisations integrating DomainTools into SIEM detection content, see AI threat intel with Splunk or AI threat intel with Microsoft Sentinel. Both platforms have native DomainTools connectors that enrich SIEM events with risk score and passive DNS context.

Iris Detect: monitoring at scale

Iris Detect is the monitoring product for brand-protect, typosquat detection, and infrastructure-monitoring use cases. Iris Investigate is the analyst workbench; Iris Detect is the continuous monitoring engine. The product alerts on newly observed domains that match brand patterns, registrant patterns, certificate patterns, or other watchlist criteria.

The brand-protect use case is the typical entry point. Configure watchlist patterns for your brand (typosquats, homoglyphs, look-alike domains, brand-plus-keyword combinations) and Iris Detect alerts when matching domains are newly registered or resolve to a malicious-looking IP. The output integrates with takedown workflows (Brand Engagement Network, Group-IB, vendor-managed takedown services).
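The watchlist pattern classes just listed, as an added example that is not Iris Detect code. It classifies a newly observed domain as a typosquat (one edit from the brand, transpositions counted as one), a homoglyph (look-alike after punycode decoding, NFKC folding and confusable collapsing) or a brand-plus-keyword combination; the brand `acme`, the keyword list, the allowlist and the deliberately small confusable map are all constructed for the example, and a real deployment would load the Unicode confusables table and a public-suffix list.

```python
"""Added example, not Iris Detect code: a small watchlist matcher for newly
observed domains (typosquat, homoglyph, brand-plus-keyword)."""
import unicodedata

BRAND = "acme"                                    # constructed brand label
KEYWORDS = ("login", "secure", "billing", "support", "update", "verify")
ALLOWLIST = {"acme.com", "acme.net"}              # constructed: domains the brand owns

# Deliberately small confusable map (assumption: a deployment would use the
# Unicode confusables table). Multi-character entries are applied first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
               ("\u0440", "p"), ("\u0441", "c")]


def registrable_label(domain):
    """Second-level label. Assumes a one-label public suffix; co.uk-style
    suffixes would need a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label):
    """Decode punycode, NFKC-fold, lower-case and collapse confusables so that
    look-alike labels compare equal to the ASCII brand."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass                                  # leave undecodable labels as-is
    label = unicodedata.normalize("NFKC", label).lower()
    for look_alike, plain in CONFUSABLES:
        label = label.replace(look_alike, plain)
    return label


def edit_distance(a, b):
    """Optimal-string-alignment distance, so a transposition ('amce') is one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain):
    """Return the watchlist pattern classes a newly observed domain matches."""
    if domain.lower().rstrip(".") in ALLOWLIST:
        return []
    raw = registrable_label(domain)
    norm = normalise(raw)
    matches = []
    if norm != raw and BRAND in norm:
        matches.append("homoglyph")
    if norm == raw == BRAND:
        matches.append("exact-brand")             # the brand on a TLD we do not own
    elif edit_distance(norm, BRAND) == 1:
        matches.append("typosquat")
    if BRAND in norm and any(k in norm for k in KEYWORDS):
        matches.append("brand-keyword")
    return matches


if __name__ == "__main__":
    # Constructed feed of newly observed domains.
    for d in ["amce.com", "acm3.com", "acme-l0gin.net", "acme.org", "acme.com", "example-cdn.com"]:
        print(d, classify(d))
```

The matcher runs per newly observed domain, which is exactly the feed Iris Detect alerts on; the classes it emits are the labels a takedown workflow would key on, while the "resolves to a malicious-looking IP" condition from the review would come from the enrichment side rather than from the name alone.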

For broader brand-impersonation monitoring covering visual clone detection, phishing-page screenshots, and social-media impersonation, see AI brand-impersonation monitoring. DomainTools Iris Detect is a depth tool for the DNS-and-registration layer; broader brand-protect requires complementary visual-similarity products.

Pricing range, April 2026

DomainTools publishes some pricing context through AWS Marketplace and Gov.UK G-Cloud listings; specific contract values are negotiated. The ranges below are aggregated from those public sources plus Vendr contract data.

| Configuration | Typical annual contract | What is included |
|---|---|---|
| Iris Investigate per-analyst seat | $15,000 - $45,000 | Web UI investigation workbench. Typical 3-5 seat deployment. |
| API access (SIEM/SOAR integration) | $30,000 - $80,000 | Query-volume licensed. Mid-size SOC consumption pattern. Negotiate carefully. |
| Iris Detect (brand monitoring) | $25,000 - $60,000 | Per brand portfolio. Watchlist pattern monitoring plus alerting. |
| Combined SOC deployment | $80,000 - $200,000 | Mid-size SOC with Investigate seats plus API integration plus Detect for brand-protect. |

Source: AWS Marketplace DomainTools listings, Gov.UK G-Cloud 14 framework, Vendr contract data 2024-2026. Last verified May 2026.

Honest alternatives

urlscan.io

Free for non-commercial; paid commercial tiers start around $250/mo. Excellent for active scanning (visit a URL, get screenshot, DOM, and resource list) but does not provide historical passive DNS or WHOIS history at DomainTools scale.

SecurityTrails

Commercial passive DNS and DNS history. Smaller dataset than DomainTools but meaningfully cheaper. Entry tier around $9,000/yr; enterprise comparable to DomainTools mid-tier.

RiskIQ / Microsoft Defender External Attack Surface Management

Microsoft acquired RiskIQ in 2021. The passive DNS dataset is competitive with DomainTools. Pricing bundled with Defender EASM, often more accessible for Microsoft-licence customers.

VirusTotal Intelligence

Google Mandiant's premium VirusTotal tier includes passive DNS and historical WHOIS. Different shape (file-centric rather than domain-centric) but complementary for malware-led investigations.

OSINT path (CIRCL passive DNS, free WHOIS, urlscan.io free tier)

Practical for occasional investigations and small SOC teams. Lacks historical depth and the pivoting UX that makes Iris Investigate productive.

Best fit and avoid

Strong fit

  • Established SOC with 3-plus dedicated analysts
  • Active incident response function with daily investigation workload
  • Brand-protect requirement on top of SOC investigation needs
  • SIEM-led detection with API-driven enrichment in playbooks
  • Federal and Gov.UK procurement (G-Cloud listing simplifies)
  • Need historical WHOIS records pre-GDPR redaction

Look elsewhere if

  • Sole need is occasional one-off domain lookup (use urlscan.io free)
  • Budget under $25k per year
  • Microsoft customer with EASM entitlement (use Defender EASM)
  • Sole need is malware-centric investigation (VirusTotal Intelligence)
  • Need broader curated intelligence (Recorded Future, Mandiant)
  • No SOC analyst function to operationalise the workbench

FAQ

What is DomainTools Iris Investigate?

Iris Investigate is DomainTools' flagship investigation platform. It combines the largest commercial passive DNS dataset, historical WHOIS records dating to 2002, screenshot history, infrastructure pivoting, and a proprietary domain risk score. The platform is the workhorse for SOC analysts and incident responders investigating malicious domains, attribution pivots, and infrastructure relationships. Iris Detect (formerly Iris Detect Standard) is the related monitoring product for brand-protect and typosquat detection.

What does DomainTools cost in 2026?

DomainTools publishes some pricing context through the AWS Marketplace and Gov.UK G-Cloud listings, but specific contract values are negotiated. Typical Iris Investigate seat licences land between $15,000 and $45,000 per analyst per year, with bulk discounts. API access for SIEM and SOAR integration is licensed by query volume; common SOC use lands in the $30,000 to $80,000 per year range. Iris Detect for brand monitoring is typically $25,000 to $60,000 per year per brand portfolio. Combined deployments for mid-size SOCs commonly land at $80,000 to $200,000 per year.

How does DomainTools compare to OpenCTI?

OpenCTI is an open-source threat intelligence knowledge graph and platform; it does not collect data itself. DomainTools is a commercial data collector and investigation tool: passive DNS, WHOIS history, risk scoring, infrastructure pivoting. The two are complementary, not competitive: many organisations ingest DomainTools data into OpenCTI for unified analyst workflow. The OSS alternative to DomainTools data is harder to assemble: free passive DNS sources (CIRCL, RiskIQ Community for limited query volume, urlscan.io) cover part of the dataset but not the historical depth that DomainTools commercial subscription provides.

What is the DomainTools risk score and is it reliable?

The DomainTools risk score (0-100) combines several signals: WHOIS history patterns, SSL certificate observations, passive DNS resolutions, name-server hosting patterns, and machine-learning-derived features. The score is well-regarded for the high-risk and low-risk extremes (above 80 is reliably malicious; below 20 is reliably clean). The middle band (30-70) requires analyst judgement; the score should inform triage, not drive automated action without human review. As of 2026 the score is not a credible basis for automated SOAR auto-block; the false-positive cost is too high.

Does DomainTools integrate with SIEM and SOAR?

Yes. DomainTools has documented integrations with Splunk Enterprise Security, Microsoft Sentinel, Palo Alto Cortex XSOAR, Splunk SOAR (Phantom), Chronicle, IBM QRadar, Anomali ThreatStream, ThreatConnect, MISP, OpenCTI, and many others. The integration model is typically API-key-based with query-volume licensing. For high-volume use cases, expect to negotiate API query bundle pricing carefully; uncontrolled API usage from a SOAR playbook can run a SOC over the contracted volume quickly.
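The query-volume caveat in the last sentence, as an added example that is not DomainTools code: a budget-aware enrichment wrapper a SOAR playbook would call instead of hitting the API directly. It deduplicates domains within a batch, serves repeat lookups from a TTL cache, counts paid queries per UTC day against a contracted daily figure (assumed), and keeps a reserve floor back so a playbook burst cannot starve analyst-driven lookups. The paid call is a pluggable callable; the fake backend below is constructed for the example and nothing here uses a real API key, endpoint or response schema.

```python
"""Added example (not DomainTools code): budget-aware enrichment wrapper for
SOAR playbooks, so lookups cannot silently exceed a contracted query volume."""
import time


class QueryBudgetExceeded(Exception):
    """Raised when a lookup would go past the daily budget minus the reserve."""


class BudgetedEnricher:
    def __init__(self, lookup, daily_budget, cache_ttl=6 * 3600, clock=time.time):
        """lookup: callable(domain) -> dict performing the paid API query.
        daily_budget: maximum paid queries per UTC day (contract figure, assumed).
        clock: injectable time source so the budget window can be tested."""
        self.lookup = lookup
        self.daily_budget = daily_budget
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.cache = {}     # domain -> (timestamp, result)
        self.used = {}      # day number -> paid queries spent that day

    def _day(self):
        return int(self.clock() // 86400)

    def remaining(self):
        """Paid queries still available today."""
        return self.daily_budget - self.used.get(self._day(), 0)

    @staticmethod
    def _canonical(domain):
        return domain.lower().rstrip(".")

    def enrich(self, domain, reserve=0):
        """Return a fresh cached result if present; otherwise spend one query.
        `reserve` is the floor kept back for analyst-driven lookups."""
        domain = self._canonical(domain)
        now = self.clock()
        hit = self.cache.get(domain)
        if hit and now - hit[0] < self.cache_ttl:
            return hit[1]
        if self.remaining() <= reserve:
            raise QueryBudgetExceeded(f"budget floor reached for day {self._day()}")
        result = self.lookup(domain)
        self.cache[domain] = (now, result)
        day = self._day()
        self.used[day] = self.used.get(day, 0) + 1
        return result

    def enrich_batch(self, domains, reserve=0):
        """Deduplicate, then enrich. Domains beyond the budget are returned as
        deferred rather than raising, so the playbook can queue them for later."""
        results, deferred = {}, []
        for domain in dict.fromkeys(self._canonical(d) for d in domains):
            try:
                results[domain] = self.enrich(domain, reserve)
            except QueryBudgetExceeded:
                deferred.append(domain)
        return results, deferred


# Constructed stand-in for the paid API; counts calls so the saving is visible.
FAKE_SCORES = {"login-acme-secure.com": 91, "example.com": 3}


def fake_lookup(domain):
    fake_lookup.calls += 1
    return {"domain": domain, "risk_score": FAKE_SCORES.get(domain)}


fake_lookup.calls = 0


if __name__ == "__main__":
    enricher = BudgetedEnricher(fake_lookup, daily_budget=100)
    # Constructed alert burst: the same domain appears many times.
    burst = ["login-acme-secure.com"] * 40 + ["Example.com", "example.com."]
    results, deferred = enricher.enrich_batch(burst, reserve=20)
    print(len(burst), "alerts ->", fake_lookup.calls, "paid queries;",
          enricher.remaining(), "remaining;", deferred, "deferred")
```

Counting queries on the client side is what makes the "negotiate carefully" advice enforceable: the contracted volume becomes a hard ceiling the playbook can see and report on, rather than a surprise on the invoice.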

Updated 2026-05-11