Beyond Aesthetics : PassiveTotal Interactive Heatmap – RiskIQ


If you are a heavy PassiveTotal web user, then surely you have noticed a big change in our application design since being acquired by RiskIQ. If this news is brand new, check out the post we did earlier this month before reading on!

PassiveTotal Heatmap Walk Through from RiskIQ on Vimeo.

One of the areas Steve and I continually find ourselves being drawn to within PassiveTotal is the heatmap. We've blogged about it, talked about it in podcasts and really feel like its a critical piece in simplifying cyber threat infrastructure analysis. When we sat with the RiskIQ team before launch, we brainstormed some additional features and worked to get them into the final release you see today. Since some of the changes are not entirely clear, we wanted to write this post to highlight the new power thats been added to our once static visual aid.


Naturally, one of the biggest changes to the heatmap were the colors used to represent the plotted data. Making this change wasnt easy given we had trained our minds to recognize the color patterns, but had to be done in order to tie together the new branding. After a week, weve found that our minds have adjusted to the new color scheme and its no longer an issue.


From a style perspective, we made two major changes, colored corner flags and rounded blocks. Instead of using borders to denote important information like never-before-seen data showing up on a specific day, we used a corner of the block. While subtle, this change not only looks better, it also provides a way for us to represent additional data in three of the other corners going forward.

The use of rounded blocks in order to denote start and end of the month days was another subtle, yet valuable change. Our x-axis always showed the previous six months, but the positions were relative and it was never clear where a new month would begin. The visual indication provides yet another possible pattern point a user no longer needs to calculate on their own.

Last, but certainly not least were changes in functionality. Again, there were two big changes here, smarter tooltips and an interactive data filter. Prior to our relaunch, users could hover over a particular day in order to see the unique items that resolved on that day, but if something never-before-seen (orange border now orange corner) showed up, it was not clear what was new since it wasnt filtered out. Hovering over any day where something new showed up now reveals an additional tooltip menu showing the never-before-seen items.

Of all the changes, the one we are most excited about is the ability to interact with the heatmap to filter the DNS table data. Simply clicking a block or shift-clicking a range on the heatmap now allows a user to filter the results shown in the table to just the time period selected. No more will users need to wade through hundreds of results to find the data for the time period they thought looked suspicious or interesting. This feature alone is incredibly helpful, but when paired with everything mentioned above, it completely redefines how analysts can use PassiveTotal to identify research leads.

Now that PassiveTotal is part of RiskIQ, we see an amazing opportunity to expand the power of the heatmap into new datasets like WHOIS, SSL certificates, page content and more. Over the next several months, expect to see small sets of changes similar to these to improve your overall experience inside and outside the platform. Special thanks to Sunder from RiskIQ for leading the design overhaul and suggesting small, but amazing improvements.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor