RiskIQ PassiveTotal®

More Than 80,000 Security Analysts Trust RiskIQ for Their Threat Investigations

Faster, More Complete Threat Investigations

As businesses adapt to the changing digital landscape, more customer and business operations are shifting from being behind the protection of firewalls to being available via the internet. This exposes your company and customers to extremely skilled, malicious, and persistent threats.

The good news for threat hunters in your organization is that data exists to help expose the infrastructure being used by attackers. This allows you to find, block, and prevent attacks.

RiskIQ PassiveTotal® expedites investigations by connecting internal activity, event, and incident indicator of compromise (IOC) artifacts to what is happening outside the firewall—external threats, attackers, and their related infrastructure.

PassiveTotal simplifies the event investigation process and provides analysts access to a consolidated platform of data necessary to accurately understand, triage, and address security events.

  • Simplify and accelerate the investigative process
  • Intelligently aggregate and correlate data to provide context to events
  • Proactively track and alert on changes in threat infrastructure to predict new attack vectors
  • Identify and proactively block all threat infrastructure being used by the attackers


Watch the video: PassiveTotal in 60 Seconds

Terabytes of Internet Data at Your Fingertips

PassiveTotal gives threat hunters access to internet data they need to help understand who their adversary is and what infrastructure they use to conduct their attacks. By bringing together critical data sources in an easy-to-use visual interface, PassiveTotal enables analysts to investigate digital threats and map and analyze adversary infrastructure. Simply search PassiveTotal using an indicator of compromise (IOC) or suspicious artifacts, like a domain, IP address, or email address, and uncover all that RiskIQ has observed about that artifact.

PassiveTotal provides access to:

Connect What You See Inside with Threats Outside

Your internal security systems are constantly generating alerts based on events and anomalies inside your organization. Often, the alerts are triggered by activity that has origins or is beaconing outside the firewall and need to be enriched quickly to provide context and triage them for investigation.

PassiveTotal provides your security teams with the tools needed to investigate and connect your internal anomalies or indicators of compromise (IOCs) with threat actors, their tactics, techniques, and procedures (TTPs), and other infrastructure that they’re using. PassiveTotal helps answer questions like:

  • Who is attacking me?
  • Where are they coming from?
  • What else belongs to them?

See how The Citizen Lab Defends Civil Society with PassiveTotal in this case study.

PassiveTotal Dashboard User Interface

Intelligently Pivot Across Data Sets

Threat hunting and incident response is difficult. Not only do you need to understand what happened during a potential breach, incident, or exposure, but you need to provide additional context and other potential attack vectors that could also be exploited.

PassiveTotal normalizes, correlates, and links data across data sets, allowing for easy pivoting between them. This reduces the number of dead-ends that you might encounter while performing an investigation. With access to the most comprehensive number of internet data sets available, you no longer need multiple tabs open to search through WHOIS records, IP resolutions, DNS data, SSL certificate data, or other open source intelligence.

For example, if you find a suspicious or malicious domain, you can pivot and find WHOIS registrant details, find that it is registered to guy@bad[.]com, and then pivot off of that email address and instantly find other domains and IPs registered to or associated with guy@bad[.]com.

Collaborate and Share Projects

Don’t reinvent the wheel. PassiveTotal makes it easy for analysts to share information about existing and ongoing investigations and known threat infrastructure using projects.

Projects allow organization of related threat infrastructure elements, like domains, IPs, website trackers, WHOIS registrant information, to make it easier to hand off investigation working files to other analysts or maintain an ongoing workspace for a particular research project. These projects can be shared publicly with the security community, or privately with other analysts in within the organization.

RiskIQ also works closely with the analyst community and publishes curated public projects as starting points for new investigations. These projects include recent threats, many of which appear in the news, giving you a head start in your research.

Read what Ovum Research says about how RiskIQ helps businesses see, manage, and mitigate web, social, and mobile threats in the On The Radar Report.

Community Edition

Community Edition

In RiskIQ Community Edition, threat hunters have access to the industry’s most comprehensive set of internet security data for free, so any organization can more efficiently conduct threat analysis, understand their inventory of known and rogue assets, and expedite testing and risk assessment. Users can conveniently upgrade from RiskIQ Community to Premium and Enterprise Editions of all of our products for greater functionality and capacity.

Integrate PassiveTotal data into your existing tools

Leverage PassiveTotal’s extensive internet data sets in existing security tools via apps written for Splunk and IBM QRadar. PassiveTotal has an extensive API capability that allows your organization to bring the vast RiskIQ and PassiveTotal data sets directly into your own security operations tools. You can even create visual graphs using PassiveTotal Maltego transforms hosted by Malformity.

Other Featured Integrations Include...