ThreatEx Labs

PatternEx ThreatEx Labs features timely and actionable insights from world-class security researchers with AI expertise.
Readers will enhance their skill sets with tools and knowledge to efficiently leverage AI for information security.

Domain Detection II: the domain feed

Earlier today we announced the release of the PatternEx malicious domain feed. The feed is updated periodically and is available on Github:

Description of the feed

The feed is released as a set of csv files, each with a maximum of 100K domains, where each line contains:

  • the detection date (yyyy-mm-dd)

  • the reported domain (for instance windowdowngradegreataflash[.]icu)

  • the category (currently we are reporting social engineering domains)

  • the score (probability of the domain being malicious)

Below we show a sample of domains detected on 2019-02-03:
2019-02-03,,social engineering,1.0 
2019-02-03,,social engineering,1.0 
2019-02-03,,social engineering,0.9998 
2019-02-03,,social engineering,0.9998 
2019-02-03, social,engineering,0.9977 
2019-02-03,,social engineering,1.0

Initial stats of the feed

As of the day of writing this document (2019-02-03), the feed contains 203.9K malicious domains. These domains are retrieved from the zone files of multiple top level domains (.bid, .click, .date, .download, .fun, .host, .icu, .link, .loan, .men, .online, .party, .pro, .racing, .review, .site, .space, .stream, .tech, .top, .trade, .website, .win, .works, .xyz, and .zip) available via the Centralized Zone Data service (

How to use the feed?

The feed is available for non-commercial use and without warranty.  It may be used for any activity ranging from live detection or threat hunting to AI/ML. We encourage users to check whether the correlation of the PatternEx feed with the network traffic logs of their organization results in malicious findings missed by existing organizational security defenses. We would love to hear your success (or failure) stories (!

How is it different from other feeds?  

In a nutshell, we identify many domains weeks before they are reported in any other blacklist. To back this claim, we presented a comparative analysis in a peer-reviewed paper at the IEEE BigData conference in December 2018 (

Call to action

We look forward to expanding the feed by either analyzing other open data sources, or by detecting other categories of malicious domains. Either way, if you would like to contribute to this project please do get in touch (

What’s next? 

In the the next blog of the domain detection series, we will provide details of the deep learning model used to generate the feed. Please keep posted for updates and don’t hesitate to share any success or failure stories using the feed!

Topics: Artificial Intelligence PatternEx CyberSecurity Ignacio Arnaldo Supervised Learning machine learning Threat Detection AI Threat Intel

PatternEx Threat Prediction Platform Architecture

Learn how PatternEx dynamically accepts security analysts feedback to create predictive models that continuously adapt to detect new and existing threats. Using this feedback PatternEx is continuously trained to improve detection accuracy. Download the white paper to learn more.

Download Now