When we started building our own threat intelligence pipeline, we didn't set out to create a product. We set out to solve a problem we kept hitting over and over: domain data is everywhere, but it's never ready to use.
The Problem
Every day, millions of new domains are registered. Thousands of TLDs publish zone files. ICANN releases raw dumps. Whois servers answer queries at their own pace. And somewhere in all that noise are phishing domains, typosquats, and infrastructure that attackers rely on.
The issue isn't access to data. It's that most domain datasets weren't built for detection.
Zone files require custom parsing per TLD. Whois is inconsistent, rate-limited, and legally messy. Scraping pipelines are brittle and break when policies change. Most teams end up building their own ingestion pipeline, spending engineering time on data plumbing instead of on the detections that actually matter.
What We Noticed
While working on our own security operations, we saw a pattern repeat across teams:
- Engineers spending weeks building domain ingestion pipelines before writing a single detection rule
- Whois lookups taking days for some TLDs, missing the window when it matters most
- Domain context trapped in spreadsheets, custom scripts, and tribal knowledge
- "Newly registered" domain feeds that were actually days or weeks old
- Data that arrived raw, unnormalized, and incompatible with existing SIEM pipelines
We realized that analysts should focus on detections, not pipeline maintenance.
What Primitive.host Does
We built Primitive.host to be the reliable, normalized, detection-ready domain data layer that we wished existed.
The platform continuously ingests domain registrations across 4,100+ TLDs, enriches them with DNS records (NS, MX, A, CNAME, TXT), and serves everything through a single, consistent API. New domains flow into your security systems automatically — no scraping, no parsing, no glue code.
Here's what that means in practice:
1. One API, Every Zone
Instead of building connectors for every TLD and registrar, you get one endpoint with a consistent schema. Filter by TLD, registration date, DNS records, or full-text search. Paginated results with bulk export in CSV, JSON, and NDJSON.
2. Brand Protection That Works While You Sleep
Monitor for newly registered domains that mimic your brand. We detect typosquats, homoglyphs, and lookalikes across all 4,100+ TLDs, pushing alerts in real-time. Integrate directly with your SIEM or SOAR.
3. Expired Domain Intelligence
Track domains as they expire, drop, and get re-registered. Spot valuable drops, policy violations, and repurposed properties before they become someone else's infrastructure.
4. Daily Filtered Lists
Get ready-to-use domain lists filtered by TLD, category, CMS, or hosting provider. Delta updates minimize transfer size. Fresh data every day, not every week.
5. Attack Surface Mapping
Discover all domains resolving to your IP ranges and cloud accounts. Identify shadow IT, forgotten infrastructure, and third-party dependencies. Track infrastructure changes over time.
The Scale
At the point of publishing this post, we track 76+ million domains across 4,280+ zone files, updated daily. The data is cleaned, normalized, and structured for direct ingestion into SIEM/SOAR pipelines. No post-processing required.
Who This Is For
Primitive.host is built for security teams:
- Threat intelligence analysts building phishing, fraud, and abuse detections
- SOC teams enriching alerts and running hunting campaigns
- Security data engineers powering commercial tools and internal pipelines
- AppSec teams mapping their attack surface from the outside in
Where We Are Today
We're currently in the design partner / early access phase, working closely with security teams to refine the platform. Self-serve plans are coming soon. If you're tired of maintaining domain data pipelines and want to focus on what matters — detection and response — we'd love to talk.
Join the waitlist or browse our services to learn more.