Investigate incidents using the data layer underneath.
Incident response runs on time. Incident Investigation and Response gives IR teams direct query access to the indexed dataset that drives the rest of the platform: reverse lookups, sametime-registered domain finders, breach-corpus cross-reference, threat actor TTP correlation, and historical state for forensic timelines.
Pivot, scope, and timeline incidents from the data layer.
Incident-response teams, SOC analysts, and digital-forensics functions run this workflow. The question they answer: what does the indicator we've found connect to, when did the activity start, and which actor group is consistent with the pattern? Pre-Deepinfo, IR teams stitch answers from multiple OSINT and threat-intel tools. Post-Deepinfo, the answer comes from one query interface against the same dataset that powers the platform's monitoring.
The workflow covers four IR stages: scoping (what assets are affected), pivot (what other infrastructure connects to the indicator), attribution (which actor group's TTPs match), and timeline (when did the activity start). Each stage runs against the same indexed corpus with full historical state preserved.
Outcomes: IR cycles close faster because evidence-gathering doesn't require multi-tool stitching; attribution comes with sector-specific actor context; forensic timelines have observational data, not just the systems' own logs.
Search, intelligence, and historical state.
Domain Search for pivots. Vulnerability Search for affected-asset scoping. Threat Actor Intelligence for attribution context. Data Breach Index for breach-corpus cross-reference. Instant Lookups with DNS and Whois history for forensic timelines.
Domain Search pivots.
Reverse-IP, reverse-MX, reverse-NS, reverse-WHOIS, sametime-registered, associated-domain. Start from one indicator and pivot exhaustively to find connected infrastructure.
Threat Actor Intelligence.
Mentions and indicators matched against actor profiles. TTPs mapped to MITRE ATT&CK with sector-specific context. Recent campaigns with dates and observed targeting.
Data Breach Index.
Cross-reference compromised credentials against the breach corpus to scope which credentials were exposed in which breach.
Historical state via Instant Lookups.
DNS history (every record change observed) and Whois history (every registration update) preserved. Forensic timelines reconstruct what infrastructure looked like at any past moment.
Customers running IR investigations at real coverage.
A national telecom operator
Threat actor intelligence and continuous monitoring at carrier scale across tens of thousands of public-facing assets.
A defense manufacturer
Incident investigation across subsidiary brands and supply chain with sector-specific actor framing.
Threat hunting
Proactively search for hidden threats using IOC feeds, domain intelligence, and vulnerability data.
“During incidents, query speed against historical Whois, DNS, and SSL data is what cuts the investigation timeline. Direct dataset access turns hours of pivots into minutes.”
Related use cases.
Hunt against internet-scale data.
Threat hunting runs on hypotheses tested against data.
Operational threat intelligence, not just feed subscriptions.
Threat intelligence is useful when it lands in the systems analysts already operate, not when it sits in a portal nobody opens.
Pivot through the internet's domain layer at scale.
Investigations rarely start with the answer.
Run an investigation against an indicator you bring.
Book a demo. We'll walk through pivot, attribution, and timeline workflows with a real indicator from your environment.