Add IOC Feed Integration from External Threat Intelligence Sources (e.g. ThreatFox)
Rafael Pellicer
Currently, the URL risk detection in DefensX relies heavily on urlscan.io, which sometimes fails to identify or classify malicious domains in real time.
We recently faced a customer downloading bits from x1.vototao9.ru, which was flagged by DefensX as uncategorized but later confirmed as malicious by other feeds and our internal investigation.
To enhance threat coverage and reduce reliance on a single source, it would be valuable to integrate additional IOC feeds, such as:
• ThreatFox (abuse.ch)
• URLhaus
• OpenPhish or PhishTank
Proposed Feature:
• Enable ingestion of IOCs from multiple public and reputable feeds (e.g., domains, URLs, hashes).
• Correlate and enrich detections using these sources in parallel with urlscan.io.
• Allow users to enable/disable specific feeds or set confidence levels.
Impact:
Improved detection accuracy for malicious URLs and domains, especially in phishing and malware distribution scenarios.
Example:
• Case: vototao9.ru was undetected by urlscan but flagged as malicious in ThreatFox.
• This integration could have prevented the missed detection.
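As an added illustration of the multi-feed correlation proposed above (example code written for this page, not DefensX's code or an abuse.ch client): a small offline IOC store that ingests records from several feeds, applies per-feed enable/disable and confidence floors, matches a URL against exact URLs and parent domains, and falls back to the existing classifier's category when no feed has the indicator. Feed names are used only as configuration labels; the record fields (ioc_type, ioc, confidence_level, threat_type), the sample indicators and the urlscan_category parameter are all constructed assumptions, not the feeds' real export formats or DefensX's API.

```python
# Added example, not DefensX code or a real feed client. Feed record shape,
# sample indicators and the urlscan_category stand-in are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class FeedConfig:
    """Per-feed settings a user could toggle: on/off and a confidence floor."""
    enabled: bool = True
    min_confidence: int = 50  # drop indicators the feed rates below this


@dataclass(frozen=True)
class Indicator:
    ioc_type: str   # "domain", "url" or "sha256"
    value: str      # normalized value (see normalize())
    source: str     # feed name
    confidence: int
    threat: str


def normalize(ioc_type: str, value: str) -> str:
    """Canonicalize an indicator so feed data and lookups compare equal."""
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "url":
        p = urlsplit(value)
        # scheme and host are case-insensitive, the path is not
        return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"
    return value.lower()  # hex digests compare case-insensitively


class IocStore:
    def __init__(self, feed_config: dict[str, FeedConfig]):
        self.feed_config = feed_config
        self.index: dict[tuple[str, str], list[Indicator]] = {}

    def ingest(self, source: str, records: list[dict]) -> int:
        """Load one feed's records, honouring its enable flag and confidence
        floor. Returns the number of indicators accepted."""
        cfg = self.feed_config.get(source, FeedConfig())
        if not cfg.enabled:
            return 0
        accepted = 0
        for rec in records:
            if rec["confidence_level"] < cfg.min_confidence:
                continue
            ind = Indicator(rec["ioc_type"], normalize(rec["ioc_type"], rec["ioc"]),
                            source, rec["confidence_level"], rec["threat_type"])
            self.index.setdefault((ind.ioc_type, ind.value), []).append(ind)
            accepted += 1
        return accepted

    def lookup_url(self, url: str) -> list[Indicator]:
        """Match the exact URL, its host, and every parent domain except the TLD."""
        hits = list(self.index.get(("url", normalize("url", url)), []))
        labels = (urlsplit(url).hostname or "").lower().split(".")
        for i in range(len(labels) - 1):
            hits += self.index.get(("domain", ".".join(labels[i:])), [])
        return hits

    def verdict(self, url: str, urlscan_category: str = "uncategorized") -> dict:
        """Combine feed hits with the category the existing classifier returned
        (urlscan_category is an assumed stand-in for that result)."""
        hits = self.lookup_url(url)
        if not hits:
            return {"verdict": urlscan_category, "sources": [], "confidence": 0}
        return {"verdict": "malicious",
                "sources": sorted({h.source for h in hits}),
                "confidence": max(h.confidence for h in hits),
                "threats": sorted({h.threat for h in hits})}


# Constructed sample records in one normalized shape (not the feeds' real formats).
THREATFOX_SAMPLE = [
    {"ioc_type": "domain", "ioc": "bad.example", "confidence_level": 75, "threat_type": "botnet_cc"},
    {"ioc_type": "domain", "ioc": "lowconf.example", "confidence_level": 20, "threat_type": "botnet_cc"},
]
URLHAUS_SAMPLE = [
    {"ioc_type": "url", "ioc": "http://dl.example.net/Payload.bin", "confidence_level": 90, "threat_type": "malware_download"},
    {"ioc_type": "url", "ioc": "http://dl.example.net/old.bin", "confidence_level": 60, "threat_type": "malware_download"},
]
PHISHTANK_SAMPLE = [
    {"ioc_type": "url", "ioc": "https://login.example.org/verify", "confidence_level": 100, "threat_type": "phishing"},
]


def build_store() -> IocStore:
    """Three feeds: ThreatFox on, URLhaus on with a high floor, PhishTank disabled."""
    store = IocStore({"threatfox": FeedConfig(),
                      "urlhaus": FeedConfig(min_confidence=80),
                      "phishtank": FeedConfig(enabled=False)})
    for name, records in (("threatfox", THREATFOX_SAMPLE),
                          ("urlhaus", URLHAUS_SAMPLE),
                          ("phishtank", PHISHTANK_SAMPLE)):
        store.ingest(name, records)
    return store


if __name__ == "__main__":
    s = build_store()
    for u in ("http://x1.bad.example/drop.exe", "HTTP://DL.EXAMPLE.NET/Payload.bin",
              "http://lowconf.example/", "https://login.example.org/verify"):
        print(u, "->", s.verdict(u))
```

The parent-domain walk is what turns a feed entry for `bad.example` into a hit for a host like `x1.bad.example`, which is the shape of the case described in the post; the confidence floor and the disabled feed show how the per-feed settings cut low-quality or unwanted indicators before they can produce a verdict.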