LookingGlass Threat Intelligence

Malicious C2 Feed

Limit and block outgoing traffic from infected machines from reaching C2 servers. Get a daily updated list of fully qualified domain names (FQDNs) associated with infected C2. The list is generated from a combination of LookingGlass virus and botnet tracking, sinkhole servers, and reverse engineering of domain-generation algorithms (DGA) and analysis of advanced persistent threats (APTs).

Phishing URL Feed

Keep an eye on URLs that host phishing attacks. The near real-time feed comes from a variety of sources including spam email, domain name registrations, proprietary web crawling technology and “suspect email” streams from major web-based email providers. Our experienced threat analysts quality control it before it goes to you.

Compromised Account Credentials

LookingGlass Compromised Information Monitoring provides early warning of compromised account credentials, credit card numbers, and SSNs discovered in the wild. With this service, your organization has global coverage of leaked personal information, helping to protect users from identity theft, unauthorized account purchases and lines of credit, and even blackmail or extortion schemes.

Worldwide Infection Records

Cast a worldwide net with a list of newly identified and historical global infections collected by LookingGlass Virus Tracker botnet monitoring technology.

Newly Registered Domains

Stay up to date every day with an aggregated list of Domains (TLDs) registered globally in the last 24 hours. We don’t stop at just the top five traditional TLDs — our systems span more thousands of new generic TLD (gTLD) extensions.

Virus Tracker™

LookingGlass Virus Tracker is a global botnet monitoring system that provides real-time access to incoming new botnet infections and viruses. It’s billions of historical infection records – more than 3 billion – dating back to 2012, identify millions of malware infections every day.

LookingGlass owns 40% of all known APT domains, giving you unrivaled insight into targeted attacks and infections.


  • infections in your network communicating with Virus Tracker sinkholes masquerading as malware C2 servers.


  • threats posed to your organization by third parties that connect to your network.


  • on viruses seen in your network or third party networks.


  • against new malware infections and spear phishing attacks by receiving a list of newly active malicious domains for use in network security appliances.

Threat Map

View global threat activity — infections, live attacks, and botnets — in real-time.

Visit Threat Map

High-Quality Multifaceted 
Threat Coverage

LookingGlass MRTI raw intelligence is gathered from a wide variety of deployed internet sensors; surface, deep and darkweb sources; botnet sinkholes; underground channels and LookingGlass proprietary crawling algorithms. It is continuously refined and updated, and then vetted by expert security analysts and machine learning algorithms.

Flexible Consumption Model

High-quality threat intelligence that can be easily consumed and integrated with your own workflows and security platforms.


  • Security Information and Event Management (SIEM)
  • Threat Intelligence Management and Platform products
  • Security Appliances (e.g., Application Level Gateways)

Cut Through the Noise

With LookingGlass MRTI, your analysts see only highly-relevant security incidents, ensuring they are prioritizing their time and energy on the most important threats to your company.
  • Application programming interface (API)-based integration (e.g., JSON/OpenTPX, XML, CSV, STIX)
  • Helper libraries to speed up the integration process (e.g., SDKs, bundled scripts, etc.)

STIX and TAXII: Sharing cyber threat intelligence

Allan Thomson, CTO

Acquire Intelligence.