Two directions, one dataset
Deteqtive exposes the same body of DNS observations from two angles:
- Forward search (by domain): every IP address a domain has resolved to. Start with
evil-login.exampleand see where it has pointed over time. - Reverse search (by IP, CIDR, or hostname): every domain that has resolved to a given address or network. Start with
198.51.100.20and see everything hosted alongside it.
Each answer becomes the next question. A domain resolves to an IP; that IP hosts forty other domains; three of them are lookalikes of the brand you're protecting. You've gone from one indicator to a cluster without leaving the dataset.
A typical pivot
- A phishing report names
secure-acme-login.com. - Forward search shows it resolved to
203.0.113.40last week. - Reverse search on
203.0.113.40returns a dozen siblings —acme-verify.com,acme-account.net, and others following the same naming pattern. - Reverse search on the wider
203.0.113.0/24block exposes the rest of the hosting footprint, including domains that haven't been reported yet.
In four steps you've mapped infrastructure that a single takedown would have missed.
Finding the lookalikes you don't know about
Pivoting assumes you already have an indicator. Often you don't — you just have a brand to protect. Word-match and fuzzy search close that gap: search for everything that resembles acme.com and surface typosquats and homoglyph domains before they're used. Each hit is a fresh starting point to pivot from.
Why threat-focused data matters here
Pivoting only works if the neighbourhood is informative. Deteqtive's corpus is weighted toward malicious and abusive infrastructure, so when you pivot onto an IP or a netblock, the domains you find are far more likely to be relevant to an investigation than noise. The signal is in the data, not buried under it.