

Threat Intelligence

Rely on validated, actionable threat intelligence at scale through Netcraft’s anti-cybercrime platform


Data-driven, actionable intelligence

Netcraft’s threat intelligence platform is powered by automation using machine learning and AI alongside thousands of carefully curated rules. Suspected threats collected across a multitude of noisy sources are transformed into verified and actionable cybercrime threat intelligence.

Netcraft’s global threat feeds cover phishing, malware, and other cybercrime targeting any institution, including customers and non-customers alike, and are widely licensed by browsers and antivirus companies. Billions of people are protected against attacks confirmed by Netcraft—often within minutes of detection.

Defeating cyber attacks with unmatched scale and effectiveness

Netcraft’s online brand protection operates 24/7 to discover phishing, fraud, scams, and cyber attacks through extensive automation, AI, machine learning, and human insight. Our disruption & takedown service ensures that malicious content is blocked and removed quickly and efficiently—typically within hours.



of the world’s phishing attacks taken down



threat reports and suspicious URLs analyzed every day



cybercrime attacks blocked to date



attacks taken down and growing

Extensive information gathering

Across 100+ attack types, including phishing, malware, evil JavaScript and conversational scams, Netcraft takes an evidence-based approach, with suspected attacks being carefully validated before blocking.

Netcraft maintains a comprehensive global network of fetch locations and proxies to access malicious websites, including residential and mobile connections. These are carefully selected for each attack, to maximize the chance of defeating any attacker evasion attempts including geo-blocking.

Extensive automation layered with human insight is key to Netcraft’s approach, allowing us to validate threats around the clock and often within minutes of detection.


Deeper insight

Once blocked, attacks can be automatically explored in depth, including optional credential stuffing and automatic discovery of phishing kits, web shells and traffic distribution systems.

Identifying and downloading phishing kits—the source files powering the attack—reveals the attack’s inner workings: for example, finding and taking down the email address or Telegram bot used by a criminal to stash stolen credentials, and finding carefully hidden backdoors left by the kit’s original author.

Frequently Asked Questions

We process reports from our cybercrime detection platform including our reporting community, industry and partner feeds, large-volume spam email datasets, customers’ own reporting mechanisms — covering enterprises and governments, large and small — alongside our own discovery techniques. Suspicious URL feeds are typically very high volume and have a low signal-to-noise ratio: validation prior to blocking is essential.

A sophisticated automated classification system then confirms the attack type and attributes it to an impersonated entity. We handle a very wide range of cybercrime, including phishing, malware, and malicious JavaScript. Our analysis is heavily automated and operates without intervention around the clock, with manual involvement limited to edge cases, high-risk blocks, and for the purpose of improving future automated classification.

Once confirmed, threat data is included in our threat intelligence feeds and, for our customers, can begin the disruption and takedown process. Our threat intelligence feeds are widely licensed by browsers, antivirus companies, and internet infrastructure providers, protecting billions of people from cyber attacks while the takedown process is ongoing.

Netcraft’s analysis is heavily automated and operates without intervention around the clock, with manual involvement only required for a tiny minority of edge cases, high-risk blocks, and for the purpose of improving future automated classification.

This includes:

  • a global network of fetch locations that are intelligently selected to defeat criminals’ attempts to restrict access using IP blocking
  • rule-based matching across thousands of potential target organizations
  • automatic classification based on previously seen phishing content
  • machine learning based on previous rule-based or human classification
  • proactively interacting with forms using a headless web browser, submitting realistic data and exploring multi-stage attacks

As Netcraft’s threat intelligence feeds are truly global and cover impersonated organizations whether they are customers or not, our feeds are used by browsers, antivirus companies, internet infrastructure providers and impersonated enterprises themselves.

Threats impersonating your brand can be sent for disruption and takedown, and those which may affect staff members—like email and work collaboration platforms—can be used within your information security team in SIEM products and to block access within browsers with our apps and extensions.

Netcraft operates both human and automated false positive fail-safes for high-risk potential blocks. Netcraft’s decades of experience exploring the internet allow us to rely on hosting provider data and other sources of intelligence on legitimate organizations’ own infrastructure. Where there is reason to be cautious, we require a second human verification before blocking.

Netcraft collates and validates reports from many of the world’s largest banks, threat intelligence providers, and anti-cybercrime organizations. Netcraft also recovers URLs from ongoing analysis of malicious email attachments, many of which serve as key infrastructure in malware operations.


