Investigate threats
Users can investigate the details of an IP address, domain name, URL, Autonomous System Number (ASN), or JavaScript file. You can find the Investigate feature in your Cloudflare account’s Security Center and in Cloudflare Radar.
You can search with Investigate by IP address, domain, URL and AS number.
IP Address
An IP address is a unique address that identifies a server. It stands for Internet Protocol, which is the set of rules that allows servers to communicate with each other.
IP address search allows you to search both IPv4 and IPv6 addresses and retrieve relevant information such as their pointer records, AS numbers and passive DNS records.
Domain
A domain name is a string of text that maps to an IP address. Domain names are used to help people remember where websites are hosted. Domain names are purchased through registrars and can be acquired easily by anyone.
When you search for a domain name, Cloudflare will provide an overview of the domain’s category and IP addresses it currently resolves to.
Domain categories
Cloudflare categorizes domains into content categories and security categories, which cover security risks and security threats:
- Content categories: An upstream vendor supplies content categories for domains. These categories help us organize domains into broad topic areas. However, the specific criteria and methods used by our vendor may not be disclosed.
- Security risks: Cloudflare determines security risks for domains using internal models. These models analyze various factors, including the age of a domain and its reputation. This allows us to identify potentially risky domains.
- Security threats: To identify malicious domains that pose security threats, Cloudflare employs a mix of internal data sources, machine learning models, commercial feeds, and open-source threat intelligence.
For a detailed list of categories, refer to Domain categories.
A domain can have multiple categories. Cloudflare displays both the parent category and the detailed child category. You can request category changes for a domain. Miscategorized domains can also request to have a category added. This request goes through an approval process with the Cloudflare team.
As part of the domain search results, Cloudflare show the WHOIS details and a history of its category changes over time.
AS Number
An AS number is a group of IP addresses belonging to and controlled by a single organization. The entire group of networks have a single unified routing policy. The Internet Assigned Numbers Authority (IANA) is the organization responsible for managing the assignment and distribution of AS numbers. The AS number’s routing policies are used by BGP which is how Cloudflare’s anycast network works.
When you search for an AS number, Cloudflare will return registration data such as its country, description and type. It will also display data such as domain count, top 10 domains and subnets.
With sufficient data, AS number search results will also return the geographical distribution of traffic in its network, application level attacks and network level attacks, each broken down by Cloudflare mitigation techniques and network protocols, respectively.
URL
When you search for a URL, Cloudflare will provide a list of recent scan reports for that specific URL, limited to the past 30 days. You can view previously generated reports or scan again to generate a new report.
Different Cloudflare plans will have different scan limitations.
Visibility
When generating a new scan report, the default visibility is set to Unlisted
, but you have the option to set it to Public
. By choosing Public
, the generated scan will be available to all Cloudflare dashboard and Cloudflare Radar users alike, which will increase awareness of potentially malicious websites for others.
We recommend choosing Unlisted
if you are scanning infrastructure that is not intended to be shared with the wider Cloudflare community.
Filters
While viewing the most recent scans, you can use the filtering options. Selecting All account scans
will display both Unlisted
or Public
scans initiated from your Cloudflare account. However, by selecting All global scans
, only Public
scans are displayed.