Overview

SecurityTrails offers a platform and API designed for collecting and analyzing internet infrastructure data, focusing on domains and IP addresses. The service provides access to current and historical DNS records, WHOIS information, and passive DNS data, which can be utilized for various security and research purposes. Developers and security professionals use SecurityTrails to conduct threat hunting, maintain an accurate asset inventory, and perform open-source intelligence (OSINT) investigations.

The core of SecurityTrails' offering is its extensive database, which aggregates a broad spectrum of internet data points. This includes historical records that allow users to trace changes over time for specific domains or IP addresses. For instance, a security analyst might use the historical DNS data to identify previous infrastructure linked to a known malicious domain, helping to uncover broader attack campaigns. The platform's capabilities extend to mapping the digital footprint of an organization by identifying all associated domains and subdomains, which is crucial for comprehensive asset management and vulnerability assessment.

SecurityTrails also supports proactive threat intelligence gathering. By providing access to passive DNS data, users can observe domain resolutions over time, revealing relationships between seemingly unrelated domains or identifying newly registered domains that might pose a risk. This data can be integrated into existing security information and event management (SIEM) systems or custom tools via the SecurityTrails API reference. The API is structured to allow granular queries, enabling users to retrieve specific data points such as email addresses linked to WHOIS records, registrar information, or reverse DNS lookups.

The platform is particularly valuable for incident response teams seeking to understand the full scope of a security incident by mapping compromised infrastructure. It also aids penetration testers in reconnaissance phases, helping them discover potential attack surfaces. For researchers, SecurityTrails provides a dataset for analyzing trends in domain registration, hosting patterns, and the evolution of internet infrastructure. The service is owned by Recorded Future, a prominent threat intelligence company, which further integrates its data sources into a broader intelligence ecosystem.

Key features

  • SurfaceBrowser™: A web-based interface for interactive exploration of domain and IP data, including DNS, WHOIS, and historical records.
  • SecurityTrails API: Programmatic access to the platform's data, allowing for integration into custom applications, security tools, and workflows. The API provides endpoints for domain search, IP address details, WHOIS lookups, and historical data retrieval.
  • Feeds: Curated data feeds providing specific subsets of internet data, such as newly registered domains, expiring domains, or domains associated with specific technologies, for continuous monitoring and analysis.
  • Historical Data: Access to an archive of DNS, WHOIS, and IP records, enabling users to track changes and analyze past infrastructure configurations.
  • Passive DNS: A dataset that records all observed DNS resolutions, useful for identifying previously unknown connections between domains and IP addresses.
  • Domain and Subdomain Discovery: Tools to enumerate all known subdomains for a given domain, assisting in asset inventory and attack surface mapping.
  • WHOIS Data: Comprehensive current and historical WHOIS records, including registrant details, registration dates, and nameservers.
  • IP Data: Information about IP addresses, including associated domains, open ports, and hosting providers.

Pricing

SecurityTrails offers various pricing tiers, including a community access option with limited features and custom enterprise pricing for comprehensive access.

Plan Type Description Key Features Pricing Model As-of Date
Community Access Limited access for individual users and basic research. Basic domain/IP search, limited API requests. Free (limited) 2026-05-28
Enterprise Plans Full access to all data, API endpoints, and platform features for businesses and organizations. Unlimited API requests, extensive historical data, premium support, custom data feeds. Custom pricing 2026-05-28

For detailed information on enterprise plans and specific feature breakdowns, consult the SecurityTrails pricing page.

Common integrations

  • Security Information and Event Management (SIEM) Systems: Integrate SecurityTrails data into SIEM platforms like Splunk or Elastic Security for enriched log analysis and automated threat detection.
  • Threat Intelligence Platforms (TIPs): Combine SecurityTrails data with other threat intelligence sources in TIPs to create a more comprehensive view of threats.
  • Incident Response Platforms: Incorporate domain and IP data into incident response workflows to quickly identify and analyze compromised infrastructure.
  • Vulnerability Scanners: Enhance vulnerability assessment tools by providing a complete inventory of an organization's digital assets.
  • Custom Security Tools: Develop bespoke scripts and applications using the API to automate data collection and analysis tasks tailored to specific security needs.
  • SOAR Platforms: Integrate with Security Orchestration, Automation, and and Response (SOAR) platforms to automate investigative tasks based on domain and IP intelligence.

Alternatives

  • Shodan: A search engine for internet-connected devices, offering insights into open ports, banners, and network configurations.
  • Censys: Provides a search engine and API for discovering and analyzing internet hosts and certificates, focusing on attack surface management.
  • RiskIQ (Microsoft Defender TI): Offers a suite of tools for external attack surface management, digital risk protection, and threat intelligence.

Getting started

To begin using the SecurityTrails API, you will need an API key. This key is included in the APIKEY header of your requests. The following Python example demonstrates how to perform a basic domain search for subdomains using the requests library.

First, ensure you have the requests library installed:

pip install requests

Then, you can execute a query like the following to retrieve subdomains for a target domain. Replace YOUR_API_KEY with your actual API key.

import requests
import json

api_key = "YOUR_API_KEY"  # Replace with your actual API key
domain = "example.com"
url = f"https://api.securitytrails.com/v1/domain/{domain}/subdomains"

headers = {
    "accept": "application/json",
    "APIKEY": api_key
}

try:
    response = requests.get(url, headers=headers)
    response.raise_for_status()  # Raise an HTTPError for bad responses (4xx or 5xx)
    data = response.json()

    print(f"Subdomains for {domain}:")
    if data and "subdomains" in data:
        for subdomain in data["subdomains"]:
            print(f"- {subdomain}.{domain}")
    else:
        print("No subdomains found or unexpected response format.")

except requests.exceptions.RequestException as e:
    print(f"An error occurred: {e}")
except json.JSONDecodeError:
    print("Failed to decode JSON response.")

This Python script makes a GET request to the SecurityTrails subdomains endpoint and prints the list of discovered subdomains. The API's clear documentation provides further examples for various endpoints, including WHOIS lookups, historical DNS data, and IP address details, often with cURL and Python code snippets for ease of implementation.