Below are a few answers to some of the most popular and frequently asked questions we get at Pulsedive:
- What does Pulsedive do?
- Who uses Pulsedive?
- What can I do for FREE?
- What kinds of data can I find?
- What’s the difference between scanning and submitting?
- Can you tell me more about these passive and active scans - and your infrastructure?
- How does Pulsedive risk scoring work?
- What kinds of data can Pulsedive users edit?
- How do you keep data recent and relevant?
- How are threats linked to indicators?
- What if I want a private version of Pulsedive’s platform just for myself/my team?
What does Pulsedive do?
Pulsedive's community platform brings together known community threat intelligence into one place and vets that data to reduce noise and help make determinations. We correlate observed IOCs not only by ASN or country, but by more complex characteristics like HTTP headers and PTR records.
In other words, we ingest from user submissions and many quality feeds (see our current list here) and also perform our own scans to provide a wealth of real-time contextual information on each indicator. This includes all the properties, linked indicators, risk factors and risk scores you see on our indicator pages (you can check out our Pulsedive domain indicator page as an example). We also deduplicate indicators, merge threat aliases, update news streams, and more to provide vetted, unique, and timely threat intelligence.
Who uses Pulsedive?
Our global community includes a wide range of users, from students to CISOs across sectors - and teams blue, red, and purple. A majority of users come from security analyst and engineering backgrounds, most often in security operations and (obviously) threat intelligence teams. However, we also support many home hobbyists, academic and independent researchers, students, and special use cases too.
What can I do for FREE?
With a free account, you can search and/or scan any indicator and get back contextual intelligence, investigate threats, check out our source feeds, query and filter across our entire database, stream the latest news/events, and more. A quick walkthrough can be found on YouTube here: https://youtu.be/xFD6o4EkrOo
To put it simply, many of the actions an individual researcher, hunter, analyst, or enthusiast might want to take to poke around in a threat intelligence platform are already free. We even include an API key with every account. API documentation is available here: https://pulsedive.com/api/
If you have additional needs for yourself or your team, we have upgrades like:
- Individual Pro subscriptions, which come with more data in the same intuitive interface
- Commercial API plans to flexibly integrate Pulsedive into your workflow
- Commercial Feed plans for bulk download of vetted threat intelligence
What kinds of data can I find?
Here are just a few of the types of data you can find related to indicators, threats, and feeds in Pulsedive. Users can also pivot from these data points within the platform and easily copy or export data for further analysis.
Indicators:
- Risk scores and risk factors
- Registration timeline
- Pulsedive timestamps
- Source feeds and comments
- Associated threats
- Ports and protocols
- Web technologies
- WHOIS registration
- Location data
- DNS records
- Query strings
- HTTP headers
- SSL certificate metadata
- Meta tags
- Mail servers
- Related domains and URLs
- Screenshots (Pro*)
- Third party integrations (Pro*)
Threats:
- Risk scores
- Related news
- Risky properties
- Linked indicators
Feeds:
- Name and organization
- Linked indicators
What’s the difference between scanning and submitting?
In Pulsedive, you can scan without submitting. If an indicator is not already in our database, you can opt to perform a passive or active scan, retrieve and review the data, and no data is permanently stored.
This is valuable for users who do not want to, or cannot, share indicators publicly with the community. However, we encourage our users to submit when possible, so everyone can benefit from new threat intelligence.
Can you tell me more about these passive and active scans - and your infrastructure?
Every indicator is scanned and enriched by Pulsedive. The result is a wealth of real-time, contextual information.
Passive Scans: Perform WHOIS requests and fetch DNS records.
Active Scans: Reach out with a web browser to collect valuable data like HTTP headers, SSL certificate information, and redirects.
Pulsedive has several hardened scanning “nodes” around the world that forward these WHOIS, DNS, and HTTP requests, so there is no direct connection between Pulsedive and malicious IOCs.
How does Pulsedive risk scoring work?
While we pull data from many sources, we scan and enrich each indicator ourselves. Pulsedive uses all of the data collected to determine which risk factors are present and evaluate an indicator’s risk level.
Many risk factors go into the risk score for an indicator, including considerations like:
- “Is this a direct-to-IP URL?”
- “Is the SSL certificate self-signed?”
- “Was this domain registered recently?”
- “Is this a shared hosting IP?”
- “Is this a top 10k domain?”
- “Has this been seen on a threat feed?”
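To make the factor-based approach concrete, here is an added example (not Pulsedive's own scoring code, whose weights and thresholds are not published on this page) that evaluates the six questions listed above against an indicator's collected properties and rolls them up into a rating. The property layout, the weights in `FACTOR_WEIGHTS`, the 30-day "recent" window and the rating thresholds are all assumptions made for illustration; the sample indicators are constructed.

```python
import ipaddress
from datetime import date
from urllib.parse import urlsplit

# Assumed weights per factor (illustrative only). A negative weight lets a
# reputational signal such as "top 10k domain" pull the score down.
FACTOR_WEIGHTS = {
    "direct_to_ip_url": 2,
    "self_signed_cert": 2,
    "recently_registered": 2,
    "shared_hosting_ip": 1,
    "top_10k_domain": -3,
    "seen_on_threat_feed": 3,
}

RECENT_DAYS = 30          # assumed window for "registered recently"
TODAY = date(2024, 6, 1)  # fixed reference date so results are reproducible


def is_direct_to_ip_url(url):
    """True when the URL's host is a literal IP address instead of a hostname."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate_factors(indicator, today=TODAY):
    """Return the names of the risk factors present for one indicator.

    `indicator` is a dict of enrichment results in a constructed shape:
    type/value, optional ssl/whois sub-dicts, shared_hosting and top_10k flags,
    and a list of feeds the indicator was seen on."""
    factors = []
    if indicator["type"] == "url" and is_direct_to_ip_url(indicator["value"]):
        factors.append("direct_to_ip_url")
    if indicator.get("ssl", {}).get("self_signed"):
        factors.append("self_signed_cert")
    created = indicator.get("whois", {}).get("created")
    if created is not None and (today - created).days <= RECENT_DAYS:
        factors.append("recently_registered")
    if indicator.get("shared_hosting"):
        factors.append("shared_hosting_ip")
    if indicator.get("top_10k"):
        factors.append("top_10k_domain")
    if indicator.get("feeds"):
        factors.append("seen_on_threat_feed")
    return factors


def risk_level(factors):
    """Map the weighted factor sum to a rating (assumed thresholds)."""
    score = sum(FACTOR_WEIGHTS[f] for f in factors)
    if score >= 7:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    if score >= 0:
        return "low"
    return "none"


def score_indicator(indicator, today=TODAY):
    """Convenience wrapper: factors plus the resulting rating."""
    factors = evaluate_factors(indicator, today)
    return factors, risk_level(factors)


# Constructed sample indicators exercising each factor.
SAMPLE_INDICATORS = [
    {"type": "url", "value": "http://203.0.113.7/login",
     "ssl": {"self_signed": True}, "feeds": ["constructed-phishing-feed"]},
    {"type": "domain", "value": "example.com",
     "whois": {"created": date(2009, 1, 1)}, "top_10k": True, "feeds": []},
    {"type": "domain", "value": "new-login-portal.example",
     "whois": {"created": date(2024, 5, 27)}, "shared_hosting": True},
]

if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        factors, level = score_indicator(ind)
        print(f"{ind['value']:<30} {level:<8} {factors}")
```

Keeping the factor list separate from the numeric rating is what makes the result explainable on an indicator page: an analyst can see which properties drove the score and a reputational factor can lower it without hiding the other observations.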
What kinds of data can Pulsedive users edit?
Basic account users can submit and scan indicators, as well as add comments to indicator and threat pages.
Our enrichment and evaluation process is designed to avoid false positives, but we do have a trusted group of Contributors and Admins with elevated permissions who can further vet and update data. Message us at email@example.com if you have questions or find an issue with our data.
How do you keep data recent and relevant?
Due to our many sources and unique user submissions, every day we process threat intelligence data no one else has.
Indicators are automatically aged out after a period of inactivity, unless they reappear in one of our sources, are reported by users, or are reactivated by a Contributor or Admin. These retired indicators show a “Retired” risk rating and do not show up in “Explore” searches by default. However, users can search for a retired indicator and still see all of the historic data, and can manually adjust "Explore" queries to include retired indicators.
How are threats linked to indicators?
Some OSINT feeds occasionally have threat information listed in one of the fields or columns, and other feeds are published to track a specific threat, like Zeus Bad Domains or Phishtank. Pulsedive is configured to link IOCs in these feeds to the relevant threat.
Additionally, a limited set of vetted users with elevated permissions can link IOCs to threats upon submission, as well as edit IOCs to add or remove threats.
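The feed-driven linking described above, together with the alias merging mentioned earlier on this page, can be illustrated with an added example (not Pulsedive's ingestion code). It assumes a per-feed configuration in which a feed either tracks one threat or names the threat in a column, and a constructed alias table; the feed contents and feed names are constructed.

```python
import csv
import io

# Assumed feed configuration: a feed either tracks a single threat
# (fixed_threat) or carries the threat name in one of its columns (threat_column).
FEED_CONFIG = {
    "constructed-zeus-feed": {"fixed_threat": "Zeus", "indicator_column": "domain"},
    "constructed-mixed-feed": {"threat_column": "malware", "indicator_column": "ioc"},
}

# Assumed alias table: different feeds name the same threat differently,
# so the names are folded into one canonical threat before linking.
THREAT_ALIASES = {"zbot": "Zeus", "zeus": "Zeus", "emotet": "Emotet", "geodo": "Emotet"}

# Constructed feed contents, CSV with a header row.
FEEDS = {
    "constructed-zeus-feed":
        "domain,first_seen\nbad.example,2024-05-01\nworse.example,2024-05-02\n",
    "constructed-mixed-feed":
        "ioc,malware\nBAD.example,zbot\n203.0.113.7,geodo\nother.example,\n",
}


def canonical_threat(name):
    """Normalise a feed's threat label to its canonical name; None if blank."""
    name = (name or "").strip()
    if not name:
        return None
    return THREAT_ALIASES.get(name.lower(), name)


def link_threats(feeds=FEEDS, config=FEED_CONFIG):
    """Return two dicts keyed by deduplicated indicator value:
    links   -> set of canonical threat names the feeds tie it to
    sources -> set of feed names it was seen on (kept even when no threat is named)."""
    links, sources = {}, {}
    for feed_name, text in feeds.items():
        cfg = config[feed_name]
        for row in csv.DictReader(io.StringIO(text)):
            ioc = row[cfg["indicator_column"]].strip().lower()
            if not ioc:
                continue
            sources.setdefault(ioc, set()).add(feed_name)
            threat = cfg.get("fixed_threat") or canonical_threat(row.get(cfg.get("threat_column", "")))
            if threat:
                links.setdefault(ioc, set()).add(threat)
    return links, sources


if __name__ == "__main__":
    links, sources = link_threats()
    for ioc in sorted(sources):
        print(f"{ioc:<16} threats={sorted(links.get(ioc, []))} feeds={sorted(sources[ioc])}")
```

Indicator values are lower-cased before they are used as keys, so the same domain reported with different casing by two feeds collapses into one record that carries both feed sources and the union of their threats; an entry with a blank threat column still records the feed sighting, which is the signal the "seen on a threat feed" risk factor needs.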
What if I want a private version of Pulsedive’s platform just for myself/my team?
It’s possible and we’re happy to chat. Drop us a note at firstname.lastname@example.org.
Still have questions? We have answers! Email email@example.com