Certus
Malware Domain Predictor
Every day, hundreds of thousands of new domains are registered. Most are benign. Some aren't. Certus scores all of them — in real time, at the moment of certificate issuance — so you know which ones to watch before they do damage.
Threats register before they attack
Phishing infrastructure, malware C2 domains, and lookalike sites all share one thing in common: they had to be registered first. Certificate Transparency logs capture that moment — every domain, every certificate, in public view.
The problem is volume. Hundreds of thousands of new certificates are issued every day. Manual review is impossible. Certus applies machine learning to separate signal from noise at scale, so your team focuses on what matters.
- ~500K: New certificates issued daily via CT logs
- <1 min: Average time from issuance to Certus score
- Days–weeks: Head start before domains appear in threat feeds
How Certus Works
From certificate issuance to risk score in under a minute.
Monitor
CertStream delivers a real-time feed of newly issued SSL/TLS certificates from public Certificate Transparency logs. Every new domain on the internet passes through this stream.
Enrich
Each domain is immediately enriched with DNS infrastructure signals — registrar data, nameserver patterns, hosting characteristics, WHOIS age, and behavioral features drawn from related domains.
Score
Bayence's ML models produce a predictive malware score for each domain. The model was trained on real-world threat data and continuously updated as new patterns emerge.
Deliver
Domains exceeding your risk threshold are surfaced as a structured feed. Historical scored data is also available for enrichment workflows, retrospective analysis, and model training.
Use Cases
Certus fits naturally into existing security and network operations workflows.
Threat Intelligence Enrichment
Feed Certus scores into your SIEM or TIP to pre-emptively flag suspicious domains before they appear in logs.
DNS Firewall & Reputation Defense
Block or flag domains at the resolver layer using live Certus scores, reducing exposure before connections are made.
Brand & Customer Protection
Detect lookalike and typosquat domains targeting your brand as they are registered — not after they are weaponized.
Retrospective Investigation
Query historical scored data to understand whether domains seen in past incidents were flagged at registration time.
Data Delivery
Two ways to access Certus data, depending on your workflow.
Live Alert Feed
Real-time, threshold-based
Receive a structured feed of domains that exceed your configured risk threshold, as they are scored. Integrate directly into your SIEM, DNS firewall, or threat intelligence platform.
- Configurable score threshold
- Structured JSON output with enrichment metadata
- API or webhook delivery
Historical Data
Available for purchase
Access our archive of scored domains for retrospective analysis, model training, or enrichment of historical incidents. Data is available in bulk by time range, score band, or domain characteristics.
- Flexible query by date, score, and feature flags
- Bulk export for training and enrichment pipelines
- Priced per volume — contact us for details
Get ahead of the threat
Certus is available now for design partners and early adopters. Reach out to discuss access, pricing, or data licensing.