Threat Intelligence

SpoofSentry continuously analyzes DMARC report data, DNS changes, and sender behavior to detect email security threats. Signals are correlated into incidents, scored for severity and business impact, and tracked through a full lifecycle with linked remediation playbooks.

Signal types

SpoofSentry detects seven categories of threat signal from your DMARC data and DNS records. Volume spikes flag abnormal sending volume from known or unknown sources. Auth degradation detects sudden drops in SPF or DKIM pass rates. Geo anomalies identify sending from unexpected countries or IP ranges. Spoofing campaigns surface unauthorized senders attempting to impersonate your domain.

DNS changes detect modifications to your SPF, DKIM, DMARC, or MTA-STS records made outside SpoofSentry. Sender behavior shifts identify established senders whose authentication patterns have changed. Lookalike activity flags domains that closely resemble yours appearing in report data. Each signal type has tunable sensitivity thresholds.

Incident correlation

Raw signals are grouped into incidents using correlation rules. SpoofSentry clusters related signals by domain (signals affecting the same domain), sender (signals from the same sending infrastructure), vendor (signals related to the same third-party service), and time-spike (signals occurring within the same time window).

Correlation reduces alert fatigue by presenting a single incident instead of dozens of individual signals. Each incident includes a timeline showing when each contributing signal was first observed and how the incident evolved. Cross-domain correlation catches threats that span multiple domains in your portfolio.
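To make the signal types and the correlation step above concrete, here is an added example (not SpoofSentry code) that derives volume-spike and auth-degradation signals from constructed DMARC aggregate rows and then clusters them into one incident per domain and time window. The row layout, the thresholds (spike_factor, auth_drop) and the sample data are all assumptions.

```python
"""Toy detector for two of the signal types above (volume spike, auth degradation)
with domain/time-window correlation. Added example, not SpoofSentry code: the
record layout, thresholds and sample data are assumptions."""
from collections import defaultdict, namedtuple
from statistics import mean

# Constructed DMARC aggregate rows: (day, domain, source_ip, messages, spf_pass, dkim_pass)
SAMPLE_ROWS = [
    ("2024-05-01", "example.com", "203.0.113.10", 1000, 990, 995),
    ("2024-05-02", "example.com", "203.0.113.10", 1050, 1040, 1045),
    ("2024-05-03", "example.com", "203.0.113.10", 980, 400, 970),     # SPF pass rate collapses
    ("2024-05-03", "example.com", "198.51.100.7", 9000, 0, 0),        # unknown sender, all auth fails
    ("2024-05-03", "example.com", "203.0.113.10", 5000, 4900, 4950),  # known sender, ~5x usual volume
]
Signal = namedtuple("Signal", "kind domain source_ip day detail")

def detect_signals(rows, spike_factor=3.0, auth_drop=0.2):
    """Judge each day's rows against a baseline built only from earlier days.
    spike_factor and auth_drop are assumed thresholds, not the product's tunables."""
    per_sender = defaultdict(list)  # (domain, ip) -> [(messages, spf_rate, dkim_rate)]
    per_domain = defaultdict(list)  # domain -> [messages], used for senders with no history
    signals = []
    for day in sorted({r[0] for r in rows}):
        todays = [r for r in rows if r[0] == day]
        for _, dom, ip, n, spf, dkim in todays:
            hist = per_sender[(dom, ip)]
            if hist:  # known sender: compare with its own history
                base_n = mean([h[0] for h in hist])
                if n > spike_factor * base_n:
                    signals.append(Signal("volume_spike", dom, ip, day, f"{n} msgs vs ~{base_n:.0f}"))
                for name, passed, idx in (("SPF", spf, 1), ("DKIM", dkim, 2)):
                    base_rate = mean([h[idx] for h in hist])
                    if passed / n < base_rate - auth_drop:
                        signals.append(Signal("auth_degradation", dom, ip, day,
                                              f"{name} pass {passed / n:.0%} vs ~{base_rate:.0%}"))
            elif per_domain[dom] and n > spike_factor * mean(per_domain[dom]):
                signals.append(Signal("volume_spike", dom, ip, day, f"unknown source sent {n} msgs"))
        for _, dom, ip, n, spf, dkim in todays:  # extend baselines only after the whole day
            per_sender[(dom, ip)].append((n, spf / n, dkim / n))
            per_domain[dom].append(n)
    return signals

def correlate(signals):
    """Cluster signals into incidents keyed by domain and time window (one calendar day here)."""
    incidents = defaultdict(list)
    for s in signals:
        incidents[(s.domain, s.day)].append(s)
    return dict(incidents)
```

Running `correlate(detect_signals(SAMPLE_ROWS))` on the constructed rows yields a single incident for example.com on 2024-05-03 carrying three signals: an SPF degradation on the known sender, a volume spike from the unknown source, and a volume spike on the known sender.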

Threat scoring

Each incident receives a composite threat score based on five factors. Severity measures the technical impact of the threat. Confidence indicates how certain SpoofSentry is that the signals represent a real threat rather than noise. Business impact considers the affected domain's importance and sending volume. Enforcement impact evaluates whether the threat would be mitigated by a stricter DMARC policy. Blast radius estimates how many recipients are affected.

Scores are used to prioritize the incident queue and determine notification urgency. High-severity incidents trigger immediate alerts through configured channels (Slack, Teams, email, webhook). Lower-severity incidents are batched into daily or weekly digests.

Lifecycle tracking

Every incident follows a defined lifecycle: new (just detected), active (ongoing signals), acknowledged (analyst has reviewed), and resolved or false_positive (closed with disposition). State transitions are recorded in an immutable timeline with timestamps, the user who made the change, and optional notes.

The timeline provides a complete audit trail for post-incident review and compliance evidence. SLA timers track time-to-acknowledge and time-to-resolve against configurable targets. Overdue incidents are escalated automatically through notification channels.

Response workflow

Each incident type is linked to one or more remediation playbooks that provide step-by-step resolution guidance. Playbooks can be executed manually, semi-automatically (with approval gates), or fully automatically on Enterprise plans. Analyst notes can be attached to any incident for context sharing across the team.

SLA timers are configurable per incident severity level. When an SLA breach is approaching, SpoofSentry sends escalation notifications. Response metrics (mean time to acknowledge, mean time to resolve) are tracked per domain and across the portfolio for operational reporting.

Recurrence detection

When a resolved incident's signals recur, SpoofSentry automatically reopens the incident rather than creating a duplicate. The reopened incident retains its full history, including previous analyst notes and remediation steps taken. This prevents the same threat from being investigated from scratch each time it reappears.

Recurrence patterns are surfaced in reporting so teams can identify persistent threats that require deeper remediation, such as a vendor whose infrastructure repeatedly falls out of alignment or a spoofing campaign that returns periodically.

See what threats are targeting your domains

Start monitoring DMARC reports and let SpoofSentry surface the threats that matter.
