What is Validin?
Validin is an internet intelligence platform that helps security teams understand how domains, IP addresses, and online infrastructure are created, used, and changed over time.
The platform collects its own data directly from the internet and combines it with selected open source intelligence to provide clear, explainable context about online activity.
This allows users to investigate infrastructure, track changes, and understand how threats operate without relying on sampled traffic or opaque scoring.
Note: Validin focuses on direct observation and long-term history rather than real-time traffic monitoring or proprietary reputation scores.
What we mean by internet intelligence
Internet intelligence is information about how public internet infrastructure behaves and evolves.
This includes how domains resolve, how servers respond to requests, how certificates are issued and reused, how domains are registered, and how external research references infrastructure over time.
Validin normalizes these data points so they can be searched, reviewed historically, and operationalized across investigations.
How Validin collects data
Validin relies primarily on first-party collection. This means the platform gathers data using infrastructure it operates itself, rather than relying on third-party traffic feeds, browser telemetry, or customer-supplied data.
Open source intelligence is added separately to provide context and attribution, not to replace direct measurement.
Note: First-party collection allows Validin to control how data is gathered, refreshed, and preserved over time.
Core data areas
Validin is built around several core data areas that are designed to work together to form a complete CTI solution:
1. DNS data
Validin actively collects DNS information across the global DNS namespace. This makes it possible to see how domains resolve today, how they resolved in the past, and when changes occurred.
DNS data supports discovery of shared infrastructure and resolution patterns that are difficult to observe using resolver-limited datasets.
2. Host response data
Host response data captures how servers respond to HTTP and HTTPS requests.
This includes response headers, page content, favicons, and certificates, along with derived fingerprints. Host response data helps teams understand how services are configured and whether infrastructure is reused across multiple hosts.
3. Certificate Transparency data
Validin continuously monitors public Certificate Transparency logs.
This data shows which certificates have been issued, which domains they cover, and how certificates are reused over time. Certificate data often reveals relationships between domains that are not visible through DNS alone.
4. Registration data
Validin collects domain registration information using WHOIS and RDAP where available.
Registration records are normalized and stored historically, allowing users to see how ownership, registrars, and contact details change over time.
5. OSINT and reputation data
Validin ingests open source intelligence from selected public sources to provide threat context.
This data links domains and IP addresses to named threats, campaigns, and research reports. Reputation context is based on documented references and is fully explainable.
Note: Reputation in Validin is contextual. Users can always review the sources and evidence behind an association.
How the data fits together
All datasets in Validin are designed to connect together to produce operationalized intelligence.
Users can move between DNS data, host responses, certificates, registration records, and OSINT context without losing historical detail. This makes it easier to understand how infrastructure is related, how it changes, and how activity observed in one dataset is reflected in others.
Searching and investigation
Validin supports different investigation styles, from quick lookups to large-scale analysis.
Users can start with simple searches for domains, IP addresses, or hashes, then apply structured filters to narrow results based on behaviour, configuration, or historical changes. For broader analysis, Validin supports bulk analysis and YARA-based searches to identify matching content across historical and continuously collected data.
Monitoring and alerting features allow teams to track infrastructure over time and receive notifications when meaningful changes occur, supporting both reactive investigations and ongoing analysis.
Collaboration and integration
Validin supports both individual research and team-based workflows.
Projects allow users to group investigations, track indicators, and preserve context over time. Sharing controls make it possible to collaborate across teams while maintaining access boundaries. Alerts surface changes to tracked assets, and API access allows Validin data to be integrated into external systems and automated workflows.
These features support use cases ranging from ad hoc research to continuous monitoring and operational integration.
Who uses Validin
Validin is used by security teams, threat researchers, and analysts working across investigation, response, and research.
The platform is commonly used to investigate suspicious infrastructure, track how threat assets evolve, support incident response, and enrich detections with additional context. Use cases range from short-term investigations to long-running monitoring and research efforts.
Capabilities
| Area | How Validin is used |
|---|---|
| Investigation | Exploring domains, IPs, certificates, and content to understand infrastructure and behaviour |
| Threat research | Tracking campaigns, infrastructure reuse, and historical changes |
| Monitoring | Watching assets for DNS, hosting, or content changes over time |
| Collaboration | Organizing and sharing investigations through Projects |
| Integration | Enriching external tools and workflows via API access |
Getting access
Validin is available through a web interface and API.
A free Community account provides limited access to core data. Paid plans (Pro and Enterprise) increase query limits and unlock additional features such as projects, monitoring, and automation.
