Attack Path Analysis
From one foothold, the structure an attacker would lean on. The run finds the DNS and registrant choke points whose compromise reaches the furthest, the pivots that cluster its infrastructure even after IPs rotate (a shared registrant email, a shared TLS fingerprint), whether it is provably linked to a second asset, and how close it already sits to known-bad.
- 2 threat-listed domain(s) on the foothold's IPs — near known-bad
- Provably linked to the second asset via shared registrant (hostmaster@ebay.com, hostmaster@paypal.com, service@sintl-paypal.com)
- Shares 3 IP(s) with the second asset
- Shares nameserver(s) with the second asset
- DNS choke point pdns100.ultradns.com carries 581 dependent domain(s)
40 nodes · 50 edges
- DNS choke point: pdns100.ultradns.com serves 581 domain(s); its compromise severs DNS for all of them. (source: DNS)
- Registrant pivot: 1,000 domain(s) share hostmaster@ebay.com, a pivot that survives IP/NS churn. (source: WHOIS)
- Hidden link confirmed: the foothold is provably linked to the second asset via registrant hostmaster@ebay.com, hostmaster@paypal.com, service@sintl-paypal.com; 3 shared IP(s); shared nameserver(s). (source: DNS)
- 2 threat-listed domain(s) are co-tenanted on the foothold's serving IPs; the path to known-bad is short. (source: threat-intel)
| nameserver | dependents | sample |
|---|---|---|
| pdns100.ultradns.com | 581 | paypal.ai, hellenicbank.app, paypal.com.ar, mcgraw-hill.asia, vitaminworld.asia, paypal.at |
| ns2-pchnet.paypal.com | 254 | paypal.ai, paypal.com.ar, paypal.at, paypal.com.au, paypal-australia.com.au, paypal-business.com.au |
| ns1-pchnet.paypal.com | 254 | paypal.ai, paypal.com.ar, paypal.at, paypal.com.au, paypal-australia.com.au, paypal-business.com.au |
| ppdns.paypal.com | 155 | paypal.at, paypal.com.au, paypal-education.com.au, paypal-opladen.be, paypal-recharger.be, paypal-topup.be |

| registrant email | estate (domains) | sample |
|---|---|---|
| hostmaster@ebay.com | 1000 | 3pm.ai, marktplaats.amsterdam, stubhub.amsterdam, bitbay.app, catch.app, deepcommerce.app, +2 more |
| hostmaster@paypal.com | 1000 | venmo.ai, payp.asia, pypl.asia, bill-safe.at, bill-save.at, braintree.co.at, +2 more |
| service@sintl-paypal.com | 56 | paypalgiftcards.biz, paypalsmartpaymentbuttons.biz, paypalsmartpayments.biz, venmogoods.biz, cashify.com, loanbuilder.com, +2 more |

| shared ips | shared nameservers | shared registrant |
|---|---|---|
| 151.101.195.1, 151.101.3.1, 162.159.141.96 | ns1-pchnet.paypal.com, ns2-pchnet.paypal.com, ppdns.paypal.com, pdns100.ultradns.com, ns1.p57.dynect.net | hostmaster@ebay.com, hostmaster@paypal.com, service@sintl-paypal.com |

| ip | co-tenant count | sample |
|---|---|---|
| 151.101.3.1 | 192 | paypal.ai, paypal.com.ar, www.paypal.com.ar, paypal.at, www.paypal.at, paypal.com.au, +4 more |
| 151.101.195.1 | 113 | paypal.ai, www.paypal.com.ar, www.paypal.at, www.paypal.com.au, www.paypal-australia.com.au, www.paypal-business.com.au, +4 more |
| 162.159.141.96 | 84 | paypal.com.ar, paypal.at, paypal.com.au, paypal-australia.com.au, paypal-business.com.au, paypal.be, +4 more |

| asn | peer count | facilities | facility sample |
|---|---|---|---|
| AS54113 (Fastly) | 79 | 897 | NIKHEF Amsterdam; CoreSite - San Jose (SV1); CoreSite - Los Angeles (LA1) One Wilshire; Digital Realty SFO (365 Main); Digital Realty NYC (60 Hudson) |
| AS13335 (Cloudflare) | 1221 | 1488 | Equinix SV8 - Silicon Valley, Palo Alto; Equinix SV1/SV5/SV10 - Silicon Valley, San Jose; Equinix DA1 - Dallas; Equinix DC1-DC15, DC21-DC22 - Ashburn; Digital Realty SFO (200 Paul) |

| ip | threat-listed neighbours | sample |
|---|---|---|
| 151.101.3.1 | 2 | paypal.no, paypal.com.ve |
| 162.159.141.96 | 2 | paypal.no, paypal.com.ve |

The one query behind this

```
CALL explain($value)
```

Snapshot from a max-depth run on Jun 26, 2026. Run it again for live data.
Free tier — no credit card. Runs up to 3 hops deep; Pro goes to 5.
What it solves
Internal attack-path tools stop at your perimeter. This traces the external structure an adversary would actually use, and the pivots that persist even when the obvious indicators change.
Without it, you reconstruct the external graph by hand, pivot by pivot, from:
- passive DNS
- WHOIS pivoting
- TLS fingerprinting
- threat feeds
What this means
- A choke point with thousands of dependents is the single node whose compromise reaches the furthest. It is the highest-leverage target, and the biggest blind spot.
- A shared registrant email or TLS fingerprint is a persistent pivot. It links infrastructure even after IPs and nameservers rotate.
- Threat-listed neighbours on the foothold's own IPs measure how short the path to known-bad already is: distance to danger, not mere association. Weigh each hit against the co-tenant count on that IP; on a CDN or shared-hosting address with hundreds of co-tenants, a threat-listed neighbour is a much weaker signal than it would be on a dedicated one.
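The four findings described above can be computed from ordinary pivot data. The following is an added example, not code from this page or from the product it describes: it inverts a small set of constructed passive-DNS, WHOIS and threat-feed records into nameserver, IP and registrant indexes, ranks DNS choke points by dependents, lists registrant pivots, tests whether a foothold and a second asset are provably linked, and measures distance to known-bad as threat-listed co-tenants on the foothold's own IPs. Every domain, IP, nameserver and email in it is hypothetical (RFC 5737 test addresses and reserved names), as are the `analyze` helper and the `PRIVACY_PROXIES` list.

```python
"""Added example: compute the page's four attack-path findings from constructed
passive-DNS, WHOIS and threat-feed records. Not the product's own code."""
from collections import defaultdict

# Constructed sample records (hypothetical names, RFC 5737 test addresses).
# Each domain: its A records, authoritative nameservers and WHOIS registrant email.
RECORDS = {
    "foothold.example": {"ips": ["203.0.113.10", "198.51.100.5"],
                         "ns": ["ns1.dns.example", "ns2.dns.example"],
                         "registrant": "hostmaster@example"},
    "second.example":   {"ips": ["203.0.113.10"], "ns": ["ns1.dns.example"],
                         "registrant": "hostmaster@example"},
    "shop.example":     {"ips": ["203.0.113.11"], "ns": ["ns1.dns.example"],
                         "registrant": "hostmaster@example"},
    "unrelated.test":   {"ips": ["192.0.2.7"], "ns": ["ns1.dns.example"],
                         "registrant": "admin@unrelated.test"},
    "bad-phish.test":   {"ips": ["198.51.100.5"], "ns": ["ns9.other.test"],
                         "registrant": "privacy@proxy.test"},
    "also-bad.test":    {"ips": ["203.0.113.10"], "ns": ["ns9.other.test"],
                         "registrant": "privacy@proxy.test"},
}
THREAT_LISTED = {"bad-phish.test", "also-bad.test"}   # constructed feed hits
PRIVACY_PROXIES = {"privacy@proxy.test"}              # hypothetical WHOIS privacy address


def norm(name):
    """Case-fold and strip the trailing dot so one host is one graph node."""
    return name.lower().rstrip(".")


def build_indexes(records):
    """Invert records into attribute -> set(domains); these sets are the graph's edges."""
    by_ns, by_ip, by_reg = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, rec in records.items():
        for ns in rec["ns"]:
            by_ns[norm(ns)].add(domain)
        for ip in rec["ips"]:
            by_ip[ip].add(domain)
        reg = norm(rec["registrant"])
        if reg not in PRIVACY_PROXIES:   # a proxy email would falsely link every customer
            by_reg[reg].add(domain)
    return by_ns, by_ip, by_reg


def choke_points(by_ns, top=3):
    """Nameservers ranked by dependent domains: compromising the top one severs the most DNS."""
    ranked = sorted(by_ns.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ns, len(doms)) for ns, doms in ranked[:top]]


def registrant_pivots(by_reg, min_estate=2):
    """Registrant emails shared by at least min_estate domains; this pivot survives IP/NS churn."""
    ranked = sorted(by_reg.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(email, len(doms)) for email, doms in ranked if len(doms) >= min_estate]


def link(records, a, b):
    """Evidence that a and b belong to one estate. Shared IPs or nameservers alone are
    weak (a CDN or large DNS host shares them with strangers); a shared non-proxy
    registrant is what this example treats as proof."""
    ra, rb = records[a], records[b]
    reg_a, reg_b = norm(ra["registrant"]), norm(rb["registrant"])
    shared_reg = reg_a if (reg_a == reg_b and reg_a not in PRIVACY_PROXIES) else None
    return {
        "shared_ips": sorted(set(ra["ips"]) & set(rb["ips"])),
        "shared_ns": sorted({norm(n) for n in ra["ns"]} & {norm(n) for n in rb["ns"]}),
        "shared_registrant": shared_reg,
        "provably_linked": shared_reg is not None,
    }


def distance_to_known_bad(records, by_ip, foothold, threat_listed):
    """Threat-listed domains co-tenanted on the foothold's own IPs. The co-tenant count
    is kept per IP so a crowded shared address can be discounted when reading the result."""
    out = {}
    for ip in records[foothold]["ips"]:
        cotenants = by_ip[ip] - {foothold}
        out[ip] = {"cotenants": len(cotenants),
                   "threat_neighbors": sorted(cotenants & threat_listed)}
    return out


def analyze(records, foothold, second, threat_listed):
    """Run all four findings for one foothold; mirrors the summary bullets on the page."""
    by_ns, by_ip, by_reg = build_indexes(records)
    return {
        "choke_points": choke_points(by_ns),
        "registrant_pivots": registrant_pivots(by_reg),
        "link": link(records, foothold, second),
        "known_bad": distance_to_known_bad(records, by_ip, foothold, threat_listed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(RECORDS, "foothold.example", "second.example", THREAT_LISTED), indent=2))
```

Two design choices matter more than the rest. Privacy-proxy registrant addresses are excluded from the registrant index, because one proxy email would otherwise "link" every customer of that registrar into a single false estate. And `link` treats a shared IP or nameserver as supporting evidence only: on the sample data the foothold shares an IP with a threat-listed domain yet is not provably linked to it, which is exactly the distinction between distance to known-bad and common ownership.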
Dig deeper
Read the how-to
The documentation for this flow — the queries explained, with variants you can adapt.
Open the documentation →
Related flows
All use cases →
Blast Radius
Pick one piece of infrastructure and see what breaks if it disappears, from the domains it serves to the owner and datacenter behind it.
Digital Infrastructure Mapping
One indicator, mapped to its real owner and full footprint, even behind privacy WHOIS, then graded for how concentrated it is.
Indicator Investigation
Drop in any domain, IP, ASN, or prefix and get back a verdict you can defend, with the evidence and sources attached.
Attack-Surface Mapper
Point it at a domain and get the full external footprint, scored: subdomains, nameservers, mail senders, the origins behind any CDN, and the posture of everything that serves it.