The Pyramid of Pain: How to Fight Back in Cybersecurity

Cyber threat actors can hurt you, but did you know you can hurt them too? And it’s absolutely legal. You can make their lives harder — perhaps so hard that they stop attacking you altogether or, hopefully, even reconsider their careers. How do you do it?

Every time you block their attacks, you hurt them. You make them change something in the way they attack, which takes time and effort. Some of the changes hurt more than others. In this post, we talk about the Pyramid of Pain — a model that attempts to measure how blocking different things hurts attackers differently — and how it helps security teams evaluate and put different types of threat intelligence to good use.

What Is the Pyramid of Pain?

The Pyramid of Pain is a cyber threat intelligence concept that involves ranking indicators of compromise (IoCs) based on the effort an adversary must spend in order to change that IoC once you flag it. It looks like this:

The pyramid of pain model

The Pyramid of Pain was first introduced by security researcher David J. Bianco, who said, “The amount of pain you cause an adversary depends on the types of indicators you are able to make use of.”

In other words, the pyramid helps security teams gauge the impact on threat actors when their artifacts are detected and blocked. 

Understanding The Different Levels of the Pyramid of Pain

The pyramid is structured into stacked levels, with each level representing a different type of artifact an attacker uses.

As you move up the list of pyramid levels, the effort required for an adversary to change or replace the detected threat artifacts also increases. This increasing effort corresponds directly to the level of pain security teams inflict.

Let’s break down David J. Bianco’s simple diagram from the bottom up. 

Hashes

At the base are SHA1, MD5, and other hashes of malicious files. These are the easiest threat detection artifacts for an adversary to change — a single byte change in the code generates an entirely new hash. 

Hashes in an IoC-based threat intelligence data feed
Image source: Threat Intelligence Data Feed Malicious File Hashes sample file

Although the impact on threat actors is trivial, blocking hashes still imposes a short-term loss on them, which makes a threat intelligence feed with an up-to-date list of malicious hashes important for cybersecurity.

Disruption tactics and tools:

  • Antivirus solutions
  • Threat intelligence feeds

IP Addresses 

IP addresses are also low-effort to replace. Blocking an IP address is easily bypassed with a simple switch to a different server, which, in the era of cloud computing, has become even easier than before. Still, this IoC type is useful for identifying the adversary’s infrastructure, and security teams use this data for immediate remediation (e.g., block connections to malicious IP addresses associated with botnets).

While the operational pain inflicted on the attacker is low, this immediate action helps mitigate high-volume attacks. Naturally, threat intelligence feeds like the aforementioned WhoisXML API’s Threat Intelligence Data Feed contain IP addresses as well.

IP addresses in an IoC-based threat intelligence feed
Image source: sample from Threat Intelligence Data Feed Malicious IPv4 addresses data feed

Disruption tactics and tools:

  • Firewalls and NGFWs
  • Threat intelligence feeds

Domain Names

Historically, domains were slightly harder to change than IPs, but modern techniques have all but erased this distinction.

Case in point: The proliferation of domain generation algorithms (DGAs) has given attackers an almost infinite supply of command-and-control (C2) or phishing domains to rotate between. For instance, security intelligence sources such as the First Watch Malicious Domains Data Feed see hundreds of thousands of new DGA-generated domains daily.

Disruption tactics and tools:

  • DNS security solutions
  • Threat intelligence feeds
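As an added illustration that is not part of the original post (and not WhoisXML API code), the following Python compares a per-domain blocklist with a rule that blocks the registration pattern itself, using the “zzz” plus digits under .top pattern described later in this post; the domains and the DNS log are constructed.

```python
import re

# Constructed sample: domains already confirmed malicious (what a Level 3
# indicator feed would deliver) before the adversary rotates onward.
KNOWN_BAD = {"zzz4812.top", "zzz4813.top", "zzz4820.top"}

# Constructed DNS log: names that hosts tried to resolve today.
OBSERVED = [
    "zzz4812.top",      # already on the list
    "zzz9931.top",      # fresh rotation, not yet in any feed
    "zzz10442.top",     # another fresh rotation
    "example.com",      # benign
    "zzzsoftware.top",  # similar-looking but not the numeric pattern
]

# Rule derived from the registration cluster: literal "zzz", then digits
# only, under .top. The anchors matter; without them any name containing
# "zzz" would match and false positives would climb.
DGA_PATTERN = re.compile(r"^zzz[0-9]{3,}\.top$")


def blocked_by_indicator(domain: str) -> bool:
    """Level 3 of the pyramid: exact match against known-bad domains."""
    return domain.lower() in KNOWN_BAD


def blocked_by_pattern(domain: str) -> bool:
    """Higher up the pyramid: block the generation pattern, not the instance."""
    return DGA_PATTERN.match(domain.lower()) is not None


def triage(domains):
    """Map each domain to which control would have stopped it."""
    return {d: {"indicator": blocked_by_indicator(d),
                "pattern": blocked_by_pattern(d)} for d in domains}


def coverage(domains):
    """Count the domains each control blocks, to compare their reach."""
    hits = triage(domains).values()
    return (sum(h["indicator"] for h in hits), sum(h["pattern"] for h in hits))


if __name__ == "__main__":
    for d, h in triage(OBSERVED).items():
        print(f"{d:18} indicator={h['indicator']!s:5} pattern={h['pattern']}")
    print("blocked (indicator, pattern):", coverage(OBSERVED))
```

The indicator list stops only the one domain it already knows, while the pattern rule also stops the two fresh rotations and leaves the look-alike benign name alone.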

Network and Host Artifacts

Moving up, network and host artifacts are harder to change. These are threat detection artifacts caused by the adversary on your network or hosts. 

Network artifacts:

  • URI patterns
  • SMTP Mailer values
  • C2 communication HTTP user-agent strings

Host artifacts:

  • Specific registry keys left by malware
  • Suspiciously named files or directories
  • Malicious services

Changing these requires modifying the code that governs how the threat actor interacts with the target network. Blocking them can cost the adversary access to an entire class of attack vectors: attackers would need to reconfigure or recompile their tools to change these artifacts, which demands a moderate level of effort and cost.

Disruption tactics and tools:

  • Endpoint detection and response (EDR)
  • Intrusion detection systems (IDS)
  • Threat intelligence feeds

Tools

An attacker’s tool can range from commercial software to a bespoke tool custom-built by a threat group. Detecting and blocking a specific tool means the adversary must invest time and resources into modifying, replacing, or buying a new one, which has a significant impact on adversaries. This is especially true if the tool exploits 0-day vulnerabilities, as their discovery can prompt patching, making threat actors lose a prized asset.

Disruption tactics and tools:

  • Behavior analytics (UEBA)
  • Threat hunting 
  • Predictive threat intelligence

Tactics, Techniques, and Procedures (TTPs)

At the apex of the pyramid is the adversary's behavior. TTPs describe how an attacker operates — their methods for reconnaissance, lateral movement, and data exfiltration. 

Detecting and blocking these behaviors (e.g., the abuse of PowerShell for remote execution or using scheduled tasks for persistence) is the most effective strategy for defenders, as it causes the most disruption for attackers’ cyber operations. It forces adversaries to learn new methods, which is extremely difficult and costly. 

Note that because the First Watch Malicious Domains Data Feed detects domains based on domain registration patterns, blocking the domains it flags effectively blocks entire toolsets rather than individual domains. Threat actors can no longer simply jump from one domain to another because all domains fitting the pattern have been blocked. They are then forced to change tools or TTPs — remaking their DGA algorithms, jumping between registrars, or doing more. That inflicts significant pain on the attackers.

Disruption tactics and tools:

  • Behavior analytics (UEBA)
  • MITRE ATT&CK-mapped detection
  • Strategic threat intelligence 
  • Predictive threat intelligence

Using the Pyramid of Pain for an Effective Cyber Defense

The Pyramid of Pain is a framework for evaluating how an organization can use threat intelligence more effectively, helping security teams to measure the qualities of threat detection artifacts and focus their efforts for maximum results. 

Does this mean ignoring bottom-level artifacts and zooming in on IoCs on the higher levels? Absolutely not. The strategy should be to automate the bottom and focus your attention on the top.

Disrupting the Lower Levels with Security Automation

On the lower levels, the most efficient strategy is to automatically block everything. Manual management isn’t possible on these levels given the sheer volume of these IoCs. To give an example, there are about 3.4 billion spam emails sent every day, many of which contain malicious links or attachments. Without automation, it’s impossible to deal with such volumes. 

Disrupting the lower levels of the pyramid of pain
  • IoC-Based Threat Intelligence Feeds. Traditional tactical feeds with IoCs contain known malicious hashes, IP addresses, and domains that map to Level 1 (Hashes), Level 2 (IPs), and Level 3 (Domains) of the Pyramid of Pain. Security platforms automatically ingest these indicators via APIs, continuously refresh them, and enforce them across controls. All of that works automatically, with barely any manual analyst involvement. This is the foundational level that enables all the other disruption tools to work.
  • Antivirus Solutions. Antivirus tools actively block malicious files at Level 1 (Hash values) by scanning files at execution or access time and matching them against continuously updated signature databases. The platform automatically quarantines or deletes detected malware in real time, stopping known threats as soon as they appear on an endpoint.
  • Firewalls / NGFWs. Firewalls and NGFWs actively disrupt Level 2 (IPs) and partially Level 3 (Domain Names) by denying network connections to attacker-controlled infrastructure. They depend on IoC-based threat intelligence: they are essentially the means of enforcing it at the level of the organization’s network through blocklists.
  • DNS Security Solutions. DNS filtering tools actively disrupt Level 3 (Domain Names) by blocking or sinkholing DNS requests before endpoints can reach malicious destinations. Yet again, these require threat intelligence, but they can be quite effective at cutting off command-and-control and phishing infrastructure without analyst action.

Disrupting the Upper Levels with Analysts’ Focus and AI

Upper levels are harder to completely automate and require human analysts to think, analyze, and act. However, there’s still room for automation.

Disrupting the upper levels of the pyramid of pain
  • Strategic and Predictive Threat Intelligence Feeds. Strategic threat intelligence helps disrupt threat actor operations at Level 5 (Tools) and Level 6 (TTPs) by providing context on their goals, capabilities, and long-term operational patterns. That enables defenders to anticipate attacker behavior and proactively harden defenses.
    Predictive threat intelligence goes a step further by identifying and blocking emerging infrastructure patterns, such as domain registration behaviors, naming conventions, hosting choices, and DGA algorithms, forcing threat actors to change tooling, automation logic, and infrastructure generation methods.
    Below is an example of dozens of .top domains that start with “zzz” followed by a random series of numbers from our predictive threat intelligence solution — First Watch. They all have glaring commonalities that make the chances of false positives very low, including the same registrar, name servers, and creation date (and even almost identical timestamps). All of them were added to the feed almost immediately after domain registration. This means that using a predictive solution like First Watch allows organizations to effectively block such patterns.
Predictive threat intelligence allows you to block domain patterns
Image source: First Watch Malicious Domains Data Feed file dated June 9, 2025
  • Threat Hunting. Threat hunting targets Level 5 (Tools) and Level 6 (TTPs) by actively searching for attacker behavior that bypasses automated controls. By finding repeatable techniques like lateral movement or persistence, hunting forces attackers to abandon known playbooks and develop new methods.
  • Behavior Analytics. Behavior analytics (primarily User and Entity Behavior Analytics tools) works at Level 6 (TTPs) by detecting abnormal user, host, and network behavior instead of relying on known indicators. It flags unusual activity and attracts analysts’ attention to it, preventing attackers from reusing familiar techniques even when they change tools or infrastructure.
    For example, as your firewall or SIEM automatically blocks malicious file hashes and domains, behavioral detection might alert on a sequence of actions: a Microsoft Word document spawning a PowerShell process, which then makes a network connection to an unknown domain.
    Even when the threat actor changes their tools, behavioral analysis can still support future attribution and inflict lasting pain and long-term loss because it directly targets the attacker's core methodology.
  • Mapping to MITRE ATT&CK. Mapping detections to MITRE ATT&CK disrupts both Level 5 (Tools) and Level 6 (TTPs) by organizing defenses around attacker behavior. Because this approach starts from attacker tactics and techniques, it exposes detection gaps and helps teams block entire techniques, forcing attackers to change how they operate rather than just rotating indicators.
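The Word-to-PowerShell-to-network sequence described above, as an added Python example that is not from the original post: it runs the behavioral rule over constructed, EDR-style telemetry, and the event field names, process image names, and destination allowlist are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One constructed EDR-style telemetry row; field names are assumptions."""
    ts: datetime
    etype: str       # "process" (start) or "netconn" (outbound connection)
    pid: int
    ppid: int        # parent pid; 0 for netconn rows
    image: str       # process image name
    dest: str = ""   # destination host, netconn rows only


T0 = datetime(2025, 6, 9, 10, 0, 0)
EVENTS = [  # constructed sample containing two PowerShell chains
    Event(T0, "process", 400, 1, "explorer.exe"),
    Event(T0 + timedelta(seconds=5), "process", 410, 400, "WINWORD.EXE"),
    Event(T0 + timedelta(seconds=12), "process", 420, 410, "powershell.exe"),
    Event(T0 + timedelta(seconds=14), "netconn", 420, 0, "powershell.exe", "zzz9931.top"),
    # Benign admin use: PowerShell started from a shell, talking to a known host.
    Event(T0 + timedelta(seconds=30), "process", 500, 400, "cmd.exe"),
    Event(T0 + timedelta(seconds=31), "process", 510, 500, "powershell.exe"),
    Event(T0 + timedelta(seconds=33), "netconn", 510, 0, "powershell.exe", "update.example.com"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
KNOWN_DESTS = {"update.example.com"}  # constructed allowlist of expected hosts
WINDOW = timedelta(minutes=5)          # max time from Office start to connection


def detect_office_to_ps_netconn(events):
    """Flag the chain Office app -> child PowerShell -> outbound connection to an
    unknown host within WINDOW. Returns one (parent image, pid, dest) per hit."""
    by_pid = {e.pid: e for e in events if e.etype == "process"}
    findings = []
    for e in events:
        if e.etype != "netconn" or e.dest.lower() in KNOWN_DESTS:
            continue
        proc = by_pid.get(e.pid)
        if proc is None or proc.image.lower() != "powershell.exe":
            continue
        parent = by_pid.get(proc.ppid)
        if parent is None or parent.image.lower() not in OFFICE_APPS:
            continue
        if e.ts - parent.ts <= WINDOW:
            findings.append((parent.image, proc.pid, e.dest))
    return findings
```

The rule fires on the Word-spawned chain and stays quiet on the administrator’s shell-spawned PowerShell, which is the point of matching the behavior rather than the binary or the domain.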

Conclusion

The Pyramid of Pain provides a clear path for maturing an organization's detection and response capabilities. Automating detection and blocking of lower-level indicators and shifting the focus of human expertise to high-level malicious behaviors allows security teams to effectively disrupt threat actor operations and increase their operational costs.

This forces adversaries to retool, retrain, and reconsider their individual targets. For state-sponsored espionage actors and other APTs with specific targets in mind, this is even more devastating, which makes the approach all the more useful for the security teams of organizations likely to be targeted by such actors.

Try out WhoisXML API’s predictive threat intelligence solution: First Watch Malicious Domains Data Feed.
