> For the complete documentation index, see [llms.txt](https://wiki.privai.cloud/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://wiki.privai.cloud/ecosystem-components/threat-intel.md).

# Threat Intel

Threat Intel modules help users evaluate suspicious websites, phishing URLs, claim pages, and risky infrastructure before they connect a wallet or share information.

## What It Helps Answer

* Is this domain connected to known malicious activity?
* Does this page look like a phishing or fake-claim page?
* Are security headers missing or weak?
* Does public infrastructure context raise concerns?
* Should the user avoid connecting a wallet or signing anything?

## Active Modules

| Module                  | Purpose                                                                  | Status     |
| ----------------------- | ------------------------------------------------------------------------ | ---------- |
| **dapp\_domain.scan**   | Reviews dApp/domain reputation and web infrastructure signals.           | MVP active |
| **phishing\_url.check** | Checks URL/domain reputation through configured threat-intel sources.    | MVP active |
| **site\_headers.audit** | Reviews common web security headers and basic browser hardening posture. | MVP active |
| **fake\_claim.detect**  | Checks suspicious claim pages using the domain scan pipeline.            | Staged     |

## Signal Categories

| Signal                     | Why It Matters                                                 |
| -------------------------- | -------------------------------------------------------------- |
| **Domain reputation**      | Helps identify known malicious or suspicious infrastructure.   |
| **URL reputation**         | Helps flag phishing pages and risky redirects.                 |
| **Security headers**       | Shows whether a site follows basic browser security practices. |
| **Clone indicators**       | Helps detect fake claim pages and brand impersonation.         |
| **Infrastructure context** | Can reveal risky hosting, redirects, or repeated patterns.     |

## Data Sources

| Source                 | Used For                                    |
| ---------------------- | ------------------------------------------- |
| **VirusTotal**         | Domain and URL reputation checks.           |
| **urlscan**            | Domain and web infrastructure scan context. |
| **Direct HTTP checks** | Header posture and basic site metadata.     |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://wiki.privai.cloud/ecosystem-components/threat-intel.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
