Karen IT Cyber Threat Intelligence

Built for Analysts.
Powered by Real Infrastructure.

Our internal CTI platform gives security teams, researchers, and law enforcement a structured environment to scan, investigate, and hunt threats — backed by Karen IT's own data collection infrastructure, threat feeds, and image clustering technology.

 
  • 640K+ Malicious URLs Detected
  • 21 Searchable Fields
  • 8 Data Layers Per Scan
  • 5 min Live Feed Refresh

One Platform.
Every Layer of a URL.

When a suspicious URL surfaces — in a phishing report, an incident, a threat feed, or an investigation — most tools give you surface-level answers. Our CTI platform goes deeper.

A single scan returns the full technical stack: HTTP behavior, DNS records, TLS certificate details, geolocation, WHOIS data, HAR interaction logs, favicon hashing, and image-based clustering — all in one structured, queryable record.

Every scan is permanently linked, exportable as raw JSON, and searchable across dozens of fields. Built for analysts who need answers fast, and for investigations that require documentation that holds up.

WHAT EACH SCAN RETURNS
Full request chain — FQDNs, IPs, ASNs, countries
TLS certificate inspection and fingerprinting
Full DNS resolution — A, AAAA, NS, MX and more
HAR log — complete browser interaction record
Image clustering — visual similarity detection
Favicon MD5, page hash, permanent JSON permalink

Submit a URL.
Get the Full Picture.

Each scan produces a structured record across eight data layers. Private scan mode is available for sensitive investigations.

Summary

The top-level overview of every scan — everything you need at a glance, with links to deeper layers.

  • Input URL & Landing URL
  • Scan queue & execution timestamp
  • Total requests sent
  • FQDNs contacted
  • IP addresses resolved
  • ASNs & countries spanned
  • TLS certificate status & issuer
  • DNS record count
  • Universally Unique ID (UUID)
  • Hashtag classifications
  • Permanent raw JSON link
  • Final HTTP status code
  • Favicon MD5 hash (FQDN)
  • Image ClusterX assignment
  • Image ClusterY assignment

HTTP

The browser-level rendering of the page — what a real browser sees when it loads the URL.

  • Input URL
  • Landing URL (after redirects)
  • Page title as rendered
  • Full HTML source (first 80 KB)

DNS

DNS resolution data collected using public resolvers (1.1.1.1, 8.8.8.8). Responses follow RFC 1035.

  • A records
  • AAAA records
  • NS records
  • MX records
  • Additional record types
  • Response codes (RFC 1035)
  • Full query & response data

Geolocation

Network-level location mapping for every IP address encountered during the scan.

  • IP address
  • Country Code (CC)
  • Autonomous System Number (ASN)
  • Autonomous System name (AS)

TLS

Full certificate inspection for the landing domain — issuer, validity window, fingerprints, and all covered names.

  • Certificate issuer
  • Valid from date
  • Valid until date
  • Certificate fingerprint
  • Public key fingerprint
  • Subject Alternative Names (SANs)
  • All domains the cert is valid for

HAR — HTTP Archive Format

The complete log of browser interaction with the target website. Every request made by the browser, captured in full.

  • Request number
  • Filename
  • HTTP status code
  • Content length
  • MIME type
  • Host
  • Action / method

WHOIS

Domain registration data from public WHOIS records — registrar details, dates, and nameserver information.

  • Registrar name
  • Registrar IANA ID
  • Creation date
  • Expiration date
  • Last updated date
  • Registrant data (where available)
  • Nameservers

HTTP (cURL)

Raw HTTP-level inspection — separate from browser rendering. Captures what the server actually sends, without JavaScript execution.

  • Input URL
  • Landing URL
  • MD5 hash of full page content
  • HTTP status code
  • Full HTML source
  • All response headers

Query Across
Every Field.

Build single-field lookups or construct compound rules with AND/OR logic across any combination of fields. Export results for use in your own workflow or SIEM.

Multi-condition rule builder
Add multiple conditions with AND / OR logic. Combine any fields — for example: TLD = .xyz AND ASN = 12345 AND WHOIS creation date > 2024-01-01.

21 SEARCHABLE FIELDS
  • Record UUID
  • Scan Date
  • Scanned URL
  • WHOIS Creation Date
  • WHOIS Expiration Date
  • WHOIS Update Date
  • Registrar IANA ID
  • Page Title
  • Registered Domain
  • FQDN
  • A Record
  • AAAA Record
  • NS Record
  • Hashtag
  • Top-Level Domain (TLD)
  • ASN
  • Country Code
  • Image ClusterX
  • Image ClusterY
  • IOC
  • HAR Domain Names
→ Export results as structured data for integration with your SIEM or tooling
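
The compound rule from the rule-builder example above (TLD = .xyz AND ASN = 12345 AND WHOIS creation date > 2024-01-01), evaluated offline over exported records. This is an added example, not Karen IT's code or export schema: the record layout, the field names other than `tld`, and the sample data are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample records. Field names other than "tld" are assumptions,
# not the platform's documented export schema.
RECORDS = [
    {"fqdn": "login-portal.xyz", "tld": ".xyz", "asn": 12345, "whois_creation_date": "2024-03-09"},
    {"fqdn": "old-shop.xyz", "tld": ".xyz", "asn": 12345, "whois_creation_date": "2019-06-01"},
    {"fqdn": "cdn-assets.top", "tld": ".top", "asn": 12345, "whois_creation_date": "2025-01-20"},
    {"fqdn": "no-whois.xyz", "tld": ".xyz", "asn": 12345},  # WHOIS data missing
    {"fqdn": "other-net.xyz", "tld": ".XYZ", "asn": 64500, "whois_creation_date": "2024-08-15"},
]

DATE_FIELDS = {"whois_creation_date"}  # compared as dates, not as strings

def _norm(field, value):
    """Normalize a value for comparison: ISO dates parsed, strings lowercased."""
    if field in DATE_FIELDS:
        return date.fromisoformat(value)
    return value.lower() if isinstance(value, str) else value

OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def matches(record, rule):
    """rule is ("AND" | "OR", [subrules]) or a leaf (field, op, value)."""
    if rule[0] in ("AND", "OR"):
        results = (matches(record, sub) for sub in rule[1])
        return all(results) if rule[0] == "AND" else any(results)
    field, op, value = rule
    if record.get(field) is None:
        return False  # a missing field never satisfies a condition
    try:
        return OPS[op](_norm(field, record[field]), _norm(field, value))
    except ValueError:
        return False  # malformed date: treat as no match rather than crash

# The rule quoted in the rule-builder description.
PAGE_RULE = ("AND", [("tld", "=", ".xyz"),
                     ("asn", "=", 12345),
                     ("whois_creation_date", ">", "2024-01-01")])

def hits(rule, records=RECORDS):
    """Return the FQDNs of all records that satisfy the rule."""
    return [r["fqdn"] for r in records if matches(r, rule)]

if __name__ == "__main__":
    print(hits(PAGE_RULE))
```

Records with no WHOIS creation date are excluded rather than matched, so a date condition cannot silently pull in domains whose age is unknown.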

Investigation Tools,
Built Into the Platform.

Every tool in the platform is designed around a real investigative workflow — not a feature checklist.

Image Search

Find visually similar pages across all scans in the database. Our platform captures screenshots of every scanned URL and clusters them using two independent algorithms. Effective for identifying phishing kit reuse — the same template deployed across dozens of unrelated domains.

P-Hash · C-Hash

Domain Hunting

When a threat actor registers one malicious domain, the probability of several others registered simultaneously is high. Domain Hunting surfaces domains sharing registration patterns, naming conventions, or structural similarity with a known malicious domain.

SimilarityX · Startswith + TLD

Daily Domains

Browse newly registered domains by date and TLD. Useful for early detection of typosquatting, brand impersonation, and infrastructure preparation by threat actors — before the domains are activated for an attack.

Filter by Date · Filter by TLD

Dig Interface

Full web-based dig command-line interface. Query any domain's DNS records directly through the platform — no command line required. Useful for quick DNS lookups during an investigation without leaving the platform environment.

WHOIS (Live)

Real-time WHOIS lookup for both domains and IP addresses. Domain WHOIS returns registrar, dates, nameservers, and registrant data. IP WHOIS returns ASN, network range, organization, and country.

Domain WHOIS · IP WHOIS

Live Scan Feed

The Latest Entries view displays recently scanned URLs in real time. Visibility is governed by your role and permissions. The feed refreshes automatically every 5 minutes — useful for coordinating team-wide investigations and spotting emerging clusters.

Auto-refresh every 5 minutes · Role-gated visibility

Everything Available
Through the API.

All platform capabilities are accessible programmatically. Integrate scan submission, result retrieval, and search queries directly into your SIEM, automation pipelines, or custom tooling.

Full API documentation is available to authorized users. Rate limits and access tiers are defined per-organization based on your use case.

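// Example: Submit a scan
POST /api/scan
{
  "url": "https://example.com",
  "private": false
}

// Retrieve a scan result by its UUID
GET /api/scan/{uuid}

// Search scans by a single field
GET /api/search?field=tld&value=.xyz

// List daily domains for a given date
GET /api/daily-domains?date=2026-04-17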

Designed for Professionals
Who Need More Than a Free Tool.

Access to the Karen IT CTI platform is provided to vetted organizations and individuals operating in a security capacity. This is not a public tool.

  • Security Operations Centers (SOC)
  • Incident Response Teams
  • Threat Intelligence Analysts
  • Digital Forensics Investigators
  • Law Enforcement Agencies
  • National CERTs & CSIRTs
  • Domain Registrars & Registries
  • Anti-Abuse Teams
  • Fraud Prevention Units

Access requests are reviewed individually. If your organization has a legitimate security or investigative need, contact us to discuss access terms and integration requirements.

Threat Intelligence Is Only Useful
If You Can Act on It.

Our CTI platform is built around one principle: give analysts the full picture, fast, in a format they can use. Whether you are triaging a phishing report, hunting a threat actor's infrastructure, or building evidence for a law enforcement referral — the platform is designed to support that work.