What this capability area answers

“Has anyone at this company — or anyone using this company’s apps — had credentials stolen by an infostealer?” Domain Intelligence endpoints search by domain rather than by individual email/username, and are the natural starting point for assessing an organization’s exposure.
| Endpoint | Use it to… |
|---|---|
| Search Domains | Get raw matching credential/cookie records for a domain |
| Company Exposure | Same, but classified as employee / user / third-party, with SSO domain support |
| Domain Overview | Get headline counts (no raw records) for one or many domains at once |
| Assets Discovery | Enumerate URLs/apps seen on infected machines that had this domain’s credentials |
| Third-Party Risk | Find vendor/supply-chain domains co-harvested alongside this domain |
| Timeline | Weekly trend of breach volume for one domain |
| Top Exposed Domains | Global leaderboard of the most-exposed domains |

All require the search:domain scope except Third-Party Risk (search:advanced, pro/ultra) and Top Exposed Domains (any valid key).

The type field: employees vs. users

Many endpoints accept a type parameter:
type: employees | users | both   # default: both
This classification is computed by checking whether the matched login email belongs to one of the searched domains (an “employee” of that company) versus an external account that merely used a service on that domain (a “user” — e.g. a customer account on acme-corp.com’s storefront).
  • employees — only logins @<searched-domain> (or a searched subdomain)
  • users — only logins that are not on the searched domain, but the matched record (e.g. a session cookie or saved form) is for a URL on the searched domain
  • both (default) — no filtering by this classification
The same type semantics are reused by Search Domains, Company Exposure, Assets Discovery, and Search by Email.

Subdomains: subdomains vs. include_subdomains

POST /v1/domain/search (and /v1/domain/company, /v1/domain/assets) accept two related parameters:
  • include_subdomains: true — include all subdomains of the searched domain(s)
  • subdomains: ["mail", "vpn"] — restrict to specific subdomain labels
If both are set, subdomains takes priority and include_subdomains is ignored. This is a common integration mistake: setting include_subdomains: true while also passing an (unintentionally non-empty) subdomains array will silently restrict your results to just those labels, not “all subdomains.” Discovered subdomains you didn’t explicitly search for are masked on the free tier — see Data Masking.
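A client-side pre-flight check for the precedence rule above, added here as an example; it is not code from the API or its SDK. The helper names `audit_scope` and `scope_params` are hypothetical, the sample bodies are constructed, and it assumes the API treats any non-empty `subdomains` array (including one holding a blank string) as set.

```python
def audit_scope(body):
    """Report which subdomain scope a request body will actually get.

    Returns (mode, warnings). mode is "labels" when a non-empty subdomains
    array is present (it takes priority), "all" when only include_subdomains
    is true, and "unset" when neither parameter is in effect.
    """
    labels = body.get("subdomains")
    include_all = body.get("include_subdomains") is True
    warnings = []
    if labels:  # assumption: any non-empty array wins, per the documented rule
        if include_all:
            warnings.append(
                f"include_subdomains is ignored: results restricted to {labels!r}")
        if any(not isinstance(l, str) or not l.strip() for l in labels):
            warnings.append("subdomains contains blank or non-string entries")
        return "labels", warnings
    if include_all:
        return "all", warnings
    return "unset", warnings


def scope_params(all_subdomains=False, labels=None):
    """Build the scope part of a request body so only one parameter is sent."""
    labels = [l.strip().lower() for l in (labels or [])
              if isinstance(l, str) and l.strip()]
    if all_subdomains and labels:
        raise ValueError("choose all_subdomains or labels, not both")
    if labels:
        return {"subdomains": labels}
    if all_subdomains:
        return {"include_subdomains": True}
    return {}


# Constructed request fragments (not real API traffic).
SAMPLES = {
    "conflict": {"include_subdomains": True, "subdomains": ["mail", "vpn"]},
    "leftover_blank": {"include_subdomains": True, "subdomains": [""]},
    "all": {"include_subdomains": True, "subdomains": []},
    "labels": {"subdomains": ["mail"]},
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        mode, warnings = audit_scope(body)
        print(f"{name}: mode={mode}")
        for w in warnings:
            print(f"  warning: {w}")
```

Merge the dict returned by `scope_params` into the request body for /v1/domain/search, /v1/domain/company or /v1/domain/assets, and run `audit_scope` over bodies assembled elsewhere (for example from config files) before sending them.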

Pagination

Search Domains and Company Exposure are cursor-paginated — see Pagination. Domain Overview, Assets Discovery, Third-Party Risk, Timeline, and Top Exposed Domains are aggregations and are not paginated — each returns its full (capped) result set in one call.