SecurityTrails Review

Historical DNS and domain intelligence database covering 10+ years of infrastructure changes

Rating: 3.8/5
freemium · Free (50 queries/mo) / Business from $50/mo · Professional · Brief overview · Reviewed 2026-04-02
Affiliate disclosure: OSINTBench may earn a commission if you purchase through links on this page, at no extra cost to you. Affiliate relationships do not influence our ratings or recommendations.

Quick Verdict

Best for threat intelligence analysts and penetration testers doing infrastructure pivoting: tracing how a threat actor's domain portfolio evolved over time, finding related infrastructure through shared hosting history, or enumerating a target's historical attack surface.

Pros

  • Historical DNS records going back 10+ years — see every IP a domain has resolved to, every nameserver change, every MX record
  • Reverse lookup by IP, nameserver, MX host, or SSL certificate to find all associated domains
  • Subdomain enumeration from passive DNS collection — often surfaces subdomains not found by active scanning
  • Current and historical WHOIS with change tracking
  • API available on all tiers including free (50 queries/month)

Cons

  • Free tier is 50 API queries/month — exhausted quickly in any real investigation
  • Business tier ($50/mo) required for meaningful volume; Enterprise pricing not public
  • Passive DNS coverage is deep for popular domains but can be thin for obscure or low-traffic infrastructure
  • No active scanning — data is collected passively from DNS resolvers, not from fresh queries
  • Competitor products (Shodan, Censys) overlap significantly for IP/infrastructure discovery

What SecurityTrails Is

SecurityTrails offers a domain and DNS intelligence feed. The feed collects passive DNS data from worldwide resolvers and builds a history of every change to a domain's infrastructure, including A records, nameservers, and MX records. All changes are stored for over a decade.

You can query a domain's history to see hosting changes, IP addresses, and nameservers. Historical DNS data helps with threat intelligence, linking past campaigns, registrations, and shared hosting. Operators often miss domain changes.

What It's Good For

Infrastructure pivoting on threat actor domains is a core use case. Start with a known-bad domain, and explore its IPs and co-hosts. Historical data is key here; APT groups leave trails. SecurityTrails makes DNS history searchable, with no need for raw logs.

Many subdomains are hidden, including development boxes, staging servers, and internal sites. SecurityTrails collects subdomains from resolver traffic; any DNS query seen by its resolver network gets recorded. Active scanners often miss these hosts, but passive DNS data can surface them.

WHOIS history tracks changes, such as registrar changes, privacy settings toggles, and owner changes. All that history is necessary for threat intelligence.

A reverse lookup on a nameserver returns all domains using that nameserver, which often share a hosting account or DNS provider. This allows you to quickly identify malicious domains and infer which others are likely compromised. Treat the results as leads to verify, since a large provider's nameserver also serves many unrelated domains.
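
An added example, not part of the original review and not SecurityTrails' own code: the IP and nameserver pivots described above, run offline over constructed history rows. The row shape, the domain names and the min_days threshold are assumptions; a domain counts only if it used the same IP or nameserver while the seed domain did, which drops earlier tenants of a reused IP.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS history rows: (domain, record type, value, first_seen, last_seen).
# The row shape is an assumption for this example, not a SecurityTrails response format.
HISTORY = [
    ("bad-login.example", "a", "203.0.113.10", date(2023, 1, 5), date(2023, 3, 1)),
    ("bad-login.example", "a", "198.51.100.7", date(2023, 3, 2), date(2023, 9, 30)),
    ("bad-login.example", "ns", "ns1.dns-host.example", date(2023, 1, 5), date(2023, 9, 30)),
    ("cdn-update.example", "a", "203.0.113.10", date(2023, 2, 10), date(2023, 4, 1)),
    ("cdn-update.example", "ns", "ns1.dns-host.example", date(2023, 2, 10), date(2023, 4, 1)),
    ("old-tenant.example", "a", "203.0.113.10", date(2019, 6, 1), date(2020, 1, 15)),
    ("flower-shop.example", "ns", "ns1.dns-host.example", date(2022, 1, 1), date(2024, 1, 1)),
    ("mail-verify.example", "a", "198.51.100.7", date(2023, 9, 1), date(2023, 12, 1)),
]

def overlap_days(a_start, a_end, b_start, b_end):
    """Days two inclusive [first_seen, last_seen] windows share (0 if none)."""
    return max(0, (min(a_end, b_end) - max(a_start, b_start)).days + 1)

def pivot(seed, history, min_days=7):
    """Return {domain: {(type, value): shared_days}} for domains that used the
    same IP or nameserver as `seed` during an overlapping time window."""
    seed_rows = [r for r in history if r[0] == seed]
    hits = defaultdict(dict)
    for dom, rtype, value, first, last in history:
        if dom == seed:
            continue
        for _, s_type, s_value, s_first, s_last in seed_rows:
            if (rtype, value) != (s_type, s_value):
                continue
            days = overlap_days(first, last, s_first, s_last)
            if days >= min_days:
                hits[dom][(rtype, value)] = hits[dom].get((rtype, value), 0) + days
    return dict(hits)

def rank(hits):
    """Rank candidates: more independent shared attributes first, then longer overlap."""
    return sorted(hits, key=lambda d: (-len(hits[d]), -sum(hits[d].values())))

if __name__ == "__main__":
    found = pivot("bad-login.example", HISTORY)
    for dom in rank(found):
        print(dom, found[dom])
```

A domain that shares only a nameserver, like the constructed flower-shop.example, still appears in the output but ranks below one that shares both an IP and a nameserver in the same period.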

Pre-engagement, pentesters can get history quickly, without active probing. Subdomains, IPs, hosting, and certificates are all available. This approach is faster than active scanning and more comprehensive.

Free Tier Reality

The free tier offers 50 API queries per month. The 50 queries disappear quickly in a real threat intel workflow, within a day or two. The Business tier costs $50/month and provides 5,000 queries, making it suitable for individual investigators and small teams.

What It Doesn't Do

SecurityTrails collects data passively. Its records come from DNS traffic seen by its resolver network. Domains and IPs that show up get catalogued. Low-traffic sites, internal subdomains, and new domains may be sparse or unlisted.

SecurityTrails is not a vulnerability scanner and does not do port scans. It tells you what's out there and how its configuration has changed over time. For service details, use Shodan or Censys.

Comparison to Alternatives

Shodan scans ports and fingerprints services. SecurityTrails digs into DNS history. These are different tools for different jobs. Used together, they cover more ground.

VirusTotal offers passive DNS records as part of a threat intelligence platform. The free tier allows you to make more queries. For basic DNS history, VirusTotal works. However, if you need to dig deeper, SecurityTrails provides more data and a better workflow.

DomainTools is an enterprise option that provides more history and extra features like risk scores. However, it costs more. SecurityTrails offers similar DNS intelligence at a lower price—that is the key difference.


Reviewed April 2026. Tool available at securitytrails.com.

See Also

Threat Intelligence Platforms: A Hands-On Comparison

Intro

You need threat intel: not just any intel, but intel that helps you track adversaries and understand their tactics, techniques, and procedures (TTPs). Shodan, Censys, and SecurityTrails are your go-to platforms. They collect and analyze data from the internet to give you visibility into potentially vulnerable targets.

Shodan

Shodan indexes internet infrastructure, including servers, cameras, routers, and industrial control systems. Anything listening on an open port gets catalogued. Banners tell you what's running, version numbers, and sometimes config details. That's the OSINT value: you know what a target has exposed before you ever send a packet their way. Operators miss things; dev servers get forgotten.

You can use Shodan's query syntax to filter results. A query like vuln:heartbleed finds systems vulnerable to Heartbleed. A query like port:3389 finds RDP servers. The API is where Shodan earns its rating, allowing you to automate searches and integrate with tools like Splunk or ELK.

Shodan's free tier is limited; you'll burn through it in about 40 minutes of actual work. Paid plans start at $99/month.

Censys

Censys finds assets Shodan misses, and vice versa. Censys focuses on certificate data, which Shodan doesn't index comprehensively, so you get another angle on exposed systems. Censys also scans ports, but its dataset isn't as broad as Shodan's.

Censys's query language is similar to Shodan's. A query like services.port:443 finds HTTPS servers. A query like certificate.subject.cn:example.com finds certificates issued to example.com. The API is solid.

Censys offers a free tier, with 100,000 certificates per month.

SecurityTrails

SecurityTrails focuses on domain and IP intelligence. You get historical data on domain registrations, IP ownership, and network activity. This platform helps you understand an adversary's online presence.

You can use SecurityTrails to track domain changes, IP address history, and network neighbors. The API is well-documented, making integration straightforward.

SecurityTrails offers a free trial, but no permanent free tier. Pricing starts at $249/month.

Comparison

The platforms have different strengths. Shodan provides broad infrastructure visibility, with a robust query syntax and extensive API. Shodan's pricing starts at $99/month. Censys focuses on certificate data, with a solid API. Censys offers a free tier. SecurityTrails provides domain and IP intelligence, with a well-documented API. SecurityTrails' pricing starts at $249/month, with a free trial.

Conclusion

You choose a threat intel platform based on your needs: Shodan for broad infrastructure visibility, Censys for certificate data, SecurityTrails for domain and IP intel. Each has strengths and weaknesses. Test them and see which works for you.


This review reflects testing as of 2026-04-02. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates.