Скачать или смотреть Stop Paying for Domain Feeds: Build Your Own Threat Intel - Stephen Doyle

Security teams often rely on third-party domain feeds; passive DNS, CT logs, and threat intelligence subscriptions to monitor malicious infrastructure. But these feeds are usually lagging, noisy, and offer the same surface-level data to everyone. The assumption is, building something better is too hard. This talk challenges that assumption.

It’s a practical walkthrough of how to build your own lightweight, open-source pipeline to monitor the web for domain-based threats on your terms, and without handing money or trust to vendors.

The talk covers how to scan, resolve, enrich, and analyze domains at scale using open tools and on-prem infrastructure. You’ll learn how to collect the kinds of intelligence that threat feeds miss; misconfigured web stacks, malicious redirect chains, third-party script abuse, phishing infrastructure, and newly deployed shady domains.

Topics include:
Why paid feeds are limited (and often outdated)

How to extract high-signal data directly from the web: DNS, TLS, HTTP, headers, and third-party resources

Tools and techniques to crawl and map domains yourself

Building an on-prem enrichment and storage pipeline

Real-world examples of strange, fragile, or dangerous architectures discovered in the wild

You’ll also hear lessons learnt from monitoring large parts of the web continuously, and why many domains break in surprising, insecure ways, often depending on dozens of external services just to render a login page.

It’s a talk for engineers, defenders, and curious hackers who like building things and want to see more of the web for themselves. If you've ever thought, “Why am I paying for this feed when I could just scan it myself?” then this talk is for you.

The goal is simple: empower others to stop outsourcing visibility, start building smarter, and gain more meaningful threat intelligence, on your own terms.

#bsidesbelfast25 #securitybsides #bsidesbelfast #bsides