Enhance your cybersecurity workflows with Silent Push SOAR integrations 

Security teams face several challenges when attempting to turn large amounts of indicator data into actionable intelligence, at scale, across an expansive security automation operation that encompasses numerous vendor platforms. 

Teams often find themselves battling with ever-increasing alert queues, containing domains and IPs which require multiple manual pivots to validate an authentic threat. 

Silent Push Enterprise Edition changes the game by giving teams the ability to automatically feed a world of additional context into each indicator they come across in the wild, at scale, using proprietary categorization that isn’t available through any other vendor. 

Categorization and Correlation 

Each hostname, website and IP Silent Push scans is enriched with 200+ datapoints that allow teams to enact faster, better informed, automated decisions on how to deal with indicators they encounter in their alert queues – known or unknown – including: 

  • Attacker DNS automation 
  • Malicious hosting clusters 
  • Infrastructure changes over time 
  • Inbound scanning signatures 
  • Website content 
  • WHOIS and certificate data 

IOFA Feed Integration

As well as historic DNS and web content data analysis, a key capability of the Silent Push API is the ability to query all of our Indicators of Future Attack (IOFA)™ Feed data, and use the information to gain better insight on where the next attack may be coming from.

Let’s look at some of the industry-leading SOAR platforms that we connect with via the Silent Push API, along with some quick workflow examples.

Cortex XSOAR (Palo Alto Networks) 

Our Cortex XSOAR integration brings together two powerful cybersecurity functions: preemptive threat detection and enterprise-grade security orchestration. 

By combining Silent Push data with XSOAR’s playbook automation capabilities, security teams can transition from reactive IOC-based triage to proactive threat discovery, at scale.

Capabilities 

  • Enrich domains, IPs, and ASNs in real-time 
  • Automatically triage alerts by correlating indicators with IOFA™ feed data, including Silent Push risk scoring 
  • Trigger live URL scans (including screenshots of suspicious domains) directly from an XSOAR playbook 
  • Feed enriched indicators into downstream systems, like firewalls or SIEMs, enabling faster mitigation and reduced analyst load 

Example 

When an alert hits your SOC, it can be passed through XSOAR to Silent Push, where the domain is enriched with DNS history, certificate associations, infrastructure movement, and similarity to known threat actor TTPs. 

After generating an enhanced risk profile based on the above information, the system can escalate, suppress, or initiate blocking – all without manual intervention. 

Key Outcomes Delivered 

  • Reduced response times
  • Eliminates the need for isolated lookups 
  • Continuous infrastructure monitoring within existing playbooks 

Splunk SOAR 

Our Splunkbase app for Splunk SOAR (formerly Phantom) delivers threat intelligence and playbook automation within Splunk SecOps workflows. 

By embedding infrastructure-focused data alongside Splunk datastreams, teams can move from manual investigation to proactive, TTP-driven responses.


Capabilities 

  • Perform domain and IP enrichment within a Splunk instance 
  • Look up historic and live WHOIS data, certificate information, and ASN/subnet reputations 
  • Explore DNS history 
  • Automatically generate risk scores 
  • Fetch live URLs with scans and screenshots into Splunk 

Example 

Your SOC receives a phishing or brand impersonation alert into your Splunk instance. A playbook takes the suspicious domain, enriches it via Silent Push (including IOFA™ feed correlation and DNS history), and calculates a risk score. If the domain is flagged as high risk, an automated response is triggered – such as initiating an action in a ticketing system, or isolating the asset via firewall integration. 

Key Outcomes Delivered 

  • Reduce manual triage steps
  • Cut mean times to detect (MTTD) and respond (MTTR) to threats
  • Provide your Splunk instance with the ability to proactively detect emerging infrastructure

Torq 

The Silent Push Torq integration feeds Silent Push enrichment data directly into your no-code security workflows, allowing teams to operationalize threat data without writing a single line of code. 

Our Torq integration automates early-stage threat detection and response with context from Silent Push’s DNS, certificate, WHOIS and content scanning datasets. 

Capabilities 

Silent Push exposes multiple API endpoints through a native integration with Torq, including: 

  • Domain and IP enrichment 
  • Forward and reverse DNS lookups 
  • Live endpoint scans and screenshots 
  • Access to IOFA™ feeds 

Examples 

Torq accepts a domain or IP input (e.g., from SIEM or ticketing alert), queries Silent Push, and uses caching to avoid redundant lookups (ideal for high volume investigations). Results can then be routed to downstream actions like ticketing (e.g., ServiceNow), chat (e.g., Slack), or blocking controls. 

Key Outcomes Delivered 

  • Real-time infrastructure intelligence at scale, without scripting or manual triage
  • Feed enhanced risk scores into EDR response logic 
  • Faster, smarter, and more proactive security decisions across your stack 

Swimlane 

Our Swimlane integration brings advanced infrastructure intelligence into Swimlane’s low-code, hyperautomation environment, enhancing Swimlane “cases” – a container or record within Swimlane SOAR that represents a security incident, alert, or event – with Silent Push data. 

Capabilities 

The Swimlane plugin supports data enrichment for: 

  • Domains, IPv4, and IPv6
  • Nameserver details and change history 

Example 

Silent Push enrichment tasks automatically run when a SIEM or EDR alert is activated in Swimlane. Your SOAR parses observables, queries the Silent Push database, and enriches case records with infrastructure intelligence in real time. High-risk domains or IPs are highlighted through IOFA™ feed correlation, and trigger immediate escalation, task creation, or containment workflow actions. 

Key Outcomes Delivered 

  • Inject preemptive infrastructure intelligence into Swimlane cases 
  • Detect and disrupt threat actor infrastructure at scale, before an attack is launched 
  • Trigger automatic escalation for high priority alerts 

Tines 

The Silent Push Tines integration allows security teams to embed Silent Push IOFA™ data directly into Tines stories, facilitating early detection, smarter triage, and automated response without the need for manual coding. 

Capabilities 

  • Retrieve domain and IP risk scores, WHOIS data, nameserver reputations and historical change information 
  • Fetch subnet reputations and scanned data including open directories, JARM fingerprints, HTTP headers, favicons, and SSL attributes 
  • Analyze a domain’s digital footprint and output it to Tines as a downloadable CSV 

Example 

Your system flags a phishing trigger (via email, Slack, or SIEM) in a Tines Story. The domain is passed into Silent Push enrichment actions, which return risk scores, WHOIS details, associated domain clusters, and certificate data. 

The dataset is then used to: 

  1. Make a triage decision via conditional logic 
  2. Present findings through a Tines page for analyst review (if manual approval is desired) 
  3. Automatically generate a ticket in ServiceNow, or an alert in Slack, if critical thresholds are met 
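The XSOAR, Splunk SOAR, Torq and Tines examples above all describe the same playbook shape: take an indicator from an alert, enrich it (once, with caching for busy queues), correlate it against a preemptive feed, compute a risk score, and branch on thresholds into suppress, escalate or block. The following is an added illustration of that decision logic, not code from Silent Push or from any of the SOAR vendors; the feed entries, enrichment records, datapoint names, score weights and thresholds are all constructed stand-ins and do not reflect the Silent Push API or its schema.

```python
"""Generic SOAR triage logic: enrich once (cached), correlate with a
preemptive feed, score, and decide. All data below is constructed."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for a preemptive feed (indicator -> category).
FEED: Dict[str, str] = {
    "login-brand-support.example": "brand_impersonation",
    "203.0.113.7": "malicious_hosting_cluster",
}

# Constructed stand-in for an enrichment backend; hypothetical field names.
ENRICHMENT_BACKEND: Dict[str, dict] = {
    "login-brand-support.example": {"domain_age_days": 3, "ns_changes_90d": 4,
                                    "cert_age_days": 2, "hosting_cluster_flagged": True},
    "203.0.113.7": {"domain_age_days": None, "ns_changes_90d": 0,
                    "cert_age_days": None, "hosting_cluster_flagged": True},
    "docs.example.org": {"domain_age_days": 3650, "ns_changes_90d": 0,
                         "cert_age_days": 120, "hosting_cluster_flagged": False},
}


class EnrichmentCache:
    """Time-bounded memoization so duplicate indicators in an alert queue
    do not each cost a backend lookup. Negative results are cached too."""

    def __init__(self, ttl_seconds: float, loader: Callable[[str], Optional[dict]]):
        self.ttl = ttl_seconds
        self.loader = loader
        self._store: Dict[str, Tuple[float, Optional[dict]]] = {}
        self.backend_calls = 0

    def get(self, indicator: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        hit = self._store.get(indicator)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        self.backend_calls += 1
        data = self.loader(indicator)
        self._store[indicator] = (now, data)
        return data


def risk_score(enrichment: Optional[dict], feed_hit: Optional[str]) -> int:
    """Additive 0-100 score over the kinds of datapoints the page lists:
    registration age, nameserver churn, fresh certificate, hosting cluster,
    feed match. Weights are illustrative, not a vendor model."""
    if enrichment is None:
        return 0  # unknown indicator: no evidence, route to suppress
    score = 0
    age = enrichment.get("domain_age_days")
    if age is not None and age < 30:
        score += 25
    if enrichment.get("ns_changes_90d", 0) >= 3:
        score += 15
    cert = enrichment.get("cert_age_days")
    if cert is not None and cert < 7:
        score += 10
    if enrichment.get("hosting_cluster_flagged"):
        score += 20
    if feed_hit:
        score += 30
    return min(score, 100)


@dataclass
class Decision:
    indicator: str
    score: int
    action: str                  # "block", "escalate" or "suppress"
    feed_category: Optional[str]
    cached: bool                 # True when no backend call was needed


BLOCK_AT, ESCALATE_AT = 70, 40   # constructed thresholds


def triage(indicator: str, cache: EnrichmentCache, now: Optional[float] = None) -> Decision:
    calls_before = cache.backend_calls
    enrichment = cache.get(indicator, now)
    feed_hit = FEED.get(indicator)
    score = risk_score(enrichment, feed_hit)
    action = "block" if score >= BLOCK_AT else "escalate" if score >= ESCALATE_AT else "suppress"
    return Decision(indicator, score, action, feed_hit, cached=cache.backend_calls == calls_before)


def run_queue(alerts, ttl_seconds: float = 300.0):
    """Triage a whole alert queue with one shared cache; returns the
    decisions and how many backend lookups they actually cost."""
    cache = EnrichmentCache(ttl_seconds, ENRICHMENT_BACKEND.get)
    return [triage(a, cache) for a in alerts], cache.backend_calls


if __name__ == "__main__":
    queue = ["login-brand-support.example", "docs.example.org",
             "login-brand-support.example", "203.0.113.7", "unknown.example"]
    decisions, calls = run_queue(queue)
    for d in decisions:
        print(f"{d.indicator:30} score={d.score:3} action={d.action:8} cached={d.cached}")
    print(f"backend calls: {calls} for {len(queue)} alerts")
```

Two design points carry over to real playbooks: cache negative results as well as positive ones (an indicator the backend has never seen will otherwise be re-queried on every duplicate alert), and keep the "unknown" path distinct from "low risk" when reporting, since a score of zero for lack of data is not evidence that the indicator is benign.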

Key Outcomes Delivered 

  • Operationalize enrichment data at scale 
  • Elevate static lookups to dynamic stories, infused with context 
  • Speed-up detection by sharpening analyst workflows 

ServiceNow 

The upcoming Silent Push ServiceNow integration connects incidents and observables inside ServiceNow’s Security Operations suite with Silent Push datapoints, enabling teams to take fast, informed action on emerging threats before they turn into a breach.

Capabilities 

  1. Generate Tickets from an IOFA™ Feed 

When Silent Push detects a newly registered domain mimicking your brand or infrastructure, a ServiceNow ticket is created that allows legal, brand protection, or threat intel teams to automatically initiate a takedown or investigation. 

  2. Enrich Existing Tickets with IOFA™ Context 

If an indicator appears in Splunk that triggers a ServiceNow ticket, Silent Push can be queried to retrieve DNS history, certificate data, hosting changes, and risk scoring to help assess its threat level. 

  3. Build Custom Enrichment Workflows 

Leverage over 20 Silent Push APIs within your ServiceNow playbooks. For example, automatically capture a live screenshot of any domain included in a phishing report or correlate IPs with infrastructure clusters seen in IOFA™ datasets. 

Book a demo 

Our team is on hand to show you how easy it is to link your SOAR platform with the Silent Push API, and build faster, more efficient security workflows that remove manual intervention and give teams access to better insight on emerging threat infrastructure. 

Contact us today for a platform demonstration.

Workshop – Pivoting Across Infrastructure to Detect Unknown Threats

Join us for an interactive online session designed for those new to threat hunting in the Silent Push platform.

Adversary infrastructure is often hidden or unused – escaping detection by most CTI tools – until it’s suddenly activated in an attack.

Learn how to uncover the 98% of malicious infrastructure that typically goes undetected. We’ll show you how pivoting – linking data points like domains, IPs, and certificates – can map out an attacker’s hidden network. Get real-time examples of powerful pivots in the Silent Push free Community Edition and learn how to spot threats before they strike.

  • Date: 24 June 2025
  • Time: 10am ET // 4pm CET // 10am SGT // 12pm AEST
  • Location: Online – Zoom
  • Requirements: Silent Push free Community Edition | Sign-up here

Emerging Tech: Adoption Trends in Preemptive Cyber Defense

According to Gartner®, current projections indicate a substantial increase in the adoption rate of Preemptive Cyber Defense (PDC) solutions from 5% to 35% by 2028.

Generative AI is transforming cybersecurity, making traditional “detect and respond” methods insufficient in blocking modern-day attacks. Malicious actors are using AI to scale and personalize attacks, requiring preemptive threat intelligence to anticipate and mitigate risks early.  

Read this Gartner® report to learn how to uplift your cybersecurity strategy with preemptive detection technologies.

Gartner, Emerging Tech: Adoption Trends in Preemptive Cyber Defense, Isy Bangurah, Luis Castillo, Walker Black, 12 November 2024. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The Silent Push Difference

Silent Push provides preemptive cyber intelligence that exposes threat actor infrastructure as it’s being set up, and shared as Indicators of Future Attack (IOFA), allowing organizations to proactively block attacks.

Silent Push Events: May 2025

SINCON, May 22-23, Singapore 

First up is SINCON 2025, held on May 22–23 at voco Orchard Singapore. 

This year’s event focused on advancing cybersecurity through technical exploration and innovation, with a strong emphasis on proactive defense strategies and knowledge sharing.

Our CEO, Ken Bagnall, gave a talk on “Finding Adversary Infrastructure Before the Attack with Future-Based Threat Intelligence.” 

Ken demonstrated how attackers consistently reuse infrastructure according to a series of patterns, and how teams can use Indicators of Future Attack (IOFA)™ to expose these patterns and block all the infrastructure that’s being deployed in an attack – not just the handful of domains and IPs lurking on the surface.

Everyone who stopped for a chat at our booth was keen to explore the importance of understanding adversary tactics when attempting to anticipate and stop future attacks, rather than purely relying on reactive post-breach defense mechanisms. Those days are clearly over. 

Lots of Enterprise demos. Lots of new Community Edition users. See you next year! 

Silent Push & Shellsoft Technology Corp. Partnership Seminar, May 27, Singapore 

Our CEO, Ken Bagnall, APJ Sales Director, Anthony Ng, and Chief Customer Officer, Brad Arnold – working alongside our partners at Shellsoft Technology Corp – hosted an event for cybersecurity leaders and executives at Cork Elite, on the roof deck of the W Hotel in Singapore.

At the event, Ken gave a talk that showed how most legacy CTI platforms are simply passing on intelligence that’s already widely known, and how Silent Push focuses on the DNS-based relationships that are created as adversaries deploy their infrastructure, to facilitate early detection and expose IOFA™.

Check out Shellsoft Technology Corporation’s solutions here. We’re excited to be working together!

BSides, May 24, Dublin 

Our Director of Threat Intelligence, Kasey Best, and Senior Threat Analyst, Zach Edwards, were in Dublin for Security BSides Dublin 2025. 

Held at the Trinity Business School, the community-driven, non-profit conference brought together information security professionals, students, and enthusiasts from across Europe to engage in a day of learning, networking, and collaboration. 

The event featured a diverse range of presentations and workshops covering topics such as application security, malware analysis, ethical hacking, and emerging threats like AI-driven attacks and IoT vulnerabilities. 

Kasey and Zach held a well-attended session that expanded on our exposé of the Triad Nexus pig butchering and money laundering network.

By renting IP addresses from reputable providers like Amazon Web Services and Microsoft Azure, threat actors use malicious hosting providers such as the FUNNULL Content Delivery Network (CDN) – recently sanctioned by OFAC – to weave illicit operations into mainstream infrastructure. 
If you’re looking for more info on how to stop infrastructure laundering attacks, check out our on-demand webinar.

Health ISAC Spring Summit, May 19-23, Florida 

Next up is the Health-ISAC Spring Summit, at the Naples Grand Beach Resort in Florida. 

The 2025 event – “Creating Safe Harbours” – brought together cybersecurity professionals from across the healthcare sector for a week of collaboration, intelligence sharing, and discussions on the evolving threat landscape facing healthcare providers, pharmaceutical companies, and medical device manufacturers. 

Our CRO, David Troha, and Director of Sales Engineering, Maulik Limbachiya, fielded questions on how Silent Push can help the healthcare industry proactively avoid sector-specific attack vectors, including ransomware, and APT groups targeting intellectual property and patient records.

FS-ISAC EMEA Summit, May 20-22, Brussels 

Held in Brussels, the 2025 FS-ISAC EMEA Summit addressed evolving cybersecurity challenges in the financial sector around three key areas: intelligence, security and resilience.

Hot talking points included AI-driven fraud, third-party risk management, regulatory compliance, and the ever-present threat of ransomware. 

Our team was on hand to listen to the challenges financial organizations face across Europe, the Middle East, and Africa as they attempt to integrate preemptive cybersecurity technologies into reactive (and often unwieldy) defense frameworks, to speed up detection and expose threats early.

Hacker Hoedown May 16-17, Dallas 

The inaugural Dallas Hacker Hoedown took place at Will Call Bar, on May 16-17. 

A self-professed grassroots event, the Hoedown (which didn’t actually feature any hoedowns, in case you’re wondering) is designed to foster laid-back collaboration among security professionals – something a little different to the highbrow discussions at most industry events. 

Key themes included the changing role of SOC teams and security analysts, the inherent difficulty in protecting large SaaS environments from attacks, and recent governmental and technical developments including AI and the future of CVE. 

Our Director of Sales Engineering, Maulik Limbachiya, gave a talk on how Silent Push preemptively exposed Contagious Interview’s threat infrastructure, and led the charge on tracking the group’s evasion techniques. 

Here’s to next year’s event! Cheers for the invite. 

TechNet Cyber, May 6-8, Baltimore 

AFCEA’s TechNet Cyber 2025 convened military, government, industry, and academic leaders to address numerous evolving challenges in cybersecurity. 

Held at the Baltimore Convention Center, the event focused on the theme “Empowering the Warfighter: Innovate, Integrate, Dominate.” 

Our Sales Engineer, Noah Plotkin, gave a presentation on how organizations need to combat attacker sophistication with simplicity, by using an adversary’s own TTPs against them to track infrastructure the moment it’s deployed.

Noah demonstrated advanced techniques in our Enterprise platform that enable teams to expose malicious infrastructure at the earliest opportunity, by focusing on the management of domains and IPs, and how infrastructure moves across the IP space over time. 

Health ISAC, May 7, Netherlands 

The Utrecht Health-ISAC event was a full-day, in-person security workshop that brought together health sector security professionals to address the current threat landscape, and various challenges facing the healthcare industry. 

Our Threat Analyst, Mees van Wickeren, had some great discussions on the need for a renewed set of best practices focused on proactive threat detection. Lots of interest in how we can help to minimize cyber risk across the sector, and help organizations avoid loss through early detection mechanisms. 

Looking ahead…

Next month we’ll be at the 37th Annual FIRST Conference, at the Bella Center, Copenhagen, on June 22–27. 

Organized by the Forum of Incident Response and Security Teams, FIRST events bring together cybersecurity professionals to collaborate on improving computer security worldwide. 

FIRST conferences are always a valuable experience for the team, with so many takeaways, new prospects met, old friends caught up with, and lots of chatter about preemptive detection technology and the role played by IOFA™ in future-based threat detection.

If you’re in attendance and you’d like a chat, contact us here.

See you on the conference floor! 

U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator

Key Findings

  • The U.S. Department of the Treasury sanctioned Chinese-based content delivery network (CDN), FUNNULL, labeling it as a major distributor of online scams. The FBI concurrently released an advisory report to disseminate indicators of compromise (IOCs) associated with malicious cyber activities linked to FUNNULL.
  • The Treasury Department reported, “Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI. US-based victims of these scam websites have reported over $200 million in losses, with average losses of over $150,000 per individual.”
  • These moves come just months after our threat analyst team’s findings were published and subsequently reported by “Krebs On Security” cybersecurity journalist Brian Krebs.
  • Our team’s October 2024 research, dubbed “Triad Nexus,” exposed the sprawling cluster of domains routed through FUNNULL CDNs, revealing how it enables cybercriminals to leverage credible cloud providers for malicious activity through infrastructure laundering.
  • Silent Push previously coined the phrase “Infrastructure Laundering,” based on how FUNNULL uses illicit accounts on major cloud providers.

Executive Summary

Silent Push Threat Analysts have been tracking FUNNULL CDN and its use of infrastructure laundering since 2022. Our reporting began in May 2022 with our report on “Fake Trading Apps,” followed by our October 2024 expose, “Unveiling Triad Nexus: How FUNNULL CDN Facilitates Widespread Cyber Threats,” and then our January 2025 blog explaining “Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech.” We have also provided additional coverage and analysis of FUNNULL CDN in our detailed reports created exclusively for our enterprise clients.

We have also hosted a webinar on Infrastructure Laundering and presented our FUNNULL research in 2025 at FIRST Monaco, B-Sides San Francisco, B-Sides Dublin, and numerous private briefings.

Last year, our analysts uncovered and exposed a sprawling network of domains routed through a China-based CDN service called FUNNULL. Our research revealed how this infrastructure quietly enabled cybercriminals, including groups linked to China, to leverage U.S. and other credible cloud providers for malicious activity.

The U.S. Department of the Treasury and the Federal Bureau of Investigation (FBI) issued a press release, “Treasury Takes Action Against Major Cyber Scam Facilitator,” and an FBI advisory report, “Infrastructure Used to Manage Domains Related to Cryptocurrency Investment Fraud Scams between October 2023 and April 2025,” respectively, on May 29, 2025, warning that FUNNULL is a major distributor of online scams.

These reports included critical new details that are now public:

  • FUNNULL is linked to the majority of virtual currency investment scam websites reported to the FBI.
  • US-based victims of these scam websites have reported losses exceeding $200 million, with an average loss of over $150,000 per individual.
  • FUNNULL enables virtual currency investment scams by purchasing IP addresses in bulk from major cloud services companies worldwide and selling them to cybercriminals to host scam platforms and other malicious web content.
  • In 2024, FUNNULL purchased a repository of code used by web developers and maliciously altered the code to redirect visitors of legitimate websites to scam websites and online gambling sites, some of which are linked to Chinese criminal money laundering operations.

The actions come months after our findings were published and reported by Brian Krebs of Krebs On Security, who wrote that FUNNULL, “A sprawling network tied to Chinese organized crime gangs and aptly named ‘Funnull’ — highlights a persistent whac-a-mole problem facing cloud services.”

Cybercrime infrastructure is evolving fast – the cybersecurity community must adopt a proactive approach to detection. We’re also encouraged by other companies like Chainalysis writing up research about FUNNULL and sharing details, including key facts about FUNNULL’s connection to money laundering networks, writing, “Funnull had direct exposure to Huione Pay, for which the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a finding and notice of proposed rulemaking (NPRM) identifying it as a primary money laundering concern.”

Sign Up for a Free Silent Push Community Edition Account

Register now for our free Community Edition to use all of the tools and queries mentioned in this blog.

Threat Mitigation

Silent Push believes all domains associated with FUNNULL CDN and infrastructure laundering present some level of risk.

Our analysts construct Silent Push IOFA™ Feeds that provide a growing list of Indicators Of Future Attack™ data focusing on scams supported by this technique.

Silent Push Indicators Of Future Attack™ (IOFA™) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.

Continuing to Track FUNNULL and Infrastructure Laundering

Our team continues to track FUNNULL CDN and threat actors utilizing infrastructure laundering in its ever-evolving forms. We will report our findings to the security community as we identify new developments and other threat actors that exploit this practice.

We will also continue to share our research on threats we discover with law enforcement. If you happen to have any tips about threat actors participating in infrastructure laundering or engaging in other types of crime obfuscation activities, our team would love to hear from you.