Threat Intel Interview Questions: How to Pivot From One Malicious Domain
You have one malicious domain from an incident and need to build a fuller picture of the adversary's infrastructure. A weak answer stops at reputation checks and a quick block. A strong answer treats the domain as a starting node, then pivots methodically through registration, hosting, certificates, and historical links to find what is still active and worth action.
The Common Mistake
Most candidates answer this scenario as if the interviewer asked for validation, not analysis.
"I would check VirusTotal, see whether the domain is already known as malicious, block it in our firewall, and send it to the SOC. If there are hits in our logs, I would investigate those systems too."
That answer is not useless, but it is incomplete in exactly the way threat intelligence interviewers care about. It treats the known domain as the finished product instead of the first breadcrumb. It also fails to explain what question each step is answering. Reputation tells you whether someone else has seen the domain. It does not tell you what related infrastructure the adversary controls, which pivots are strong versus speculative, or where you should spend the next ten minutes to uncover active risk.
The deeper problem is methodological. The candidate has described a checklist with no branching logic. There is no attempt to identify registration patterns, no use of passive DNS, no certificate pivoting, no historical view, and no confidence language. That usually signals memorization-based thinking: the analyst knows the tools, but not how to turn one indicator into a defensible infrastructure picture.
What Interviewers Are Testing For
This question tests whether a candidate can move from a single artifact to a structured map of adversary infrastructure. The domain matters less than the reasoning pattern.
Interviewers usually want to hear four things:
- Whether the analyst starts with the highest-yield pivots. Strong candidates prioritize pivots likely to expose active infrastructure, not the easiest tools to click.
- Whether the analyst distinguishes relationships from proof. Shared nameservers, hosting, or certificates can justify a lead, but not every link deserves the same confidence.
- Whether the analyst can track patterns, not just collect artifacts. Registration details, naming conventions, web structure, and historical reuse reveal how the infrastructure is being operated.
- Whether the analyst can produce something operational. A visual relationship map, confidence notes, and prioritized follow-on leads are more useful than a long flat IOC list.
Candidates often get this wrong in predictable ways:
- They stop at basic reputation and never pivot outward.
- They pivot everywhere without explaining why a pivot is likely to matter.
- They treat every linked domain as equally malicious.
- They ignore historical data, which makes infrastructure tracking look static when it is actually evolving.
The mental model interviewers want is simple: start from one confirmed node, test the strongest adjacent hypotheses, document confidence at each branch, and keep narrowing toward infrastructure that is both related and currently actionable.
Framework: Infrastructure Pivoting
| Component | Weak Version | Strong Version |
|---|---|---|
| Starting point | Checks whether the domain is already known | Treats the domain as a seed for structured expansion |
| Pivot selection | Clicks through many sources without prioritization | Chooses WHOIS, passive DNS, certificate transparency, and shared services based on expected yield |
| Relationship handling | Assumes every technical overlap means same actor | Documents confidence for each relationship and separates strong links from tentative ones |
| Output | Flat IOC list | Visual infrastructure map with prioritized active leads |
Strong Answer Breakdown
A strong answer sounds like an analyst building outward from the seed domain with purpose:
"I would start with WHOIS and other registration details to look for repeatable patterns such as registrant reuse, registrar choice, and naming conventions. Then I would use passive DNS to identify domains that shared infrastructure with the seed domain, because that is often the fastest way to surface adjacent active nodes.
Next I would pivot through the certificate. Certificate Transparency logs are useful for finding other domains tied to the same certificate or issuance pattern. I would also check shared nameservers, mail servers, and hosting to see which relationships recur across multiple pivots.
After that I would inspect web content and structure for signs that the infrastructure is part of the same cluster. Historical data matters here too. If domains moved across IPs but kept similar setup patterns, that is stronger than a single one-time overlap.
I would document confidence for each link, build a relationship map, and prioritize the pivots most likely to reveal infrastructure that is still active and worth blocking or monitoring."
Each part of that answer maps back to the expected answer. WHOIS and naming patterns help identify operational consistency. Passive DNS and certificate pivots expand scope beyond the original indicator. Shared hosting, nameservers, and mail services help test whether the overlap is structural or incidental. Historical data helps distinguish durable patterns from noise. The confidence note matters because infrastructure analysis produces leads with different evidentiary strength, and strong candidates say that out loud.
The key distinction is that the candidate is not collecting enrichment for its own sake. Each pivot exists to answer a practical question: what else is likely part of this cluster, how strong is that linkage, and which findings deserve immediate defensive action.
Why This Distinction Matters
Real adversaries do not operate as single indicators. They operate as clusters of infrastructure that change over time but often preserve parts of their setup logic. If an analyst only validates the seed domain, the organization blocks one artifact and misses the surrounding campaign surface. If the analyst pivots methodically, the same starting point can produce proactive blocks, higher-quality hunts, and better detection coverage.
That is why this competency outlasts any specific platform. Tools change. Data providers change. The durable skill is knowing how to expand one confirmed signal into a confidence-rated picture that helps defenders act before the next domain appears.
Red Flags
- Reputation-only workflow. The answer ends after checking whether the domain is known malicious.
- Random pivoting. The candidate names data sources but cannot explain what each pivot is supposed to prove.
- No confidence handling. Every linked artifact is treated as equally trustworthy and equally malicious.
- No historical perspective. The answer ignores how infrastructure changes over time and misses recurring setup patterns.
- No operational output. The investigation produces a pile of indicators instead of a prioritized map and follow-on actions.
Key Takeaways
- When given one malicious domain, a practitioner should treat it as a seed node because the real objective is expanding to related infrastructure, not validating what is already known.
- When choosing pivots, a practitioner should prioritize the sources most likely to reveal active adjacent infrastructure because breadth without yield is wasted analysis time.
- When a technical overlap appears, a practitioner should document confidence explicitly because shared infrastructure can be suggestive without being conclusive.
- When historical data shows repeated setup patterns, a practitioner should weight that pattern more heavily because durable operational habits are more useful than one-off matches.
- When reporting results, a practitioner should produce a relationship map and prioritized next actions because defenders need structured decisions, not raw enrichment output.