Investigate threats
Users can investigate the details of an IP address, domain name, URL, or Autonomous System Number (ASN). You can find the Investigate feature in your Cloudflare account’s Security Center and in Cloudflare Radar ↗.
You can search with Investigate by IP address, domain, URL and AS number.
An IP address ↗ is a unique address that identifies a server. It stands for Internet Protocol ↗, which is the set of rules that allows servers to communicate with each other.
IP address search allows you to search both IPv4 and IPv6 ↗ addresses and retrieve relevant information such as their pointer records, AS numbers and passive DNS records.
A domain name ↗ is a string of text that maps to an IP address. Domain names are used to help people remember where websites are hosted. Domain names are purchased through registrars and can be acquired easily by anyone.
When you search for a domain name, Cloudflare will provide an overview of the domain’s category and IP addresses it currently resolves to.
For a detailed list of categories, refer to Domain categories.
A domain can have multiple categories. Cloudflare displays both the parent category and the detailed child category. You can request category changes for a domain. Miscategorized domains can also request to have a category added. This request goes through an approval process with the Cloudflare team.
As part of the domain search results, Cloudflare show the WHOIS details and a history of its category changes over time.
An AS number ↗ is a group of IP addresses belonging to and controlled by a single organization. The entire group of networks have a single unified routing policy. The Internet Assigned Numbers Authority ↗ (IANA) is the organization responsible for managing the assignment and distribution of AS numbers. The AS number’s routing policies are used by BGP ↗ which is how Cloudflare’s anycast network ↗ works.
When you search for an AS number, Cloudflare will return registration data such as its country, description and type. It will also display data such as domain count, top 10 domains and subnets.
With sufficient data, AS number search results will also return the geographical distribution of traffic in its network, application level attacks and network level attacks, each broken down by Cloudflare mitigation techniques and network protocols, respectively.
When you search for a URL, Cloudflare will provide a list of recent scan reports for that specific URL, limited to the past 30 days. You can view previously generated reports or scan again to generate a new report.
Different Cloudflare plans will have different scan limitations.
When generating a new scan report, the default visibility is set to Unlisted, but you have the option to set it to Public. By choosing Public, the generated scan will be available to all Cloudflare dashboard and Cloudflare Radar users alike, which will increase awareness of potentially malicious websites for others.
We recommend choosing Unlisted if you are scanning infrastructure that is not intended to be shared with the wider Cloudflare community.
While viewing the most recent scans, you can use the filtering options. Selecting All account scans will display both Unlisted or Public scans initiated from your Cloudflare account. However, by selecting All global scans, only Public scans are displayed.
You can download a report of your scan in HAR or JSON format.
To download a report:
- Log in to your Cloudflare dashboard ↗ and select your account.
- Select Investigate > Enter your domain > Select Search.
- Once the report has been generated, select Download > Choose between Download HAR or Download JSON.