Understanding Attack Infrastructure Clusters


Category: Features & Tools

What Are Clusters?

A cluster is a group of related attack infrastructure elements (domains, IP addresses, SSL certificates and email addresses) that attackers use together as part of the same campaign.

What Does Cluster Information Tell You?

When viewing an exposure, you may see attack infrastructure information showing:

  • Number of Clusters - How many distinct attacker infrastructure groups are involved
  • Total Domains - Domains in the attacker's infrastructure
  • Total IPs - IP addresses used by the attacker
  • Total Emails - Email addresses associated with the infrastructure

Why It Matters

If an exposure has associated attack infrastructure clusters:

  1. The vulnerability is not just theoretical - attackers have built infrastructure to exploit it
  2. The threat is more imminent and requires faster response
  3. Understanding the cluster helps you see the full scope of the attack campaign

More clusters typically mean more sophisticated or more widespread attacker activity.

Connection Types in the Graph

  • Resolved IP (solid line) - DNS resolution
  • SSL Certificate (solid line) - Certificate association
  • HREF Link (dashed line) - Hyperlink reference between resources
  • Redirect (solid with markers) - HTTP redirect chain
  • Cluster Connection (thick solid line) - Connection to a cluster group
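As an added illustration of how the connection types and the cluster counts fit together (example code written for this article, not the product's own clustering logic, which is not described here): a small Python script builds a graph from constructed sample observations using the connection types listed above, treats every connected component as one cluster, and produces the cluster, domain, IP and email counts shown in the exposure view. It assumes that any shared IP, certificate, link, redirect or contact email is enough to place two elements in the same cluster; the names, addresses and certificate fingerprint are placeholders.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample observations, not real infrastructure. Each edge is
# (source, connection_type, target), using the graph's connection types.
OBSERVATIONS = [
    ("login.example", "resolved_ip", "203.0.113.10"),
    ("secure.example", "resolved_ip", "203.0.113.10"),
    ("secure.example", "ssl_cert", "cert:PLACEHOLDER_FINGERPRINT_A"),
    ("verify.example", "ssl_cert", "cert:PLACEHOLDER_FINGERPRINT_A"),
    ("verify.example", "href", "pay.example"),
    ("pay.example", "redirect", "198.51.100.7"),
    ("login.example", "email", "reg@mail.example"),
    ("unrelated.example", "resolved_ip", "192.0.2.44"),
    ("unrelated.example", "email", "other@mail.example"),
]

def kind(node):
    if node.startswith("cert:"):
        return "cert"
    if "@" in node:
        return "email"
    try:
        ipaddress.ip_address(node)
        return "ip"
    except ValueError:
        return "domain"

def find_clusters(edges):
    """One cluster per connected component (assumption): any shared edge joins two elements."""
    adj = defaultdict(set)
    for src, _, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    remaining, clusters = set(adj), []
    while remaining:
        start = min(remaining)          # deterministic order, useful for testing
        comp, stack = {start}, [start]
        while stack:                    # depth-first walk of this component
            for nxt in adj[stack.pop()] - comp:
                comp.add(nxt)
                stack.append(nxt)
        remaining -= comp
        clusters.append(sorted(comp))
    return clusters

def summarize(clusters):
    """The counts the exposure view shows: clusters, domains, IPs, emails."""
    counts = Counter(kind(n) for cluster in clusters for n in cluster)
    return {"clusters": len(clusters), "domains": counts["domain"],
            "ips": counts["ip"], "emails": counts["email"]}
```

Run `summarize(find_clusters(OBSERVATIONS))` to see two clusters: the shared IP, certificate, link and redirect chain pull four domains into one group, while the unrelated domain forms its own.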

Updated on: 26/02/2026
