Documentation Index
Fetch the complete documentation index at: https://none-38c466ad.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
The architecture is modular, with clear boundaries separating acquisition, signal extraction, enrichment, correlation, and output. This separation allows each domain to be optimized independently while supporting horizontal scaling under distinct capacity and failure envelopes.
3.1 Acquisition Domain
The acquisition layer retrieves rendered web surfaces together with associated resource and network artifacts at broad scale. The objective is to capture a complete snapshot for correlation in a single pass while keeping collection mechanics abstracted from downstream layers.
Captured elements include:
- DOM snapshots before and after script execution
- Resource manifests with checksums and retrieval order
- Network logs of runtime endpoints and payload metadata
- Execution metadata such as timings and viewport context
These elements together form a multi-dimensional record suitable for deterministic linkage and cross-domain comparison.
3.2 Signal Extraction Domain
Signal extraction transforms raw acquisition output into structured technical artifacts. Normalization prevents spurious overlap and ensures that correlation relies on signals with defined type and entropy properties.
Signals fall into four broad families:
- Structural: layout hashes, inline and external asset fingerprints
- Integration: identifiers from analytics, payments, and platform APIs
- Infrastructure: endpoints, storage containers, and webhook targets
- Platform metadata: themes, plugins, or template markers
Normalization eliminates accidental overlaps and ensures that correlation is driven only by signals with explicit type assignments and measurable distinctiveness.
3.3 Enrichment Domain
Enrichment extends isolated signals into broader pivots. DNS, TLS, and hosting metadata provide infrastructure anchors, while resolution of storage and webhook identifiers exposes shared back-office fabric.
Enrichment answers three questions: where infrastructure resides, what else occupies it, and whether overlaps are intentional or incidental. By resolving domains, normalizing storage containers, and parsing certificate fields, enrichment transforms raw signals into persistent operator fingerprints.
The process also confirms or refines platform classification, combining extraction results with enriched evidence to assign confidence levels.
3.4 Correlation Domain
Correlation converts enriched signals into linkages between domains and infrastructure. Deterministic matches such as unique hashes or storage identifiers form hard edges, while probabilistic overlaps such as analytics IDs contribute weighted edges. Negative evidence filters suppress false positives when conflicts occur.
The result is a weighted graph of domains, assets, and operators. Confidence tiers distinguish high-certainty clusters from weaker associations, and thresholds adapt to platform baselines. These graphs provide the substrate for mapping operator networks, generating coordinated enforcement actions across linked domains, and tracing how infrastructures evolve over time.
3.5 Output and Integration Domain
The output domain ensures intelligence is consumable without loss of fidelity. Structured exports preserve provenance, scores, and linkage rationale. Formats include JSON for programmatic pipelines, CSV for manual review, graph exports for visualization, and bundled evidence for legal workflows.
All outputs carry acquisition timestamps, signal provenance, and correlation context, enabling reproducibility and auditability. Integration points include APIs, webhooks, and scheduled exports. Because signals are already normalized into feature vectors, the same outputs can feed supervised and unsupervised models, as well as temporal analysis.
The outcome is intelligence that remains actionable, explainable, and machine-usable across investigative, enforcement, and modeling contexts.
