context safety score
A score of 48/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
brand impersonation
Domain '1xlite-03801.world' closely mimics the 1xBet/1xLite gambling brand using a numeric subdomain-style suffix pattern (03801) appended to the brand name, registered on a .world TLD. This pattern is commonly used to create disposable brand-impersonating domains that evade blocklists while directing users to the real infrastructure via CDN (traincdn.com). (location: metadata.json: domain field, page.html: CDN URLs pointing to v3.traincdn.com)
social engineering
The server is actively fingerprinting the scanning agent by name: 'userAgentSsr':'brin-agent/1.0' is logged and stored in serverData, and a 'userBlockingInfo' object is returned with a 'blockingCookieValue' (base64: eyJ0ZW1wbGF0ZSI6MSwicnVsZSI6MjJ9 = {"template":1,"rule":22}). This indicates the site detects automated/security scanners and serves them a different page (BlockPage/ErrorPage) than real users, actively evading security analysis. (location: page.html: window.serverData userBlockingInfo block, blockingCookieValue)
hidden content
The page served to the scanner is a technical/block page shell with no visible content — actual site content is hidden behind bot/agent detection. The 'mfc' array specifies 'BlockPage' with 'Detailed' variant is rendered for this agent, meaning real phishing or malicious content is concealed from security scanners. The page-hidden.txt is empty, confirming no visible content was delivered. (location: page.html: window.serverData mfc array ([{"name":"ErrorPage","variant":"Default"},{"name":"BlockPage","variant":"Detailed"}]))
malicious redirect
All scripts and assets are loaded from an external CDN domain 'v3.traincdn.com' via dynamically injected script tags. The CDN loader includes a fallback mechanism: if the CDN fails, it silently strips the CDN prefix and loads assets locally. This pattern allows the operator to swap malicious payloads via CDN without changing the origin page, and the domain 'traincdn.com' is associated with 1xBet gambling infrastructure known for operating in restricted jurisdictions. (location: page.html: inline CDN loader script, fetch to v3.traincdn.com/version.json, script injection via document.body.appendChild)
curl https://api.brin.sh/domain/1xlite-03801.worldCommon questions teams ask before deciding whether to use this domain in agent workflows.
1xlite-03801.world currently scores 48/100 with a suspicious verdict and medium confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.