context safety score
A score of 34/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
brand impersonation
The domain ddog-gov.com impersonates Datadog (datadoghq.com) by using a typosquat/lookalike domain. The page title is 'Datadog: Log In' and the page replicates Datadog's login UI, branding, and infrastructure references (DD_version, dd-login.min.js, dd-login.min.css), creating a convincing fake login portal for a major SaaS monitoring platform. (location: https://ddog-gov.com / page.html:6, page.html:10-11)
credential harvesting
The page presents a fully functional Datadog login form hosted on a non-Datadog domain (ddog-gov.com). The hidden auth_settings input includes authentication_token '403d63f5bcc4c109a57be4c34087675ab6d9c39a', login endpoints (/account/login), and supports SAML, Google OIDC, and standard credential login — all designed to capture real Datadog credentials submitted by users who believe they are on the legitimate Datadog site. (location: page.html:20 (auth_settings hidden input))
phishing
The site is a phishing page masquerading as the official Datadog government login portal. It uses the '.gov' suffix in the domain (ddog-gov.com) to imply government legitimacy and official status, likely targeting government or enterprise users of Datadog's FedRAMP/GovCloud product. The config-init value references datacenter 'us1.fed.dog' and env 'gov', reinforcing the deceptive government/federal framing. (location: https://ddog-gov.com / metadata.json, page.html:61 (config-init hidden input))
hidden content
Multiple hidden inputs are embedded in the page using 'display: none' divs: 'auth_settings' contains authentication tokens, OAuth URLs, reCAPTCHA site keys, and login flow configuration; 'config-init' contains extensive application configuration including Braintree payment keys ('production_svxkfc64_9mgt93ty97qj6hbt'), browser SDK tokens, and internal app URLs; 'public-path' exposes static asset CDN origin. This hidden data exfiltrates or exposes sensitive configuration to any page scripts or third parties. (location: page.html:20 (auth_settings), page.html:61 (config-init), page.html:62 (public-path))
credential harvesting
A reCAPTCHA site key ('6LfyEw8pAAAAAN9eEkzUhRICIZWXcrvCXEn5bF0U') and a Braintree production publishable key ('production_svxkfc64_9mgt93ty97qj6hbt') are embedded in the hidden config, suggesting the site may also be set up to process payment information or bypass bot protections under a fraudulent context. (location: page.html:20 (recaptcha_site_key in auth_settings), page.html:61 (braintree_publishable_key in config-init))
curl https://api.brin.sh/domain/ddog-gov.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
ddog-gov.com currently scores 34/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.