context safety score
A score of 37/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
malicious redirect
script/meta redirect patterns detected in page source
brand impersonation
The domain indeed.net is distinct from the legitimate indeed.com job platform. The Cloudflare challenge page embedded in the response explicitly sets cZone to 'www.indeed.com', indicating the site is presenting itself in a context associated with the Indeed.com brand while operating under the lookalike domain indeed.net. This is a classic domain squatting / brand impersonation pattern targeting users who may mistype or be redirected to the .net variant expecting the legitimate .com service. (location: metadata.json: domain=indeed.net; page.html/page-text.txt: cZone='www.indeed.com')
malicious redirect
The page contains a Cloudflare-style challenge page (cType='managed') hosted on indeed.net but referencing www.indeed.com as the challenge zone. This infrastructure pattern is consistent with adversary-in-the-middle or reverse-proxy phishing setups where traffic is intercepted under a lookalike domain and proxied to or from the legitimate site, enabling credential or session harvesting. The meta refresh tag (content='360') also forces page reload behavior. (location: page.html: _cf_chl_opt cZone='www.indeed.com', cType='managed'; meta http-equiv='refresh' content='360')
phishing
indeed.net is a typosquat/lookalike domain for the legitimate indeed.com employment platform. Serving a Cloudflare-mimicking interstitial challenge on a brand-impersonating domain is a well-documented phishing technique used to steal credentials or session tokens from users who believe they are interacting with the real Indeed.com site. (location: metadata.json: url=https://indeed.net; page.html: Cloudflare challenge interstitial)
credential harvesting
The Cloudflare challenge interstitial on the lookalike domain indeed.net requests that users enable JavaScript and cookies to continue. On a fraudulent domain mimicking indeed.com, this pattern is used to capture authentication cookies and credentials as users proceed through what appears to be a legitimate security check before being prompted to log in. (location: page-text.txt: 'Enable JavaScript and cookies to continue'; page.html: cUPMDTk and fa parameters pointing to /?__cf_chl_tk= endpoints)
hidden content
The page contains a large base64-encoded SVG embedded in CSS (background-image: url('data:image/svg+xml;base64,...')) and extensive obfuscated Cloudflare challenge parameters (cH, md, mdrd tokens) with no visible user-facing content beyond the challenge message. These opaque data blobs obscure the true behavior of the page from both users and automated scanners. (location: page.html: #challenge-error-text style background-image data URI; _cf_chl_opt md and mdrd fields)
curl https://api.brin.sh/domain/indeed.netCommon questions teams ask before deciding whether to use this domain in agent workflows.
indeed.net currently scores 37/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.