context safety score
A score of 33/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
js obfuscation
JavaScript uses eval() with String.fromCharCode — common obfuscation
obfuscated code
Heavy JSFuck-style obfuscation used inside eval() calls within the values() function to construct strings at runtime, hiding the true payload from static analysis. The obfuscated expressions build strings character-by-character using array coercions and eval, a classic technique for evading content security scanners. (location: page.html:36 (second <script> block, values() function, eval arguments))
obfuscated code
Hex-identifier obfuscation (_0x4541, _0x2d84, _0x37209d, etc.) used to disguise a XOR-based string encoding/decoding routine (key 0x6). The obfuscated module pattern rotates an array by 0x127 positions and then decodes values using XOR, concealing what strings are being produced and used as cookie values. (location: page.html:41 (second <script> block, _0x4541 array and IIFE))
hidden content
The page renders two language sections (#en and #fa) both initially hidden via CSS class 'error-section--hide'. Visibility is controlled by JavaScript that detects the user's timezone (Tehran/Iran) to selectively reveal content, meaning different content is shown to Iranian vs. non-Iranian visitors. This geo-targeted display can be used to serve different experiences to specific audiences while appearing benign to others. (location: page.html:1 (both <section> elements with class 'error-section--hide'))
malicious redirect
The page is a transient 'Transferring to website...' interstitial that sets obfuscated cookies (__arcsjs and __arcsjsc) via JavaScript and then calls location.reload() after a randomized delay (2000-3000ms). The redirect target is not disclosed in the HTML; the actual destination URL is determined server-side after the cookies are validated, concealing where users are ultimately sent. (location: page.html:43-48 (DOMContentLoaded setTimeout block with location.reload()))
obfuscated code
The XOR-encoded cookie values (hash and hash_v1) are computed by double-applying a XOR cipher (key=6) to obfuscated strings produced by eval(). This produces credential-like tokens set as browser cookies (__arcsjs, __arcsjsc) with a 15-minute TTL. The double-encoding and obfuscation of inputs makes it impossible to statically determine what values are being stored in these cookies without executing the code. (location: page.html:41,45-46 (hash/hash_v1 computation and document.cookie assignments))
curl https://api.brin.sh/domain/isna.irCommon questions teams ask before deciding whether to use this domain in agent workflows.
isna.ir currently scores 33/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.