Matt Bromiley, Lead Solutions Engineer at LimaCharlie
Threat actors rotate domains and IP addresses faster than any blocklist can keep up, which means the hard part of network defense is rarely seeing a connection. It is knowing what that connection means. A DNS request to an unfamiliar host is just noise until something tells you the host is a gambling site, a parked domain on a shared box full of malware, or a live command and control server. This session, moderated by LimaCharlie co-founder Christopher Luft with Will Andre, lead evangelist at alphaMountain, and Matt Bromiley, lead solutions engineer at LimaCharlie, is ostensibly about a new integration. The more useful way to read it is as an argument about where reputation data belongs in a detection pipeline and who gets to decide when it counts as an alert.
Andre frames what alphaMountain sells around three properties he calls the three F's. Freshness, meaning how fast a verdict gets rendered. Fidelity, meaning how granular and confident the score is. And factors, meaning the explainable reasons behind each rating. The third one is the one that matters most for anyone who has to stand in front of a customer. The company's web product, Threat Yeti, makes this concrete: look up a domain, get a risk rating on a numerical scale, and drill into what drove it. Andre walks through a 9.1-rated host and the reasoning is all there in the open: the domain shares an IP with other risky hosts, it is unpopular (and unpopular sites tend to be riskier than heavily trafficked ones), its mail and name servers sit in scattered countries, and the domain is young. None of those factors is hidden behind a verdict you have to take on faith.
Andre is explicit about who this serves. Picture a SOC bringing analysts in on day one who do not yet know what a malicious site looks like or how to render a verdict on one. Threat Yeti is, in his words, a Google for risky sites, a way to sit those analysts down and let them close out investigations with confidence instead of guesswork. For an MSSP or MDR, that is the quiet economic case: explainable reputation data lifts the floor on what a junior analyst can defensibly decide, which shortens onboarding and keeps senior people off routine triage.
The center of Bromiley's half of the conversation is a distinction that sounds pedantic and is actually the whole design philosophy: enrichment is not the same as an alert. alphaMountain exposes three separate lookups through the integration, and they answer different questions. Category tells you what a site is: gambling, information technology, adult content. Popularity is a separate signal of its own. Threat tells you whether a host is malicious in a way that warrants action. Adding a category label to network telemetry, Bromiley argues, is not inherently a security event. It just describes the destination. The threat lookup is what supports a higher-fidelity detection. LimaCharlie does not collapse those into one automatic enrichment. It hands the operator the choice.
That choice is not cosmetic, and it is where the multi-tenant economics show up. Nothing gets enriched until a detection and response rule explicitly calls the API. Bromiley is blunt about why: the platform is not going to blow up your data storage by bolting reputation onto every event and wishing you luck sifting the noise. Just as important, an API key usually comes with a numerical limit, and a feed you burn through in five minutes is worthless. Forcing the lookup to be deliberate protects both the storage bill and the quota across every tenant you run.
The demo itself is almost beside the point, which is fitting given how much of it went sideways live (a query timed out, a window misbehaved, Bromiley fixed it mid-session). The mechanics are simple: a rule watches DNS events, pulls the domain, runs the alphaMountain category lookup, and reports the result with the host name attached so an analyst can pivot. The interesting move is what he does to keep it from matching every DNS request in the environment. Tag user laptops, perimeter devices, crown-jewel systems, or the ten hosts under a magnifying glass during an incident, then point the lookups only at what you care about. The same logic explains why replaying a rule against historical telemetry is deliberately designed not to fire external API calls. Nobody wants a backlog of old DNS records triggering a flood of billable lookups.
What gives the integration teeth is that the lookups can be sequenced rather than fired blindly. Bromiley sketches the pattern he clearly prefers: a detection that catches a productivity application (Word, Outlook, Acrobat, PowerPoint) opening a network connection, then pushes that event to alphaMountain to ask what it is reaching out to. A Microsoft app talking to microsoft.com for an update is uninteresting. The same app reaching a host flagged as malicious, or one whose category makes no sense, is worth waking someone up for. In that arrangement reputation becomes a first-level indicator (tag a host as suspicious on certain categories, then dig in with the threat feed) rather than a standalone alarm.
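The pattern across the last few paragraphs (tag-scoped lookups, a counted quota, no lookups on replay, category as enrichment and the threat feed as the second deliberate step) is modelled below as an added example. It is not LimaCharlie's rule syntax or alphaMountain's API; the verdict table, the app list, the "odd for Office" categories and the 7.0 alert cut-off are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the alphaMountain category/threat verdicts; the
# real integration calls the vendor API, which is not modelled here.
FAKE_REPUTATION = {
    "microsoft.com": {"category": "information technology", "threat": 1.0},
    "casino-example.test": {"category": "gambling", "threat": 4.5},
    "young-host.test": {"category": "uncategorized", "threat": 9.1},
}
PRODUCTIVITY_APPS = {"winword.exe", "outlook.exe", "acrord32.exe", "powerpnt.exe"}
# Categories that make no sense for an Office process to be reaching (assumption).
ODD_FOR_OFFICE = {"gambling", "adult content", "uncategorized"}
ALERT_THRESHOLD = 7.0  # assumed cut-off on the threat scale; tune per tenant


@dataclass
class ReputationPipeline:
    watched_tags: set          # only sensors carrying one of these get lookups
    quota: int                 # per-key lookup budget shared by every tenant
    replay: bool = False       # replaying historical telemetry never calls out
    lookups_used: int = 0

    def lookup(self, domain, kind):
        """Deliberate, counted external call; returns None once the quota is spent."""
        if self.lookups_used >= self.quota:
            return None
        self.lookups_used += 1
        verdict = FAKE_REPUTATION.get(domain, {"category": "uncategorized", "threat": 5.0})
        return verdict[kind]

    def handle(self, event):
        """Classify one DNS/network event as skip, enrich or alert."""
        if self.replay or not (event["tags"] & self.watched_tags):
            return "skip", {}
        category = self.lookup(event["domain"], "category")
        if category is None:
            return "skip", {"reason": "quota exhausted"}
        result = {"host": event["host"], "domain": event["domain"], "category": category}
        # A category label only describes the destination; on its own it is enrichment.
        if event["process"] not in PRODUCTIVITY_APPS or category not in ODD_FOR_OFFICE:
            return "enrich", result
        # Only the narrowed set earns the second lookup, against the threat feed.
        result["suspicious"] = True
        threat = self.lookup(event["domain"], "threat")
        result["threat"] = threat
        if threat is not None and threat >= ALERT_THRESHOLD:
            return "alert", result
        return "enrich", result
```

The `lookups_used` counter is what makes the quota argument visible: an unwatched host or a replay consumes nothing, an ordinary DNS event costs one lookup, and only the sequenced case costs two.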
Bromiley also pushes back on the assumption that this is all about nation-state activity. The category lookups surface ordinary policy problems too, peer-to-peer or torrent clients running on short-lived or single-use systems, the kind of acceptable-use enforcement a provider does across a client fleet every day. And every lookup result carries a Threat Yeti URL that LimaCharlie appends to the data, which an analyst can carry straight into a ticket, an email alert, or a response action, so the verdict and its evidence travel together into wherever the work actually gets done.
The integration is recent, the product of a conversation that started when the two teams met at Black Hat Europe in December 2022 and shipped by June 2023. But the durable idea here is not the partnership. It is that reputation data is most valuable when the operator controls when it runs, what it costs, and whether a given verdict rises to the level of an alert, rather than having a vendor decide all three on their behalf.
LimaCharlie gives MSSPs and MDRs a fully programmable SecOps Cloud Platform, with transparent usage-based pricing, API-first integration across every telemetry source, and the infrastructure to run multi-tenant operations at scale.