How It Works


By monitoring outbound DNS requests and correlating this against our aggregated threat intelligence, Strongarm prevents people from interacting with malicious content.


We Watch The Attackers So You Don't Have To

Our analysis team is constantly watching attackers set themselves up on the Internet. Be it phishing sites, hacking websites and adding exploits, or malware command and control, we’re constantly watching.

We do this through two mechanisms. First, we aggregate data every day from technology partners and open sources. These are built by people who have been attacked or are breaking apart malware. Second, we curate a set of our own data, derived from triaging customer infections, domains reported to us by our customers, our relentless analysis of user reported phishing and spearphishing attacks, and some tools we’ve built to watch attackers. This intelligence allows us to get ahead of the attackers.

How DNS-Based Security Works

By monitoring outbound DNS requests and correlating this against our aggregated intelligence, Strongarm stops your company’s systems from talking to malicious infrastructure.

When a connection to a bad domain is identified trying to leave your network, the DNS resolver returns Strongarm’s blackhole address instead of the attacker’s. The victim system communicates with Strongarm instead of the attacker, effectively disarming the attack.

Strongarm Speaks To Your Users... and Malware

If your user clicks on a phishing link, they receive a shot of user education right where they would have been phished. This is a real win, as there’s nothing for you to do to respond.

In the case of malware or ransomware, Strongarm doesn’t just block an infection and drop the connection. We “speak malware,” meaning we can interrogate the infected host to gather valuable information, such as who the victims (machines) were and whether there is a “poison pill” to destroy it.

All of this functionality comes from our DNS blackhole - it’s what makes us different from all other DNS security solutions: We turn the attacker against themselves to protect you.

If You See Something, Say Something

Cybercriminals send phishing emails and targeted spearphishing emails to specific victims. Differentiating these emails from regular emails is becoming harder and harder. No security solution will stop spearphishes. Your people being able to find them and report them is your only hope.

If just one person reports the phish via an email address we setup just for you, Strongarm will block all of the links, protecting anyone else who might make a mistake and click. You benefit from your users reporting phishing emails, and all of the users reporting phishes in the Strongarm customer community.

Strongarm's Got Your Back

When Strongarm stops an attack, our team has only just begun to go to work. As soon as you (and we) see an attack has been stopped, we begin triaging what’s happened. Using the Strongarm discussion feature, we will tell you what kind of an attack has happened, what the attacker’s goal was, and recommend how you can respond.

Sometimes it simply having a conversation with a user. Sometimes it’s cleaning malware off of a workstation. Sometimes it’s verifying your systems are patched against the attack we stopped. Working together, we’ll keep your users safe.

Where Strongarm Is Deployed

Strongarm is most commonly deployed as a forwarding resolver. This can be done on your Active Directory server, DHCP server, router, or firewall. (Not sure what any of that means? Don’t worry. Our simple-to-follow videos will help you get set up in minutes.)

If you’ve made investments in DNS infrastructure, Strongarm can also be configured as Response Policy Zone master, or you can download a plugin to your existing DNS resolvers that uses our API. Either way, your infrastructure will be caching the requests, ensuring no slow-down in any of your network traffic.

Why DNS-Based Security Works

By watching DNS requests and not focusing on the network traffic, Strongarm is not blind to encrypted traffic, peer-peer traffic, and other tactics that hackers use to get past firewalls and antivirus.

How Strongarm Thwarts Attackers


Phase:  Attack

Attacker infects victim

    Over 90% of attacks begin with someone clicking on a bad link sent via a phishing email or a hacked website. The attacker’s goal here is to either (1) steal your passwords or (2) to get malicious software (malware) running on your machine so they can begin to do their dirty work.


Phase:  Attack

Click performs DNS lookup

    By clicking on the malicious link, the victim’s system performs a DNS lookup to prepare to “phone home” to the people controlling the malicious link or to download other malware to the users system.


Phase:  Interference

Strongarm’s DNS responds with the blackhole IP address

    The Strongarm DNS resolvers (populated with our threat intelligence) see the lookup and respond with the IP address of the blackhole. The attack has now been defused and we can begin to use the interference to respond.


Phase:  Interference

Victim starts communicating with the blackhole

    The phish or malware “phones home” to the blackhole, thinking it is contacting the attacker. Strongarm’s blackhole holds this connection open and starts the conversation. If the blackhole detects a user, they get a dose of user education — a game to help them spot a phish. If the blackhole detects malware, it pretends to be the attacker’s infrastructure, and starts talking to the infected machine. The malware doesn’t know the difference and gives up all of the details of the victim.


Phase:  Notification

Strongarm sends alert

    Strongarm immediately notifies you that we’ve stopped an attack, providing a link to our dashboard so you can securely view the details about the victim, attack, and attacker. Don’t worry — the attack was stopped and your systems are completely protected.


Phase:  Triage

Strongarm and user triage attack

    Strongarm’s analysis team immediately gets to work triaging the infection. Our analysis will include details of the attacker and the attack type (an Office365 phish, targeted malware, etc.), what we know about the victim, and our recommendations for response. The Strongarm dashboard is continuously updated with additional information as our team and yours work together. Strongarm keeps the attack quarantined while we build your incident response and remediation plan.


Phase:  Remediation

Infection is remediated

    If one of your users clicks on a phish, the Strongarm block page can ask them to call you or forward the email to our phishing reporting service. When there’s malware involved, Strongarm often remediates the malware automatically (via a “killswitch” or “poison pill”). Alternatively, you can wipe and reinstall the system entirely. Our team provides support, so you can find the victim and ensure the problem is solved.


Phase:  Remediation

Infection is resolved

    Resolve the infection in the Strongarm dashboard. If the infection happens again, you’ll get another notification that another attack has taken place.

Want to learn more?

Download our white paper:

The Complete Guide to Strongarm