Metrics

​

Overview

They are built by aggregating your organization’s activity (reports, detections, blocked assets, takedowns) into simple, readable summaries.

​

Why It Matters

Metrics help you answer “Are we protected?” by showing threat volume, coverage, and response quality to your internal stakeholders and, when enabled, to external audiences via your Security Portal.

​

Key Characteristics

​

Organization-Specific

Metrics are always calculated for a specific organization and reflect only that organization’s reports, threats, and takedown activity. You only see your organization’s data with no cross-organization visibility, customized to your brands and assets, reflecting your specific threat landscape.

​

Time-Bound

Every metrics view uses a time window (e.g., “last 30 days” or a custom range). Common time periods include last 7 days, last 30 days, last 90 days, and custom date ranges. The same metric (e.g., “New Threats”) may look very different depending on the period you select.

​

Filterable

Many metrics can be filtered by brand and broken down by: Asset Type - Domains, Twitter/X, Telegram, other platforms Threat Category - Brand impersonation, employee impersonation, general phishing, specific attack types

​

Components

Counts - Reports received, new threats blocked, threats on watchlist, takedowns filed, takedowns completed Breakdowns - Threats by asset type, threats per brand, detections by source, category distributions Timelines and Speed - Threats blocked per day, takedowns completed per day, median time to takedown, trend analysis

​

What Lives Inside Metrics

​

Core Volume Metrics

• Reports - How many submissions your organization received from users, partners, and integrations
• New Threats - How many assets were blocked as threats (domains, social profiles, Telegram channels, etc.)
• Threats Watchlisted - Threats you’re actively watching (takedowns not appropriate or on hold)
• Takedowns Filed - How many takedown requests your organization has initiated
• Takedowns Completed - How many takedown requests have been successfully resolved

​

Threat Breakdowns

By Asset Type:

• Domain Threats - Blocked malicious domains and URLs (phishing websites, fake landing pages, impersonation sites, malicious web applications)
• Twitter Threats - Blocked threats on Twitter/X (impersonation accounts, scam posts, fake support accounts, fraudulent giveaways)
• Telegram Threats - Blocked threats on Telegram (fake support channels, scam groups, impersonation accounts, phishing bots)
• Other Threats - Blocked threats on all other supported surfaces (app stores, other social networks, developer platforms, email addresses, blockchain addresses)

By Brand: Threats blocked per brand inside your organization, showing which brands are targeted more heavily. Use this to identify most-targeted brands, allocate protection resources, track brand-specific campaigns, and compare threat levels across portfolio.

​

Time-Series and Speed Metrics

Threats Blocked Per Day - Shows how many assets were blocked on each day in the selected range. Helps identify threat spikes, track seasonal patterns, measure detection effectiveness, and spot coordinated campaigns. Takedowns Completed Per Day - Shows how many takedowns reached “completed” status on each day. Helps track takedown velocity, measure provider responsiveness, identify bottlenecks, and monitor team efficiency. Median Time to Takedown - Calculated from when a takedown request is created to when it is first marked completed. Available as overall median, by asset type (domains, social media, etc.), and by threat category (brand vs. employee impersonation). Lower median times indicate faster threat removal and better provider relationships.

​

How Metrics Relate to Other Concepts

Assets and Asset Scans - When asset scans and reviews lead to an asset being blocked, that asset contributes to metrics such as New Threats, Threats by asset type, and Threats blocked per day. Ongoing scans and liveness updates ensure that metrics reflect the current state of your threat surface. Threats / Detections - Every detection or blocked asset rolls up into counts like new threats, detections by type, and domains blocked. Metrics summarize how much malicious activity is being found and neutralized for your organization over time. Reports and Reviews - Reports raised by your team or users drive the Reports metric. Review outcomes (e.g., approving a threat as real and blocking it) flow into threat and takedown metrics. Shows how well your review process is keeping up with incoming threats. Takedowns - Takedown records power Takedowns Filed, Takedowns Completed, and Median time to takedown per asset type and category. These metrics show how quickly threats are being removed once identified. Brands and Services - Metrics can be filtered by brand to show which brands are most targeted. Enabling services like detection, reviewing, takedowns, and wallet blocking typically increases visibility in metrics (more threats found, blocked, and removed). Higher threat counts don’t mean you’re less secure; they mean you’re detecting more threats that were always there.

​

Examples

​

Example 1: Quarterly Threat Overview

For executive reporting, you select “Last 90 days” on the Metrics page. The dashboard shows reports received (245), new threats blocked (187), takedowns filed (142), takedowns completed (128), plus charts of threats blocked per day. You share these numbers with leadership to summarize malicious activity detected and action taken. Key insights: 76% of reports resulted in blocked threats, 90% of takedowns were completed, average of 2 threats blocked per day.

​

Example 2: Domains vs. Social Threats

For threat landscape analysis, you compare threat counts for the last month: Domain Threats (45, down from 60 last month), Twitter Threats (30, stable), Telegram Threats (55, up from 35 last month), Other Threats (20, stable). You see that domain threats have decreased while Telegram threats have increased, and adjust your monitoring and communication plans accordingly—increase Telegram monitoring frequency, alert community about Telegram scams, investigate why attackers shifted platforms.

​

Example 3: Takedown Speed Analysis

For provider performance review, you analyze median time to takedown by asset type: Domains (48 hours), Twitter (24 hours), Telegram (18 hours), App stores (72 hours). Insights: Social platforms respond faster than hosting providers, app stores have longest response times, Telegram is most responsive. Actions: Focus on improving domain takedown speed, investigate app store delays, document Telegram best practices.

​

Key Takeaways

• Metrics reveal protection gaps: Tracking detections by channel shows where attackers focus, helping you prioritize monitoring efforts on platforms with highest threat activity
• Time-based analysis identifies campaign patterns: Sudden spikes in detections often indicate coordinated campaigns, while steady increases suggest growing attacker interest
• Speed metrics drive operational improvements: Median time to block and takedown completion times help identify bottlenecks in your response process
• Filtering enables strategic decisions: Breaking down metrics by brand, asset type, or threat category reveals which parts of your organization face the most risk