
Smarter Investigations with ZeroFox Intelligence Search Pivoting

by Kelly Kuebelbeck

Cyber adversaries aren’t just evolving—they’re poised to outpace defenders at every turn. Their tactics are more coordinated, their infrastructure more concealed, and their reach more global than ever. According to IBM’s 2024 Cost of a Data Breach Report, the global average cost of a breach has surged to $4.45 million—a staggering 15% increase over the past three years. And yet, while threats accelerate, defenders are still grappling with an overwhelming volume of disconnected intelligence, often struggling to make sense of it all before the damage is done.

Security teams no longer just need visibility. They need the power to act swiftly, pivot intelligently, and uncover the full story behind every threat. That’s where ZeroFox Intelligence Search delivers. With unmatched visibility across the surface, deep, and dark web, ZeroFox has already been a force multiplier for security teams. Now, with the release of our new Intelligence Search Pivoting functionality, analysts can easily initiate successive searches or apply refined filters directly from initial results, supported by intelligent, context-aware search suggestions.

ZeroFox Intelligence Search: A New Era of Threat Hunting

ZeroFox Intelligence Search is a game-changer, offering a powerful, searchable interface into a threat intelligence graph with over 12 billion interconnected data points. Built on real-time feeds, expert analysis, and petabytes of curated data, it empowers analysts, incident responders, and researchers to explore structured and unstructured data—from IP addresses and CVEs to dark web chatter and social media posts. At its core lies the Correlated Graph, a dynamic visualization engine that maps relationships between threat indicators, actors, and assets, turning fragmented signals into a cohesive narrative.

Now, with the introduction of advanced pivoting functionality, ZeroFox Intelligence Search takes threat hunting to new heights. This feature allows analysts to dynamically navigate datasets in real time, following threat trails to reveal critical insights faster and more effectively than ever before.

The Correlated Graph: Seeing the Unseen

Imagine a digital war room where every threat—malicious domains, compromised credentials, dark web posts—is a node in a sprawling, interconnected map. The Correlated Graph uses advanced algorithms to illuminate relationships, such as a typosquatted domain tied to a phishing campaign or a dark web marketplace linked to a brand impersonation scheme. Analysts can zoom in on specific datasets, pivot to related indicators, and trace a threat’s lifecycle—all in real time.

By blending structured data (like IPs and CVEs) with unstructured sources (like social media or dark web chatter), the Correlated Graph provides a 360-degree view of the threat landscape. It’s not just data—it’s the adversary’s playbook laid bare.

New Pivoting Functionality: Precision at Your Fingertips

The new pivoting functionality supercharges ZeroFox Intelligence Search, enabling analysts to tailor their investigations with unprecedented precision. Key capabilities include:

  • Visual Dataset Breakdown: Interactive bar and pie charts visualize dataset distribution and result counts, making it easy to understand the origins and connections of intelligence.
  • Time-Based Aggregation: Automatically group results by seconds, minutes, hours, days, weeks, months, or years, with aggregation dynamically adjusted to the query’s time range (e.g., daily aggregation for queries spanning a week or less).
  • Dynamic Pivot Navigation: Start with one indicator (e.g., a domain or IP) and seamlessly pivot to related datasets, such as associated IPs, credentials, or dark web mentions, without starting a new query.
  • Context-Aware Pivoting: Dive deeper into results by pivoting to related indicators, assets, or actors, uncovering the full scope of a threat campaign with intelligent suggestions guiding the way.

These features enable seamless, graph-based exploration, connecting seemingly unrelated signals into a clear, actionable picture—no complex queries required.

What Is Intelligence Search Pivoting—and Why Does It Matter?

In cyber threat intelligence, pivoting is the process of following digital breadcrumbs. You start with a single clue—an IP address, suspicious domain, email, keyword, or leaked credential—and pivot to discover related data points. It’s like solving a mystery in real time: each clue uncovers another layer of the adversary’s infrastructure or intent.

Traditionally, this investigative work required hours of manual digging, spreadsheet wrangling, and cross-referencing across siloed tools. Our new pivoting capability changes all that. With just a few intuitive clicks, ZeroFox Intelligence Search allows analysts to move seamlessly from one threat indicator to another, surfacing meaningful relationships from our expansive threat intelligence data graph. What once took hours now happens in minutes, empowering defenders to act faster and smarter.

A Smarter, More Streamlined Threat Hunting Workflow

The latest update to ZeroFox Intelligence Search introduces a more intuitive, flexible, and powerful way to pivot across its massive threat intelligence data graph. Here’s why this matters for security teams:

Accelerated Investigations

In cybersecurity, speed is critical—it takes organizations an average of 258 days to identify and contain a breach (194 days to detect, 64 days to contain). In that time, threat actors can escalate attacks, move laterally, and inflict serious damage. ZeroFox’s pivoting functionality is designed to radically reduce that window. Analysts can now move seamlessly from one indicator, like a suspicious domain, to every related entity: IP addresses, credential leaks, dark web mentions, threat actor chatter, and malware signatures. What once took days can now happen in minutes, enabling teams to go from detection to action before attackers escalate.

Reveal Hidden Threat Relationships

ZeroFox’s Threat Intelligence solutions combat orchestrated cyberattacks by leveraging pivoting functionality to uncover relationships across threat vectors, providing a holistic view of the threat landscape. Below are key ZeroFox intelligence capabilities:

  • Proprietary HUMINT (Human Intelligence): ZeroFox’s DarkOps team gathers exclusive insights from underground forums and channels like TOR and Telegram, providing early warnings on attacker plans and stolen data to disrupt threats proactively.
  • Dark Web Monitoring (Real-Time Threat Discovery): Leverages AI to continuously scan deep and dark web sources for compromised credentials, data leaks, ransomware chatter, and malicious toolkits. This foundational layer enables early identification of exposed assets and threat actor activity targeting your organization.
  • Advanced Dark Web Reporting (Context-Rich Threat Intelligence): Goes beyond alerts to deliver deep-dive threat intelligence reports combining AI and HUMINT. Includes specific indicators such as dark web URLs, exposed PII, actor aliases, and discussion context. Ideal for security teams that require validated, actionable intelligence for incident response, attribution, or takedown operations.
  • Finished Intelligence Reports: Expert analysts deliver curated reports with actionable insights on emerging threats and attacker TTPs, tailored to an organization’s specific risk profile.
  • Cross-Platform Social Media Analysis: Uses AI-driven NLP and OCR to monitor platforms like Facebook and LinkedIn, identifying impersonations and phishing to prevent fraud and reputational damage.

This multidimensional view turns isolated indicators into rich narratives, helping analysts understand not just what happened, but why, how, and what’s next.

Tailored Investigations by Industry or Region

Every organization faces unique risks. A hospital may face data extortion campaigns targeting patient records, while a financial firm might be targeted by credential harvesting or wire fraud. With pivoting, you can tailor investigation paths based on what matters most to your organization—region-specific threats, industry-related TTPs, or adversary groups focused on your sector.

Pivoting + Saved Searches = Repeatable Intelligence Workflows

In April 2025, we launched Saved Searches, enabling analysts to build and reuse complex search logic. Now, with pivoting fully integrated, those searches become even more powerful. You can create full pivot chains—across domains, IPs, credentials, and more—and revisit them to track persistent threats or monitor adversary activity. It’s threat hunting made repeatable, scalable, and efficient.

How ZeroFox Intelligence Search Pivoting Works: A Real-World Example

Your security team receives an alert: a suspicious domain is mimicking your brand. Here’s how pivoting with ZeroFox Intelligence Search helps your SOC spring into action:

  1. Start with the Domain: Enter the domain into the platform. ZeroFox pulls up an intelligence profile: WHOIS info, hosting details, DNS records, and mentions across threat actor forums.
  2. Pivot to the IP Address: Notice an IP address associated with the domain? Click to pivot and discover additional domains hosted on the same server, one linked to a known phishing kit.
  3. Explore Credential Leaks: Pivot again to see if credentials linked to your organization have been posted in the same forums, revealing a leaked batch of employee emails and passwords.
  4. Take Action: Your team can now:
    • Block the malicious domain at the network edge
    • Invalidate and reset the exposed credentials
    • Initiate takedown requests through ZeroFox’s platform
    • Feed the new IoCs into your SIEM and SOAR systems for automated monitoring

What started as a single IoC becomes a full-scale incident response, fueled by intelligent, connected threat data.
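The pivot chain in the example above (domain, then IP, then co-hosted domains and leaked credentials), shown as an added Python example over a constructed in-memory relationship list. It is not ZeroFox code and does not use the ZeroFox API; every indicator, relation name, and function name here is an assumption made for illustration.

```python
from collections import deque

# Constructed sample relationships (not ZeroFox data or its API). Hosts and
# addresses use reserved documentation names and ranges.
EDGES = [
    ("domain:examp1e-login.example", "resolves_to", "ip:203.0.113.10"),
    ("domain:example-billing.example", "resolves_to", "ip:203.0.113.10"),
    ("domain:shop.example", "resolves_to", "ip:203.0.113.10"),
    ("domain:example-billing.example", "serves", "kit:constructed-kit-a"),
    ("domain:examp1e-login.example", "mentioned_in", "post:forum-1001"),
    ("post:forum-1001", "contains", "credential:alice@example.com"),
    ("post:forum-1001", "contains", "credential:bob@example.com"),
    ("domain:unrelated.example", "resolves_to", "ip:198.51.100.7"),
]

def build_index(edges):
    """Index every edge in both directions so a pivot can start at either end."""
    index = {}
    for src, _rel, dst in edges:
        index.setdefault(src, set()).add(dst)
        index.setdefault(dst, set()).add(src)
    return index

def pivot(index, seed, max_hops=3):
    """Breadth-first pivot from seed; returns {indicator: hops from seed}."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue  # bound the walk: shared infrastructure fans out quickly
        for nxt in sorted(index.get(node, ())):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def triage(index, seed, found):
    """Split results: block corroborated domains, review co-hosting-only ones."""
    plan = {"block": [], "review": [], "reset": []}
    for node in sorted(found):
        kind, value = node.split(":", 1)
        if kind == "credential":
            plan["reset"].append(value)
        elif kind == "domain":
            # A domain seen only through a shared IP is a lead, not a verdict.
            corroborated = node == seed or any(
                n.startswith(("kit:", "post:")) for n in index[node])
            plan["block" if corroborated else "review"].append(value)
    return plan

INDEX = build_index(EDGES)
SEED = "domain:examp1e-login.example"
PLAN = triage(INDEX, SEED, pivot(INDEX, SEED))
```

The shared IP itself is deliberately left out of the block list: on shared hosting, an address-level block also cuts off the uncorroborated neighbours that land in `review`.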

From Reactive to Proactive: The Strategic Advantage of Intelligence Search Pivoting

The pivoting capability doesn’t just change how you search for and investigate threats—it changes how you prepare for and prevent them. The 2025 Verizon Data Breach Investigations Report shows that organizations leveraging intelligence-led strategies reduce breach impact by over 50%.

With pivoting in ZeroFox Intelligence Search, your security team can:

  • Connect the dots across vast intelligence sources
  • Prioritize real threats over background noise
  • Harden your defenses before the next wave of attacks hits

Whether you're fighting phishing, ransomware, supply chain compromises, or AI-driven threats like deepfakes, the ability to investigate intelligently gives you a major edge.

Ready to Pivot Smarter?

Ready to experience the power of pivoting in ZeroFox Intelligence Search? Contact the ZeroFox team for a demo and see how this game-changing functionality can transform your threat intelligence operations. In a world where cyber threats grow more sophisticated by the day, ZeroFox equips you with the tools to hunt smarter, respond faster, and stay ahead of the curve.

Kelly Kuebelbeck

Senior Product Marketing

Kelly Kuebelbeck is a dedicated threat researcher with a strong passion for understanding and combating cybercrime. She has over 15 years of marketing experience in cybersecurity, IoT risk management, and healthcare technology management. As a senior product marketer at ZeroFox, Kelly oversees Threat Intelligence and EASM (Enterprise Attack Surface Management) breach prevention technologies, develops product content, and supports product launches. Before joining ZeroFox, she held marketing leadership positions at Asimily, Smarten Spaces, and Accruent.

Tags: Dark Web Monitoring, Threat Intelligence
