Intent Detection – Categories
Threat Intent
Traditionally, security tools focus on identifying whether a URL is malicious. Threat Intent goes a step further by answering:
- What is the attacker trying to achieve?
- How is the user being targeted?
- What signals led to this classification?
How It Works
Each detected phish or scam URL is analyzed to determine:
- Threat Intent – The primary goal of the attack
- Threat Intent Summary – A short explanation of why the URL was categorized this way based on key signals found on the page (e.g., login forms, fake branding, redirect behavior)
Threat Intent Categories
Below are the supported Threat Intent categories and what they represent:
- Brand Impersonation
Cloned or lookalike brand page designed to appear legitimate, without directly capturing credentials. - Domain Parking
Domain parked/for-sale but using brand name or assets. - Credential Harvesting
Login or authentication page designed to steal user credentials (email, password, SSO). - Info Stealer
Collects sensitive personal or financial information beyond credentials (credit card, SSN, phone number, address) - OAuth Phishing
Fake authorization or consent flows attempting to gain access via OAuth or SSO permissions. - Business Email Compromise (BEC)
Fake invoices, wire requests, or executive impersonation targeting financial transactions. - Gift Card Scam
Reward card scam, requests for gift cards or prepaid cards under false pretenses. - Online Store
Fraudulent e-commerce sites designed to collect payments without delivering goods. - Malware Distribution
Pages offering fake downloads, updates, or software that install malicious payloads. - Captcha Lure
Fake CAPTCHA pages used to trick users into enabling push notifications or triggering malicious actions. - Redirect
Pages that automatically redirect users to another malicious destination. - Social Engineering
Uses urgency, fear, or incentives (e.g., prizes) to manipulate users without directly collecting credentials. - Tech Support Scam
Fake support pages urging users to call or interact with fraudulent customer service. - Warning
Fake security warning, virus alert, or browser alert.
Where to Access Threat Intent
Threat Intent and Threat Intent Summary are available across both table views and visualizations in the Web module.
Table Views (Takedown Malicious & Post Malicious)
You can access Threat Intent directly in the table views:
- Navigate to Takedown Malicious or Post Malicious
- Open the column selector (table settings)
- Enable:
- Threat Intent
- Threat Intent Summary
Once enabled, these columns will display for each URL, giving you immediate visibility into the attacker’s objective and the reasoning behind the classification.
Takedown Activity
Threat Intent is also integrated into Takedown Activity, where it powers key visualizations:
- Volume View – Understand distribution of threats by intey
- Time View – Analyze which providers are most associated with specific threat intents and how takedowns are progressing
This allows you to move beyond raw counts and gain a clearer understanding of what types of attacks are happening, where they are hosted, and how effectively they are being mitigated over time.
Categories
Bolster’s classification model uses deep learning and natural language processing to analyze webpage content and behavior, classifying pages into the following categories:
Bolster’s Intent Detection model leverages the capabilities of deep learning and natural language processing to detect the intent of a webpage. Currently, the model can classify webpages into the following categories.
| Category Name | Category Mnemonic (for API calls) | Description |
|---|---|---|
| Sensitive Data | sensitive_data | Webpages asking for user’s login or personal information |
| Shopping/ eCommerce | online_store | Webpages selling products/services online |
| Cryptocurrency | crypto | Webpages with cryptocurrency-related content |
| Gambling | gambling | Online gambling, casinos, and betting websites |
| Gaming | gaming | Online gaming websites |
| Captcha | captcha | Webpages asking users to fill in a captcha |
| Promo Code | promo_code | Webpages claiming to give away promo codes of any brand |
| Tech Support | tech_support | Webpages prompting users to call a tech support number |
| Survey | survey | Webpages asking users to fill in a survey |
| Gift Card | gift_card | Webpages claiming to give away gift cards to users |
| Hacked Websites | hacked_site | Websites that have been hacked |
| Domain Parking | domain_parking | Websites that do not host active content, but are registered and parked for later use/ sale |
| Pharmacy/ Drug | pharma | Webpages containing content about pharmacies and drug stores |
| Streaming | streaming | Websites streaming movies, tv shows, live games and other content |
| Error Pages | error_page | Webpages that display error messages |
| Directory Listing | directory_listing | Webpages that display the directory with files/ folders |
| Banking | banking | Websites related to banks |
| Warning | warning | Webpages displaying a warning sign against potential phishing/ malicious pages |
| Health | health | Websites that contain health-related content |
| App store | app_store | Distribution platforms for mobile applications online |
Contact | contact | Webpages offering users an opportunity to contact the organization |
| BEC | bec | Webpages that ask users to sign in, but are not associated with any brand. These webpages are used to carry out BEC scams. |
| Adult | adult | Websites hosting adult/ NSFW content |
