Initiate a Takedown Remediation

You can request that Rapid7 contact the host to request a takedown of a malicious domain, website, or mobile application. The following table shows to whom the takedown request will be sent:

| Takedown type | Host that will be contacted |
| --- | --- |
| Domain | Registrar |
| Website | Hosting provider |
| Mobile application | Application store |

Take down a suspicious domain or website

When you request to remediate a suspicious phishing alert (called a "takedown"), you can target either the suspicious website or the suspicious domain. Targeting the domain is a much stronger defense, because it prevents the threat actor from simply re-hosting the same website under that domain elsewhere.

If you have the required evidence against the domain, it is recommended to target the domain. If you lack that evidence, but you have good reason to suspect that the website is a phishing website, target the website.

Without properly-prepared evidence, registrars will not take down a domain. For more information, see the Evidence Best Practice Guidelines.

The following table summarizes the takedown recommendations for a suspicious phishing domain:

| Is there also a phishing website? | Do you have evidence for the domain? | Does the website appear to be a phishing website? | Take down this target |
| --- | --- | --- | --- |
| Yes or No | Yes | NA | Domain |
| Yes | No | Yes | Website |

Not all alerts can be remediated, and even for those that can, not every form of remediation is available. To see the available forms of remediation, see Remediation matrix. To remediate alerts that are not in Threat Command, contact Customer Support.

Initiate a takedown remediation

This section describes the steps required to initiate a takedown remediation of a domain, website, or mobile application. You can also have the alert closed automatically after it has been successfully remediated.

Before initiating a domain takedown, it is imperative to prepare evidence that satisfies the registrar's strict requirements. See the Evidence Best Practice Guide before attempting to take down a domain.

To initiate a takedown remediation:

  1. From the Alerts list, select an alert.
    If the Remediate option is not displayed, the selected alert is not a candidate for remediation. To see the available forms of remediation, see Remediation matrix.
  2. Start the request by doing either of the following:
    • From the Alert banner or the Alert description footer, click Remediate.
    • From the Alert options section, click the remediation option (shown as an icon in the original page).
  3. For a domain or website takedown, in the Takedown target area, select Domain or Website.
  4. If evidence is required, upload it.
    The success of a domain takedown depends on properly prepared evidence.
    See the Evidence Best Practice Guide before uploading evidence.
  5. (Optional) To automatically close an alert after it's been successfully remediated, select that option.
    Note: If you do not automatically close remediated alerts, they will remain open.
  6. Click Initiate Remediation Process.

The takedown remediation process begins. Progress is displayed in the Remediation panel.

You can view all remediation requests in the Remediations page.