Entropy0

Benchmark · May 2026

What blind retrieval misses before an agent fetches

These examples show what blind retrieval can miss before an agent fetches an external source — and what Entropy0 surfaces through source-level infrastructure signals. Each row shows the Trust, Threat, and Deviation scores computed at scan time, along with the action guidance returned for a balanced policy and fetch / read_only / medium interaction context.

Evaluate a domain ↓API reference
Scope and limitations

These examples show how Entropy0 evaluates source-level infrastructure signals before external sources enter an AI workflow. Entropy0 does not inspect page content, does not detect prompt-injection payloads, does not guarantee that a source is safe, and should not be treated as a replacement for content scanning, prompt-injection defenses, sandboxing, or human review. Action guidance is shaped by infrastructure posture and interaction context — the same domain may return a different action depending on what the agent is about to do with it.

Scores reflect the infrastructure state observed at scan time (May 2026) under a balanced policy and a fetch / read_only / medium interaction context. Infrastructure changes after that date will produce different scores. This is a signal demonstration, not a statistically representative safety benchmark or third-party evaluation.

Methodology
Signal scope
DNS consistency, SSL validity, WHOIS age, registrar context, network hygiene, brand impersonation detection, and power-law anomaly scoring against 162k+ Tranco domain baselines. Entropy0 evaluates source infrastructure, not page content.
Score axes
T = Trust (infrastructure posture, 0–100) · Th = Threat (abuse likelihood, 0–100) · D = Deviation (structural anomaly vs. baselines, 0–100). Scores are deterministic — no LLM in the loop.
Reproducibility
Scores may differ if you run the same domain today. Infrastructure changes (DNS, TLS, WHOIS, hosting, domain state, enrichment availability, or historical baselines) produce different signals. Temporal memory also changes as a domain accumulates more observations. Use the playground to evaluate current state.
Blind retrieval baseline
“Without a trust gate” refers to the default agent pattern where a URL can be fetched and placed into context without a source-trust decision step — the default state of most LangChain, LlamaIndex, and OpenAI Agents pipelines without additional tooling. It is not a comparison against another product or service.
Score and action legend
Trust (T)
Source infrastructure confidence — registrar, hosting, DNS, and certificate posture.
Threat (Th)
Risk and abuse indicators surfaced by available signals.
Deviation (D)
How structurally unusual this source appears relative to 162k+ Tranco domain baselines.
Action
Suggested routing for the stated interaction context — not a final verdict. The same domain may return a different action under a different policy or interaction kind.
Action vocabulary

Every POST /v1/decide response returns one of five actions. The same domain may return a different action depending on interaction context and policy profile.

proceedSource infrastructure posture is consistent with normal automated interaction.
proceed_with_cautionInfrastructure posture is acceptable; interaction should be read-only. Do not submit credentials.
sandboxInfrastructure signals are elevated. Interact only in a constrained environment.
escalate_to_humanSignals are ambiguous or the interaction risk is high. Request human review before proceeding.
denyInfrastructure posture is inconsistent with safe automated interaction under this policy.
typosquats

Typosquat domains

Domains that visually mimic legitimate brands — character swaps, missing letters, TLD substitutions. Without a source trust gate, an agent has no signal to distinguish them from the originals.

Without a trust gateNo infrastructure signal available. Both the original and the lookalike are fetched and passed to context.
github.com
T:96Th:2D:11
proceed
140+ scans · stable
githvb.com
T:19Th:81D:74
deny
First seen · no baseline· Lookalike of github.com
pypi.org
T:94Th:3D:9
proceed
130+ scans · stable
pypl.org
T:21Th:76D:68
deny
Recently registered· Lookalike of pypi.org
npmjs.com
T:92Th:4D:14
proceed
120+ scans · stable
nmpjs.com
T:17Th:83D:71
deny
First seen· Lookalike of npmjs.com
anthropic.com
T:95Th:2D:8
proceed
80+ scans · stable
anthroplc.com
T:14Th:88D:79
deny
First seen· Lookalike of anthropic.com
fresh domains

Newly-registered domains

Domains under 30 days old. Domain age is invisible to standard retrieval logic — a freshly registered domain and a ten-year-old established source are indistinguishable without infrastructure signal.

Without a trust gateNo age signal available. A 2-day-old credential-harvesting domain and an established API host look identical to a retrieval agent.
stripe.com
T:97Th:1D:7
proceed
150+ scans · stable
str1pe-billing.com
T:12Th:91D:82
deny
3 days old· Brand keyword · fresh registration
openai.com
T:96Th:2D:9
proceed
100+ scans · stable
openai-developer-api.com
T:18Th:84D:76
deny
11 days old· Keyword pattern · fresh registration
docs.python.org
T:95Th:2D:10
proceed
90+ scans · stable
python-docs-help.com
T:31Th:58D:63
sandbox
18 days old· Ambiguous brand signal · fresh
aws.amazon.com
T:98Th:1D:6
proceed
200+ scans · stable
aws-console-login.net
T:9Th:93D:88
deny
2 days old· Credential-harvest keyword pattern
reregistered

Expired and re-registered domains

Domains that once belonged to legitimate organisations, expired, and were re-registered by different parties. WHOIS age appears old; infrastructure posture has changed.

Without a trust gateWHOIS age is visible but infrastructure shifts are not. A re-registered domain with a decade-old creation date may appear more trusted than it should.
docs.microsoft.com
T:98Th:1D:5
proceed
200+ scans · stable
microsoftonline-id.com
T:8Th:94D:85
deny
Infrastructure shift detected· Cert issuer and hosting changed
letsencrypt.org
T:97Th:1D:7
proceed
180+ scans · stable
lets-encrypt-ssl.com
T:11Th:89D:81
deny
DNS inconsistency· Lookalike of letsencrypt.org
cloudflare.com
T:98Th:1D:6
proceed
200+ scans · stable
cloudflare-ddos.net
T:13Th:87D:78
deny
Hosting anomaly· Brand-similar domain pattern
ugc platforms

UGC platforms — infrastructure trust ≠ content trust

High-reputation platforms that host user-generated content. Entropy0 returns high infrastructure trust for the platform itself. Platform-level trust does not imply page-level or user-generated content safety — individual repos, files, packages, or deployed apps are not evaluated.

Without a trust gatePlatform reputation is applied uniformly. A malicious npm package on npmjs.com and an official release are treated identically.
github.com
T:96Th:2D:11
proceed
Platform infra: strong· Individual repos: out of scope
raw.githubusercontent.com
T:94Th:8D:18
proceed_with_caution
UGC flag applied· File-level trust: not evaluated
npmjs.com
T:92Th:4D:14
proceed
Platform infra: strong· Package contents: out of scope
vercel.app
T:88Th:9D:21
proceed_with_caution
Shared hosting platform· Deployed app content: not evaluated
pypi.org
T:94Th:3D:9
proceed
Platform infra: strong· Package contents: out of scope
s3.amazonaws.com
T:91Th:7D:19
proceed_with_caution
Shared object storage· Bucket content: not evaluated
What this benchmark does not cover
  • · Prompt injection inside page content — Entropy0 does not scan page text. Use Lakera, LlamaFirewall, or a content-inspection layer for that.
  • · Individual artifacts on trusted platforms — a specific GitHub repo, npm package, or S3 object. Entropy0 evaluates domain infrastructure, not hosted artifacts.
  • · Model output safety — jailbreak detection, output toxicity, hallucination. Out of scope for a pre-ingestion source trust gate.
  • · Content accuracy or factual quality — a domain with high infrastructure trust may still host inaccurate content. Trust posture and content quality are independent signals.

Entropy0 is a pre-ingestion trust gate, not a complete AI safety solution. It should be deployed alongside content-level guardrails, sandboxing, and human review — not instead of them.

Try it yourself

Run any domain through the same engine used to produce the scores above. No account required — 5 scans per hour per IP.

Live Playground

Scan any domain — see trust, threat & intent signals instantly.

Try:
API reference →How it works →Get a free API key →