In recent years, the increased onset of modern malware has led to managers questioning how secure are these environments are from a variety of attackers. As an administrator’s time is typically constrained, it’s essential that a toolset provide increased visibility and ease of use, while generating information that is valuable to both technical and business stakeholders alike. IP address information alone is not adequate since modern attacks are typically leveraging DNS to hide in low cost hosted environments. DNS Miner seeks to provide visibility into an organization’s DNS activity. By combining up-to-date threat intelligence feeds, with the ability to compare existing endpoint DNS activity against newly blacklisted entries; DNS Miner can minimize the time needed to investigate potential incidents, allowing administrators to more accurately determine which of endpoints have accessed potentially malicious domains without disclosing that information outside the organization. This toolset was designed to be highly customizable by security administrators, which allows for greater control over the functionality, and reporting capabilities in order to properly align with business objectives. Effective incident response also requires containment mechanisms for newly identified security incidents that may be unique to the organization, I.E, not on any common public threat intelligence feed.