
Infoblox Threat Defense™ Tokens - Customer FAQs

These FAQs explain how Infoblox Threat Defense™ Tokens work, in plain language, for both IT security leaders and security engineers.

OVERVIEW AND KEY CONCEPTS

Q1. What is a token?

A token is a licensing unit that Infoblox uses to turn on and measure your entitlement to Threat Defense capabilities. Instead of buying many separate SKUs, you buy tokens and apply them across the Threat Defense portfolio.

Tokens come in two main types:

  • Security Tokens are used for core Threat Defense capabilities (Threat Defense Cloud, Threat Defense for NIOS, SOC Insights, Dossier and Lookalike Domain Monitoring).
  • Reporting Tokens are used when you export DNS logs and events from Threat Defense Cloud to external systems like security information and event management (SIEM), security orchestration, automation and response (SOAR), data lakes or other analytics tools.

Q2. How does the token model benefit my security program?

The token model is designed to maximize flexibility, value and visibility for your security program. Key benefits for security leaders and engineers include:

  • Ultimate Flexibility for Threat Defense: A single pool of Security and Reporting Tokens lets you enable and expand Threat Defense capabilities on your timeline, instead of renegotiating separate SKUs every time you want to add or test something new.
  • Highest Value Aligned to Real Risk: Licensing follows protected assets and DNS activity, not employee counts, so your spend tracks the infrastructure and workloads that actually drive exposure and where Threat Defense is blocking threats.
  • Full Financial Visibility with Simpler Procurement: The Infoblox Licensing Portal shows how tokens are allocated and used across capabilities, helping you forecast growth, justify renewals and avoid surprise overages, while a unified token agreement reduces repetitive procurement and legal cycles.
  • Best‑of‑Breed DNS Security that Grows with You: The same token model spans Threat Defense Cloud and Threat Defense for NIOS, so you can mix cloud and on‑prem protection, adopt new add‑ons and extend coverage to new sites and workloads without redesigning your license structure.

Q3. What is a “protected asset”?

A protected asset is any device, user endpoint, server or workload that sends DNS queries through Threat Defense for protection.

Examples include:

  • User devices such as laptops, desktops and mobile devices
  • Servers and virtual machines (VMs) in your data center
  • Cloud workloads, containers and services
  • IoT/OT devices that rely on DNS to reach the internet or internal services

Q4. Which Threat Defense products use tokens?

Within security, Security Tokens are used to license and scale:

  • Threat Defense Cloud: DNS security and visibility delivered from the cloud, licensed by the number of protected assets and their DNS activity.
  • Threat Defense for NIOS: DNS security enforced on‑premises using Infoblox NIOS appliances; licensed based on the model and capacity of the NIOS appliances you use.
  • SOC Insights: An add‑on to Threat Defense Cloud that uses analytics and asset context to reduce noise and highlight high‑priority DNS threats for your SOC team; licensed as a percent of your Threat Defense Cloud Security Tokens.
  • Dossier: A threat research workspace that lets analysts investigate indicators of compromise (IoCs) in more depth; licensed in increments of 25 queries per day (QPD).
  • Lookalike Domain Monitoring: Detects domains that mimic your brand or critical partners, so you can respond to impersonation and phishing risks; licensed in increments of 25 monitored domains.

Reporting Tokens are used when you:

  • Export enriched DNS logs and security events from Threat Defense Cloud
  • Stream events through Cloud Data Connector into SIEM, SOAR or data lakes such as Splunk, Elastic or hyperscaler services.
  • Export DNS logs, sized in increments of 10 million exported logs per month; each such increment requires 40 Reporting Tokens.

WHY INFOBLOX MOVED TO TOKENS

Q5. Why did Infoblox move away from per‑user (FTE) licensing?

Older per‑user licensing assumed your risk surface was tied mainly to employee count. That breaks down in modern environments where:

  • DNS traffic comes from many non‑user sources (servers, cloud workloads, IoT/OT, remote sites and service‑to‑service traffic).
  • A small number of users can generate very heavy DNS traffic (for example, due to local services or automation).
  • Some organizations have large non‑technical workforces that generate little or no network traffic.

As a result, per‑user licensing could underestimate risk in dense, infrastructure‑heavy environments and overestimate it in organizations with many low‑usage users.

The token model aligns licensing with what Threat Defense is actually protecting: your assets and their DNS activity. This:

  • Improves Fairness: You pay based on what you protect and how much traffic you put through the service.
  • Tracks Modern Architectures: Including hybrid and multi‑cloud, and enables easier migration when you are ready.
  • Supports Growth: As you add assets, sites and workloads, tokens scale with you.

SECURITY TOKENS VS. REPORTING TOKENS

Q6. What is a Security Token and what does it license?

A Security Token licenses core Threat Defense capabilities, including:

  • Threat Defense Cloud: Protection based on the number of protected assets and their DNS queries.
  • Threat Defense for NIOS: Protection based on the NIOS appliance model and its DNS security capacity.
  • SOC Insights: Licensed as an add‑on to Threat Defense Cloud.
  • Dossier: Licensed based on how many threat lookups you run.
  • Lookalike Domain Monitoring: Licensed by how many domains you monitor.

Security Tokens are not consumed or “spent” like credits. They represent a level of entitlement that is measured over time against your actual usage.

Q7. What is a Reporting Token and when do I need it?

A Reporting Token is used when you export DNS logs and events from Threat Defense Cloud to external tools, such as:

  • SIEM and SOAR platforms
  • Data lakes (for example, in a hyperscaler)
  • Other security analytics systems via Cloud Data Connector

Key points:

  • You do not need Reporting Tokens to use Threat Defense Cloud itself or to search recent DNS activity inside the Threat Defense portal.
  • Reporting Tokens are only counted when logs are exported out of Infoblox, not for searches or dashboards inside the product.

HOW TOKENS ARE ALLOCATED AND USED

Q8. How are tokens used for Threat Defense Cloud?

For Threat Defense Cloud, Security Tokens are tied to protected assets, the devices and workloads that send DNS queries through the service:

  • Per‑Asset Allocation. Each protected asset is sized against a typical daily DNS query budget. Light‑traffic assets effectively use less of that budget. Consistently heavy‑traffic assets can count as multiple assets from a licensing perspective. This keeps token usage aligned with real DNS load rather than just a static asset count.
  • Daily Tracking. Every 24 hours, Threat Defense Cloud takes a snapshot of how many protected assets were active and how many tokens that required for that day.
  • Monthly Peak and Three‑Month Average. For each month, the system records the monthly high‑water mark, the single day with the highest token allocation. Compliance is then checked using a rolling three‑month average of those monthly peaks against the customer’s purchased token count. If that rolling average is above what was purchased, the account is flagged for a true‑forward discussion; tokens are not “shut off” and there is no token “ceiling.”

The mapping is three Security Tokens per protected asset for Threat Defense Cloud, with the daily and rolling averages making sure that long‑term usage matches what’s licensed.

Q9. How are tokens used for Threat Defense for NIOS?

For Threat Defense for NIOS, Security Tokens are allocated based on the NIOS appliance models you use for enforcement.

Each supported model has an associated token level that reflects:

  • Its DNS security capacity (such as response policy zone (RPZ)/threat feed capacity)
  • The scale of protection it can provide to your network

This lets you pick the right appliance models for your environment and license them consistently through tokens. Please see the table below for the token count required for various NIOS appliance models:

NIOS Server Model    Capacity (RPZ Records in M)    Tokens
926                  6                              880
1516                 20                             2,270
1526                 20                             2,995
2326                 40                             6,755
4126                 40                             17,010
1415                 6                              1,800
1525                 8                              2,600
2215                 25                             3,860
2225                 25                             5,225
4015                 40                             11,690
4025                 40                             13,610

Q10. Are tokens tied to specific devices or permanently assigned?

No. Tokens are not hard‑assigned to specific devices or users. They function as an entitlement measured against your overall usage of Threat Defense services.

In practice, that means:

  • You can change your deployment (add or remove assets, move workloads, adjust policies) without manually “moving” tokens.
  • The Infoblox platform measures how much Threat Defense you are actually using over time and compares that to your purchased tokens.
  • You can easily trial new Threat Defense capabilities on a small set of assets or sites first. As you expand the trial, your increased usage is reflected through the same token entitlement instead of separate trial licenses.

Q11. Do tokens expire or carry over year to year?

Tokens are purchased for the term of your subscription or contract. During that period:

  • You have a defined number of Security and, if applicable, Reporting Tokens.
  • You can use those tokens across Threat Defense capabilities, as described above.
  • As your contract renews, you and your Infoblox account team can adjust token levels to match how your environment and usage have evolved.

Tokens are not a prepaid “bucket” that you burn down; they define the level of usage your subscription covers.

MONITORING USAGE AND UNDERSTANDING TRUE‑FORWARD

Q12. How can I see my token usage and entitlements?

You can see your token usage in the Infoblox Licensing Portal, which shows:

  • Tokens purchased, by type (Security Tokens and Reporting Tokens).
  • How tokens are currently used across Threat Defense Cloud, Threat Defense for NIOS and add‑ons such as SOC Insights and Dossier.

This gives you a clear view of:

  • How broadly Threat Defense is deployed
  • Which capabilities you’re using
  • How much headroom you have for further growth

Q13. What happens if my Threat Defense usage grows over time?

In normal operation, your environment will change as you add or remove users, workloads or sites. When this happens:

  • Threat Defense continues to protect your traffic as expected.
  • Your usage in the Licensing Portal will show how much of your entitlement you are using.
  • If your average usage is trending above your purchased token level, your Infoblox account team will talk with you about adding tokens so your license stays aligned with what you are protecting.

This gives you a clean way to grow coverage without surprises.

Q14. What is a true‑forward and when does it happen?

A true‑forward is a contractual adjustment that increases your licensed token entitlement when your sustained usage is higher than the number of tokens you purchased.

At a high level:

  • How is it measured?
    • For each token type (Security Tokens and Reporting Tokens), the platform tracks usage daily and records a monthly high‑water mark (the single highest usage day each month).
    • A rolling three‑month average of those monthly high‑water marks is then compared to the number of tokens you have licensed for that token type.
  • What triggers a true‑forward?
    • If the rolling three‑month average for any token type (Security or Reporting) exceeds your purchased token count, your account is considered to be operating outside of licensed entitlement for that token type and becomes subject to a true‑forward event. See https://www.infoblox.com/company/legal/infoblox‑threat‑defense‑supplemental‑termsand‑conditions/
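The measurement described in Q8 and Q14, worked through as an added example (not Infoblox code): daily snapshots become monthly high‑water marks, and a rolling three‑month average of those marks is compared with the purchased count. The dates, asset counts and the 3,000‑token entitlement are constructed; the per‑asset query budget is not given in this FAQ, so every asset is assumed to count once, and windows are assumed to run over consecutive calendar months.

```python
from collections import defaultdict
from datetime import date, timedelta

TOKENS_PER_ASSET = 3  # from the FAQ: three Security Tokens per protected asset


def monthly_peaks(daily_assets):
    """Map {date: active assets} to {(year, month): highest daily token count}."""
    peaks = defaultdict(int)
    for day, assets in daily_assets.items():
        key = (day.year, day.month)
        peaks[key] = max(peaks[key], assets * TOKENS_PER_ASSET)
    return dict(sorted(peaks.items()))


def true_forward_check(daily_assets, purchased_tokens, window=3):
    """Return [(month, rolling average of monthly peaks, exceeds entitlement)].

    A result is produced only once `window` months of data exist (assumption).
    """
    peaks = monthly_peaks(daily_assets)
    months = list(peaks)
    results = []
    for i in range(window - 1, len(months)):
        span = months[i - window + 1 : i + 1]
        average = sum(peaks[m] for m in span) / window
        results.append((months[i], average, average > purchased_tokens))
    return results


def constructed_usage():
    """Constructed sample: daily active assets, 2025-01-01 through 2025-05-31."""
    baseline = {1: 900, 2: 920, 3: 930, 4: 1050, 5: 1080}  # assets per month
    usage = {}
    day = date(2025, 1, 1)
    while day <= date(2025, 5, 31):
        usage[day] = baseline[day.month]
        day += timedelta(days=1)
    usage[date(2025, 1, 14)] = 1100  # single-day spike sets January's peak
    return usage


if __name__ == "__main__":
    purchased = 3000  # constructed entitlement (1,000 assets x 3 tokens)
    for month, average, flagged in true_forward_check(constructed_usage(), purchased):
        status = "true-forward review" if flagged else "within entitlement"
        print(f"{month[0]}-{month[1]:02d}: rolling average {average:.0f} -> {status}")
```

In this sample the January spike alone leaves the rolling average under the entitlement, while the sustained growth in April and May pushes the window ending in May above it.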

Q15. Will Threat Defense stop working if I exceed my tokens?

No. Threat Defense is designed to continue protecting your environment even if your usage temporarily goes above your licensed token level.

Key points:

  • There is no hard enforcement that suddenly blocks DNS security when you cross a threshold.
  • Instead, if your average usage stays above your entitlement, Infoblox will address it via true‑forward, adjusting your subscription level so it reflects how you are actually using the service.
  • You and your account team can then decide how to right‑size your deployment and licensing going forward.

This approach helps you maintain protection while still keeping licensing aligned with long‑term usage. It also means that seasonal peaks or one‑time anomalous spikes in DNS traffic will not disrupt protection or force an immediate token purchase unless that higher usage is sustained over a long enough period, so you can focus on security outcomes with greater peace of mind.

REPORTING AND LOG EXPORTS

Q16. Do I need Reporting Tokens to search DNS activity in Threat Defense?

No. You do not need Reporting Tokens for:

  • Searching recent DNS and security activity inside the Threat Defense portal
  • Using built‑in dashboards and reports for Threat Defense

Reporting Tokens are only used when you export logs outside of Infoblox to systems such as SIEM, SOAR, data lakes or other analytics tools.

Q17. When do I need Reporting Tokens?

You need Reporting Tokens when:

  • You rely heavily on a central SIEM or data lake and want Threat Defense DNS data included there for correlation and long‑term analysis.
  • You need to forward enriched DNS events to multiple tools via Cloud Data Connector.

You can work with your Infoblox account team to estimate how many DNS logs you expect to export and size Reporting Tokens accordingly.

WORKING WITH OTHER INFOBLOX AND HYPERSCALER OFFERINGS

Q18. How do tokens relate to Google Cloud DNS Armor or AWS integrations?

Threat Defense powers several integrations, including:

  • Google Cloud DNS Armor, powered by Infoblox: Bringing Threat Defense intelligence into Google Cloud DNS environments.
  • Infoblox Managed Rules for AWS Network Firewall: Using Infoblox threat intelligence to improve AWS Network Firewall policies.

Google Cloud DNS Armor, powered by Infoblox, is billed directly by Google in a customer’s Google Cloud Platform monthly bill. Infoblox Managed Rules for AWS Network Firewall is purchased and billed directly through the AWS cloud marketplace. They do not consume Security Tokens or Reporting Tokens.

Tokens are used to license Threat Defense products (such as Threat Defense Cloud and Threat Defense for NIOS). If you choose to use Threat Defense alongside these hyperscaler offerings, your tokens apply to the Threat Defense deployment itself, while Google Cloud DNS Armor, powered by Infoblox, and AWS Managed Rules continue to follow their native cloud billing models.

MOVING FROM OLDER THREAT DEFENSE LICENSING

Q19. I’m an existing Threat Defense customer on the older licensing model. Do I have to move to tokens?

If you are using a legacy Threat Defense offering, such as Threat Defense Essentials, Threat Defense Business (On‑Premises or Cloud), Threat Defense Advanced or Threat Defense Ecosystem, you can continue to use your current license for the term of your existing contract. Over time, Infoblox is standardizing new Threat Defense orders on the token‑based model.

When it is time to renew or expand:

  • Your Infoblox account team can show you how your current deployment maps to the tokens model.
  • You can move to tokens in a way that aligns coverage, traffic and contract value with what Threat Defense is actually doing for you today.

Q20. What changes should I expect when I move from legacy licensing to tokens?

When you move from a legacy Threat Defense SKU to tokens, you can expect:

  • Clear mapping of value, from user counts or older bundles to protected assets, DNS traffic and specific capabilities.
  • Unified licensing across Threat Defense Cloud and Threat Defense for NIOS, instead of managing separate models for each deployment type.
  • Easier adoption of add‑ons like SOC Insights, Dossier and Lookalike Domain Monitoring, which can now be turned on within the same token framework.

Your account team will work with you to ensure your new token level reflects both your current usage and expected growth.

GETTING STARTED

Q21. How do I get started with Threat Defense Tokens?

If you are new to Threat Defense or considering a move to tokens:

  1. Talk with your Infoblox account team or partner about your current environment: number of sites, how many knowledge workers you have, approximate number of assets, cloud‑based workloads and which security tools you already use.
  2. Discuss which Threat Defense capabilities you need, such as:
    1. Threat Defense Cloud for protecting users and workloads across on‑prem and cloud
    2. Threat Defense for NIOS for on‑prem DNS security
    3. SOC Insights to reduce alert noise
    4. Dossier for investigations
    5. Lookalike Domain Monitoring for brand and supply chain protection
    6. Log Exports to SIEM/SOAR or data lakes
  3. Agree on an initial token level that covers your current deployment with reasonable headroom for growth.

From there, you can adjust your token levels over time as Threat Defense usage and coverage evolve.
