WhoisXML API Blog

December 2025: Domain Activity Highlights

WhoisXML API analyzed 10.2+ million domains registered between 1 and 31 December 2025 to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number rose by 16.9% from 8.7+ million NRDs last month.

We also determined the top TLD extensions used by 27.3+ billion domains from our DNS database’s A record full file dated 4 December 2025, indicating a 14.6% drop from November’s 31.9+ billion domains.

Next, we studied the top TLDs of 1.1+ million domains, up by 5.0% from 1.0+ million in November, detected as IoCs this month.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.

Turning Abuse Signals into Coordinated Action: Strengthening Digital Trust and Internet Resilience in Latin America and the Caribbean

A conversation with Gonzalo Romero, Director of Abuse Signal Coordination (LAC), WhoisXML API

We are pleased to welcome Gonzalo Romero to WhoisXML API as Director of Abuse Signal Coordination for Latin America and the Caribbean (LAC). In this welcome interview, Gonzalo shares his perspectives on Internet abuse intelligence, ecosystem coordination, and digital trust.

Although grounded in his work across LAC, the insights discussed here reflect global challenges and considerations relevant to Internet abuse coordination worldwide.

DNS Reconnaissance: Real-Life Use Cases and Tools

Every successful penetration test or red team exercise begins with a scope. From there, DNS reconnaissance is one of the most useful ways to start building an asset map.
But DNS reconnaissance use cases aren’t limited to pentesting — one can do a lot of interesting things using DNS data as a starting point. In this post, we will look at the other applications of DNS reconnaissance and the tools that turn simple DNS queries into actionable data points for a security assessment. If you need a refresher on DNS basics before diving into DNS reconnaissance, check out this DNS primer.

WhoisXML API Participates in the Black Hat Europe 2025

Brendan O’Doherty, Intelligence Partnerships at WhoisXML API, joined over 4,500 security professionals at Black Hat Europe 2025, which took place from December 8 to 11, 2025, at Excel London in the United Kingdom.

As with Black Hat USA back in August 2025, the week kicked off with a few days of intensive cybersecurity training sessions before transitioning into two days of main briefings and business hall activities.

Here’s a recap of the most prominent themes of the event.

The Dangers of Domain Generation Algorithms and How to Protect Against Them

Cybercrime tactics always evolve, but few techniques are as persistent as the use of domain generation algorithms (DGAs). Even though they have evolved too.

These algorithms are designed to create a moving target for security teams. Attackers use DGAs to be able to rotate between domain names constantly — when one domain is detected, blocked, or taken down by law enforcement, DGAs allow threat actors to generate and switch to a new set of domains in a matter of seconds or minutes.

In this post, we will talk about the types of DGAs, how they are used by attackers, and how to protect against them.

DNS Intelligence: What It Means and Its Role in Cybersecurity

Almost every activity on the Internet involves a DNS query, making DNS a rich source of threat information. There are many ways to use it — from filtering suspicious DNS requests for malware prevention to mapping threat actor infrastructure. In this article, we explore the different kinds of DNS intelligence, how they work, and how they are used in modern cybersecurity.

The Pyramid of Pain: How to Fight Back in Cybersecurity

Cyber threat actors can hurt you, but did you know you can hurt them too? And it’s absolutely legal. You can make their lives harder — perhaps so hard that they stop attacking you altogether or, hopefully, even reconsider their careers. How do you do it?

Every time you block their attacks, you hurt them. You make them change something in the way they attack, which takes time and effort. Some of the changes hurt more than others. In this post, we talk about the Pyramid of Pain — a model that attempts to measure how blocking different things hurts attackers differently — and how it helps security teams evaluate and put different types of threat intelligence to good use.

7 Real-World Applications of AI Agents in Cybersecurity

Despite the recency of the hype, artificial intelligence (AI) in cybersecurity is nothing new. It has been used in this field for years, whether for heuristic malware detection and phishing prevention or calculating vulnerability scores. Even endpoint antivirus solutions have relied on machine learning components since the 1990s.

But, fast-forward to today, and AI has become much more widespread. Perhaps the key difference is that AI is now available to end users rather than only developers, so more people are using it (or exploring its use) beyond traditional fields. On top of that, AI has become much more advanced, which has resulted in many new use cases emerging in recent years. 

Take AI agents, for example. Nowadays, most routine tasks can be outsourced to one agent or another, and the role of humans is to keep up with the rapid development of AI, connect the dots, and think critically.

In this post, we will explore some of the use cases of AI agents in cybersecurity.