WhoisXML API Blog

Every successful penetration test or red team exercise begins with a scope. From there, DNS reconnaissance is one of the most useful ways to start building an asset map.
But DNS reconnaissance use cases aren’t limited to pentesting — one can do a lot of interesting things using DNS data as a starting point. In this post, we will look at the other applications of DNS reconnaissance and the tools that turn simple DNS queries into actionable data points for a security assessment. If you need a refresher on DNS basics before diving into DNS reconnaissance, check out this DNS primer.

Brendan O’Doherty, Intelligence Partnerships at WhoisXML API, joined over 4,500 security professionals at Black Hat Europe 2025, which took place from December 8 to 11, 2025, at Excel London in the United Kingdom.

As with Black Hat USA back in August 2025, the week kicked off with a few days of intensive cybersecurity training sessions before transitioning into two days of main briefings and business hall activities.

Here’s a recap of the most prominent themes of the event.

Cybercrime tactics always evolve, but few techniques are as persistent as the use of domain generation algorithms (DGAs). Even though they have evolved too.

These algorithms are designed to create a moving target for security teams. Attackers use DGAs to be able to rotate between domain names constantly — when one domain is detected, blocked, or taken down by law enforcement, DGAs allow threat actors to generate and switch to a new set of domains in a matter of seconds or minutes.

In this post, we will talk about the types of DGAs, how they are used by attackers, and how to protect against them.

Almost every activity on the Internet involves a DNS query, making DNS a rich source of threat information. There are many ways to use it — from filtering suspicious DNS requests for malware prevention to mapping threat actor infrastructure. In this article, we explore the different kinds of DNS intelligence, how they work, and how they are used in modern cybersecurity.

Cyber threat actors can hurt you, but did you know you can hurt them too? And it’s absolutely legal. You can make their lives harder — perhaps so hard that they stop attacking you altogether or, hopefully, even reconsider their careers. How do you do it?

Every time you block their attacks, you hurt them. You make them change something in the way they attack, which takes time and effort. Some of the changes hurt more than others. In this post, we talk about the Pyramid of Pain — a model that attempts to measure how blocking different things hurts attackers differently — and how it helps security teams evaluate and put different types of threat intelligence to good use.

Despite the recency of the hype, artificial intelligence (AI) in cybersecurity is nothing new. It has been used in this field for years, whether for heuristic malware detection and phishing prevention or calculating vulnerability scores. Even endpoint antivirus solutions have relied on machine learning components since the 1990s.

But, fast-forward to today, and AI has become much more widespread. Perhaps the key difference is that AI is now available to end users rather than only developers, so more people are using it (or exploring its use) beyond traditional fields. On top of that, AI has become much more advanced, which has resulted in many new use cases emerging in recent years. 

Take AI agents, for example. Nowadays, most routine tasks can be outsourced to one agent or another, and the role of humans is to keep up with the rapid development of AI, connect the dots, and think critically.

In this post, we will explore some of the use cases of AI agents in cybersecurity.

WhoisXML API analyzed 8.7+ million domains registered between 1 and 30 November 2025 to identify the most popular registrars, top-level domain (TLD) extensions, and other global domain registration trends. This number dropped 8.7% from 9.6+ million last month.

We also determined the top TLD extensions used by 31.9+ billion domains from our DNS database’s A record full file dated 6 November 2025, indicating a 17.5% drop from October’s 38.7+ billion domains.

Next, we studied the top TLDs of 1.0+ million domains, down from 1.1+ million in October, detected as indicators of compromise (IoCs) this month.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.

The longer a threat remains undetected, the more costly and disruptive it becomes. This is particularly concerning given that, on average, attackers stay hidden within a network for 24 days, as highlighted in Verizon’s 2025 Data Breach Investigations Report (DBIR). 

The data breaches resulting from those attacks hit the organizations quite heavily. According to IBM’s Cost of a Data Breach Report 2025, the average cost of a data breach is $4.44 million. The bright side is that this figure is 9% lower than the previous year, thanks to faster threat detection and response (TDR). 

If fast threat detection and response can significantly reduce the global average cost of a data breach, imagine what early detection can do. In this post, we explore early threat detection — what it actually means, why it matters, and the role AI plays in it.