WhoisXML API Joins DEATHCon 2025

WhoisXML API’s Alex Ronquillo, Vice President, and Ed Gibbs, VP of Research, participated in DEATHCon 2025 on November 8–9, 2025. The community-driven event on Detection Engineering and Threat Hunting (DEATH) successfully blended a virtual global conference with several localized in-person community gatherings in cities around the world, including Tacoma, San Diego, Austin, and Amsterdam.

Our team directly contributed to the event’s technical focus, with Alex Ronquillo and Ed Gibbs hosting an online workshop titled “TXTually Explicit: Malware & Middleware in Motion.” The session demonstrated modern techniques for leveraging DNS TXT records—often overlooked in security analysis—to uncover hidden software dependencies, trace command-and-control (C2) communications for malware, and expose system misconfigurations.
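As an added illustration of the TXT-record angle described above (this is example code written for this post, not material from the workshop), the script below classifies a constructed set of TXT records to surface third-party dependencies revealed by SPF `include:` mechanisms and vendor verification tokens, and flags two common SPF misconfigurations. The vendor-prefix table and the sample records are assumptions.

```python
"""Classify DNS TXT records to surface third-party dependencies and
SPF misconfigurations. All input records below are constructed samples."""
import re
from typing import Dict, List

# Constructed sample: TXT records seen at the apex of a hypothetical domain.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
    "v=spf1 ip4:203.0.113.0/24 +all",  # a second SPF record, ending in +all
    "google-site-verification=abc123EXAMPLE",
    "MS=ms12345678",
    "atlassian-domain-verification=EXAMPLEtoken",
    "random-opaque-string",
]

# Verification-token prefixes that reveal a SaaS relationship (assumed list).
VENDOR_PREFIXES = {
    "google-site-verification": "Google",
    "MS": "Microsoft 365",
    "atlassian-domain-verification": "Atlassian",
    "docusign": "DocuSign",
}


def analyze_txt(records: List[str]) -> Dict[str, List[str]]:
    """Return inferred dependencies and misconfiguration findings."""
    deps, findings = [], []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) > 1:
        findings.append("multiple SPF records (RFC 7208 requires exactly one)")
    for r in spf:
        # Every include: names a mail provider the domain depends on.
        deps += [t.split(":", 1)[1] for t in r.split()
                 if t.lower().startswith("include:")]
        terminator = r.split()[-1].lower()
        if terminator in ("+all", "?all"):
            findings.append(f"permissive SPF terminator '{terminator}'")
    for r in records:
        # key=value tokens whose key is a known vendor prefix.
        m = re.match(r"([A-Za-z0-9-]+)=", r)
        if m and m.group(1) in VENDOR_PREFIXES:
            deps.append(VENDOR_PREFIXES[m.group(1)])
    return {"dependencies": sorted(set(deps)), "findings": findings}


if __name__ == "__main__":
    for k, v in analyze_txt(SAMPLE_TXT).items():
        print(k, v)
```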

The workshop video detailing how to use DNS TXT records for advanced threat hunting is available here:

In this post, we share some of the major themes from workshops and sessions at DEATHCon 2025.

Pursuing Detection Engineering Maturity

DEATHCon 2025 highlighted a collective goal to make defenses resilient enough to withstand advanced attacks. Rather than relying solely on known signatures, security teams were urged to move beyond basic rule-writing to focus on adversarial detection engineering. 

A workshop called “My Detection Machine” presented a technique for connecting the entire threat life cycle—from raw threat intelligence and threat hunting operations to detection engineering and alert triage. The goal was to bridge the gap between knowing about threats and acting on them.

Another workshop focused on automating repetitive, high-volume tasks in the detection life cycle. The speaker, Ale Houspanossian, walked participants through setting up an entire automated detection engineering pipeline, covering the documentation of detections, automated deployments and validation, and the creation of an automated heat map with ATT&CK Navigator. There was also a training session on building production-ready email threat detection rules that rely on sentiment analysis and behavioral patterns.

Throughout the conference, it was made clear that achieving detection maturity requires the ability to quickly analyze massive and complex datasets. This need was addressed by sessions that provided detailed guidance on specialized querying languages and tools, including:

  • Using Hql as a universal query language for log analysis.
  • Building custom memory analysis tools with the Modern Python Data Ecosystem.
  • Mastering advanced threat hunting techniques using Kusto Query Language (KQL).

Cloud Security and Identity Hunting

With infrastructure rapidly shifting to the cloud, DEATHCon 2025 emphasized that the traditional security perimeter has dissolved. Several workshops focused on defensive strategies in modern cloud and hybrid environments, noting that to protect cloud-native identity systems, attendees first need to understand advanced offensive techniques, such as:

  • Entra ID takeover: Workshops explored the advanced methods attackers use for tenant compromise in Entra ID (formerly Azure Active Directory), providing defenders with the knowledge needed to harden authentication and authorization pipelines.
  • AWS attacks: A workshop called “AWS Advanced Offensive Techniques, What Defenders Need to Know” focused on how to detect privilege escalation paths, instance misconfigurations, and lateral movement within the world's largest cloud environment.
  • Repository takeovers: A notable session (“From Workflow to Wreckage: Insecure GitHub Actions and Repo Takeovers”) focused on the risks inherent in modern continuous integration/continuous delivery (CI/CD) pipelines, highlighting the dangers of insecure GitHub Actions and the potential for repository takeovers and supply chain compromise that result from those misconfigurations.

DEATHCon workshops revealed that the sheer volume of logs and configurations in multi-cloud environments makes misconfiguration one of the major threat vectors, putting organizations at risk of the above threats, as well as subdomain takeovers and other DNS-based attacks.

AI and Automation for the Blue Team

AI is not just for adversaries. The conference showcased its practical applications for Blue Teams (defenders) to improve efficiency and scale. The central theme was using AI and machine learning to improve detection and threat intelligence by automating labor-intensive processes in the security lifecycle, an approach that organizations are adopting at greater scale. For example, asset discovery processes such as subdomain enumeration, asset mapping, and domain infrastructure discovery can be performed using an MCP server.

One session introduced PERSEPTOR, an AI-powered threat intelligence tool that demonstrated the potential for rapid defense. PERSEPTOR automates detection rule generation, enabling security teams to instantly create new detection rules from newly published threat reports, dramatically shortening the defensive response window. 

Furthermore, other workshops showed blue teams how to engineer agentic pipelines that integrate real-time intelligence feeds (e.g., open-source data from Mastodon streams) using automation platforms like n8n for processing and then feeding the enriched data directly into a threat intelligence repository like OpenCTI. The automated process ensures that threat intelligence is not only fresh but also immediately formatted and usable by security analysts.

About WhoisXML API

WhoisXML API is a seasoned OEM data provider, specializing in delivering well-parsed, normalized, and comprehensive WHOIS, IP, and DNS intelligence. With more than 15 years of industry experience, we have amassed a vast repository of data, encompassing more than 25.5 billion historical WHOIS records, 50+ billion hostnames, 116+ billion DNS records, 10.5+ million IP netblocks, and 99.5% coverage of active IPv4 and IPv6 addresses.

We offer a wide range of domain, DNS, and other Internet intelligence solutions delivered via comprehensive databases, secure APIs, and intuitive web GUIs. Regardless of the consumption model, our intelligence serves as a robust foundation for leading cybersecurity products and services, with products like predictive threat intelligence data feeds leveraging AI predictive analytics capabilities and domain telemetry to enable organizations to detect potential malicious web properties early.

Trusted by more than 52,000 satisfied customers spanning cybersecurity, marketing, law enforcement, e-commerce, and financial services, WhoisXML API has consistently been recognized for its rapid growth and innovation, earning multiple accolades as an Inc. 5000 honoree and a Financial Times Top Fastest-Growing Company.
