WhoisXML API Participates in Black Hat Europe 2025

Brendan O’Doherty, Intelligence Partnerships at WhoisXML API, joined over 4,500 security professionals at Black Hat Europe 2025, which took place from December 8 to 11, 2025, at ExCeL London in the United Kingdom.

As with Black Hat USA back in August 2025, the week kicked off with a few days of intensive cybersecurity training sessions before transitioning into two days of main briefings and business hall activities.

Here’s a recap of the most prominent themes of the event.

Agentic AI and Autonomy as the Next-Gen Defense

One of the major themes at Black Hat Europe 2025 centered on the role of agentic AI in cybersecurity. Unlike basic chatbots, AI agents—including WhoisXML API’s very own Jake AI—can perform complex tasks on behalf of users. These agents are fast becoming a powerful tool for cyber defenders, but they are also changing the nature of cyber attacks.

In “AI Unleashed: Witness the Next Generation of Cyber Defense and Offense,” two Broadcom representatives argued the offensive and defensive sides against each other, showing how autonomous AI agents are being weaponized for sophisticated intrusions and how defenders are racing to build adaptive, agent-based security platforms in response.

Dick O'Brien, Security Strategist at Broadcom ESG, demonstrated how AI agents handle the heavy lifting for intruders, not only as writing assistants for phishing lures but also as autonomous operators. Paul Miller, Principal Intelligence Analyst at Broadcom ESG, countered that defenders are already using AI to achieve ambient security—where defense is built in and moves as fast as the threat.

This built-in defense is not so far-fetched. In fact, another session, “Make Agent Defeat Agent: Automatic Detection of Taint-Style Vulnerabilities in LLM-based Agents,” introduced a fuzzing diagnostic framework that detects taint-style vulnerabilities in LLM-based agents.

Integrating vulnerability detection into AI security applications is critical because the risk these intelligent systems pose is real. In another briefing, Tencent researchers reported finding more than 500 unique vulnerabilities after an eight-month investigation into 1,000 MCP projects on GitHub. Once such vulnerabilities are mitigated, the speakers argued, agentic AI can take over triage, and they cited a 60-80% reduction in containment time for Blue Teams that adopt it.

Security Embedded in the Modern SDLC

Speaking of built-in defense, several sessions at Black Hat Europe 2025 emphasized the need to stop treating security as an afterthought and instead integrate it directly into the Software Development Lifecycle (SDLC). Experts demonstrated how AI-driven tooling, such as CodeQL combined with LLMs, helps teams keep pace with the volume of vulnerabilities inherent in modern software stacks by flagging issues as developers write code.

Several briefings tackled application security (AppSec), including “Unsafe Code Detection Benchmark: Stress-Testing SAST And LLMs On Modern Web Backends,” which addressed the semantic gap between traditional static analyzers and modern web frameworks like FastAPI, Next.js, and NestJS. The benchmark offers a way forward for organizations stuck between traditional scanning and the new wave of AI-powered security tooling.

Speakers at the session “Productivity vs Pitfall: What New Research Reveals About the Path to Secure AI Adoption,” meanwhile, addressed the invisible risks introduced by AI-generated code and open-source models. They presented a workflow-integrated approach that aligns AppSec and engineering teams, turning security from a bottleneck into a natural, automated part of the daily coding routine.

Google security engineers showed how modern AI/ML workflows remain vulnerable to pickle deserialization attacks despite existing scanners, and revealed new attacker techniques that bypass popular tools like Fickling and Picklescan. To address these threats, the speakers introduced SaferPickle, an open-source library that uses opcode inspection and behavioral analysis to harden the ML supply chain. Attendees learned how Google and VirusTotal are using this technology to secure workloads against sophisticated, fragmented-code exploits.
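To make the pickle problem concrete, here is a small added example (written for this recap; it is not code from the talk, from SaferPickle, or from WhoisXML API). It builds a constructed "model" pickle whose __reduce__ makes a plain pickle.load() call eval(), then shows the two defenses the talk's themes map to: static opcode inspection with the standard library's pickletools, which lists the globals a pickle would import without executing it, and an allowlisting Unpickler that refuses any global not explicitly permitted at load time. The payload, the ALLOWED_GLOBALS set, and the sample weights dictionary are assumptions made for the demonstration.

```python
import io
import pickle
import pickletools

# Constructed sample: an object whose __reduce__ makes pickle.load() call eval().
# The payload is deliberately harmless (it only reads the working directory);
# a real attacker would run arbitrary code at model-load time.
class MaliciousModel:
    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))

def build_samples():
    """Return (benign, malicious) pickles; both are constructed for this example."""
    benign = pickle.dumps({"weights": [0.1, 0.2], "layers": 2})
    malicious = pickle.dumps(MaliciousModel())
    return benign, malicious

# String-pushing opcodes whose arguments can feed STACK_GLOBAL.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data):
    """Opcode inspection: list every (module, name) the pickle would import,
    without executing it. GLOBAL carries the pair inline; STACK_GLOBAL takes
    the two most recently pushed strings, which we track with a small stack
    (sufficient for pickles produced by the standard pickler)."""
    found = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found

# Assumed allowlist of globals a weights file legitimately needs. The benign
# sample uses only builtin containers and numbers, so nothing is required;
# extend this deliberately, entry by entry, for real model formats.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def scan(data):
    """Static verdict: (safe, offending_globals), computed without loading."""
    offending = [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]
    return (len(offending) == 0, offending)

class RestrictedUnpickler(pickle.Unpickler):
    """Runtime guard: refuse any global outside the allowlist, so even a pickle
    crafted to slip past the static scan cannot resolve eval, os.system, etc."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_if_safe(data):
    """Return (loaded_object, error); error is None on success."""
    try:
        return safe_load(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)

if __name__ == "__main__":
    benign, malicious = build_samples()
    print("benign   :", scan(benign))
    print("malicious:", scan(malicious))
    print("plain pickle.loads runs the payload:", pickle.loads(malicious))
    print("restricted load:", load_if_safe(malicious))
```

The static scan is the cheap first pass and is what a scanner can run on an untrusted artifact before it ever reaches a loader; the talk's point is that attackers are finding ways to fragment or disguise the code path so that scanners miss it, which is why the allowlisting Unpickler, which denies by default at the moment the global is resolved, is the control to rely on. For new projects the cleaner answer is to avoid executable serialization formats for weights altogether, for example by using safetensors.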

The Rise of Self-Healing SOCs

The event also highlighted a move away from rigid, rule-based automation toward Security Operations Centers (SOCs) that can think and adapt during an active incident.

In “Nation-Scale SecOps: How CERT PL Scans Poland,” the speaker explained how Poland’s national-level security teams use automated, large-scale scanning and response frameworks to protect an entire country’s digital infrastructure.

In another briefing called “Flying into the SOC of the Future: How Virgin Atlantic's CISO Cleared the Runway for SecOps Transformation,” John White, CISO at Virgin Atlantic, shared how he future-proofed the airline’s security by ditching siloed, manual processes in favor of an AI-driven autonomous SOC.

A large part of creating self-healing SOCs involves consolidating fragmented tools into integrated platforms that reduce toil for service providers. “From Fiction to Fact – Autonomous SecOps in Action” showcased how modern platforms can address the alert fatigue and talent gap issues that have plagued the industry for years by using AI-powered investigation agents, MCP servers, no-code app editors, autonomous playbooks, and smart TV dashboards.

Footprint-Focused Threat Hunting

Black Hat Europe 2025 showcased how threat hunting is increasingly focused on following digital footprints.

In “Not Just Victims: The Hidden Villains Inside Infostealer Logs,” researchers demonstrated that leaked data can be a double-edged sword for the criminals who produce it. They used LLMs to parse the unstructured logs leaked by infostealer malware and turned them into leads for investigating other crimes, such as scams and underground operations. The logic mirrors how WhoisXML API researchers use the DNS footprints attackers leave behind to map out attacker infrastructure and uncover additional artifacts.

Another session introduced major contributions that help enterprises using macOS detect threats. These included Malware Analytics & Labeling for Enterprise Threats (MALET), a public dataset of macOS malware that allows researchers to train machine learning models and refine detection logic, and Katalina, a static analyzer that enables SOC teams to perform instant triage on unknown files using commodity hardware.

Researchers also shared new methods for tracking adversaries across decentralized platforms and supply chains. In “The Forensic Trail On GitHub: Hunting For Supply Chain Activity,” speakers presented a methodology for investigating and tracking supply chain attacks within the GitHub Actions ecosystem. They drew on real-world incidents to demonstrate how to use publicly available metadata—such as user behavioral heuristics, hidden Git commits, and deleted Gists—to unmask attackers and identify reconnaissance targets in real time.

About WhoisXML API

WhoisXML API is a seasoned OEM data provider specializing in delivering well-parsed, normalized, and comprehensive WHOIS, IP, and DNS intelligence. With more than 15 years of industry experience, we have amassed a vast repository of data, encompassing more than 23.8 billion historical WHOIS records, 50 billion hostnames, 116 billion DNS records, and 10.5 million IP netblocks, with 99.5% coverage of active IPv4 and IPv6 addresses.

We offer a wide range of domain, DNS, and other Internet intelligence solutions delivered via comprehensive databases, secure APIs, and intuitive web GUIs. Regardless of the consumption model, our intelligence serves as a robust foundation for leading cybersecurity products and services. Products such as our predictive threat intelligence data feeds combine AI-driven predictive analytics with domain telemetry to help organizations detect potentially malicious web properties early.

Trusted by more than 52,000 satisfied customers spanning the cybersecurity, marketing, law enforcement, e-commerce, and financial services industries, WhoisXML API has consistently been recognized for its rapid growth and innovation, earning multiple accolades as an Inc. 5000 honoree and a Financial Times Top Fastest-Growing Company.
