Access Now & WhoisXML API: Faster Global Incident Response for Human Rights Defenders
About
Access Now is a global non-profit civil society organization dedicated to defending and extending the digital rights of individuals and communities at risk. Access Now combines direct technical support, strategic advocacy, grassroots grantmaking, and convenings such as RightsCon to fight for human rights in the digital age.
A key component of their mission is the Digital Security Helpline (“the Helpline”), a 24/7 service providing real-time incident response, digital safety advice, and technical support to activists, journalists, and human rights defenders worldwide.
Highlights
- Manual identification of TTPs and connected phishing domains proved slow and inefficient.
- The Helpline’s Incident Response Analysts used the MCP Server to run WHOIS queries programmatically and map malicious infrastructure via the Gemini CLI.
- This partnership delivered a 60% gain in efficiency while providing the critical ownership context needed to mitigate emerging threats.
Phishing Investigations Require Easy Access to Accurate Domain Registration Data
Incident Response Analysts at Access Now work with civil society to identify, collect, and preserve evidence, and to expose advanced threats and attacks, which include sophisticated spear-phishing campaigns targeting activists, journalists, and human rights defenders for their truth-telling and accountability work. The primary hurdles involve uncovering Tactics, Techniques, and Procedures (TTPs), pivoting between domains linked to the same campaign, and achieving accurate attribution.
The Helpline required reliable methods to efficiently access and search WHOIS records or track registrant email reuse, to reduce the time and increase the accuracy of its investigations. A limited ability to effectively search for shared registration data meant that related phishing domains could easily be overlooked, leaving human rights defenders exposed to ongoing threats and hindering the Helpline's ability to provide timely and comprehensive protection to those at risk.
Automated WHOIS Queries Through the MCP Server
In 2025, Access Now incorporated WhoisXML API’s WHOIS API and MCP Server into their investigative workflow. Utilizing the Gemini CLI, analysts performed automated WHOIS lookups and interactively queried data to identify registrant email reuse across multiple suspicious domains.
The team had access to clean and structured records that allowed them to enrich phishing indicators with much-needed ownership context. The implementation proved straightforward, empowering analysts to rapidly analyze suspicious domains and pivot to related infrastructure, effectively mapping the global phishing campaigns.
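The registrant-email pivot described above, as an added example that is not Access Now's or WhoisXML API's code: it groups already-retrieved WHOIS records by normalized registrant email and sets aside redacted or privacy-proxy addresses, which would otherwise link unrelated domains. The record field names, sample domains and proxy list are constructed assumptions, not the API's response schema.

```python
from collections import defaultdict

# Constructed sample records (not real WHOIS data). The keys "domain" and
# "registrant_email" are a simplified, assumed schema for this example.
SAMPLE_RECORDS = [
    {"domain": "login-portal.example", "registrant_email": "Ops.Team@mailhost.example"},
    {"domain": "secure-verify.example", "registrant_email": "ops.team@mailhost.example "},
    {"domain": "account-check.example", "registrant_email": "REDACTED FOR PRIVACY"},
    {"domain": "news-update.example", "registrant_email": "abuse@privacy-proxy.example"},
    {"domain": "docs-share.example", "registrant_email": "abuse@privacy-proxy.example"},
    {"domain": "unrelated.example", "registrant_email": "owner@other.example"},
    {"domain": "no-contact.example", "registrant_email": None},
]

# Assumed proxy-service domains. A shared proxy address is not evidence of
# common ownership, so it must never be used as a pivot.
PRIVACY_DOMAINS = {"privacy-proxy.example"}


def normalize_email(raw):
    """Return a comparable lowercase address, or None if unusable as a pivot."""
    if not raw:
        return None
    email = raw.strip().lower()
    local, sep, host = email.rpartition("@")
    if not sep or not local or "." not in host or " " in email:
        return None  # redaction text or a malformed value
    if host in PRIVACY_DOMAINS:
        return None
    return email


def cluster_by_registrant(records, min_domains=2):
    """Map each reused registrant email to its domains; list unusable ones."""
    clusters = defaultdict(set)
    unusable = []
    for rec in records:
        email = normalize_email(rec.get("registrant_email"))
        if email is None:
            unusable.append(rec["domain"])
        else:
            clusters[email].add(rec["domain"])
    reused = {e: sorted(d) for e, d in clusters.items() if len(d) >= min_domains}
    return reused, sorted(unusable)


if __name__ == "__main__":
    reused, unusable = cluster_by_registrant(SAMPLE_RECORDS)
    print("reused registrant emails:", reused)
    print("needs another pivot:", unusable)
```

Domains returned in the second list have no usable registrant email and need a different pivot before they can be tied to a campaign.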
“Integrating WhoisXML API has transformed how we do our investigations. It allowed us to quickly pivot from fragmented data points to a comprehensive view of malicious infrastructure.”
Accelerated Response and Enhanced Visibility
The partnership has significantly bolstered Access Now’s incident response capabilities, yielding the following outcomes:
- Significant efficiency gains: Analysts achieved approximately 60% time savings compared to manual WHOIS lookups. The ability to query WHOIS data programmatically reduced manual workload and minimized the risk of missing related phishing domains.
- Enhanced infrastructure visibility: The team gained superior visibility into domain ownership patterns, facilitating the faster identification of related phishing domains through registrant email reuse.
- Actionable intelligence: Enriching phishing indicators with ownership context strengthened investigative analysis and supported more informed decision-making for Helpline users.