WhoisXML’s Alex Ronquillo on Domain Age as a Security Signal episode artwork

EPISODE · May 19, 2025 · 27 MIN

WhoisXML’s Alex Ronquillo on Domain Age as a Security Signal

from Ahead of the Breach · host Sprocket

From a casual gaming project at NASA's JPL to powering 700+ cybersecurity vendors, WhoisXML API has become the foundation of modern threat intelligence. In this episode of Ahead of the Breach, recorded at RSA Conference 2025, Casey sits down with Vice President Alex Ronquillo to explore how domain registration data has become critical infrastructure for security tools and how penetration testers can leverage this intelligence in their work. Alex takes us behind the scenes of the massive data collection operation that tracks billions of domain events monthly, explaining how even the most heavily reviewed security tools rely on WhoisXML API to identify potentially malicious domains based on registration patterns. He also reveals surprising research showing that 90% of subdomains in security databases don't actually exist — they're artifacts of security scanning against wildcard DNS configurations that respond to any query.  Topics discussed: Research showing that domains created within the last 30 days are significantly more likely to be malicious, forcing penetration testers to deliberately "age" domains to avoid detection by security tools that automatically flag new registrations. How security professionals can use reverse WHOIS lookups based on email addresses, organization names, and nameservers to discover hidden attack surfaces and verify domain ownership during testing. Rather than performing millions of individual WHOIS queries, major security platforms license structured data dumps to perform local lookups for domain intelligence at massive scale. Since GDPR implementation in 2018, approximately 80-90% of domains have non-public registrant information, forcing security teams to rely on alternative signals like SSL certificates and hosting infrastructure. WhoisXML API's partnership network with cybersecurity vendors creates a collaborative intelligence platform that tracks malicious domains and infrastructure across the internet ecosystem. How security tools inadvertently pollute passive DNS databases by triggering wildcard DNS records, creating the illusion that millions of non-existent subdomains are real assets. How the Registration Data Access Protocol is modernizing domain registration data access while preserving the critical information that security tools need for threat intelligence. How companies like Doppel use WhoisXML API's data to identify phishing domains targeting their customers within minutes of registration, enabling rapid takedown before damage occurs. How investment analysts and technology companies use WHOIS and hosting data to track market share and adoption patterns across cloud providers and services. Listen to more episodes:  Apple  Spotify 

From a casual gaming project at NASA’s JPL to powering 700+ cybersecurity vendors, WhoisXML API has become the foundation of modern threat intelligence. In this episode of Ahead of the Breach, recorded at RSA Conference 2025, Casey sits down with Vice President Alex Ronquillo to explore how domain registration data has become critical infrastructure for security tools and how penetration testers can leverage this intelligence in their work. Alex takes us behind the scenes of the massive data collection operation that tracks billions of domain events monthly, explaining how even the most heavily reviewed security tools rely on WhoisXML API to identify potentially malicious domains based on registration patterns. He also reveals surprising research showing that 90% of subdomains in security databases don’t actually exist — they’re artifacts of security scanning against wildcard DNS configurations that respond to any query.  Topics discussed: Research showing that domains created within the last 30 days are significantly more likely to be malicious, forcing penetration testers to deliberately ”age” domains to avoid detection by security tools that automatically flag new registrations. How security professionals can use reverse WHOIS lookups based on email addresses, organization names, and nameservers to discover hidden attack surfaces and verify domain ownership during testing. Rather than performing millions of individual WHOIS queries, major security platforms license structured data dumps to perform local lookups for domain intelligence at massive scale. Since GDPR implementation in 2018, approximately 80-90% of domains have non-public registrant information, forcing security teams to rely on alternative signals like SSL certificates and hosting infrastructure. WhoisXML API’s partnership network with cybersecurity vendors creates a collaborative intelligence platform that tracks malicious domains and infrastructure across the internet ecosystem. How security tools inadvertently pollute passive DNS databases by triggering wildcard DNS records, creating the illusion that millions of non-existent subdomains are real assets. How the Registration Data Access Protocol is modernizing domain registration data access while preserving the critical information that security tools need for threat intelligence. How companies like Doppel use WhoisXML API’s data to identify phishing domains targeting their customers within minutes of registration, enabling rapid takedown before damage occurs. How investment analysts and technology companies use WHOIS and hosting data to track market share and adoption patterns across cloud providers and services. Listen to more episodes:  Apple  Spotify

NOW PLAYING

WhoisXML’s Alex Ronquillo on Domain Age as a Security Signal

0:00 27:56

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Frequently Asked Questions

How long is this episode of Ahead of the Breach?

This episode is 27 minutes long.

When was this Ahead of the Breach episode published?

This episode was published on May 19, 2025.

What is this episode about?

From a casual gaming project at NASA's JPL to powering 700+ cybersecurity vendors, WhoisXML API has become the foundation of modern threat intelligence. In this episode of Ahead of the Breach, recorded at RSA Conference 2025, Casey sits down with...

Can I download this Ahead of the Breach episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!