Ahead of the Breach

WhoisXML's Alex Ronquillo on Domain Age as a Security Signal

From a casual gaming project at NASA's JPL to powering 700+ cybersecurity vendors, WhoisXML API has become the foundation of modern threat intelligence. In this episode of Ahead of the Breach, recorded at RSA Conference 2025, Casey sits down with Vice President Alex Ronquillo to explore how domain registration data has become critical infrastructure for security tools and how penetration testers can leverage this intelligence in their work.

Alex takes us behind the scenes of the massive data collection operation that tracks billions of domain events monthly, explaining how even the most heavily reviewed security tools rely on WhoisXML API to identify potentially malicious domains based on registration patterns. He also reveals surprising research showing that 90% of subdomains in security databases don't actually exist — they're artifacts of security scanning against wildcard DNS configurations that respond to any query. 

Topics discussed:

  • Research showing that domains created within the last 30 days are significantly more likely to be malicious, forcing penetration testers to deliberately "age" domains to avoid detection by security tools that automatically flag new registrations.
  • How security professionals can use reverse WHOIS lookups based on email addresses, organization names, and nameservers to discover hidden attack surfaces and verify domain ownership during testing.
  • How major security platforms, rather than performing millions of individual WHOIS queries, license structured data dumps and perform local lookups for domain intelligence at massive scale.
  • Since GDPR implementation in 2018, approximately 80-90% of domains have non-public registrant information, forcing security teams to rely on alternative signals like SSL certificates and hosting infrastructure.
  • WhoisXML API's partnership network with cybersecurity vendors creates a collaborative intelligence platform that tracks malicious domains and infrastructure across the internet ecosystem.
  • How security tools inadvertently pollute passive DNS databases by triggering wildcard DNS records, creating the illusion that millions of non-existent subdomains are real assets.
  • How the Registration Data Access Protocol is modernizing domain registration data access while preserving the critical information that security tools need for threat intelligence.
  • How companies like Doppel use WhoisXML API's data to identify phishing domains targeting their customers within minutes of registration, enabling rapid takedown before damage occurs.
  • How investment analysts and technology companies use WHOIS and hosting data to track market share and adoption patterns across cloud providers and services.
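The first two topics above (the 30-day registration age heuristic and the move to RDAP) in working form, as an added example that is not WhoisXML API's or Sprocket's code. The WHOIS text record and RDAP JSON document below are constructed samples modelled on the two shapes registration data commonly arrives in; the `Creation Date` label and the RDAP `events` / `eventAction: "registration"` fields are the standard ones, while the hostnames, timestamps and the `triage` helper are assumptions made for the example. A record with no recoverable creation date (the GDPR-redacted case the episode mentions) is classified `unknown` rather than silently treated as aged.

```python
"""Flag newly registered domains from WHOIS text or RDAP JSON records.

Added example for this episode page, not WhoisXML API's own code.
The sample records are constructed; field names follow the common
WHOIS "Creation Date:" line and the RDAP "events" array.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, Optional

NEW_DOMAIN_DAYS = 30  # threshold discussed in the episode (assumed as a default)


def _parse_ts(s: str) -> datetime:
    """Parse an ISO 8601 timestamp (with or without trailing Z) to aware UTC."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def creation_date_from_whois(text: str) -> Optional[datetime]:
    """Extract the creation timestamp from a key/value WHOIS text record."""
    m = re.search(r"^\s*Creation Date:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return _parse_ts(m.group(1)) if m else None


def creation_date_from_rdap(doc: dict) -> Optional[datetime]:
    """Extract the 'registration' event date from an RDAP domain document."""
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "registration" and "eventDate" in ev:
            return _parse_ts(ev["eventDate"])
    return None


def domain_age_days(created: datetime, now: datetime) -> int:
    return (now - created).days


def classify(created: Optional[datetime], now: datetime,
             threshold_days: int = NEW_DOMAIN_DAYS) -> str:
    """'new' if registered less than threshold_days ago, 'aged' otherwise.

    A missing creation date (redacted or unparsable record) is 'unknown':
    the absence of data is not evidence the domain is old.
    """
    if created is None:
        return "unknown"
    return "new" if domain_age_days(created, now) < threshold_days else "aged"


# --- constructed sample records (hostnames and dates are made up) ---------
WHOIS_NEW = """Domain Name: FRESH-LOGIN-EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2025-04-20T10:00:00Z
Updated Date: 2025-04-20T10:00:00Z
"""
WHOIS_REDACTED = """Domain Name: PRIVACY-EXAMPLE.ORG
Registrant Name: REDACTED FOR PRIVACY
"""
RDAP_AGED = json.dumps({
    "ldhName": "long-standing-example.net",
    "events": [
        {"eventAction": "registration", "eventDate": "2019-03-02T08:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-03-02T08:15:00Z"},
    ],
})


def triage(now: datetime) -> Dict[str, str]:
    """Classify each constructed record; 'now' is injected for reproducibility."""
    return {
        "fresh-login-example.com": classify(creation_date_from_whois(WHOIS_NEW), now),
        "privacy-example.org": classify(creation_date_from_whois(WHOIS_REDACTED), now),
        "long-standing-example.net": classify(creation_date_from_rdap(json.loads(RDAP_AGED)), now),
    }


if __name__ == "__main__":
    for name, verdict in triage(datetime.now(timezone.utc)).items():
        print(f"{name:28} {verdict}")
```

In a real pipeline `now` would be the current time and the records would come from a licensed dump or an RDAP query; the injected clock here keeps the example reproducible.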
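The wildcard-DNS pollution point above (scanners hitting a zone that answers any query, so that non-existent subdomains end up in passive-DNS databases) with a check a defender can run before trusting a harvested subdomain list. This is an added example, not WhoisXML API's or Sprocket's code. DNS resolution is injected as a callable so the block runs offline against a constructed zone (the `example.com` / `example.net` records and the 203.0.113.0/24 addresses are made up); in production the callable would wrap a real resolver. The technique is the usual one: probe a few random labels under the apex, and if they all resolve to the same answer, treat any candidate that resolves to that same answer as unverifiable rather than as a confirmed asset.

```python
"""Separate real subdomains from wildcard-DNS artifacts in a harvested list.

Added example, not WhoisXML API's own code. The zone below is constructed;
resolution is injected so the check runs offline.
"""
import secrets
from typing import Callable, Dict, Iterable, Optional, Set

# A resolver maps a hostname to its A record, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed zones: example.com has a wildcard (*.example.com -> 203.0.113.10)
# plus one genuine host on a different address; example.net has no wildcard.
_CONSTRUCTED_RECORDS = {
    "mail.example.com": "203.0.113.25",
    "www.example.com": "203.0.113.10",  # real host that shares the wildcard address
    "app.example.net": "198.51.100.7",
}


def constructed_resolver(name: str) -> Optional[str]:
    """Stand-in for a real DNS lookup against the constructed zones."""
    if name in _CONSTRUCTED_RECORDS:
        return _CONSTRUCTED_RECORDS[name]
    if name.endswith(".example.com"):
        return "203.0.113.10"  # wildcard answer for anything under example.com
    return None


def detect_wildcard(apex: str, resolve: Resolver, probes: int = 3) -> Optional[Set[str]]:
    """Return the set of answers random labels receive, or None if no wildcard.

    Random labels of 16 hex characters are vanishingly unlikely to be real
    hosts, so any answer at all indicates a wildcard record.
    """
    answers: Set[str] = set()
    for _ in range(probes):
        answer = resolve(f"{secrets.token_hex(8)}.{apex}")
        if answer is None:
            return None  # a random label got NXDOMAIN: zone is not wildcarded
        answers.add(answer)
    return answers


def classify_subdomains(apex: str, labels: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Classify each candidate as 'real', 'unverifiable', or 'nonexistent'.

    'unverifiable' means the name resolves only to the wildcard's answer, so
    DNS alone cannot distinguish it from scanner noise (www.example.com in
    the constructed zone shows why this is not labelled 'artifact').
    """
    wildcard = detect_wildcard(apex, resolve)
    verdicts: Dict[str, str] = {}
    for label in labels:
        name = f"{label}.{apex}"
        answer = resolve(name)
        if answer is None:
            verdicts[name] = "nonexistent"
        elif wildcard is not None and answer in wildcard:
            verdicts[name] = "unverifiable"
        else:
            verdicts[name] = "real"
    return verdicts


if __name__ == "__main__":
    for apex, labels in (("example.com", ["mail", "www", "dev-a1b2c3"]),
                         ("example.net", ["app", "ghost"])):
        for name, verdict in classify_subdomains(apex, labels, constructed_resolver).items():
            print(f"{name:28} {verdict}")
```

Names in the `unverifiable` bucket need a second signal (a certificate, an HTTP response that differs from the wildcard's, hosting data) before they are counted as attack surface; names in `nonexistent` can be dropped from the inventory outright.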
Ahead of the Breach, by Sprocket