Preemptive Domain Disruption: AI-powered Disruption Jumps Left of Live

By Ryan Woodley

Earlier this month I was on stage at the FS-ISAC Americas conference speaking alongside security leaders from several of the world’s largest financial institutions. The conversation turned, as it often does, to the challenge of staying ahead of increasingly sophisticated attackers. 

At the end of our session, one audience member asked a question that caught my attention: 

“How do we get further ahead of threat actors, taking down infrastructure we know will become malicious?” 

I paused for a moment, smiled, and asked if they knew something about our yet-to-be-announced service that does exactly that. The room laughed, but the question was the right one. Preventing attacks, or “shifting left,” is what every security leader is thinking about. And today, we have an important new tool in our arsenal.  

For decades, the cybersecurity industry has largely operated in a detect-and-respond mode when it comes to phishing and online fraud infrastructure. Attackers register domains, prepare phishing kits, eventually publish malicious content, and begin lure distribution. In this legacy model, defenders detect and begin takedowns only after content appears.  

At Netcraft, we’ve spent years moving the detection and takedown timeline earlier, leveraging purpose-built AI and ML to detect and take down attacks faster than anyone else in the industry. Our vast global signal collection, AI-powered processing, and deep infrastructure relationships allow us to see threats, classify them, and disrupt attacks incredibly fast. In the last three months, Netcraft’s median time to takedown for phishing threats globally has been just 33 minutes.

But even that leaves an uncomfortable truth. If defenders can only act once the attack is live or content is added to a page, criminals will always have a head start. 

Today we’re changing that. 

Introducing Preemptive Domain Disruption

At RSAC this year, Netcraft is launching Preemptive Domain Disruption, a new AI-powered capability that allows organizations to disrupt malicious infrastructure before attacks are launched.

The idea is simple in concept but extremely difficult to execute responsibly. 

The internet’s trust and safety ecosystem depends on just that: trust. Hosting providers and registrars require clear, verifiable evidence before taking action. Speculative reporting on domains that might be malicious risks creating noise, eroding credibility, and ultimately slowing down response. As is the case with traditional detect-and-respond disruption, preemptive disruption must be evidence-based. 

That’s why we've taken a deliberate, outcome-driven approach to Preemptive Domain Disruption. Our reports are trusted by infrastructure providers because they contain clear, verifiable proof of abuse—a reputation we’ve built through years of collaboration across the internet ecosystem. Without that trust, 33-minute takedown times would not be possible.

Our guiding principle: Preemptive Domain Disruption had to meet that same standard. 

Verified Attack Indicators

The key to doing this responsibly is something we call Verified Attack Indicators (VAI).

Rather than relying on speculative predictions about what might become malicious, Netcraft looks for concrete signals within infrastructure that strongly indicate criminal ties. 

These indicators emerge from patterns across criminal campaigns and infrastructure clusters that we observe globally. When domains share characteristics or connected indicators, the likelihood of malicious intent becomes high.  

Examples include:

  • Domains embedded within known criminal infrastructure clusters 

  • Suspicious MX record configurations associated with fraud operations 

  • URLs and infrastructure scoring that indicate high-risk activity patterns 

  • Technical fingerprints tied to known phishing kit deployment patterns 

  • Other infrastructure signals that historically precede attacks 

When these Verified Attack Indicators appear together, they provide the evidence needed to confidently report a domain before an attack is fully deployed or content is hosted.

Building in Partnership with Infrastructure Providers

Preemptive Domain Disruption did not happen overnight. 

Over the past nine months, Netcraft has worked closely with trusted infrastructure providers across the internet ecosystem to refine evidence criteria and ensure these early signals meet the standard required for taking preemptive action. 

Providers are understandably cautious about preemptive reporting. Accuracy matters, and false positives create friction. 

Through collaboration and testing, we’ve built a model that providers trust; one that allows them to act earlier in the attack lifecycle while maintaining the credibility that effective abuse reporting requires. It has been clear in conversations with infrastructure providers that the approach we’ve brought to them is welcome, effective, and foundational to the ongoing success of our combined efforts.

Early Results: Eliminating the Victimization Window

The results from early deployments have been compelling. 

In one large early-access enterprise implementation, Netcraft proactively disrupted more than 21,000 malicious domains, preventing attacks that could have resulted in victim harm, brand damage, significant operational costs, and more.

Across these early deployments: 

  • 90% of reported threats were taken down within 24 hours. 

  • Domains were removed well before malicious content was visible. 

  • Entire campaigns were neutralized before deployment. 

Instead of responding after attacks go live, defenders can now disrupt infrastructure while criminals are still preparing it.

Complementing Netcraft’s Industry-Leading Takedowns

Preemptive Domain Disruption does not replace traditional takedowns—it strengthens them.

Our evidence-based philosophy remains unchanged. If a suspicious domain does not yet present the Verified Attack Indicators required for a preemptive report, we continue to monitor it closely. 

Suspicious domains are continuously observed across Netcraft’s global monitoring network. If VAI or content appears, we detect it immediately, often within seconds. Our AI-powered systems then automate evidence capture, bypass cloaking techniques used to hide malicious content, and prepare abuse reports supported by screenshots and forensic data from our global proxy infrastructure. 

When Verified Attack Indicators are present, Preemptive Domain Disruption eliminates the victimization window entirely. The infrastructure disappears before the attack ever launches. 

When indicators are not yet present, Netcraft’s monitoring and rapid-response takedown process still compresses the victimization window, dramatically reducing exposure by up to 90%.  

But the impact goes beyond stopping individual attacks. 

Changing the Economics of Cybercrime

Cybercriminals operate businesses. Like any business, they pursue the targets that offer the highest return for the least effort. Effective disruption changes that equation.

Over time, Netcraft has consistently seen that organizations investing in rapid detection and takedown begin to experience fewer attacks. When criminals repeatedly lose infrastructure and campaigns targeting a particular brand, they shift their attention elsewhere.

The return on investment for attackers erodes fast. Preemptive disruption pushes this dynamic even further left in the attack chain.

Imagine the impact. Taking down infrastructure after an attack launches is frustrating for criminals but not unexpected. Taking it down while they are still building the attack? Domains are paid for and registered, infrastructure is configured, phishing kits are staged — and then the entire operation disappears before a single victim sees the threat. That’s the kind of frustration we aim to create (for the criminal).

By eliminating attacks before they reach victims, organizations make themselves a significantly more expensive target. Criminals must spend more time, more infrastructure, and more effort to achieve the same result.

That shift in economics is where the real ROI emerges.

Comprehensive Defense – Adding Proactive Takedowns

Every generation of cybersecurity aims to move earlier in the attack lifecycle. 

Security has moved from manual, signature-based antivirus toward automated, behavior-driven detection; from matching known threats to spotting suspicious behavior; from tracking isolated indicators to mapping campaign infrastructure. The same evolution is visible across the tech stack: email security targets phishing infrastructure rather than generic spam; fraud teams follow coordinated networks instead of lone transactions; attack-surface management finds exposures before attackers can exploit them. Yet despite these advances, defenders remain largely reactive, detecting threats only after infrastructure has been registered, deployed, or observed in use. 

Preemptive Domain Disruption represents the next generation of Digital Risk Protection. Instead of waiting for criminals to deploy attacks, defenders can now disrupt the infrastructure behind campaigns while it is still being prepared. 

A Better Way to Fight Online Fraud

Cybercriminals operate at scale by registering domains in bulk, rapidly deploying phishing sites, and shifting across providers to stay ahead of defenders. 

Tooling is evolving to support this. Phishing-as-a-Service platforms have begun incorporating AI to generate and localize phishing content, lowering the barrier to entry and enabling campaigns to scale more efficiently. Attackers are also quick to adopt new, low-friction AI platforms and services that allow content and infrastructure to be deployed with minimal effort.

But the infrastructure criminals rely on leaves patterns. Those patterns can be identified, verified, and disrupted, if you have the visibility and operational reach to act on them. 

Preemptive Domain Disruption is our latest innovation in the fight against an increasingly AI-enabled adversary, built on two decades of protecting organizations and their customers from cybercrime.  

The question from the FS-ISAC audience member captured exactly what the industry has been asking: 

How do we get ahead of attackers? 

Preemptive Domain Disruption is our answer. Connected data, attack indicators, and strong industry collaboration, all built on next-gen digital risk protection solutions for the AI age. There are no silver bullets in this fight, but we're working hard to put criminals back on their heels.  
