Defensive domain registration

Defensive domain registration is the practice of proactively registering domain name variants to prevent attackers from using them for phishing or brand impersonation. This guide covers what to register, how to prioritize, and when monitoring is more practical.


What it is

Defensive domain registration is the practice of proactively registering domain name variants (typos, alternate TLDs, hyphenated forms, and other permutations) before attackers can claim them. The goal is to eliminate the most obvious typosquatting vectors by owning those names first, typically redirecting them to the primary site or letting them sit unused.

What to register

The highest-priority defensive registrations typically include:

  • Common typos. Character substitutions, omissions, and transpositions that users are most likely to type accidentally (e.g., gogle.com, gooogle.com). Running the primary domain through typosquatting permutation generators reveals the most plausible misspellings.
  • Key TLD variants. The brand name under widely used TLDs like .net, .org, .co, and country-code TLDs in markets where the organization operates. TLD squatting is one of the simplest impersonation techniques, and registering the exact brand string across major TLDs is a low-cost defensive measure.
  • Hyphenated variants. Adding or removing hyphens, especially for multi-word brand names.
  • Singular/plural forms. If the brand is plural, register the singular, and vice versa.

Some organizations also register homoglyph variants (substituting visually similar characters like rn for m) and bitsquat variants (single-bit ASCII permutations), though the combinatorial space grows quickly.

Prioritization

Defensive registration has a fundamental scaling problem. For any given domain, there are hundreds to thousands of plausible variants across hundreds of TLDs. Registering all of them is prohibitively expensive and logistically impractical.

Prioritize by attack likelihood and impact. Focus on variants at an edit distance of one in popular TLDs, especially where the brand has significant customer traffic. A financial services company with millions of customers typing its domain daily has a stronger case for broad defensive registration than a B2B company whose customers reach it through bookmarks or search engines.
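The following Python example, added here and not part of the original guide, generates the one-edit variants described under "What to register" and ranks the unowned ones into a registration shortlist. The TLD list and the ranking weights are assumptions; adjust them to the markets and traffic of the brand being protected.

```python
import string

# Assumption: TLDs where the brand has significant traffic, in priority order.
PRIORITY_TLDS = ["com", "net", "org", "co"]
ALPHABET = string.ascii_lowercase + string.digits
# Assumption: slips users make by accident rank ahead of substitutions.
KIND_SCORE = {"tld": 0, "omission": 1, "repetition": 1, "transposition": 1,
              "plural": 2, "hyphen": 2, "substitution": 3}


def one_edit_labels(label):
    """Map each label one edit away from `label` to the kind of edit."""
    out = {}

    def add(variant, kind):
        # Skip the original and labels that start or end with a hyphen.
        if variant and variant != label and variant.strip("-") == variant:
            out.setdefault(variant, kind)

    add(label[:-1] if label.endswith("s") else label + "s", "plural")
    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + ch + label[i:], "repetition")
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        if i > 0:
            add(label[:i] + "-" + label[i:], "hyphen")
        for c in ALPHABET:
            add(label[:i] + c + label[i + 1:], "substitution")
    return out


def shortlist(domain, owned=(), limit=50):
    """Rank unowned candidates: exact brand in other TLDs, then likely typos."""
    label = domain.lower().partition(".")[0]
    held = {d.lower() for d in owned} | {domain.lower()}
    kinds = {label: "tld", **one_edit_labels(label)}
    ranked = sorted(
        (KIND_SCORE[kind], tld_rank, f"{variant}.{tld}", kind)
        for variant, kind in kinds.items()
        for tld_rank, tld in enumerate(PRIORITY_TLDS)
        if f"{variant}.{tld}" not in held
    )
    return [(name, kind) for _, _, name, kind in ranked[:limit]]


if __name__ == "__main__":
    for name, kind in shortlist("google.com", limit=20):
        print(f"{kind:14} {name}")
```

Pass the current portfolio as `owned` so the shortlist shows only gaps; everything below the cut-off belongs on the monitoring list rather than the registration list.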

Accept that defensive registration cannot cover the entire variant space. It is a complement to monitoring, not a replacement for it.

Renewal governance

Defensive domains are easy to forget. Organizations regularly lose defensive registrations to expiration because no one tracked the renewal dates or the credit card on file expired. A lapsed defensive domain is worse than never registering it: an attacker who notices the drop can register it immediately, sometimes with cached content or residual search engine rankings.

Maintain a centralized domain inventory with auto-renewal enabled, a single registrar account (or a small number of consolidated accounts), and regular audits to confirm all defensive domains are still active.

When to register vs. when to monitor

Defensive registration makes the most economic sense for a small number of high-risk variants. For the long tail of possible permutations, domain monitoring is more cost-effective: detect when a threatening variant is registered and respond through enforcement rather than trying to preempt every possibility.

A practical approach is to register the top 20–50 most dangerous variants (common typos in major TLDs), and monitor for everything else. If monitoring detects a registration that was not anticipated, evaluate whether to add it to the defensive portfolio going forward. For a deeper look at combining these strategies, see the guide to typosquatting protection.

Portfolio management

As brands evolve (product names change, companies merge, new markets open), the defensive domain portfolio should evolve too. Conduct annual reviews to drop domains that no longer align with active brand assets and add registrations for new ones. This prevents portfolio bloat and keeps renewal costs aligned with actual risk.
