2026-06-01, Room 1
Managing tens of thousands of DNS records across multiple cloud providers and registrars introduces significant risk—especially when bug bounty reports for domain takeover vulnerabilities begin to surge. Scaling remediation is both critical and complex. In this talk, we share how our security team built a cloud-native, event-driven automation system that delivered a 10x improvement in detection, and achieved a 98% vulnerability closure rate.
We’ll begin by explaining why domain takeovers became a problem worth solving at scale, including the impact of different takeover classes and the asset attribution challenges inherent in large organizations. From there, we’ll walk through our journey—from evaluating tooling to designing a cloud-native orchestration system that integrates with our DNS registrar, AWS and GCP environments, and internal vulnerability management platform.
Our approach centers on continuous DNS asset enumeration via cloud provider APIs, enrichment with account ownership metadata, and intelligent remediation workflows. Rather than treating takeover findings as isolated alerts requiring manual triage, we built a system that continuously synchronizes DNS, registrar, and cloud account data.
Using Lambda and EventBridge, new AWS accounts are automatically onboarded into the organization. Hosted zones and domain states are enumerated, enriched with organizational context, and fed into our External Attack Surface Management (EASM) platform. External takeover findings are ingested through API Gateway webhooks and correlated with DNS records, cloud inventory, and organizational metadata. This enables automated bundling, severity classification, routing to the appropriate teams, and enforced re-alerting when issues are closed without remediation.
A key factor in our success was ownership attribution. By correlating DNS records with cloud and organizational metadata, we reduced manual toil, improved routing accuracy, and ensured vulnerabilities could not be silently dismissed.
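The correlation step described in the two preceding paragraphs (DNS records joined to cloud inventory and account ownership, bundled per owning team, with closed-without-fix issues re-raised) is sketched below as an added example. It is not code from the talk or from Block's system; the zone ids, account numbers, team names, hostnames and the severity-by-suffix policy are all constructed stand-ins for what the real pipeline would pull from Route 53, the registrar, the cloud inventory and the org directory.

```python
"""Correlate DNS records with cloud inventory and ownership metadata.

A CNAME whose target is a provider-hosted name (CloudFront, S3, ELB, ...)
that no longer exists in our own inventory is a dangling record and a
takeover candidate. Attribution comes from the hosted zone's owning account.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    zone_id: str
    name: str
    rtype: str
    target: str


@dataclass(frozen=True)
class Finding:
    record: DnsRecord
    severity: str
    team: str
    channel: str


# --- constructed sample data (hypothetical; stands in for live API output) ---
ZONE_OWNERS = {"Z-PAY": "111111111111", "Z-WEB": "222222222222"}  # zone -> account
ACCOUNT_OWNERS = {  # account -> org metadata
    "111111111111": {"team": "payments", "channel": "#payments-sec"},
    "222222222222": {"team": "web", "channel": "#web-sec"},
}
# Provider-hosted targets that currently exist in our cloud inventory.
CLOUD_INVENTORY = {
    "app-prod.example-elb.amazonaws.com",
    "d111abc.cloudfront.net",
}
DNS_RECORDS = [
    DnsRecord("Z-PAY", "shop.example.com", "CNAME", "app-prod.example-elb.amazonaws.com"),
    DnsRecord("Z-WEB", "cdn.example.com", "CNAME", "d111abc.cloudfront.net"),
    DnsRecord("Z-WEB", "old-promo.example.com", "CNAME", "d999zzz.cloudfront.net"),
    DnsRecord("Z-PAY", "staging.example.com", "CNAME", "stale-bucket.s3.amazonaws.com"),
    DnsRecord("Z-WEB", "www.example.com", "A", "203.0.113.10"),
]
# Constructed severity policy: which provider suffixes matter when the
# resource behind them is gone. Real values are a team's own risk decision.
SEVERITY_BY_SUFFIX = {
    ".cloudfront.net": "high",
    ".s3.amazonaws.com": "high",
    ".elb.amazonaws.com": "medium",
}


def classify(target):
    """Severity if the target is provider-hosted and covered by policy, else None."""
    for suffix, severity in SEVERITY_BY_SUFFIX.items():
        if target.endswith(suffix):
            return severity
    return None


def find_dangling(records, inventory, zone_owners, account_owners):
    """Return findings for CNAMEs whose provider-hosted target is not in inventory."""
    findings = []
    for rec in records:
        if rec.rtype != "CNAME":
            continue  # A/AAAA records need an IP-ownership check, not shown here
        severity = classify(rec.target)
        if severity is None or rec.target in inventory:
            continue  # not provider-hosted, or the resource still exists
        owner = account_owners.get(zone_owners.get(rec.zone_id, ""), {})
        findings.append(Finding(
            rec, severity,
            owner.get("team", "unattributed"),
            owner.get("channel", "#security-triage"),  # fallback route
        ))
    return findings


def bundle_by_team(findings):
    """Group findings so each owning team gets one bundled ticket."""
    bundles = defaultdict(list)
    for finding in findings:
        bundles[finding.team].append(finding)
    return dict(bundles)


def reopen_closed_without_fix(closed_record_names, current_findings):
    """Records whose ticket was closed but which still show up as dangling."""
    still_dangling = {f.record.name for f in current_findings}
    return sorted(set(closed_record_names) & still_dangling)


if __name__ == "__main__":
    found = find_dangling(DNS_RECORDS, CLOUD_INVENTORY, ZONE_OWNERS, ACCOUNT_OWNERS)
    for team, items in bundle_by_team(found).items():
        print(team, [(f.record.name, f.severity, f.channel) for f in items])
    print("re-alert:", reopen_closed_without_fix({"old-promo.example.com"}, found))
```

The inventory set is the piece that does the real work: it is rebuilt from the cloud provider APIs on every run, so a resource deleted yesterday turns a healthy CNAME into a finding today without anyone re-scanning DNS by hand, and the `reopen_closed_without_fix` pass is what stops a ticket from being closed while the record that caused it is still published.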
We’ll also discuss alternative solutions we evaluated that failed to scale or proved ineffective, and why an event-driven, attribution-focused model ultimately succeeded.
Attendees will leave with:
- A clear understanding of domain takeover vulnerabilities and their impact
- Practical approaches to identifying and remediating domain takeovers at scale
- Insight into asset attribution challenges in large organizations
- An overview of tooling strategies and lessons learned
Whether you manage ten domains or tens of thousands, this session provides a practical framework for scalable DNS takeover detection and remediation.
Ramesh is a Staff Security Engineer at Block with two decades of experience across cloud, Kubernetes, datacenter, and network security. He holds three patents, has presented at AWS re:Invent and BSides SF, and has published with ISACA. His research has influenced the OWASP Top 10 for Kubernetes, and he volunteers with the Cloud Security Alliance.