Cyber Pre-Crime: Netcraft's AI Kills Threats Before Launch
- 90% of criminally-controlled domains identified by Netcraft are taken down within 24 hours
- 21,000 preemptive takedowns in a three-month pilot with a single enterprise client
Experts endorse Netcraft's proactive approach as a significant advancement in cybersecurity, shifting the focus from reactive defense to preemptive disruption of criminal infrastructure.
SALT LAKE CITY and LONDON – March 17, 2026 – In a move that aims to re-architect the very foundations of digital defense, cybersecurity firm Netcraft today announced a new service that hunts down and dismantles criminal infrastructure before it can be used to launch an attack. The AI-powered platform, named Preemptive Domain Disruption, represents a significant strategic pivot in the war on cybercrime, moving from a reactive posture of cleaning up attacks to a proactive model of preventing them entirely.
For decades, the fight against phishing and online fraud has been a high-stakes game of cat and mouse. Criminals launch a campaign, and security companies race to detect the malicious websites and emails, blocking them only after they are live and have potentially claimed victims. Netcraft’s new capability seeks to end this cycle by intervening much earlier in the attack chain—a strategy the industry calls “shifting left.”
The Shift from Reaction to Prediction
The core of Netcraft’s innovation lies in exploiting the time lag between when a cybercriminal registers a domain and when they “weaponize” it with malicious content. This window can last for days, weeks, or even months, providing a critical opportunity for intervention.
Instead of waiting for a phishing page to appear, Netcraft’s AI scours the internet for newly registered domains that exhibit the subtle hallmarks of criminal intent. It functions like a digital profiler, correlating disparate data points that, in isolation, might seem benign. The system analyzes what it calls “high-fidelity data clusters,” looking for shared infrastructure, suspicious registration artifacts, and technical configurations that match the fingerprints of known criminal campaigns. This could include domains registered using anonymizing services, names that mimic legitimate brands (typosquatting), or those configured on servers previously associated with fraud.
“Attackers operate differently in an AI age. They can quickly stand up infrastructure well in advance of a campaign,” said Ryan Woodley, CEO of Netcraft, in the announcement. He emphasized that the company’s two decades of experience fighting cybercrime provides a unique repository of threat actor behavior to train its predictive models. “By removing attacker infrastructure upstream, we don’t just detect threats faster; we prevent them from reaching our customers and the people who trust them.”
This approach fundamentally differs from traditional domain monitoring, which often relies on identifying active malicious content before initiating a takedown. By focusing on intent inferred from infrastructure and registration data, Netcraft aims to neutralize the threat before it poses any risk to the public.
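The correlation idea described above can be sketched as follows. This is an added illustration, not Netcraft's system or code: the brand label, the record fields, the thresholds and all sample registrations are constructed assumptions. A domain is flagged only when it carries at least two weak indicators and shares a nameserver with another such domain, so an indicator that is benign in isolation (a privacy-proxy registration, a cheap shared DNS host) does not trigger a flag by itself.

```python
from collections import defaultdict

BRANDS = ["examplebank"]          # constructed protected brand label
KNOWN_BAD_IPS = {"203.0.113.7"}   # constructed; address from a documentation range

# Constructed batch of newly registered domains (illustrative, not real data).
RECORDS = [
    {"domain": "examp1ebank-login.test",  "privacy": True,  "ns": "ns1.cheapdns.test", "ip": "203.0.113.7"},
    {"domain": "exampelbank.test",        "privacy": True,  "ns": "ns1.cheapdns.test", "ip": "198.51.100.20"},
    {"domain": "examplebank-secure.test", "privacy": False, "ns": "ns1.cheapdns.test", "ip": "203.0.113.7"},
    {"domain": "gardenblog.test",         "privacy": True,  "ns": "ns1.cheapdns.test", "ip": "198.51.100.44"},
    {"domain": "examplebakery.test",      "privacy": False, "ns": "ns.hostco.test",    "ip": "192.0.2.10"},
]

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def mimics_brand(domain):
    """True if a hyphen-separated token of the first label is within 2 edits
    of a brand after folding common digit look-alikes (0->o, 1->l, 3->e)."""
    label = domain.split(".")[0].lower().translate(str.maketrans("013", "ole"))
    return any(edit_distance(tok, b) <= 2 for tok in label.split("-") for b in BRANDS)

def signals(rec):
    """Independent weak indicators for one registration record."""
    checks = {"brand-lookalike": mimics_brand(rec["domain"]),
              "privacy-proxy": rec["privacy"],
              "known-bad-ip": rec["ip"] in KNOWN_BAD_IPS}
    return {name for name, hit in checks.items() if hit}

def flag_clusters(records, min_signals=2, min_cluster=2):
    """Group domains with >= min_signals indicators by shared nameserver and
    keep only groups of >= min_cluster, so no single indicator flags a domain."""
    clusters = defaultdict(list)
    for rec in records:
        found = signals(rec)
        if len(found) >= min_signals:
            clusters[rec["ns"]].append((rec["domain"], sorted(found)))
    return {ns: m for ns, m in clusters.items() if len(m) >= min_cluster}

if __name__ == "__main__":
    print(flag_clusters(RECORDS))
```

In this constructed batch, the three brand look-alikes on the shared nameserver form one flagged cluster, while `gardenblog.test` (privacy proxy only) and `examplebakery.test` (no indicators) are left alone.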
Putting Predictive Power to the Test
While the concept of predictive defense is compelling, its value hinges on execution and accuracy. According to Netcraft, early results from enterprise customers have been dramatic. The company reports that approximately 90% of the criminally-controlled domains it identifies are successfully taken down within 24 hours. In one three-month pilot with a single enterprise client, the service resulted in over 21,000 preemptive takedowns, effectively eliminating the window for risk exposure from those specific threats.
This rapid disruption is achieved through deep collaboration with internet infrastructure providers. Once the AI flags a cluster of domains with high confidence and collects what the company calls “enforcement-grade evidence,” Netcraft works directly with registrars and hosting companies to disable the domains. Simultaneously, it broadcasts high-risk signals to DNS operators and email reputation systems, further shrinking the attacker’s operational capacity.
The methodology is already gaining recognition from key industry bodies. Peter Cassidy, a co-founder of the influential Anti-Phishing Working Group (APWG), endorsed the approach. “Netcraft's approach to preemptively disrupting malicious campaigns brings the contest against cybercrime where it belongs: into the future,” he stated. In a significant move, the APWG will create a new sub-category for “predeployed domain names” in its member eCrime eXchange, to which Netcraft will contribute data, formalizing the tracking of this nascent threat type.
Redrawing the Cyber Battlefield
The introduction of a potent preemptive defense is poised to ripple across the entire cybercrime ecosystem. The Digital Risk Protection (DRP) market includes established players like BrandShield and Group-IB, which also leverage AI for early threat detection. However, Netcraft's singular focus on disrupting the infrastructure during the registration-to-activation window, before any brand infringement or active attack occurs, carves out a specialized and highly aggressive niche.
This “shift left” strategy will almost certainly force cybercriminals to evolve. If their newly registered domains are consistently disabled before use, their return on investment plummets. Security analysts anticipate that attackers may adapt by shifting their focus away from disposable domains and toward more resilient tactics. These could include an increased reliance on compromising legitimate, established websites to host their phishing kits, abusing legitimate cloud services, or moving to decentralized web technologies that lack a central point of failure or control for takedowns.
This dynamic sets the stage for the next phase in the cybersecurity arms race. As defenders get better at predicting and preventing traditional campaigns, attackers will be driven to find new, more sophisticated methods of evasion, pushing the boundaries of both offense and defense.
The Preemptive Paradox: Efficacy vs. Ethics
Proactively disabling a domain before it contains malicious content, however, enters a complex legal and ethical gray area. The most significant risk is the false positive: mistakenly identifying a legitimate domain as criminal and having it taken down. Such an error could cause significant financial and reputational damage to an innocent party and expose the security provider to legal challenges.
The legal basis for these preemptive actions typically relies on violations of a registrar’s or hosting provider’s Terms of Service, which often prohibit fraudulent or malicious intent. Netcraft’s ability to provide “enforcement-grade evidence” of this intent is therefore critical to justifying its actions and securing the cooperation of infrastructure partners.
This proactive stance raises questions about due process and censorship. While stopping crime is the goal, the act of taking down a site based on a predictive algorithm, without any active malicious content, requires an exceptionally high degree of accuracy and accountability. The industry’s move to formalize the tracking of “predeployed” malicious domains through organizations like the APWG is a crucial step in building a consensus and a defensible framework around these next-generation defensive measures.
Ultimately, Netcraft’s Preemptive Domain Disruption is a bold gamble on the power of prediction. Its success will depend not only on the sophistication of its AI but also on its ability to navigate the delicate balance between aggressive prevention and the rights of all internet users, a challenge that will define the future of digital security.