Traditional cybersecurity's detect-and-respond model is struggling under the weight of AI-generated malware. While organizations invest heavily in perimeter defenses and endpoint protection, sophisticated attackers now leverage artificial intelligence to craft personalized malware variants at unprecedented scale, rendering signature-based detection systems increasingly obsolete.
To understand how the industry is adapting, The Tolly Group recently spoke with Krupa Srivatsan, Senior Director of Product Marketing at Infoblox, who leads the company's cybersecurity solutions focused on protective DNS. Srivatsan's team has developed an approach that fundamentally shifts security from reactive to proactive by targeting threat actor infrastructure before it can be weaponized.
The Patient Zero Problem
Traditional detect-and-respond solutions rely on someone else being the first victim, Srivatsan explains. "Someone else gets infected with that first piece of malware, and the industry then tries to learn more about that malware once that initial organization gets affected."
This reactive model worked when threat actors recycled known malware variants, but today's landscape is fundamentally different. AI has automated malware creation, allowing attackers without coding expertise to generate sophisticated, single-use malware tailored to specific industries, companies, or even individual employees. A signature written after the first infection never fires again, so any organization could become patient zero, dramatically increasing risk across the board. That is why the search for solutions is shifting the battleground upstream, to the infrastructure attackers must stand up before any malware runs.
DNS as the Universal Choke Point
Unlike traditional security tools that wait for threats to manifest, DNS-based security can track threat actor infrastructure before it's weaponized. When attackers launch campaigns, they must register domains, stand up the hosting and command-and-control behind them, and only then launch the attack. Nearly every stage that follows, from the phishing link to payload retrieval to command-and-control beaconing, depends on resolving a domain name, which makes the recursive resolver a natural choke point. The practical caveat is that malware which beacons to a hard-coded IP address never issues a query, so DNS controls complement rather than replace egress filtering.
By monitoring and blocking malicious domains at the DNS layer, organizations can stop threats at their first point of contact rather than after they've infiltrated the network. Srivatsan draws a compelling analogy: "It's similar to a dealer versus cartel approach. If you're going after individual drug dealers on the street or the individual malware variants, you're never going to catch them all. But if you're going after the cartels, the threat actors and their supply chain infrastructure and tools, then you are catching it early."
Scale of the Challenge and Market Response
Infoblox's latest research reveals the scale of the threat landscape: nearly a quarter of all newly observed domains are malicious or suspicious. More importantly, the company blocks 82% of threats before the first DNS query reaches a malicious domain, providing customers with an average 68-day head start over attacks.
This preemptive protection delivers immediate operational benefits. When a malicious domain is refused at the resolver, the connection never happens, so downstream tools such as web proxies, firewalls and endpoint agents have nothing to inspect and nothing to alert on. Fewer alerts reach the security information and event management (SIEM) system, and security operations center (SOC) analysts spend their time on the events that remain.
The approach has gained significant validation from authoritative sources. The National Institute of Standards and Technology (NIST) released a draft update to SP 800-81 in April 2025, recommending DNS as a security control point to block access to high-risk and malicious domains. The draft guidance covers three distinct concerns: using DNS as a protective security layer, securing the DNS protocol itself through encrypted transport and DNS Security Extensions (DNSSEC), and protecting DNS servers from attacks such as distributed denial of service (DDoS).
Additional market validation comes from major cloud providers. Google recently announced DNS Armor for cloud workloads, powered by Infoblox's DNS-based threat detection engine, recognizing DNS as a valuable security control point alongside established standards bodies.
Why Platform Architecture Matters
While some firewall and Secure Access Service Edge (SASE) solutions offer basic DNS filtering, Srivatsan emphasizes implementing protective DNS on a dedicated DNS platform. A filter that sits in front of someone else's resolver sees only the queries it is handed; the recursive resolver itself sees every query, the client that made it, and the full chain of CNAMEs and nameservers it resolved through, and that is the visibility on which threat detection depends.
Infoblox's approach combines DNS with Dynamic Host Configuration Protocol (DHCP) and IP address management (IPAM), collectively called DDI, to provide comprehensive visibility. This integration enables security teams to identify not just which domains were blocked, but which specific assets made the malicious requests. "You want to know what asset made that DNS request to a suspicious or a high risk domain," Srivatsan explains. "If you don't have that visibility with DNS and IPAM, all you get is an IP address, but you won't know what's behind the IP address."
This visibility gap represents a critical blind spot that can delay incident response and increase breach costs. By consolidating DNS resolution, asset management, and security functions on a unified platform, organizations gain both operational efficiency and the granular visibility required for effective threat hunting and incident response.
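The two mechanisms described above, blocking at the resolver and tying the blocked query back to an asset through DHCP/IPAM data, fit in a short policy engine. The following is an added example written for this article, not Infoblox product code; it applies an RPZ-style policy (exact and wildcard entries, exact winning over wildcard) plus a newly-observed-domain age check to constructed resolver log lines, and enriches each hit from a constructed DHCP lease table. Every domain, address, MAC, hostname and log line is made up for the example.

```python
"""Protective-DNS policy check with DHCP/IPAM enrichment (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# RPZ-style policy (constructed). Keys are exact names or "*.parent"
# wildcards; values are the action to apply on a match.
POLICY = {
    "login-update.example": "NXDOMAIN",    # known lure domain
    "*.cdn-stage.example": "NXDOMAIN",     # whole subtree of staging infra
    "partner-portal.example": "PASSTHRU",  # explicit allow, beats any feed
}

# Newly-observed-domain feed (constructed): first-seen date per name.
FIRST_SEEN = {
    "fresh-invoice.example": date(2025, 6, 1),
    "partner-portal.example": date(2019, 3, 12),
}
NOD_MAX_AGE_DAYS = 30          # names younger than this are treated as high risk
TODAY = date(2025, 6, 10)      # evaluation date for the sample log

# DHCP lease / IPAM table (constructed), keyed by client IP.
IPAM = {
    "10.20.0.15": {"hostname": "fin-laptop-07", "mac": "aa:bb:cc:00:11:22", "owner": "finance"},
}

# Constructed resolver query log, one query per line.
SAMPLE_LOG = """\
2025-06-10T09:14:02Z client=10.20.0.15 qname=fresh-invoice.example. type=A
2025-06-10T09:14:05Z client=10.20.0.15 qname=www.cdn-stage.example. type=A
2025-06-10T09:15:11Z client=10.20.0.40 qname=partner-portal.example. type=A
2025-06-10T09:15:30Z client=10.20.0.40 qname=updates.corp.example. type=AAAA
"""


@dataclass
class Verdict:
    ts: str
    client: str
    qname: str
    action: str            # NXDOMAIN | PASSTHRU | RESOLVE
    reason: str
    asset: Optional[dict]  # None when IPAM has no record for the client IP


def normalize(qname: str) -> str:
    """Drop the trailing dot and lower-case; DNS names are case-insensitive."""
    return qname.rstrip(".").lower()


def parents(name: str):
    """Yield the name and each parent: a.b.example -> b.example -> example."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def policy_lookup(name: str) -> Tuple[Optional[str], str]:
    """RPZ precedence: an exact entry beats a wildcard; closest wildcard wins."""
    if name in POLICY:
        return POLICY[name], f"policy {name}"
    for parent in list(parents(name))[1:]:   # wildcard never matches its own apex
        key = "*." + parent
        if key in POLICY:
            return POLICY[key], f"policy {key}"
    return None, ""


def is_newly_observed(name: str, today: date) -> bool:
    """True if the name or any parent first appeared within NOD_MAX_AGE_DAYS."""
    for candidate in parents(name):
        seen = FIRST_SEEN.get(candidate)
        if seen is not None and (today - seen).days <= NOD_MAX_AGE_DAYS:
            return True
    return False


def evaluate(ts: str, client: str, qname: str, today: date) -> Verdict:
    name = normalize(qname)
    action, reason = policy_lookup(name)
    if action is None and is_newly_observed(name, today):
        action, reason = "NXDOMAIN", "newly observed domain"
    if action is None:
        action, reason = "RESOLVE", "no policy match"
    # Without the DHCP/IPAM join the alert carries nothing but an IP address.
    return Verdict(ts, client, name, action, reason, IPAM.get(client))


def parse_log_line(line: str) -> Tuple[str, str, str]:
    ts, rest = line.split(" ", 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return ts, kv["client"], kv["qname"]


def process_log(text: str, today: date) -> list:
    return [evaluate(*parse_log_line(l), today) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for v in process_log(SAMPLE_LOG, TODAY):
        who = v.asset["hostname"] if v.asset else "unknown asset"
        print(f"{v.ts} {v.client} ({who}) {v.qname} -> {v.action} [{v.reason}]")
```

Two details carry the article's points. The first query from 10.20.0.15 is blocked purely because the domain is nine days old, before any signature exists for whatever it hosts, and the verdict names fin-laptop-07 rather than an address. The queries from 10.20.0.40 come back with no asset record at all, which is exactly the "all you get is an IP address" gap a DNS-only filter leaves.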
Next-Generation Security Operations
Recent product innovations demonstrate how DNS security is evolving beyond basic blocking. Infoblox's new security workspace provides intuitive dashboards that immediately show security teams the value they're receiving, including protection-before-impact metrics that quantify neutralized threats. The simplified interface allows security teams to quickly see what's being blocked and how their environment is performing without extensive training.
The company has also introduced detection mode, allowing organizations to evaluate the solution without disrupting existing DNS infrastructure. This approach enables proof-of-concept testing without requiring customers to deploy threat defense inline in production environments. New token-based licensing aligns costs with actual usage rather than static user counts, allowing organizations to reallocate security resources as their environments evolve.
The Future: Preemptive Over Reactive
Cybersecurity is decisively moving toward preemptive strategies. Traditional detect and respond approaches that wait for patient zero are too reactive for today's AI-based threats. This shift encompasses predictive threat intelligence that can identify potentially malicious infrastructure before it's weaponized, attack surface management that examines vulnerabilities from an outside-in perspective, and consolidation onto unified platforms that reduce operational complexity.
"The market is looking for something more preemptive," Srivatsan explains. "Being more preemptive in your overall security strategy, which also includes protective DNS, I think is the future because reactive is not working and we can't keep up with the AI-based threats to get ahead of them."
Organizations continuing to rely solely on reactive security measures face mounting risk as AI-generated threats proliferate. The shift to preemptive DNS-based protection is not just a technological upgrade, it's a strategic necessity for maintaining security in an AI-driven threat landscape.
Key Takeaways
AI-automated malware creation is multiplying the number of novel, single-use threats
DNS monitoring can identify attacker infrastructure and block it before a campaign reaches its first victim
Industry standards are evolving to include DNS-layer security recommendations
Centralized network platforms offer unique advantages for security policy enforcement
Cybersecurity investments are shifting toward proactive threat prevention strategies
Learn More
For detailed information about Infoblox's protective DNS solutions and the latest threat intelligence research, visit the Infoblox website: https://www.infoblox.com/products/threat-defense/