WhoisXML API Participates in the 2025 FIRST Mexico City Technical Colloquium


With the cybersecurity landscape constantly evolving, regional gatherings like the 2025 Mexico City Technical Colloquium are vital for incident response professionals. Organized by the Forum of Incident Response and Security Teams (FIRST), the event took place in Mexico City from October 27 to 29, 2025.  

WhoisXML API’s Vice President of Research, Ed Gibbs, was one of the speakers at the gathering. He co-led a session titled "Advanced Signals: NextGen Threat Hunting using Active and Passive DNS and Internet NetFlow Telemetry," along with Ernesto Guzmán, Head of the Digital Forensics and Incident Response team at ES Consulting.

In this post, we share some of the recurring themes and our key takeaways from the event.

Cyber Threat Intelligence (CTI) Automation

One of the most pressing bottlenecks for Security Operations Centers (SOCs) is the sheer volume of raw threat intelligence data. Several sessions at the FIRST 2025 Technical Colloquium explored how to automate the ingestion and enrichment of this data using next-generation techniques.

For instance, a session led by SOCRadar’s Ensar Şeker discussed Agentic CTI, a novel approach leveraging Agentic AI and the Model Context Protocol (MCP) to automate the entire threat intelligence pipeline, from ingesting reports and extracting indicators of compromise (IoCs) to enriching data and generating structured outputs.

The discussions at the conference also went beyond data collection to how raw intelligence is turned into organizational strategy. A comprehensive threat landscape is the foundation of any effective cybersecurity plan, and part of building one is tailoring CTI communication to its audience, as highlighted in the session "Are You Talking to Me? Tailoring CTI Communication for Maximum Impact."

Advanced Threat Hunting

Several colloquium sessions showed how to use unique data signals to identify threats, a sign that threat hunting is moving past simple detection toward methods that can surface evasive threats.

Ed Gibbs and Ernesto Guzmán’s session, for one, detailed the use of active and passive DNS records, along with Internet NetFlow telemetry, to track and identify coordinated malicious activity. This approach effectively transforms raw data into actionable threat intelligence. The speakers demonstrated how domain clustering analysis detects typosquatting and cybersquatting domain registrations that security platforms often miss.
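The paragraph above mentions domain clustering analysis as a way to catch typosquatting and cybersquatting registrations that otherwise slip through. The following is an added example, not code from the session or from WhoisXML API, of the simplest form of that analysis: newly observed domains are normalized (case, diacritics, a small homoglyph table, hyphens), compared to a protected brand label with an edit distance that counts adjacent transpositions, and grouped under the brand they imitate. The domain list, the brand, the owned-domain set, and the homoglyph table are all constructed for the example, and the "first label is the registrable name" shortcut stands in for a real public-suffix lookup.

```python
import unicodedata

# Constructed sample of newly observed domains, as a defender might pull from a
# daily new-registrations feed. None of these are real registrations.
NEW_DOMAINS = [
    "examplebank.com",          # the brand's own domain (constructed)
    "examplebank.co",           # same label, different TLD
    "exampIebank.com",          # capital I standing in for lowercase l
    "examplebnak.com",          # adjacent transposition
    "example-bank-login.net",   # brand embedded in a longer label
    "exmaplebank.com",          # adjacent transposition
    "weather-today.org",        # unrelated, should not be flagged
    "examp1ebank.co",           # digit 1 standing in for l
]

# Hypothetical protected brand: label -> set of domains the brand actually owns.
PROTECTED_BRANDS = {"examplebank": {"examplebank.com"}}

# Minimal homoglyph table (assumption; a production system would use a fuller
# confusables list). Multi-character lookalikes are handled in normalize().
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Fold a DNS label to a canonical form so lookalikes compare equal."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = label.translate(HOMOGLYPHS)
    # Heuristic multi-character confusables; can misfire on words like "learn".
    label = label.replace("rn", "m").replace("vv", "w")
    return label.replace("-", "")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    # Assumption: the first label is the registrable name. A real deployment
    # would strip the public suffix instead (e.g. "co.uk" cases).
    return domain.lower().split(".")[0]


def classify(domain: str, brand: str, owned: set, max_distance: int = 2):
    """Return a reason string if the domain looks like it imitates the brand."""
    if domain.lower() in owned:
        return None
    raw = registrable_label(domain)
    norm = normalize(raw)
    if raw == brand:
        return "tld-variant"          # identical label on a TLD the brand does not own
    if norm == brand:
        return "homoglyph"            # equal only after lookalike folding
    if brand in norm and len(norm) > len(brand):
        return "brand-embedded"       # e.g. brand-login, brand-support
    distance = damerau_levenshtein(norm, brand)
    if distance <= max_distance:
        return f"edit-distance-{distance}"
    return None


def cluster_typosquats(domains, brands, max_distance: int = 2):
    """Group suspicious domains under the brand they resemble."""
    clusters = {brand: [] for brand in brands}
    for domain in domains:
        for brand, owned in brands.items():
            reason = classify(domain, brand, owned, max_distance)
            if reason:
                clusters[brand].append((domain, reason))
    return clusters


if __name__ == "__main__":
    for brand, hits in cluster_typosquats(NEW_DOMAINS, PROTECTED_BRANDS).items():
        print(f"cluster for {brand}:")
        for domain, reason in hits:
            print(f"  {domain:28} {reason}")
```

The distance threshold of 2 is deliberately tight: on short brand labels a looser threshold floods the cluster with unrelated dictionary words, so in practice the edit-distance branch is paired with a minimum label length or a frequency filter before the output is handed to an analyst.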

The importance of Open-Source Intelligence (OSINT) tools for cyber investigations was also highlighted at the event. The session "From Breadcrumbs to Breaches: OSINT in the Heat of Incident Response" showed how these tools can turn a single piece of evidence into actionable insights that drive an investigation forward.

Deep Adversary Insights

Another recurring theme across several sessions was the need to understand cybercriminals' methods, motivations, and mindsets, treating them as a necessary part of the threat model.

The session “How to Become One of Them” provided a look into the full lifecycle of a deep-cover Human Intelligence (HUMINT) operation. The speaker, Sean Jones of Groupsense and Cognyte, used actual examples to walk participants through crafting believable personas, navigating underground forum dynamics, and extracting intelligence directly from threat actors.

Threat analysts also presented in-depth analyses of specific criminal operations. FortiGuard Labs’ Arturo Torres, for example, examined recent threat trends and Tactics, Techniques, and Procedures (TTPs) in Latin America.

There were also sessions that presented technical deep dives into specific malware families, such as “How to Cook Hora-bot, The Long and Slow Way,” which analyzed the new obfuscation techniques used by the Hora-bot botnet. A session titled “Privacy Digital Identity by Criminal Eyes: Insights From Russian-Speaking Underground” examined modern criminal business processes. It explained that cybercriminals are now using biometrics and LLMs to get around identity and regional perimeters, allowing them to expand their attack surfaces and geographical reach.

Strategic Incident Response and Cyber Crisis Management

The overarching theme of the Mexico City Technical Colloquium was that incident response is fundamentally intelligence-driven.

Several sessions discussed how successful incident response and cyber crisis management depend on intelligence gathered before the incident, not just the methods and technology used during the incident. This means that preparation and strategic thinking contribute to corporate cyber resilience, making predictive intelligence vital. In fact, a session titled “Beyond Incident Response: Mastering the Art of Cyber Crisis Forecasting” introduced the Cyber Crisis Forecaster (CCF), a new specialist role dedicated to actively predicting cyber attacks and crises.

The program wrapped up with a training day, “XDR-Driven Response: Strategies for Modern Threat Environments,” which ties all the gathered CTI and threat insights directly into a technical defense framework designed to handle today’s most sophisticated threats.

About WhoisXML API

WhoisXML API is a seasoned OEM data provider, specializing in delivering well-parsed, normalized, and comprehensive WHOIS, IP, and DNS intelligence. With more than 15 years of industry experience, we have amassed a vast repository of data, encompassing more than 25.5 billion historical WHOIS records, 50+ billion hostnames, 116+ billion DNS records, 10.5+ million IP netblocks, and 99.5% coverage of active IPv4 and IPv6 addresses.

We offer a wide range of domain, DNS, and other Internet intelligence solutions delivered via comprehensive databases, secure APIs, and intuitive web GUIs. Regardless of the consumption model, our intelligence serves as a robust foundation for leading cybersecurity products and services, with products like predictive threat intelligence data feeds leveraging AI predictive analytics capabilities and domain telemetry to enable organizations to detect potential malicious web properties early.

Trusted by more than 52,000 satisfied customers spanning cybersecurity, marketing, law enforcement, e-commerce, and financial services, WhoisXML API has consistently been recognized for its rapid growth and innovation, earning multiple accolades as an Inc. 5000 honoree and a Financial Times Top Fastest-Growing Company.
