Google Patents a System That Grabs Abandoned Domains Before Hackers Can
Forgotten subdomains are a surprisingly common attack vector — a company decommissions a cloud service but leaves the DNS record pointing nowhere, and an attacker quietly registers the underlying resource to hijack traffic. Google's new patent describes a platform that finds those orphaned domains and claims them first.
How Google's platform squats on dangerous orphan domains
Imagine your company once ran a service at api-old.yourcompany.com, pointed at an AWS bucket you've since deleted. The DNS entry still exists, but the bucket is gone, and anyone can register a new bucket under the same name. That's a subdomain takeover: an attacker claims the abandoned resource and starts serving malicious content under your domain name. Your users trust the URL because it looks like yours.
Google's patent describes a security analytics platform that continuously scans a company's DNS records and security data, spots domain names that aren't backed by any real computing resource, and then claims those resources itself — essentially squatting on the orphaned endpoint so no attacker can get there first.
The platform sends notifications back to the affected company so they know what was found and what was done about it. Think of it as an automated bouncer that locks a door the moment it finds it unguarded, then tells you it did so.
How the security analytics platform claims unclaimed domains
The system works in three broad steps:
- Ingest security data — the platform receives DNS records, infrastructure inventories, and other security telemetry associated with a specific organization.
- Parse and identify gaps — it cross-references every domain name or subdomain found in that data against the organization's actual computing resources (cloud instances, servers, storage buckets, etc.). Any domain name with no matching live resource is flagged as a candidate for takeover.
- Claim the resource — the platform creates an association between that orphaned domain name and a computing resource it controls, effectively parking the domain under a safe, monitored endpoint before a third party can do the same maliciously.
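The first two steps can be illustrated with a short Python example. It is added here and is not code from the patent or from Google. The record format, the inventory set, the function names and all sample data are assumptions made for illustration. It goes slightly beyond the text by following CNAME chains inside the zone, so a name is judged by the endpoint it finally lands on.

```python
from collections import defaultdict

# Constructed sample data: a zone export for a hypothetical organization.
DNS_RECORDS = [
    ("www.example.com.", "CNAME", "web-prod.s3.amazonaws.com."),
    ("api-old.example.com.", "CNAME", "Legacy-API.s3.amazonaws.com."),
    ("docs.example.com.", "CNAME", "portal.example.com."),
    ("portal.example.com.", "CNAME", "retired-docs.s3.amazonaws.com."),
    ("vpn.example.com.", "A", "203.0.113.10"),
    ("old-vpn.example.com.", "A", "203.0.113.99"),
]
# Constructed inventory: endpoints the organization still controls.
INVENTORY = {"web-prod.s3.amazonaws.com", "203.0.113.10"}

def norm(value):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return value.strip().rstrip(".").lower()

def build_zone(records):
    """Step 1 (ingest): index records by normalized owner name."""
    zone = defaultdict(list)
    for name, rtype, value in records:
        zone[norm(name)].append((rtype.upper(), norm(value)))
    return zone

def terminals(name, zone, seen=frozenset()):
    """Follow in-zone CNAMEs and return the final endpoints (IPs or
    external hostnames). A CNAME loop resolves nowhere: empty set."""
    if name in seen:
        return set()
    if name not in zone:
        return {name}  # leaves the zone: external endpoint
    ends = set()
    for rtype, value in zone[name]:
        if rtype == "CNAME":
            ends |= terminals(value, zone, seen | {name})
        else:
            ends.add(value)
    return ends

def find_orphans(records, inventory):
    """Step 2 (identify gaps): names whose endpoints match no live resource."""
    zone = build_zone(records)
    live = {norm(item) for item in inventory}
    findings = {}
    for name in sorted(zone):
        ends = terminals(name, zone)
        if not ends & live:
            findings[name] = sorted(ends)
    return findings

if __name__ == "__main__":
    for name, ends in find_orphans(DNS_RECORDS, INVENTORY).items():
        print(f"ORPHAN {name} -> {ends or 'unresolvable'}")
```

Each flagged name is a candidate for step three, or for simply deleting the stale DNS record.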
The patent also describes a notification manager architecture — multiple notification manager components that alert the affected organization when an association has been created on their behalf. This creates an audit trail so the company knows exactly which domains were at risk.
There's also a caching layer (an association cache) that stores these mappings, presumably so the platform can quickly respond at scale across many customers without re-scanning from scratch every time.
Why subdomain takeover is a real and underrated threat
Subdomain takeover has been a documented attack technique for years — it's been used against major brands to serve phishing pages, steal session cookies, and bypass Content Security Policy rules because the malicious content appears on a trusted domain. Most organizations don't have great visibility into the gap between their DNS records and their live infrastructure, especially after cloud migrations or product retirements.
A service that automatically claims orphaned endpoints changes the defensive posture from reactive (wait for an incident, then clean up) to proactive. For large enterprises with hundreds of subdomains and frequent infrastructure churn, that automation gap is exactly where attackers look first. If this ends up inside Google's Chronicle or Mandiant product lines, it could become a quiet but meaningful layer of enterprise security hygiene.
This is a genuinely useful defensive technique, not a flashy AI story — but subdomain takeover is exactly the kind of boring, persistent threat that causes real breaches. Automating the 'claim it before they do' response is a smart, concrete solution to a well-understood problem. The fact that it comes from the Mandiant/Chronicle side of Google makes it worth taking seriously as a future product feature.
Editorial commentary on a publicly published patent application. Not legal advice.