Zerofox Joins eco – Association of the Internet Industry

Disrupting abuse starts with being in the room where relevant standards get made.

When ZeroFox identifies a phishing site, a fraudulent social media profile, or an impersonation domain targeting one of our clients, the threat doesn't disappear on its own. Someone has to get it removed. That means working directly with the registrars, hosting providers, platforms, and content delivery networks (CDNs) that control the infrastructure. The speed and success of every one of those removals depends on the strength of those relationships.

ZeroFox has spent years building those relationships. Becoming a member of eco - Association of the Internet Industry is a direct extension of that commitment.

Why eco Matters for Internet Infrastructure

ecois the leading Internet industry association in Europe, with around 1,000 member companies spanning the full stack of internet infrastructure: domain registrars and registries, hosting providers, cloud operators, and the legal and policy professionals who connect those industries to regulators and law enforcement. The Names & Numbers Competence Group alone brings together more than 120 domain industry companies, and eco carries significant weight in ICANN processes and European internet governance broadly.

When policy is being written that affects how registrars handle abuse, how hosting providers respond to takedown requests, or how the EU's E-Evidence Regulation lands in practice for DNS and hosting providers, eco members are in those conversations. The EU's Digital Services Act and NIS2 Directive are both reshaping how infrastructure providers handle abuse reports and respond to data access requests, and those rules are being interpreted in real time through exactly the kind of multi-stakeholder engagement that eco facilitates. For ZeroFox, membership means a seat at the table where infrastructure-level abuse policy gets shaped, not just consuming the results after the fact.

What topDNS Means for Takedown Operations

eco's topDNS initiative is where this gets operationally concrete. Founded in 2021, topDNS is where registries, registrars, and hosting providers work together on the practical realities of DNS abuse: identifying threat patterns, sharing what actually works, and building frameworks that become industry norms. Steering Committee members include Verisign, Team Internet, Public Interest Registry, Realtime Register, and Cloudflare. ZeroFox is now a topDNS sponsor and holds a seat on that Steering Committee.

The initiative produces real outputs that directly improve the ecosystem we operate in: EU-aligned codes of conduct for hosting and domain providers, monthly abuse measurement reports, and operational workshops where technical staff build hands-on skills for handling abuse reports. To understand why those outputs matter so much, it helps to look at how takedowns actually work.

What Is a Takedown?

A takedown is the process of getting malicious or fraudulent content removed from the internet. That could mean a phishing site impersonating a bank, a fake executive profile on LinkedIn used for social engineering, a lookalike domain registered to harvest credentials, or a fraudulent mobile app distributing malware.

The requesting party (in our case, ZeroFox acting on behalf of a client) identifies the threat, gathers evidence, and submits a report to the entity that controls the infrastructure. That entity might be a domain registrar, a hosting provider, a social media platform, a CDN, or an app store. Each of these organizations has its own abuse policies, intake processes, and response timelines. Some accept reports through APIs. Others require manual form submissions or email. Some respond in hours. Others take days or never respond at all.

A single threat often touches multiple layers of infrastructure at once. A phishing domain might be registered through one company, hosted by a second, and served through a third-party CDN. Taking it down can mean filing reports with all three, each with different evidence requirements and escalation paths. The domain registrar can suspend the domain. The hosting provider can remove the content. The CDN can stop serving the site. Knowing which lever to pull first, and having a trusted relationship with the team on the other end, is what separates a fast resolution from a report that sits in a queue for weeks.

ZeroFox performs over a million successful takedowns per year, with a 95% acceptance rate. That volume matters because it means we are not sending cold reports into the void. We have established, trusted channels with the infrastructure providers who make the actual removal decisions. Separately, the ZeroFox Global Disruption Network works with 80+ ISP, registrar, hosting, CDN, and telco partners to block malicious domains and URLs at the DNS and network level, cutting off threats at internet-wide scale even while individual takedown cases are still in progress.

What Affects Takedown Speed?

The single biggest variable in takedown speed is the receiving party. A registrar or hosting provider that has invested in abuse handling, that staffs a responsive trust and safety team, that has clear policies for different threat categories, that organization processes reports faster and with better outcomes.

Several other factors directly influence how quickly a takedown resolves:

Evidence quality. A report that includes the malicious URL, a screenshot with a timestamp, WHOIS/RDAP and DNS records, and a clear explanation of the abuse type gets triaged faster than a vague complaint. ZeroFox automates evidence packaging to meet the specific requirements of each provider.

Submission channel. Automated, API-based submissions are faster than email, and email is faster than web forms or in-app reporting. Not all providers offer APIs, and the ones that do often limit access to trusted reporters. Building those trusted reporter relationships is part of the long game.

Threat classification accuracy. A phishing report sent as a trademark complaint ends up in the wrong queue. Matching the abuse type to the provider's internal categories matters, and it varies from one provider to the next.

Infrastructure routing. When a threat spans multiple providers, the order of operations matters. Suspending a domain at the registrar level is often the most decisive action, but if the content is hosted behind a CDN, reporting to the hosting provider first may produce a faster initial result while the registrar case progresses. Getting this wrong means wasted time and duplicate effort. Getting it right requires knowing how each provider's infrastructure is layered and which team handles what.

Registrar and hosting provider training. This is the systemic variable, and the hardest to influence at scale. When the people reviewing reports understand the difference between a legitimate takedown request and a speculative abuse complaint, they act faster and with better judgment. Industry-wide training, shared frameworks, and common abuse taxonomies all push response quality upward. A registrar whose abuse team has worked through real case studies alongside peers at other registrars develops institutional muscle memory that benefits every report they receive, not just ours. That kind of cross-industry training is exactly what eco and topDNS deliver.

Intelligence-Led Disruption at Industry Scale

ZeroFox monitors 12B+ signals daily, tracks 6B+ domains (including subdomains), and operates across 180+ platforms. The abuse patterns and response data that come out of that volume are what organizations like eco and initiatives like topDNS need more of. Most industry participants see abuse from their own slice of the infrastructure. A registrar sees domains flagged in its portfolio. A hosting provider sees content reported on its servers. ZeroFox sees it across the entire chain, from initial domain registration through content deployment to the eventual takedown resolution, across the domain industry, the hosting space, and every major platform.

That cross-ecosystem view produces data that the industry can use: which abuse patterns are trending, which threat categories are growing fastest, how response times vary across provider types, and where the gaps are between policy and practice. Bringing that data into eco and topDNS working groups strengthens the frameworks that every provider uses to handle reports, including ours.

We intend to bring it.