Research highlights an overlooked phenomenon that hinders security operations
Palo Alto, Calif. — CyCognito, the leader in external attack surface management, today published new research examining domain-to-IP volatility and its impact on enterprise security operations. The findings highlight how changing DNS resolution can break assumptions about assets, complicating attribution, disrupting investigations, and degrading the accuracy of exposure reporting.
“Attack surface management is complex,” said Zohar Venturero of the CyCognito research team. “But it can be boiled down to a few basic questions: what assets are exposed, what are their attributes, are they exploitable, and how does the risk profile change over time? Understanding the mechanics of dynamic IP resolution is important to answering these questions correctly. It’s a complex technical challenge that too often goes overlooked.”
For this report, the research team analyzed the publicly visible domain sets of 264 organizations and filtered for enterprise domains, producing a dataset of more than four million unique domains. The team repeatedly resolved DNS A records for those domains over time and tracked changes in the resulting IP addresses. Domains with repeated IP rotation were classified as dynamic.
The researchers also used network data to identify the infrastructure associated with each domain, including content delivery networks, load balancers, and cloud providers. The team then measured how frequently IPs changed across domains in each category.
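The classification step described above can be sketched as follows. This is an added example, not CyCognito's code: the observations are constructed sample data, and the function names and the `MIN_CHANGES` threshold are assumptions, since the release does not state what counts as repeated rotation.

```python
from collections import defaultdict

# Constructed sample observations: (day, domain, A-record answers). Not real data.
OBSERVATIONS = [
    (1, "www.example.com", ["192.0.2.10", "192.0.2.11"]),
    (2, "www.example.com", ["192.0.2.11", "192.0.2.10"]),  # same set, reordered
    (3, "www.example.com", ["192.0.2.10", "192.0.2.11"]),
    (1, "cdn.example.com", ["198.51.100.1"]),
    (2, "cdn.example.com", ["198.51.100.7"]),
    (3, "cdn.example.com", ["198.51.100.1"]),  # rotates back to an earlier IP
    (4, "cdn.example.com", ["198.51.100.9"]),
    (1, "mail.example.com", ["203.0.113.5"]),
    (3, "mail.example.com", ["203.0.113.6"]),  # one-off migration
    (4, "mail.example.com", ["203.0.113.6"]),
    (2, "old.example.com", []),                # lookup returned no A records
]

MIN_CHANGES = 2  # assumed threshold for "repeated" rotation; the page gives none


def count_changes(observations):
    """Return {domain: number of times the resolved IP set changed}."""
    by_domain = defaultdict(list)
    for day, domain, ips in observations:
        # Normalize case and trailing dot so one domain is not tracked twice.
        by_domain[domain.lower().rstrip(".")].append((day, frozenset(ips)))
    changes = {}
    for domain, series in by_domain.items():
        series.sort(key=lambda item: item[0])
        # Compare sets, not lists: round-robin reordering is not a change.
        # Drop empty answers so a failed lookup is not counted as rotation.
        sets = [ips for _, ips in series if ips]
        changes[domain] = sum(1 for a, b in zip(sets, sets[1:]) if a != b)
    return changes


def classify(observations, min_changes=MIN_CHANGES):
    """Label each domain 'dynamic' or 'static' by its change count."""
    return {domain: ("dynamic" if n >= min_changes else "static")
            for domain, n in count_changes(observations).items()}


if __name__ == "__main__":
    for domain, label in sorted(classify(OBSERVATIONS).items()):
        print(domain, label)
```

Keying asset records on the domain and treating the resolved IP as a time-stamped attribute keeps attribution stable when a domain labelled dynamic rotates.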
Key findings include:
– On average, 8.6% of domains resolve to dynamic IP addresses. For large organizations, that can translate to hundreds or thousands of domains.
– Dynamic domains are common in standard enterprise architectures. Of dynamically resolved domains, 53.9% serve content from a content delivery network (CDN), 55.6% sit behind a load balancer, and 72.5% are hosted on cloud infrastructure such as IaaS or PaaS. Many domains fell into multiple categories.
– IPs often change faster than security teams can process assets. In the most dynamic subset analyzed, IP addresses changed more than eight times per month (about two to three times per week).
IP volatility is an overlooked phenomenon that can hinder attack surface management and broader security operations. When teams do not consistently identify and track dynamic resolution, it can break attribution and create a steady stream of false-positive signals over time.
As asset context is lost and exposure metrics swing, confidence in reporting and trend analysis erodes. The result is operational overhead: teams spend time rebuilding context, often through manual corrections and correlation. This slows remediation, obscures true issues, and consumes resources without improving security outcomes.
CyCognito’s research highlights an operational challenge many security teams face today. By grounding the problem in measurable data, enterprises can put in place the processes and tools needed to make domain-to-IP volatility visible and manageable.
Learn more about how CyCognito addresses domain-to-IP volatility: https://www.cycognito.com/blog/dynamic-ip-volatility-study/
About CyCognito
CyCognito is an external exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats.
For more information, visit https://www.cycognito.com.
