The rundown on becoming runZero What I learned rebranding a company - Part 2


This is part two of our rebrand journey. Be sure to check out part one of this story and be on the lookout for part three and four.

Changing priorities from name to domain #

At this point, we decided that we definitely wanted to own a dot com domain, if possible without a modifier like “technology.” This would mean we could effectively own the brand in a much more powerful way than just a registered trademark, while also avoiding confusion in the market. Now that we had our options, the name became secondary because finding an available, affordable domain was the much harder problem to solve.

We had liked LightOptionA quite a bit and found another domain we’ll call that was no longer being used by its owner. After doing some research, we figured out that it was held by, say, ACME Corporation, a 5,000 person technology company in New England. The domain had been part of an acquisition many years ago, was now five acquisitions deep, and ACME Corporation had sold off that asset but kept the domain–now defunct.

The question was: who would have the power in that company to approve the sale of the domain? Having worked in Marketing in larger companies, I didn’t feel that they would have an interest, the process, or the juice to broker the deal. I decided to reach out to their corporate development team instead, referred through a joint LinkedIn contact. If corp dev had acquired the domain, they would have the process to sell it as well, plus they were used to non-standard deals.

We reached out and found a cooperative partner in one of their directors. However, he needed more time to figure out who could make the decision to release the domain, putting us on hold. The clock was ticking, so we decided to search for alternatives in parallel.

Down the domain name aftermarket rabbit hole #

I didn’t know much about the domain name market until that point, and it became an interesting rabbit hole. Domains are like digital real estate that big and small-time brokers and speculators flip for sometimes staggering amounts.

Broadly speaking, I broke domain availability down into these buckets:

  • Available to register: Go to GoDaddy and register a dot com for $12. Done! It’s becoming increasingly harder to find good domains that are still available. More on that later.
  • Buy now domains: Owner has listed the domain to purchase for a specific amount. and are the two big ones here. Be careful though; these pages have dynamic pricing, meaning the price goes up if you visit the domain multiple times in a day or week. That’s a good reason to take good notes and not go back until you want to purchase. Keep names and domains close to the chest in your internal process to control visits to the site. Mark my words! Prices can range from $100 to $20,000.
  • Curated buy now domains: Buy now domains have a lot of low-quality names. The curated sites like Squadhelp and Brandbucket have a better selection and often provide a very basic logo. I haven’t seen a lot of dynamic pricing here, but by the time I visited these sites, I had become more careful. A safe method is to search for a word that contains the target domain and view the price on the overview listing page rather than the detailed domain page. Most domains are priced around $1,000 to $5,000.
  • Private market: Some speculators and brokers hold their own domains or sell them on behalf of a customer. These sales are not publicly recorded in comp databases and can go up to several million dollars for a single English word domain, especially for common words that have commercial value. Think or A two-word dot com domain runs between $5K and $50K. Shorter names are more expensive. For example, $200K for a three-letter domain can be a bargain. Prices range from $5,000 to $10m.
  • Passive domain owners: These are folks that hold a domain but are not actively looking to sell them. Some may actively be using the domain name, others have a broken page or not even a domain name server. Tracking down the owners and negotiating with them can be worth it, but it wasn’t a great option for us because the negotiations usually take between 3 and 18 months. ACME Corporation with LightOptionB was one example. I also reached out to the owner of, who used to have a band by that name but we never heard back. One other domain we traced to an owner in Iran, which became a dead end because of international sanctions. Pricing in this space varied a ton and there are no guarantees on asks being reasonable, especially because the owners are not professional domain traders.

If you want to learn more about the domain name aftermarket, I recommend the Domain Name Wire Podcast as a starting point.

Considering domain brokers #

Apart from full-time employees at GoDaddy and other registrars that offer brokering services, there are a lot of individuals that do domain brokering, often as a part-time gig. They tend to have a background in working for a registrar, because having relationships within the industry can help unmask the domain. However, it’s not always necessary - I’ll share techniques on figuring out domain owners later.

Domain brokers will spend about 20 to 500 hours negotiating domains. This is usually only worth it for high-stakes private market and passive owners. They take between $500 and $5,000 retainer for any domain name you are trying to go after (success not guaranteed) and take a 10-20% commission of the purchase price. They often also have private lists of premium domains.

Learning #4: It’s important to keep in mind that hiring a domain broker doesn’t guarantee a domain name. The domain market is highly volatile and can become expensive quickly. If you’re in the early stages of a rebrand, be sure to look at all your options before putting money into a domain broker.

Brokers can also be a good “privacy shield” if you are representing a big company and want to stay anonymous in the negotiations so you don’t push the price up. However, I have heard mixed reviews on this topic, because if you have the cash to pay a broker, you likely have deep pockets.

Some brokers also offer naming services that help you figure out a name for your company for an additional fee. ( offers this service as a crowdsourced effort, but we found the results didn’t align with our goals and sought other domain acquisition means.)

If you are cash-rich and time-poor, or you don’t want to deal with the technical and social hassle of chasing down domain owners and negotiating with them, I can recommend Eric Friedman, who I talked to as part of our journey and who seems to be knowledgeable as well as a decent human being.

We ultimately believed we could broker the domains ourselves and found that to be the right choice for us in the end. Be prepared to dive in deep to learn about the space though.

Unmasking domain owners #

I spent quite a bit of time trying to figure out the identity of passive domain owners. My background in open source intelligence (OSINT) proved to be very helpful. Here are some resources that you may find useful when trying to unmask a domain owner:

  • Visiting the domain: By far the easiest way to figure out the owner. Look for any personal or company names, email addresses, and social media handles that may provide a clue.
  • Internet archive: The website takes snapshots of the most popular sites over time. Check if you can find a previous version of the site that gives up more information.
  • Google: Just search for the brand name or domain on Google and see what you find.
  • Network infrastructure: Check who is hosting the infrastructure, both currently and historically. I found Security Trails by Recorded Future to be a great source of detail (great company name, by the way). Look at where DNS and MX are hosted and which subdomains may provide a clue.
  • Whois History: Most people mask their WhoIs information but historical records can be very helpful in figuring out previous owners or current owners that added a privacy shield after having registered with their clear name. Best service I found is
  • Breach data: If the owner of the domain had an email address that got breached, you may be able to find it in breach data. My favorite is If you sign up for their very reasonably priced service, you can search in the format “” to find any email addresses that were breached in the past. Please note that using breached passwords to access any accounts is a criminal felony under the Computer Fraud and Abuse Act and will land you in jail.
  • Email outreach: Just try emailing and similar handles to see if anyone responds. If you didn’t see an MX record in your infrastructure research, that email will bounce. Otherwise, it’s worth a shot, even if the chances of success are low.
  • Social media handles: Check if there are any likely social media handles with the same name and reach out to their owners via DM.
  • Registrar abuse emails: Find the registrar of the domain through the WhoIs information and email their domain abuse address (often and ask to be put in touch with the owner. They won’t reveal their name, especially if the domain has privacy protection, but they may forward the email. Large registrars will usually point you to their domain brokerage service and charge a fee (about $10 to $60), but it may be worth it if other means haven’t surfaced anything useful.

Once you have found out the owner, research their background and what motivates them before you reach out. Position your purchase offer from their perspective.

If you’d like to learn more about OSINT, I highly recommend the book Open Source Technologies by Michael Bazzell. If you are an entrepreneur or marketer and interested in competitive intelligence, check out my talk Using OSINT for Competitive Intelligence.

Looking at buy-now domains #

In this next round, we focused on buy now domains to speed up our search and cut out negotiations. We had bid on a few domains through GoDaddy and reached out to some private owners. The process was aggravating and open-ended. The curated vendors Squadhelp and Brandbucket were great for us because they had higher quality inventory than other sites and enabled you to browse, in addition to just searching. We continued on the theme of light and found domains like, and for around $2-$3K.

My personal favorite was a domain called, which went for $3,395 on I liked it because neon gray is a paradoxical color that doesn’t exist, so it sticks in your mind. Our technology finds devices on your network that other solutions can’t see, so I saw a parallel of us seeing neon gray whereas others cannot. One issue was also that the alternative spelling,, was a bid domain on GoDaddy, so that would have pushed out the timeline. Ultimately, my team didn’t align on it and the alternate spelling created too much confusion to go forward with it.

We agreed on a variant of that - No alternative spellings, but a private bid domain. We started negotiations but ultimately pulled out for two reasons: first, we saw a potential trademark conflict with CarbonBlack, also an element plus the color black, who were not competitive but adjacent. Second, BlackLivesMatter was heavily in the news and we didn't want our brand to be thrown into the gauntlet of political opinions, which could have played out badly in either direction.

Follow the story #

Part three of this story was published on Wednesday, September 14, so be sure to follow the story.

Written by Chris Kirsch

Chris Kirsch is a co-founder of runZero. Chris started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and Social Engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world’s largest hacker conference.

More about Chris Kirsch
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

runZero Research
SSHamble: Unexpected exposures in the Secure Shell
We conducted a deep dive into the SSH ecosystem and identified vulnerabilities across a wide range of implementations. During the research process,...
runZero Research
Attack Surface Challenges with OT/ICS and Cloud Environments
Learn why successfully navigating changes to operational technology and cloud attack surfaces is critical for successful asset security.
Life at runZero
Employee Spotlight: Nikki Milum
Nikki Milum is our stellar Senior People Operations Partner! Read on to learn more about why Nikki thinks runZero is different than any place she’s...
runZero Research
Evolving threat landscapes: a view through the lens of CAASM
See what our analysis of sample CAASM data reveals about the current threat landscape and how security teams are responding to challenges old and new.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved