Defensive domain registration: a strategic guide for brands

Registering domains you do not plan to use is a cost-effective brand protection strategy. Learn which TLDs and variants to cover, and where to stop.

Defensive domain registration means registering domain names you have no intention of using operationally, with the sole purpose of preventing others from using them against you. It is brand insurance, not a business asset. Large brands manage portfolios of hundreds or even thousands of defensive domains. For smaller organizations, the goal is intelligent prioritization within a reasonable budget, not exhaustive coverage. This guide provides a framework for deciding which domains to register defensively, which to monitor without registering, and when to stop.

What defensive registration is and is not

Defensive domains are typically either redirected to your main domain (a 301 redirect so any typo traffic lands on your real site) or parked (a blank holding page indicating the domain is held by the brand). Both serve the protective purpose of denying the domain to potential squatters or attackers.

What defensive registration is not: registering every one of the 1,500+ TLDs that exist today, registering names that belong to other brands (that is reverse cybersquatting, which the UDRP explicitly recognizes as abuse), or building a speculative domain portfolio hoping domains will appreciate in value.

When the math justifies defensive registration

The calculation is straightforward. A single UDRP procedure costs between $1,500 and $4,000 in provider fees alone, plus legal counsel if you use it (typically $2,000-$5,000 more). An annual domain renewal costs $10-30. That means 10-15 years of renewing a single domain costs roughly the same as one UDRP. For high-risk domains, the decision is clear. For low-risk TLDs that are unlikely to be registered or used maliciously, the math shifts.

A prioritization framework: four risk levels

Apply this to your own brand to classify which domains are worth registering defensively.

LevelDescriptionExample TLDsRecommendation
CriticalHigh confusion risk, primary market.com, primary ccTLDRegister without question
HighSignificant confusion possible, secondary market or popular sector TLD.net, .co, .io, .org (sector-dependent)Register if budget allows
ModeratePossible confusion, less frequent.eu, .app, .shop, other targeted ccTLDsRegister or monitor
LowLimited risk, rarely used TLDs or out-of-target geographies.xyz, .top, .info, non-target ccTLDsMonitor via Domain Sentinel

How to classify your TLDs: consider your brand's recognition level (more recognized brands face broader attack surface), your sector (fintech, healthcare, and e-commerce see higher phishing rates than B2B SaaS), and your geographic presence (a TLD matters more if you operate in that country).

Which TLDs to register defensively

The generic TLDs that matter

.com is the single most important domain regardless of where you operate. If you are on .io or .co as your primary TLD, owning the .com is especially critical because users will try .com first by reflex. .net is broadly recognized and historically associated with internet services. .co is so visually similar to .com that it warrants special treatment: for any brand operating on .com, .co should be in the critical tier. .org is relevant for brands with a community or non-profit dimension.

Sector TLDs by industry

SectorPriority TLDs to cover defensively
Tech / SaaS.io, .app, .dev, .ai, .cloud
E-commerce.shop, .store, .market
Finance.finance, .capital, .money
Health.health, .care, .clinic
Legal.law, .legal, .attorney

Register the two or three most active TLDs in your sector. The others can go on the monitoring list.

ccTLDs by geographic priority

The method: rank countries by revenue or user base, then register the ccTLD for the top three to five markets. Monitor the rest. The cost of a ccTLD registration ($10-30 per year) is trivial compared to the cost of a UDRP proceeding to recover one.

Three ccTLDs that are effectively sector TLDs and deserve special treatment regardless of geographic operations:

  • .co (Colombia): used as a .com alternative across all markets. High confusion risk universally.
  • .io (British Indian Ocean Territory): standard for technology companies by convention. High value for tech brands.
  • .ai (Anguilla): widely used in the AI sector. Critical for AI-adjacent brands.

New gTLDs: the sensible approach

ICANN has launched hundreds of new gTLDs since 2013 (.online, .site, .tech, .store, etc.). Registering all of them defensively is impossible and counterproductive. The sensible approach: use Domain Sentinel to monitor new gTLD registrations matching your brand name, and register only if you detect actual suspicious activity. The Trademark Clearinghouse (TMCH) offers a "Sunrise" period for established trademark holders before each new gTLD opens, which is worth using for major brands.

Typographic and semantic variants to cover

Beyond TLD coverage, which name variants deserve defensive registration?

Priority typos

For names of 4-5 characters, consider registering all single-character substitutions on critical TLDs. The attack surface is manageable and the risk is real. For names of 8 or more characters, focus on the most probable errors: the two or three letter pairs that are adjacent on the keyboard and where a mistake produces a pronounceable result.

Semantic variants with high phishing risk

These specific patterns appear in real phishing campaigns with enough frequency that registering them is cost-justified for most brands with public-facing products:

  • [brand]-login.com, [brand]-account.com, [brand]-secure.com
  • [brand]support.com, [brand]help.com
  • get[brand].com, try[brand].com

At $15-20 per domain per year, covering ten of these patterns costs less than a single hour of legal counsel. The protective value against phishing campaigns impersonating your brand to your own users is significant.

Phonetic and orthographic variants

If your brand name has a non-obvious spelling (a French name with accents, a name commonly misspelled), register the phonetic alternatives. "Séquoia" should own sequoia.com. A brand called "Connexion" that uses that exact French spelling should consider connexion.com alongside connexion.fr.

Where to stop: the limits of the all-defensive approach

Real cost of a defensive portfolio: 50 domains at $15/year is $750 in annual renewal fees, not including registrar management time. Large brands allocate significant budgets to this. The rule for everyone else: cover what the risk justifies, monitor the rest.

Monitoring as a cost-effective alternative: Domain Sentinel lets you watch dozens of variants without registering them. If one gets registered, the alert gives you time to act before the squatter builds a case for legitimate use. For moderate and low-risk domains, monitoring is usually more cost-effective than preventive registration.

Managing and maintaining a defensive portfolio

Four operational requirements:

Centralize at a single trusted registrar with auto-renewal enabled on everything. A defensive domain that expires and gets captured by a squatter requires a UDRP to recover. Managing renewals across multiple registrars is a recipe for missed expirations.

Configure 301 redirects from all defensive domains to your main domain. A parked page with no content is slightly better than nothing, but a redirect ensures that any user who accidentally types the wrong address lands on your real site. It also prevents the domain from sitting as an empty shell that could be repurposed if your hosting relationship changes.

Document your portfolio. A simple spreadsheet with domain, TLD, reason for registration, expiration date, and redirect status takes an hour to set up and saves significant headaches during audits.

Add all defensive domains to Domain Sentinel for expiration monitoring. An alert 60 days before expiration gives you time to renew without risk. An alert 30 days out is the last warning. Auto-renewal plus Domain Sentinel monitoring is belt-and-suspenders protection against losing a domain you paid to protect.


An intelligent defensive strategy is not exhaustive, it is prioritized. Register the critical and high-risk domains defensively, monitor the rest with Domain Sentinel. The monitoring layer covers the residual space without inflating your portfolio maintenance costs. The combination, registration for the highest-risk variants and monitoring for the rest, is what makes brand domain protection sustainable at scale. Start by analyzing which domains are most at risk for your brand.

Start with a domain you care about

Look it up for free. If you want alerts when status changes or expiry gets close, create an account. Takes about 30 seconds.