I participate in a lot of bug bounty programs, where I try to automate the discovery of as many security issues as possible.
Many companies do not know all of the assets that they have on the internet. When you know their attack surface better than they do, you can find a lot of otherwise trivial issues. One of the easiest types of issues to discover automatically is the subdomain takeover, where a DNS record or a load balancer points traffic towards an unknowing third party. If testing.example.com is pointed towards Amazon S3, what will S3 do if that bucket hasn't been created yet? It will just throw a 404 error — and wait for someone to claim it.
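A defender-side check for the dangling-record condition described above, added here as an example and not code from the original post: it walks your own zone export and flags every CNAME aimed at S3 whose response is a 404 carrying S3's `NoSuchBucket` error code. The record list, canned responses and function names are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Hostname shapes S3 serves buckets from (virtual-hosted and website endpoints).
S3_TARGET = re.compile(r"(^|\.)s3[.-]([a-z0-9-]+\.)*amazonaws\.com\.?$", re.I)


def http_fetch(host):
    """Return (status, body) for http://host/; (None, "") if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except OSError:
        return None, ""


def audit_zone(records, fetch=http_fetch):
    """records: (name, rtype, target) tuples from a zone you administer.
    Returns the names whose CNAME points at S3 but whose bucket is missing."""
    dangling = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME" or not S3_TARGET.search(target):
            continue
        status, body = fetch(name)
        # NoSuchKey means the bucket exists and only the object is missing.
        if status == 404 and "NoSuchBucket" in body:
            dangling.append(name)
    return dangling


# Constructed sample data: a small zone export and canned HTTP responses.
SAMPLE_ZONE = [
    ("testing.example.com", "CNAME", "testing.example.com.s3.amazonaws.com."),
    ("assets.example.com", "CNAME", "assets.example.com.s3-website-us-east-1.amazonaws.com."),
    ("www.example.com", "A", "192.0.2.10"),
    ("docs.example.com", "CNAME", "docs.example.com.s3.amazonaws.com."),
]
SAMPLE_RESPONSES = {
    "testing.example.com": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "assets.example.com": (200, "<html>ok</html>"),
    "docs.example.com": (404, "<Error><Code>NoSuchKey</Code></Error>"),
}

if __name__ == "__main__":
    print(audit_zone(SAMPLE_ZONE, SAMPLE_RESPONSES.get))
```

Any name it reports should have its DNS record removed or its bucket recreated under the owning account.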
At this point I had no idea what to do — why were there so many impacted domains across many organizations, and how was I even going to submit all of these issues? However, I noticed that the domains were slowly being changed to a MarkMonitor parked domain page. It became clear that these were all parked domains with varying degrees of use, and they were all registered via MarkMonitor. This is a bit surprising, because MarkMonitor sells itself as the domain registrar that does not make mistakes. It would be hard to overstate the cost of losing domains for a tech company — anything pointed at those domains will immediately begin sending its traffic elsewhere. MarkMonitor is not a cheap solution to this problem, but it is widely used (apparently by "more than half of the Fortune 100", per the page).