When people talk about link rot, they treat it as a quality-of-life problem. A 404 here. A weird redirect there. Mostly an aesthetic concern for archivists and footnote-keepers.
The aesthetic framing misses the actual cost. Every dead outbound link on your site is a registration the next attacker can claim, and the link is what gets them the traffic they want.
How fast the decay actually happens
The empirical literature on this is unromantic and consistent. A few of the load-bearing numbers:
- Roughly 8% of newly published outbound links are dead within 3 months. (See the Harvard/Berkman link-rot studies, particularly Zittrain et al.'s work on legal citation rot, where this is the lower-bound figure across multiple corpora.)
- After one year, ~20% of outbound links point to dead pages, repurposed content, or redirects that diverge from the original intent.
- After seven years, ~44% of links are gone or have materially changed.
A site that published 100 reference links a year ago has 20 broken ones already. A site that's been publishing for a decade has nearly half of its outbound graph pointing at something other than what it originally cited.
The decay itself isn't the security problem. The security problem is who refills the empty space.
Why dead links become attack surface
When a destination dies, one of a few things happens:
The domain expires and gets re-registered. This is the case that matters most. Within hours of expiry, automated bidders pick the name up, usually a dropcatcher, sometimes an attacker who specifically targeted high-residual-traffic names. Your link still works. It now resolves to phishing, malware, parking, or a redirect chain into whatever the current monetization is.
A parking service takes over. No targeted attacker, just a wall of programmatic ads — sometimes benign, often not. The ads rotate. The page that's clean at 9am can be hostile at 2pm. (See Park Your Car, Not Your Domain Name.)
A 404 becomes a phishing template. If the new owner controls the server, they control what 404s look like. A page that mimics your brand or a well-known SaaS login is a tiny lift.
The page is gone but the domain still works. About half of all link rot is content-deletion under an active domain — the owner removed the post but kept the registration. The link is "live" technically, but the resource is gone, and the page that replaces it could be anything. A vendor's content marketing redirect, a placeholder, an upgrade pitch, a domain-for-sale shell.
The common thread: at any of these transitions, the trust you accumulated by being the linker survives. The thing you're vouching for is replaced.
The compounding part
Your visitors trust you. When they click a link on your site they assume you vetted it, or at the very least vouched for it implicitly by publishing it. Attackers buy expired domains for exactly this — a $10 registration that includes traffic and reputation, both already laundered through a third party.
That's dropcatching as a business model. It's not a fringe activity; it's a tier of the domain industry with named operators, real auctions, and recurring revenue.
The downstream consequences for the linker, beyond the immediate user harm:
- Compliance findings. Regulated industries (healthcare, finance, education, public sector) get audited on what their public pages link to. "We didn't notice" is not an audit-passing answer.
- Legal exposure. If a user is meaningfully harmed by clicking through to malware or a credential-phishing kit reached via your link, the discovery process will start with your outbound-link inventory.
- Brand damage. Once a screenshot of a parked-domain ad or a phishing page reached from your URL is in circulation, it takes a long time to leave.
- Search demotion. Outbound link rot and outbound link quality are measurable signals, and search engines treat them that way.
Why one-time scanning misses the point
A broken-link checker run quarterly tells you what was broken last quarter. The domains that expired between checks are claimed within hours and serving something else by the time the next scan runs. The audit is always behind.
The right framing isn't "find the broken links and fix them." It's "watch the inventory continuously and tell me when a destination materially changes." Different signal, different cadence, different tool. See Broken Link Checker vs Link Monitoring for the longer version of this argument.
What LinkSentry does about it
We watch outbound destinations as a continuous-monitoring problem, not a periodic scan. Specifically:
- Drift detection. A snapshot of every destination at first-sight, compared to what it serves now. New content from an old domain is the most useful single signal.
- Threat-intel correlation. Each destination is checked against the feeds that themselves seed the browser blocklists — usually hours to days before a domain shows up in Safe Browsing or SmartScreen.
- Registration-change monitoring. When a domain you link to was re-registered or transferred recently, that's an alert in its own right, regardless of what it currently serves.
- Coverage from real sessions. Outbound links discovered from actual visitor browsing, including behind auth, so the inventory matches the surface area customers actually use.
What to do today
You can't prevent link rot. The web changes, ownership rotates, businesses fold, and the names go back into the pool. What you can do is take it seriously as a recurring security responsibility rather than a quarterly housekeeping task.
A dead link isn't the problem. Whoever shows up to fill it is.