I read this document for the ART review team. My background is in security, but I tried to focus on "typical ART area issues" as described in https://trac.ietf.org/trac/art/wiki/TypicalARTAreaIssues.

I have some feedback, but nothing that could not be addressed during the next phase of publication; i.e., do not respin a draft just for this review.

I think "blue team" mentioned in sec 3.1 should be in the terminology section, and have an expanded definition.

Did Bianco coin the (lovely) term pyramid of pain? If so, perhaps use "Bianco's" when introduced in 3.1. The wording in the paragraph before the drawing might need some tweaking.

At the end of 3.1 on large number of domain names, aren't auto-generated names also a factor?

Sec 6.1, "If an attack happens than you hope": "you hope" seems uncommon in RFCs these days in my experience.

I really liked this document. Thanks for providing it.